Login
We’re back with a new edition of “This Week in Scams,” a roundup of what’s current and trending in all things sketchy online.
This week, we have fake steaks, why you should shop online with a credit card, and a new and utterly brash form of debit card fraud.
Yes, the letter “O” for Omaha in the subject line of this email scam is actually a zero. And that’s not the only thing that’s off with this email, it’s a total scam.
If you like your choice cuts, the name Omaha Steaks might be a familiar one. They’ve been around for almost 110 years, and since 1953 they’ve been in the mail order meat business. Today, they sell, well, just about anything you can picture in the butcher or seafood case. With that, the company enjoys a premium reputation, so it’s little surprise scammers have latched onto it and built a phishing attack around the brand—one they garnish with a nod to concerns over rising food prices.
A few things can quickly tip you off to this scam. For starters, the scammers oddly spell Omaha with a zero in the subject line, as mentioned. From there, the sender’s email address is a straight ref flag. In this case, it’s the curiously spelled “steaksamplnext” followed by a (redacted) domain name that isn’t the legitimate omahasteaks dot-com address. Also curious is the lack of an actual price for the bogus “Gourmet Box.” And lastly, you might think that a premium foods brand would showcase some pictures of their famous fare in the email. Not so here.
Rounding it out, you’ll see the classic scammer tactics of scarcity and urgency, which scammers hope will pressure people to act immediately. In this case, only 500 of these supposed boxes are available, and the offer “concludes tomorrow.”
Even as this scam makes the rounds, it’s easy to spot if you give it a closer look and a little thought—giving it a sort of old-school feel to it. However, more and more of today’s phishing emails look increasingly legit, thanks to AI tools, which might get you to click.
As for phishing attacks like this in general, you can protect yourself by:
Always checking the email address of the sender. If it doesn’t match the proper address of the company or brand that’s supposedly sending the email, it’s a scam. In this case, from the people at Omaha Steaks themselves, “If it doesn’t show OmahaSteaks.com and @OmahaSteaks, it’s not us!”
Looking for addresses and links that look like they’ve been slightly altered so that they seem “close enough” to the real thing. In this case, the scammer didn’t even bother to try. However, you could expect an alteration like “omahasteakofferforyou.com” to try and look legit.
Getting a scam detector. Our Scam Detector, found in all core McAfee plans, helps you stay safer with advanced scam detection technology built to spot and stop scams across text messages, emails, and videos. It’ll also block those sites if you accidentally tap or click on a bad link.
What’s the most common kind of fraud? If you said, “credit card,” you’ll find it number five on the list. The top form is debit cards, according to 2025 findings from the U.S. Federal Reserve.
As reported by financial institutions, the Fed found that attempts at debit card fraud rose to 73% with 52% of those attempts being successful.
There’s a good reason for that debit card fraud ranks highest for attempts and success rate. It’s the same reason that credit card fraud is relatively low. Debit cards don’t have the same fraud protections in place that credit cards do.
As you might have read in our blogs before, credit cards offer additional protection thanks to the Fair Credit Billing Act (FCBA). Your maximum liability is $50 for fraudulent charges on a lost or stolen card if you report the loss to your issuer within 60 days. In the case of relatively unprotected debit cards, those losses often go unrecovered.
Keep this in mind as you sit down for your online shopping for the holidays: use a credit card instead of a debit card. That gives you the protection of the FCBA if your shopping session gets hacked or if the retailer experiences a data breach somewhere down the road. Also think about making it even safer by shopping with a VPN. Our VPN creates an encrypted “tunnel” that protects your data from crooks and prying eyes, so your card info stays private.
First reported by the FBI last year, we’re seeing continued reports of a brash and bold form of debit card scam—people physically handing over their cards to scammers.
The scam starts like many card scams do, with a phone call. Scammers spoof the caller ID of the victim’s bank or credit union, ring them up, and tell them there’s a “problem” with their account. From there, scammers direct victims to cut up their current card—but with a twist. They tell victims to keep the little EMV chip for tap-and-go payments intact.
Why? Victims get instructed to leave the cut-up card and intact chip in the mailbox for a “courier” to pick up for “security purposes.” Once in hand, scammers get access to the bank account associated with the chip. Even if the scammers don’t wrangle a PIN number out of their victims with a little social engineering trickery, they can still make purchases with the chip as some points of sale don’t require a PIN number when tapping to pay.
Shred your old cards in a paper shredder. Then, take the next step. Grab the shredded pieces and throw them away in separate batches. This will all make it fantastically tough for a scammer to piece together your card and steal your info.
Call back your bank yourself. If you get a call, voicemail, or text saying there’s an issue with your account, you can verify any possible issue yourself by calling the number on the back of your card.
Know that banks won’t send “couriers” for cards. And they’ll simply never ask you to leave your card in your mailbox.
That’s our roundup for this week. We’ll catch you next Friday with more updates, scam news, and ways you can stay safer out there.
The post This Week in Scams: Fake Steaks and Debit Card Porch Pirates appeared first on McAfee Blog.
If you’ve been watching the news, you’ve probably seen the headlines out of Paris: one of the most audacious heists in decades took place at the Louvre, where thieves made off with centuries-old crown jewels worth tens of millions of dollars.
But amid the cinematic drama, a quieter detail emerged that’s almost harder to believe—according to French newspaper Libération (via PC Gamer), auditors discovered that the password protecting the museum’s video surveillance system was simply “Louvre.”
While it’s not yet confirmed whether this played a direct role in the robbery, cybersecurity experts point out that weak or reused passwords remain one of the easiest ways for criminals—digital or otherwise—to get inside.
The Louvre’s cybersecurity audits, dating back to 2014, reportedly revealed a pattern of outdated software and simple passwords that hadn’t been updated in years. Subsequent reviews noted “serious shortcomings,” including security systems running on decades-old software no longer supported by developers.
That situation mirrors one of the most common security issues individuals face at home. Whether it’s an email account, a social media login, or your home Wi-Fi router, using an easy or repeated password is like leaving the front door open. Hackers don’t need to break in when they can just walk through.
As experts here at McAfee have explained, cybercriminals routinely rely on “credential stuffing” attacks, in which they test stolen passwords from one breach against other sites to see what else they can access. If you’ve used the same password for your streaming account and your online banking, it’s not hard to imagine what could go wrong.
A strong password is long, complex, and unique. Cybersecurity experts recommend at least 12–16 characters that mix uppercase and lowercase letters, numbers, and symbols. A short password can be guessed in minutes; a long one can take decades to crack.
If that sounds like a lot to juggle, you’re not alone. That’s why password managers exist.
A password manager takes the work—and the guesswork—out of creating and remembering complex passwords. It generates random combinations that are nearly impossible to crack, then stores them securely using advanced encryption.
The added bonus? You’ll never have to reuse a password again. Even if one account is theoretically compromised in a breach, your others remain protected because each password is unique.
McAfee’s password manager also uses multi-factor authentication (MFA), meaning you’ll need at least two forms of verification before signing in—like a code sent to your phone. That extra step can stop hackers cold, even if they somehow get your password.
To keep your digital treasures safer than the Louvre’s jewels:
Reports of the Louvre’s weak password might make for an easy punchline, but the truth is that millions of people make the same mistake every day—reusing simple passwords across dozens of accounts. Strong, unique passwords (and the right tools to manage them) are still one of the most powerful defenses against data theft and identity fraud.
As scams and breaches continue to evolve, your best defense is awareness and protection that adapts just as fast. McAfee’s built-in Scam Detector, included in all core plans, automatically detects scams across text, email, and video, blocks dangerous links, and identifies deepfakes—stopping harm before it happens.
The post The Louvre Used Its Own Name as a Password. Here’s What to Learn From It appeared first on McAfee Blog.
I hate hyperbolic news headlines about data breaches, but for the "2 Billion Email Addresses" headline to be hyperbolic, it'd need to be exaggerated or overstated - and it isn't. It's rounded up from the more precise number of 1,957,476,021 unique email addresses, but other than that, it's exactly what it sounds like. Oh - and 1.3 billion unique passwords, 625 million of which we'd never seen before either. It's the most extensive corpus of data we've ever processed, by a significant margin.
Edit: Just to be crystal clear about the origin of the data and the role of Synthient (who you’ll read about in the next paragraph): this data came from numerous locations where cybercriminals had published it. Synthient (run by Ben during his final year of college) indexed that data and provided it to Have I Been Pwned solely for the purpose of notifying victims. He’s the good guy shining a light on the bad guys, so keep that in mind as you read on. (Some of the feedback Ben has received is exactly what I foreshadowed in the final paragraph of this post.)
A couple of weeks ago, I wrote about the 183M unique email addresses that Synthient had indexed in their threat intelligence platform and then shared with us. I explained that this was only part of the corpus of data they'd indexed, and that it didn't include the credential stuffing records. Stealer log data is obtained by malware running on infected machines. In contrast, credential stuffing lists usually originate from other data breaches where email addresses and passwords are exposed. They're then bundled up, sold, redistributed, and ultimately used to log in to victims' accounts. Not just the accounts they were initially breached from, either, because people reuse the same password over and over again, the data from one breach is frequently usable on completely unrelated sites. A breach of a forum to comment on cats often exposes data that can then be used to log in to the victim's shopping, social media and even email accounts. In that regard, credential stuffing data becomes "the keys to the castle".
Let me run through how we verified the data, what you can do about it and for the tech folks, some of the hoops we had to jump through to make processing this volume of data possible.
The first person whose data I verified was easy - me 😔 An old email address I've had since the 90s has been in credential stuffing lists before, so it wasn't too much of a surprise. Furthermore, I found a password associated with my address, which I'd definitely used many eons ago, and it was about as terrible as you'd expect from that era. However, none of the other passwords associated with my address were familiar. They certainly looked like passwords that other people might have feasibly used, but I'm pretty sure they weren't mine. One was even just an IP address from Perth on the other side of the country, which is both infeasible as a password I would have used, yet eerily close to home. I mean, of all the places in the world an IP address could have appeared from, it had to be somewhere in my own country I've been many times before...
Moving on to HIBP subscribers, I reached out to a handful and asked for support verifying the data. I chose a mix of subscribers with many who'd never been involved in any data breach we'd ever seen before; my experience above suggested that there's recycled data in there, and we had previously verified that when investigating those other incidents. However, is the all-new stuff legitimate? The very first response I received was exactly what I was looking for:
#1 is an old password that I don't use anymore. #2 is a more recent password. Thanks for the heads up, I've gone and changed the password for every critical account that used either one.
Perfectly illustrating most people's behaviour with passwords, #2 referred to above was just #1 with two exclamation marks at the end!! (Incidentally, these were simple six and eight-character passwords, and neither of them was in Pwned Passwords either.) He had three passwords in total, which also means one of them, like with my data, was not familiar. However, the most important thing here is that this example perfectly illustrates why we put the effort into processing data like this: #2 was a real, live password that this guy was actively using, and it was sitting right next to his email address, being passed around among criminals. However, through this effort, that credential pair has now become useless, which is precisely what we're aiming for with this exercise, just a couple of billion times over.
The second respondent only had one password against their address:
Yes that was a password I used for many years for what I would call throw away or unimportant accounts between 20 and 10 years ago
That was also only eight characters, but this time, we'd seen it in Pwned Passwords many times before. And the observation about the password's age was consistent with my own records, so there's definitely some pretty old data in there.
The following response was not at all surprising:
I am familiar with that password... I used it almost 10 years ago... and cannot recall the last time I used it.
That was on a corporate account, too, and the owner of the address duly forwarded my email to the cybersecurity team for further investigation. The single password associated with this lady's email address had a massive nine characters, and also hadn't previously appeared in Pwned Passwords.
Next up was a respondent who replied inline to my questions, so I'll list them below with the corresponding answers:
Is this familiar? Yes
Have you ever used it in the past? Yes and is still on some accounts I do not use any longer.
And if so, how long ago? Unfortunately, it is still on some active accounts that I have just made a list of to change or close immediately.
This individual's eight-character password with uppercase, lowercase, numbers and a "special" character also wasn't in Pwned Passwords. Similarly, as with the earlier response, that password was still in active use, posing a real risk to the owner. It would pass most password complexity criteria and slip through any service using Pwned Passwords to block bad ones, so again, this highlights why it was so important for us to process the data.
The next person had three different passwords against rows with their email address, and they came back with a now common response:
Yes, these are familiar, last used 10 years ago
We'd actually seen all three of them in Pwned Passwords before, many times each. Another respondent with precisely the kind of gamer-like passwords you'd expect a kid to use (one of which we hadn't seen before), also confirmed (I think?) their use:
maybe when i was a kid lol
Responses that weren't an emphatic "yes, that's my data" were scarce. The two passwords against one person's name were both in Pwned Passwords (albeit only once each), yet it's entirely possible that neither of them had been used by this specific individual before. It's also possible they'd forgotten a password they'd used more than a decade ago, or it may have even been automatically assigned to them by the service that was subsequently breached. Put it down as a statistical anomaly, but I thought it was worth mentioning to highlight that being in this data set isn't a guarantee of a genuine password of yours being exposed. If your email address is found in this corpus then that's real, of course, so there must be some truth in the data, but it's a reminder that when data is aggregated from so many different sources over such a long period of time, there's going to be some inconsistencies.
As a brief recap, we load passwords into the service we call Pwned Passwords. When we do so, there is absolutely no association between the password and the email address it appeared next to. This is for both your protection and ours; can you imagine if HIBP was pwned? It's not beyond the realm of possibility, and the impact of exposing billions of credential pairs that can immediately unlock an untold number of accounts would be catastrophic. It's highly risky, and completely unnecessary when you can search for standalone passwords anyway without creating the risk of it being linked back to someone.
Think about it: if you have a password of "Fido123!" and you find it's been previously exposed (which it has), it doesn't matter if it was exposed against your email address or someone else's; it's still a bad password because it's named after your dog followed by a very predictable pattern. If you have a genuinely strong password and it's in Pwned Passwords, then you can walk away with some confidence that it really was yours. Either way, you shouldn't ever use that password again anywhere, and Pwned Passwords has done its job.
Checking the service is easy, anonymous and depending on your level of technical comfort, can be done in several different ways. Here's a copy and paste from the last Synthient blog post:
My vested interest in 1Password aside, Watchtower is the easiest, fastest way to understand your potential exposure in this incident. And in case you're wondering why I have so many vulnerable and reused passwords, it's a combination of the test accounts I've saved over the years and the 4-digit PINs some services force you to use. Would you believe that every single 4-digit number ever has been pwned?! (If you're interested, the ABC has a fantastic infographic using a heatmap based on HIBP data that shows some very predictable patterns for 4-digit PINs.)
It pains me to say it, but I have to, given the way the stealer logs made ridiculous, completely false headlines a couple of weeks ago:
This story has suddenly gained *way* more traction in recent hours, and something I thought was obvious needs clarifying: this *is not* a Gmail leak, it simply has the credentials of victims infected with malware, and Gmail is the dominant email provider: https://t.co/S75hF4T1es
— Troy Hunt (@troyhunt) October 27, 2025
There are 32 million different email domains in this latest corpus, of which gmail.com is one. It is, of course, the largest and has 394 million unique email addresses on it. In other words, 80% of the data in this corpus has absolutely nothing to do with Gmail, and the 20% of Gmail addresses have absolutely nothing to do with any sort of security vulnerability on Google's behalf. There - now let reporting sanity prevail!
I wanted to add this just to highlight how painful it has been to deal with this data. This corpus is nearly 3 times the size of the previous largest breach we'd loaded, and HIBP is many times larger than it was in 2019 when we loaded the Collection #1 data. Taking 2 billion records and adding the ones we hadn't already seen in the existing 15 billion corpus, whilst not adversely impacting the live system serving millions of visitors a day, was very non-trivial. Managing the nuances of SQL Server indexes such that we could optimise both inserts and queries is not my idea of fun, and it's been a pretty hard couple of weeks if I'm honest. It's also been a very expensive period as we turned the cloud up to 11 (we run on Azure SQL Hyperscale, which we maxed out at 80 cores for almost two weeks).
A simple example of the challenge is that after loading all the email addresses up into a staging table, we needed to create SHA1 hashes of each. Normally, that would involve something to the effect of "update table set column = sha1(email)" and you're done. That crashed completely, so we ended up doing "insert into new table select email, sha1(email)". But on other occasions the breach load required us to do updates on other columns (with no hash creation), which, on mulitple occasions, we had to kill after a day or more of execution with no end in sight. So, we ended up batching in loops (usually 1M records at a time), reporting on progress along the way so we had some idea of when it would actually finish. It was a painful process of trial, waiting ages, error then taking a completely different approach.
Notifying our subscribers is another problem. We have 5.9 million of them, and 2.9 million are in this data 🫨 Simply sending that many emails at once is hard. It's not so much hard in terms of firing them off, rather it's hard in terms of not ending up on a reputation naughty list or having mail throttled by the receiving server. That's happened many times in the past when loading large, albeit much smaller corpuses; Gmail, for example, suddenly sees a massive spike and slows down the delivery to inboxes. Not such a biggy for sending breach notices, but a major problem for people trying to sign into their dashboard who can no longer receive the email with the "magic" link.
What we've done to address that for this incident is to slow down the delivery of emails for the individual breach notification. Whilst I'd originally intended to send the emails at a constant rate over the period of a week, someone listening to me on my Friday live stream had a much better suggestion:
the strategy I've found to best work with large email delivery is to look at the average number of emails you've sent over the last 30 days each time you want to ramp up, and then increase that volume by around 50% per day until you've worked your way through the queue
Which makes a lot of sense, and stacked up as I did more research (thanks Joe!). So, here's what our planned delivery schedule now looks like:
That's broken down by hour, increasing in volume by 1.015 times per hour, such that the emails are spread out in a similar, gradually increasing cadence. On a daily basis, that works out at a 45% increase in each 24-hour period, within Joe's suggested 50% threshold. Plus, we obviously have all the other mechanisms such as a dedicated IP, properly configured DKIM, DMARC and SPF, only emailing double-opted-in subscribers and spam-friendly message body construction. So, it could be days before you receive a notification, or just run a haveibeenpwned.com search on demand if you're impatient.
We've sent all the domain notification emails instantly because, by definition, they're going to a very wide range of different mail servers; it's just the individual ones we're drop-feeding.
Lastly, if you've integrated Pwned Passwords into your service, you'll now see noticeably larger response sizes. The numbers I mentioned in the opening paragraph increase the size of each hash range by an average of about 50%, which will push responses from about 26kb to 40kb. That's when brotli compressed, so obviously, make sure you're making requests that make the most of the compression.
This data is now searchable in HIBP as the Synthient Credential Stuffing Threat Data. It's an entirely separate corpus from that previous Synthient data I mentioned earlier; they're discrete datasets with some crossover, but obviously, this one is significantly larger. And, of course, all the passwords are now searchable per the Pwned Passwords guidance above.
If I could close with one request: this was an extremely laborious, time-consuming and expensive exercise for us to complete. We've done our best to verify the integrity of the data and make it searchable in a practical way while remaining as privacy-centric as possible. Sending as many notifications as we have will inevitably lead to a barrage of responses from people wanting access to complete rows of data, grilling us on precisely where it was obtained from or, believe it or not, outright abusing us. Not doing those things would be awesome, and I suggest instead putting the energy into getting a password manager, making passwords strong and unique (or even better, using passkeys where available), and turning on multi-factor auth. That would be an awesome outcome for all 😊
For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisuru’s overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company’s domain name system (DNS) service.
The #1 and #3 positions in this chart are Aisuru botnet controllers with their full domain names redacted. Source: radar.cloudflare.com.
Aisuru is a rapidly growing botnet comprising hundreds of thousands of hacked Internet of Things (IoT) devices, such as poorly secured Internet routers and security cameras. The botnet has increased in size and firepower significantly since its debut in 2024, demonstrating the ability to launch record distributed denial-of-service (DDoS) attacks nearing 30 terabits of data per second.
Until recently, Aisuru’s malicious code instructed all infected systems to use DNS servers from Google — specifically, the servers at 8.8.8.8. But in early October, Aisuru switched to invoking Cloudflare’s main DNS server — 1.1.1.1 — and over the past week domains used by Aisuru to control infected systems started populating Cloudflare’s top domain rankings.
As screenshots of Aisuru domains claiming two of the Top 10 positions ping-ponged across social media, many feared this was yet another sign that an already untamable botnet was running completely amok. One Aisuru botnet domain that sat prominently for days at #1 on the list was someone’s street address in Massachusetts followed by “.com”. Other Aisuru domains mimicked those belonging to major cloud providers.
Cloudflare tried to address these security, brand confusion and privacy concerns by partially redacting the malicious domains, and adding a warning at the top of its rankings:
“Note that the top 100 domains and trending domains lists include domains with organic activity as well as domains with emerging malicious behavior.”
Cloudflare CEO Matthew Prince told KrebsOnSecurity the company’s domain ranking system is fairly simplistic, and that it merely measures the volume of DNS queries to 1.1.1.1.
“The attacker is just generating a ton of requests, maybe to influence the ranking but also to attack our DNS service,” Prince said, adding that Cloudflare has heard reports of other large public DNS services seeing similar uptick in attacks. “We’re fixing the ranking to make it smarter. And, in the meantime, redacting any sites we classify as malware.”
Renee Burton, vice president of threat intel at the DNS security firm Infoblox, said many people erroneously assumed that the skewed Cloudflare domain rankings meant there were more bot-infected devices than there were regular devices querying sites like Google and Apple and Microsoft.
“Cloudflare’s documentation is clear — they know that when it comes to ranking domains you have to make choices on how to normalize things,” Burton wrote on LinkedIn. “There are many aspects that are simply out of your control. Why is it hard? Because reasons. TTL values, caching, prefetching, architecture, load balancing. Things that have shared control between the domain owner and everything in between.”
Alex Greenland is CEO of the anti-phishing and security firm Epi. Greenland said he understands the technical reason why Aisuru botnet domains are showing up in Cloudflare’s rankings (those rankings are based on DNS query volume, not actual web visits). But he said they’re still not meant to be there.
“It’s a failure on Cloudflare’s part, and reveals a compromise of the trust and integrity of their rankings,” he said.
Greenland said Cloudflare planned for its Domain Rankings to list the most popular domains as used by human users, and it was never meant to be a raw calculation of query frequency or traffic volume going through their 1.1.1.1 DNS resolver.
“They spelled out how their popularity algorithm is designed to reflect real human use and exclude automated traffic (they said they’re good at this),” Greenland wrote on LinkedIn. “So something has evidently gone wrong internally. We should have two rankings: one representing trust and real human use, and another derived from raw DNS volume.”
Why might it be a good idea to wholly separate malicious domains from the list? Greenland notes that Cloudflare Domain Rankings see widespread use for trust and safety determination, by browsers, DNS resolvers, safe browsing APIs and things like TRANCO.
“TRANCO is a respected open source list of the top million domains, and Cloudflare Radar is one of their five data providers,” he continued. “So there can be serious knock-on effects when a malicious domain features in Cloudflare’s top 10/100/1000/million. To many people and systems, the top 10 and 100 are naively considered safe and trusted, even though algorithmically-defined top-N lists will always be somewhat crude.”
Over this past week, Cloudflare started redacting portions of the malicious Aisuru domains from its Top Domains list, leaving only their domain suffix visible. Sometime in the past 24 hours, Cloudflare appears to have begun hiding the malicious Aisuru domains entirely from the web version of that list. However, downloading a spreadsheet of the current Top 200 domains from Cloudflare Radar shows an Aisuru domain still at the very top.
According to Cloudflare’s website, the majority of DNS queries to the top Aisuru domains — nearly 52 percent — originated from the United States. This tracks with my reporting from early October, which found Aisuru was drawing most of its firepower from IoT devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon.
Experts tracking Aisuru say the botnet relies on well more than a hundred control servers, and that for the moment at least most of those domains are registered in the .su top-level domain (TLD). Dot-su is the TLD assigned to the former Soviet Union (.su’s Wikipedia page says the TLD was created just 15 months before the fall of the Berlin wall).
A Cloudflare blog post from October 27 found that .su had the highest “DNS magnitude” of any TLD, referring to a metric estimating the popularity of a TLD based on the number of unique networks querying Cloudflare’s 1.1.1.1 resolver. The report concluded that the top .su hostnames were associated with a popular online world-building game, and that more than half of the queries for that TLD came from the United States, Brazil and Germany [it’s worth noting that servers for the world-building game Minecraft were some of Aisuru’s most frequent targets].
A simple and crude way to detect Aisuru bot activity on a network may be to set an alert on any systems attempting to contact domains ending in .su. This TLD is frequently abused for cybercrime and by cybercrime forums and services, and blocking access to it entirely is unlikely to raise any legitimate complaints.
Football season is in full swing — tailgates, rivalries, fantasy leagues, and Sunday afternoons glued to the screen. Alongside the highlights and heartbreaks, there’s another game playing out online: the rush to place bets.
Every break in the action brings another sportsbook promo — risk-free wagers, bonus bets, exclusive odds — flooding your feed and inbox. But what you don’t see between the ads and sponsorships is how much money is really in play, or how scammers have joined the lineup.
Last year, legally licensed online and retail sportsbooks took nearly $150 billion in bets, a 22.2% jump from 2023 according to the American Gaming Association. And with so much of that money flowing through apps and websites, scammers are finding creative new ways to cash in.
They’re setting up fake betting sites, phishing for logins, and spinning up unlicensed offshore platforms that operate without oversight. Even self-proclaimed “insider tipsters” are pitching guaranteed wins that never exist.
If sports betting is legal in your state and you’re planning to make some wagers this season, here’s how to keep your money — and your data — safe.
Since a U.S. Supreme Court ruling in 2018, individual states can determine their own laws for sports betting. Soon after, sports betting became legal in waves. In all, 39 states and Washington D.C. currently offer sports betting through licensed retail locations. Of them, 31 further offer legal sports betting through licensed online apps and websites. The map below offers a quick view as to how all that plays out.
Image from https://sportsdata.usatoday.com/legality-map
Even as online sportsbooks must be licensed to operate legally, be aware that the terms and conditions they operate under vary from service to service. Per the Better Business Bureau (BBB), that calls for closely reading their fine print. For one, you might come across language that says the company can “restrict a user’s activity,” meaning that they can freeze accounts and the funds associated with them based on their terms and conditions. Also, the BBB cautions people about those promo offers that are often heavily advertised, because “like any sales pitch, these can be deceptive.”
Fake betting sites
This form of scam follows the same playbook scammers use for all kinds of bogus sites in general. They cook up a copycat site that looks like a legitimate betting site, create a web address that looks like it could be legitimate, and then flood the web with sponsored search results, ads, and social media posts to drive traffic to them. From there, scammers capture payment info and take bogus bets that they never pay out on. Once the site gets discovered as a scam, they pull it down and spin up other scam sites. With the aid of AI tools to help with the process, scammers can turn around scam sites quickly.
Sports app phishing scams
Scammers piggyback on legitimate betting apps and sites another way. They’ll create phony customer support sites that they promote online, with the addition of scam texts and emails to lure in victims. Under the guise of support, they gain a victim’s login info, hack the account, and clean out the victim’s cash.
Unlicensed offshore platforms
These form a gray area when it comes to scams. Some of these offshore platforms, while unlicensed, are legitimate to varying degrees. What makes them dangerous is that they have no regulatory oversight, which means they can do things like charge hidden costs, lock accounts, and refuse payment without users having any way to dispute those actions. Some of these platforms might have suspect security measures as well, which could lead to account hacks. And of course, some of these offshore platforms are simply fake betting sites, as mentioned above.
Handicapper scams
Earlier this year, the BBB shared word of a growing scam where self-proclaimed experts with “insider information to place sure-thing bets” reach out to victims via email and social media posts. Per the BBB, “A handicapper’s goal isn’t to win bets for their members, it’s to get people to buy their picks. Once you’ve purchased their picks, the handicapper has already won. It doesn’t matter if the pick wins or loses, the handicapper keeps the payment.”
Of course, that “insider info” is entirely fake. It’s all just a smokescreen to draw in victims.
1) Stick with legitimate betting sites and apps. Use only legal, regulated sportsbooks when you place a bet.
If you’re a sports fan, you probably know the names, like BetMGM, DraftKings, FanDuel, bet365 and Fanatics Sportsbook. In addition, check out the organization’s BBB listing at BBB.org. Here you can get a snapshot of customer ratings, complaints registered against the organization, and the organization’s response to the complaints, along with its BBB rating, if it has one.
2) Use a secure payment method other than your debit card. Credit cards are a good way to go when buying, or betting, online.
One reason why is the Fair Credit Billing Act, which offers protection against fraudulent charges on credit cards by giving you the right to dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Your credit card companies may have its own policies that improve upon the Fair Credit Billing Act as well. Debit cards don’t get the same protection under the Act.
3) Protect yourself from fake betting sites and bogus offers.
You can steer clear from all kinds of fake sites and bogus offers with the combination of our Web Protection and Scam Detector, found in our McAfee+ plans. They’ll alert you if a link might take you to a sketchy site, and they’ll block those sites if you accidentally tap or click on a bad link.
In addition to the latest virus, malware, spyware, and ransomware protection, it also includes strong password protection by generating and automatically storing complex passwords to keep your winnings and payment info safer from hackers and crooks.
If gambling is a problem for you or someone you know, you can seek assistance from a qualified service or professional. Several states have their own helplines, and nationally you can reach out to resources like http://www.gamblersanonymous.org/ or https://www.ncpgambling.org/help-treatment/.
The post Kickoffs and Rip-offs—Watch Out for Online Betting Scams This Football Season appeared first on McAfee Blog.
A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned.
Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, Ukraine, was previously referenced in U.S. federal charging documents only by his online handle “MrICQ.” According to a 13-year-old indictment (PDF) filed by prosecutors in Nebraska, MrICQ was a developer for a cybercrime group known as “Jabber Zeus.”
Image: lockedup dot wtf.
The Jabber Zeus name is derived from the malware they used — a custom version of the ZeuS banking trojan — that stole banking login credentials and would send the group a Jabber instant message each time a new victim entered a one-time passcode at a financial institution website. The gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently intercept any data that victims submit in a web-based form.
Once inside a victim company’s accounts, the Jabber Zeus crew would modify the firm’s payroll to add dozens of “money mules,” people recruited through elaborate work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfers to other mules in Ukraine and the United Kingdom.
The 2012 indictment targeting the Jabber Zeus crew named MrICQ as “John Doe #3,” and said this person handled incoming notifications of newly compromised victims. The Department of Justice (DOJ) said MrICQ also helped the group launder the proceeds of their heists through electronic currency exchange services.
Two sources familiar with the Jabber Zeus investigation said Rybtsov was arrested in Italy, although the exact date and circumstances of his arrest remain unclear. A summary of recent decisions (PDF) published by the Italian Supreme Court states that in April 2025, Rybtsov lost a final appeal to avoid extradition to the United States.
According to the mugshot website lockedup[.]wtf, Rybtsov arrived in Nebraska on October 9, and was being held under an arrest warrant from the U.S. Federal Bureau of Investigation (FBI).
The data breach tracking service Constella Intelligence found breached records from the business profiling site bvdinfo[.]com showing that a 41-year-old Yuriy Igorevich Rybtsov worked in a building at 59 Barnaulska St. in Donetsk. Further searching on this address in Constella finds the same apartment building was shared by a business registered to Vyacheslav “Tank” Penchukov, the leader of the Jabber Zeus crew in Ukraine.
Vyacheslav “Tank” Penchukov, seen here performing as “DJ Slava Rich” in Ukraine, in an undated photo from social media.
Penchukov was arrested in 2022 while traveling to meet his wife in Switzerland. Last year, a federal court in Nebraska sentenced Penchukov to 18 years in prison and ordered him to pay more than $73 million in restitution.
Lawrence Baldwin is founder of myNetWatchman, a threat intelligence company based in Georgia that began tracking and disrupting the Jabber Zeus gang in 2009. myNetWatchman had secretly gained access to the Jabber chat server used by the Ukrainian hackers, allowing Baldwin to eavesdrop on the daily conversations between MrICQ and other Jabber Zeus members.
Baldwin shared those real-time chat records with multiple state and federal law enforcement agencies, and with this reporter. Between 2010 and 2013, I spent several hours each day alerting small businesses across the country that their payroll accounts were about to be drained by these cybercriminals.
Those notifications, and Baldwin’s tireless efforts, saved countless would-be victims a great deal of money. In most cases, however, we were already too late. Nevertheless, the pilfered Jabber Zeus group chats provided the basis for dozens of stories published here about small businesses fighting their banks in court over six- and seven-figure financial losses.
Baldwin said the Jabber Zeus crew was far ahead of its peers in several respects. For starters, their intercepted chats showed they worked to create a highly customized botnet directly with the author of the original Zeus Trojan — Evgeniy Mikhailovich Bogachev, a Russian man who has long been on the FBI’s “Most Wanted” list. The feds have a standing $3 million reward for information leading to Bogachev’s arrest.
Evgeniy M. Bogachev, in undated photos.
The core innovation of Jabber Zeus was an alert that MrICQ would receive each time a new victim entered a one-time password code into a phishing page mimicking their financial institution. The gang’s internal name for this component was “Leprechaun,” (the video below from myNetWatchman shows it in action). Jabber Zeus would actually re-write the HTML code as displayed in the victim’s browser, allowing them to intercept any passcodes sent by the victim’s bank for multi-factor authentication.
“These guys had compromised such a large number of victims that they were getting buried in a tsunami of stolen banking credentials,” Baldwin told KrebsOnSecurity. “But the whole point of Leprechaun was to isolate the highest-value credentials — the commercial bank accounts with two-factor authentication turned on. They knew these were far juicier targets because they clearly had a lot more money to protect.”
Baldwin said the Jabber Zeus trojan also included a custom “backconnect” component that allowed the hackers to relay their bank account takeovers through the victim’s own infected PC.
“The Jabber Zeus crew were literally connecting to the victim’s bank account from the victim’s IP address, or from the remote control function and by fully emulating the device,” he said. “That trojan was like a hot knife through butter of what everyone thought was state-of-the-art secure online banking at the time.”
Although the Jabber Zeus crew was in direct contact with the Zeus author, the chats intercepted by myNetWatchman show Bogachev frequently ignored the group’s pleas for help. The government says the real leader of the Jabber Zeus crew was Maksim Yakubets, a 38-year Ukrainian man with Russian citizenship who went by the hacker handle “Aqua.”
Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI
The Jabber chats intercepted by Baldwin show that Aqua interacted almost daily with MrICQ, Tank and other members of the hacking team, often facilitating the group’s money mule and cashout activities remotely from Russia.
The government says Yakubets/Aqua would later emerge as the leader of an elite cybercrime ring of at least 17 hackers that referred to themselves internally as “Evil Corp.” Members of Evil Corp developed and used the Dridex (a.k.a. Bugat) trojan, which helped them siphon more than $100 million from hundreds of victim companies in the United States and Europe.
This 2019 story about the government’s $5 million bounty for information leading to Yakubets’s arrest includes excerpts of conversations between Aqua, Tank, Bogachev and other Jabber Zeus crew members discussing stories I’d written about their victims. Both Baldwin and I were interviewed at length for a new weekly six-part podcast by the BBC that delves deep into the history of Evil Corp. Episode One focuses on the evolution of Zeus, while the second episode centers on an investigation into the group by former FBI agent Jim Craig.
Image: https://www.bbc.co.uk/programmes/w3ct89y8
Article tags
Your digital life is being stitched together—one purchase, one search, one swipe at a time.
Data brokers collect and combine fragments of your personal information to build detailed profiles they can sell to advertisers, employers, and anyone willing to pay.
While you can request that these brokers delete your data, many make it almost impossible to do so.
A joint investigation by CalMatters and The Markup found that 35 data brokers had intentionally hidden their opt-out pages from search results, making it harder for people to remove their information.
The result: a patchwork version of you exists online—a Frankenstein of your data, stitched together without your consent.
Moreover, practically anyone can purchase this sensitive info. That ranges from advertisers to law enforcement and from employers to anyone on the street who wants to know a lot more about you.
Here’s what’s happening, and what you can do about it.
As part of the article, reporters analyzed 499 data broker sites registered in the state of California. Of them, 35 had search-blocking code. Additionally per the article, many opt out pages “required scrolling multiple screens, dismissing pop-ups for cookie permissions, and newsletter sign-ups and then finding a link that was a fraction the size of other text on the page.”[i]
Once the publications contacted the data brokers in question, multiple companies halted the practice, some responding that they were unaware their site had search-blocking code. Several others didn’t respond by the time the article was published and kept their practices in place.
There are several ways information brokers can get your info about you …
Sources available to the public: Some of your personal records are easily available to the public. Data brokers can collect public records like your voter registration records, birth certificate, criminal record, and even bankruptcy records. By rounding them up from multiple sources and gathering them in one place, it takes someone seconds to find out all these things about you, rather than spending hours poring over public records.
Search, browsing, and app usage: Through a combination of data collected from internet service providers (ISPs), websites, and apps, data brokers can get access to all kinds of activity. They can see what content you’re interested in, how much time you spend on certain sites, and even your daily travels thanks to location data. They also use web scraping tools (software that pulls info from the web), to gather yet more. All this data collecting makes up a multi-billion-dollar industry where personal data is gathered, analyzed, sold, and then sold again and again—all without a person’s knowledge.
Online agreements: As it is with smartphone apps, you’ll usually have to sign an agreement when signing up for a new online service. Many of these agreements have disclosures in the fine print that give the company the right to collect and distribute your personal info.
Purchase history: Data brokers want to know what products or services you’ve purchased, how you paid for them (credit card, debit card, or coupon), and when and where you purchased them. In some cases, they get this info from loyalty programs at places like supermarkets, drugstores, and other retailers. Kroger, one of the largest grocery chains, is a good example of how purchasing insights end up in the hands of others. According to Consumer Reports, the company draws 35% of its net income from selling customer data to other companies.
For starters, there aren’t any data privacy laws on the federal level. That, so far, has fallen to individual states to enact. As such, data privacy laws vary from state-to-state, with California having some of the earliest and strongest protections on record, via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
In all, 20 states currently have comprehensive privacy laws in place, with five others that have put narrower privacy protections in place, covering data brokers, internet service providers, and medical/biometric data.
States with Comprehensive Data Privacy Laws
| · California
· Virginia · Colorado · Connecticut · Utah · Iowa · Indiana · Tennessee · Texas |
· Florida
· Montana · Oregon · Delaware · New Hampshire · New Jersey · Kentucky · Nebraska · Rhode Island |
For specific laws in your state and how they can protect you, we suggest doing a search for “data privacy laws [your state]” for more info.
Even if your state has no or narrow data privacy laws in place, you still have several ways you can take back your privacy.
The first thing you can do is keep a lower profile online. That can limit the amount of personal info they can get their hands on:
The list of data brokers is long. Cleaning up your personal data online can quickly eat up your time, as it requires you to reach out to multiple data brokers and opt out.
Rather than removing yourself one-by-one from the host of data broker sites out there, you have a solution: our Personal Data Cleanup.
Personal Data Cleanup scans data broker and people search sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites. And if you want to save time on manually removing that info, you have options. Our McAfee+ Advanced and Ultimate plans come with full-service Personal Data Cleanup, which sends requests to remove your data automatically.
If the thought of your personal info getting bought and sold in such a public way bothers you, our Personal Data Cleanup can put you back in charge of it.
The post Frankenstein Data: How Data Brokers Stitch Together—and Sell—Your Digital Self appeared first on McAfee Blog.
They’re not hiding in dark alleys—they’re hiding in plain sight. Airports, cafés, hotels, even libraries can harbor dangerous Vampire Wi-Fi networks.
These vampires pass themselves off as legitimate public Wi-Fi hotspots, using names that look innocent enough, such as “FREE_WIFI” and “AT&T_FREE_WIFI”. These can potentially be “evil twin networks,” they often mimic the name of the airport you’re in, or the place where you’re grabbing a quick coffee and some laptop time while you’re on the road. In fact, when you connect to a vampire or evil twin network, you’re connecting to a hacker.
These networks are relatively easy to set up. With just a few hundred dollars of gear, attackers can set up these digital bloodsuckers anywhere. The moment you log on, they begin feeding on your data, using tools called packet sniffers to capture and analyze every bit you send.
So say you’re on the road and log into one of these networks, a hacker on the network can see what you’re connecting to and what data you’re passing along. Your credit card number while you shop. Your password when you bank. That confidential contract you just sent to a client. And your email password when your app regularly checks for mail every few minutes or so.
What tools let hackers snoop? Network analyzers, or packet sniffers as many call them. A bad actor can gather up data with a packet sniffer, analyze it, and pluck out the sensitive bits of info that are of value. Before you know it, you’re a victim of identity theft.
Another common vampire Wi-Fi ploy is to set up a phony login screen that asks for a username and password, often for popular online services like Google and Apple. In this case, the hacker gets the keys to all the personal info, apps, files, and financial info connected to them.
Hackers typically take lengths to make these networks look legitimate, but they may give off signs:
Still, even with some of these flags, they can be tough to spot. And that’s a reason why our mobile security apps for iOS and Android analyze Wi-Fi networks before you connect to them—letting you know if a connection is Safe, Risky, or altogether Unsafe.
Your best bet when using any public Wi-Fi at all is to use a VPN.
A VPN is an app that you install on your device to help keep your data safe as you browse the internet. With your VPN on, your device makes a secure connection to a VPN server that routes internet traffic through an encrypted “tunnel.” This keeps your online activity private on any network, shielding it from prying eyes.
While you’re on a VPN, you can browse and bank with the confidence that your passwords, credentials, and financial info are secure. If a hacker attempts to intercept your web traffic, they’ll only see garbled content, thanks to your VPN’s encryption functionality.
With that, choosing a secure and trustworthy VPN provider is a must. A VPN like ours has both your security and privacy in mind. In a VPN, look for:
Not every VPN offers these features. Selecting one that does gives you the protection you want paired with the privacy you want. You’ll find them all in our VPN, which is also included as part of our McAfee+ plans.
Several other straightforward steps can keep you safer from vampire and evil twin Wi-Fi—and safer while using public Wi-Fi in general:
Vampire Wi-Fi networks aren’t going anywhere. Hackers will keep setting up these traps because they work. People see “free Wi-Fi” and click without thinking twice. But now you know better. You’ve got the tools to spot the red flags, the habits to stay protected, and most importantly, you understand why a quality VPN isn’t optional anymore—it’s essential.
McAfee+ gives you everything we’ve talked about: bank-level encryption, zero-logging policies, independent security audits, and that smart auto-connect feature that kicks in when you need it most. Plus, unlimited data across all your devices, because who has time to ration their security?
Your personal information is worth protecting. Your financial data, your work files, your private conversations, they’re all valuable to the wrong people. Don’t hand them over just because someone dangled “free Wi-Fi” in front of you.
Ready to stop gambling with your data? Get comprehensive protection with McAfee+ and never worry about vampire networks again.
The post Vampire Wifi: How Public Wi-Fi Traps Travelers in Cyber Attacks appeared first on McAfee Blog.
Remember that website where you bought a T-shirt in 2013? No?
Hackers do. And it’s one way they can steal your personal info.
Consider this website, and other forgotten sites like it, an example of a “Ghost Account,” a place where one of your long-unused logins lives on and puts your identity at risk.
Ghosts aside, old accounts like these are very real.
Think of all the times you’ve created a one-off account to make a single purchase, take an online quiz, or get more information about an event or a sale. For all the accounts you remember, there are plenty more you’ve probably completely forgotten about.
Even as estimates vary, it’s likely the average person has somewhere between 100 to 200 online accounts, where varying degrees of their personal and financial info are stored.
And all those accounts add up to plenty of exposure. Those companies still have your address, payment information, and other personal details in their system.
In a time where data breaches of varying sizes hack 3.5 million accounts on average each day, the odds of an old account of yours getting compromised are higher than you may realize. The more places your info resides, the more exposure to risk you have, namely data breaches, which can quickly lead to identity theft and fraud.
Compounding the problem is human nature. People tend to reuse passwords, or use highly similar passwords, all in an effort to maintain some degree of sanity across all the accounts they’re juggling. Hackers love that too. With one password in hand, they potentially get the keys to several other accounts, also with varying levels of personal and financial info, which (again) can lead to identity theft and fraud.
Our Online Account Cleanup can do the work for you, which you can find in all our McAfee+ plans.
It finds and deletes old accounts to reduce your risk of data exposure. In our McAfee+ Ultimate plans, you get full-service Online Account Cleanup, which sends the data deletion requests for you.
With each scan, you get an all-up view of accounts in your name. From there, it shows which are riskiest to keep, along with a look at what personal info is typically included in those accounts, which helps you decide what you’d like to keep and what you’d like to delete. Again, with McAfee+ Ultimate, you can request to delete accounts with a single click.
And because you add accounts and passwords from time to time, Online Account Cleanup gives you a monthly report. That way, you can keep tabs on your ever-evolving list of accounts and delete any you don’t want over time.
Yes, with all those accounts come passwords. While you’re cleaning up your old accounts, you can better protect the ones you keep with our Password Manager. It’s a simple and highly secure way you can create strong, unique passwords for each and every one of your accounts. That offers you yet one more line of defense against data breaches, because hackers know so many people reuse their passwords.
Lastly, it’s convenient. You only need to remember one password. Our password manager securely stores all your passwords, where one primary password grants access to them all.
Whether it’s for an old online gaming account, a streaming service you never use anymore, or a login for a doctor’s office you don’t visit anymore, delete it. The less personal and financial info you have sitting in a database somewhere is less info a hacker can steal and use to commit identity theft or fraud.
We all have our “ghosts” floating around online, and today you have an easy way to get rid of them for good.
The post Ghost Accounts: How Old, Forgotten Logins Put You at Risk for Identity Theft appeared first on McAfee Blog.
Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.
First identified in August 2024, Aisuru has spread to at least 700,000 IoT systems, such as poorly secured Internet routers and security cameras. Aisuru’s overlords have used their massive botnet to clobber targets with headline-grabbing DDoS attacks, flooding targeted hosts with blasts of junk requests from all infected systems simultaneously.
In June, Aisuru hit KrebsOnSecurity.com with a DDoS clocking at 6.3 terabits per second — the biggest attack that Google had ever mitigated at the time. In the weeks and months that followed, Aisuru’s operators demonstrated DDoS capabilities of nearly 30 terabits of data per second — well beyond the attack mitigation capabilities of most Internet destinations.
These digital sieges have been particularly disruptive this year for U.S.-based Internet service providers (ISPs), in part because Aisuru recently succeeded in taking over a large number of IoT devices in the United States. And when Aisuru launches attacks, the volume of outgoing traffic from infected systems on these ISPs is often so high that it can disrupt or degrade Internet service for adjacent (non-botted) customers of the ISPs.
“Multiple broadband access network operators have experienced significant operational impact due to outbound DDoS attacks in excess of 1.5Tb/sec launched from Aisuru botnet nodes residing on end-customer premises,” wrote Roland Dobbins, principal engineer at Netscout, in a recent executive summary on Aisuru. “Outbound/crossbound attack traffic exceeding 1Tb/sec from compromised customer premise equipment (CPE) devices has caused significant disruption to wireline and wireless broadband access networks. High-throughput attacks have caused chassis-based router line card failures.”
The incessant attacks from Aisuru have caught the attention of federal authorities in the United States and Europe (many of Aisuru’s victims are customers of ISPs and hosting providers based in Europe). Quite recently, some of the world’s largest ISPs have started informally sharing block lists identifying the rapidly shifting locations of the servers that the attackers use to control the activities of the botnet.
Experts say the Aisuru botmasters recently updated their malware so that compromised devices can more easily be rented to so-called “residential proxy” providers. These proxy services allow paying customers to route their Internet communications through someone else’s device, providing anonymity and the ability to appear as a regular Internet user in almost any major city worldwide.
From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence. But they are massively abused for hiding cybercrime activity (think advertising fraud, credential stuffing) because they can make it difficult to trace malicious traffic to its original source.
And as we’ll see in a moment, this entire shadowy industry appears to be shifting its focus toward enabling aggressive content scraping activity that continuously feeds raw data into large language models (LLMs) built to support various AI projects.
Riley Kilmer is co-founder of spur.us, a service that tracks proxy networks. Kilmer said all of the top proxy services have grown substantially over the past six months.
“I just checked, and in the last 90 days we’ve seen 250 million unique residential proxy IPs,” Kilmer said. “That is insane. That is so high of a number, it’s unheard of. These proxies are absolutely everywhere now.”
Today, Spur says it is tracking an unprecedented spike in available proxies across all providers, including;
LUMINATI_PROXY 11,856,421
NETNUT_PROXY 10,982,458
ABCPROXY_PROXY 9,294,419
OXYLABS_PROXY 6,754,790
IPIDEA_PROXY 3,209,313
EARNFM_PROXY 2,659,913
NODEMAVEN_PROXY 2,627,851
INFATICA_PROXY 2,335,194
IPROYAL_PROXY 2,032,027
YILU_PROXY 1,549,155
Reached for comment about the apparent rapid growth in their proxy network, Oxylabs (#4 on Spur’s list) said while their proxy pool did grow recently, it did so at nowhere near the rate cited by Spur.
“We don’t systematically track other providers’ figures, and we’re not aware of any instances of 10× or 100× growth, especially when it comes to a few bigger companies that are legitimate businesses,” the company said in a written statement.
Bright Data was formerly known as Luminati Networks, the name that is currently at the top of Spur’s list of the biggest residential proxy networks. Bright Data likewise told KrebsOnSecurity that Spur’s current estimates of its proxy network are dramatically overstated and inaccurate.
“We did not actively initiate nor do we see any 10x or 100x expansion of our network, which leads me to believe that someone might be presenting these IPs as Bright Data’s in some way,” said Rony Shalit, Bright Data’s chief compliance and ethics officer. “In many cases in the past, due to us being the leading data collection proxy provider, IPs were falsely tagged as being part of our network, or while being used by other proxy providers for malicious activity.”
“Our network is only sourced from verified IP providers and a robust opt-in only residential peers, which we work hard and in complete transparency to obtain,” Shalit continued. “Every DC, ISP or SDK partner is reviewed and approved, and every residential peer must actively opt in to be part of our network.”
Even Spur acknowledges that Luminati and Oxylabs are unlike most other proxy services on their top proxy providers list, in that these providers actually adhere to “know-your-customer” policies, such as requiring video calls with all customers, and strictly blocking customers from reselling access.
Benjamin Brundage is founder of Synthient, a startup that helps companies detect proxy networks. Brundage said if there is increasing confusion around which proxy networks are the most worrisome, it’s because nearly all of these lesser-known proxy services have evolved into highly incestuous bandwidth resellers. What’s more, he said, some proxy providers do not appreciate being tracked and have been known to take aggressive steps to confuse systems that scan the Internet for residential proxy nodes.
Brundage said most proxy services today have created their own software development kit or SDK that other app developers can bundle with their code to earn revenue. These SDKs quietly modify the user’s device so that some portion of their bandwidth can be used to forward traffic from proxy service customers.
“Proxy providers have pools of constantly churning IP addresses,” he said. “These IP addresses are sourced through various means, such as bandwidth-sharing apps, botnets, Android SDKs, and more. These providers will often either directly approach resellers or offer a reseller program that allows users to resell bandwidth through their platform.”
Many SDK providers say they require full consent before allowing their software to be installed on end-user devices. Still, those opt-in agreements and consent checkboxes may be little more than a formality for cybercriminals like the Aisuru botmasters, who can earn a commission each time one of their infected devices is forced to install some SDK that enables one or more of these proxy services.
Depending on its structure, a single provider may operate hundreds of different proxy pools at a time — all maintained through other means, Brundage said.
“Often, you’ll see resellers maintaining their own proxy pool in addition to an upstream provider,” he said. “It allows them to market a proxy pool to high-value clients and offer an unlimited bandwidth plan for cheap reduce their own costs.”
Some proxy providers appear to be directly in league with botmasters. Brundage identified one proxy seller that was aggressively advertising cheap and plentiful bandwidth to content scraping companies. After scanning that provider’s pool of available proxies, Brundage said he found a one-to-one match with IP addresses he’d previously mapped to the Aisuru botnet.
Brundage says that by almost any measurement, the world’s largest residential proxy service is IPidea, a China-based proxy network. IPidea is #5 on Spur’s Top 10, and Brundage said its brands include ABCProxy (#3), Roxlabs, LunaProxy, PIA S5 Proxy, PyProxy, 922Proxy, 360Proxy, IP2World, and Cherry Proxy. Spur’s Kilmer said they also track Yilu Proxy (#10) as IPidea.
Brundage said all of these providers operate under a corporate umbrella known on the cybercrime forums as “HK Network.”
“The way it works is there’s this whole reseller ecosystem, where IPidea will be incredibly aggressive and approach all these proxy providers with the offer, ‘Hey, if you guys buy bandwidth from us, we’ll give you these amazing reseller prices,'” Brundage explained. “But they’re also very aggressive in recruiting resellers for their apps.”
A graphic depicting the relationship between proxy providers that Synthient found are white labeling IPidea proxies. Image: Synthient.com.
Those apps include a range of low-cost and “free” virtual private networking (VPN) services that indeed allow users to enjoy a free VPN, but which also turn the user’s device into a traffic relay that can be rented to cybercriminals, or else parceled out to countless other proxy networks.
“They have all this bandwidth to offload,” Brundage said of IPidea and its sister networks. “And they can do it through their own platforms, or they go get resellers to do it for them by advertising on sketchy hacker forums to reach more people.”
One of IPidea’s core brands is 922S5Proxy, which is a not-so-subtle nod to the 911S5Proxy service that was hugely popular between 2015 and 2022. In July 2022, KrebsOnSecurity published a deep dive into 911S5Proxy’s origins and apparent owners in China. Less than a week later, 911S5Proxy announced it was closing down after the company’s servers were massively hacked.
That 2022 story named Yunhe Wang from Beijing as the apparent owner and/or manager of the 911S5 proxy service. In May 2024, the U.S. Department of Justice arrested Mr Wang, alleging that his network was used to steal billions of dollars from financial institutions, credit card issuers, and federal lending programs. At the same time, the U.S. Treasury Department announced sanctions against Wang and two other Chinese nationals for operating 911S5Proxy.
The website for 922Proxy.
In recent months, multiple experts who track botnet and proxy activity have shared that a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. That’s because by routing it through residential IP addresses, content scraping firms can make their traffic far trickier to filter out.
“It’s really difficult to block, because there’s a risk of blocking real people,” Spur’s Kilmer said of the LLM scraping activity that is fed through individual residential IP addresses, which are often shared by multiple customers at once.
Kilmer says the AI industry has brought a veneer of legitimacy to residential proxy business, which has heretofore mostly been associated with sketchy affiliate money making programs, automated abuse, and unwanted Internet traffic.
“Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,” Kilmer said. “Everybody wanted to monetize their own data pots, and how they monetize that is different across the board.”
Kilmer said many LLM-related scrapers rely on residential proxies in cases where the content provider has restricted access to their platform in some way, such as forcing interaction through an app, or keeping all content behind a login page with multi-factor authentication.
“Where the cost of data is out of reach — there is some exclusivity or reason they can’t access the data — they’ll turn to residential proxies so they look like a real person accessing that data,” Kilmer said of the content scraping efforts.
Aggressive AI crawlers increasingly are overloading community-maintained infrastructure, causing what amounts to persistent DDoS attacks on vital public resources. A report earlier this year from LibreNews found some open-source projects now see as much as 97 percent of their traffic originating from AI company bots, dramatically increasing bandwidth costs, service instability, and burdening already stretched-thin maintainers.
Cloudflare is now experimenting with tools that will allow content creators to charge a fee to AI crawlers to scrape their websites. The company’s “pay-per-crawl” feature is currently in a private beta, and it lets publishers set their own prices that bots must pay before scraping content.
On October 22, the social media and news network Reddit sued Oxylabs (PDF) and several other proxy providers, alleging that their systems enabled the mass-scraping of Reddit user content even though Reddit had taken steps to block such activity.
“Recognizing that Reddit denies scrapers like them access to its site, Defendants scrape the data from Google’s search results instead,” the lawsuit alleges. “They do so by masking their identities, hiding their locations, and disguising their web scrapers as regular people (among other techniques) to circumvent or bypass the security restrictions meant to stop them.”
Denas Grybauskas, chief governance and strategy officer at Oxylabs, said the company was shocked and disappointed by the lawsuit.
“Reddit has made no attempt to speak with us directly or communicate any potential concerns,” Grybauskas said in a written statement. “Oxylabs has always been and will continue to be a pioneer and an industry leader in public data collection, and it will not hesitate to defend itself against these allegations. Oxylabs’ position is that no company should claim ownership of public data that does not belong to them. It is possible that it is just an attempt to sell the same public data at an inflated price.”
As big and powerful as Aisuru may be, it is hardly the only botnet that is contributing to the overall broad availability of residential proxies. For example, on June 5 the FBI’s Internet Crime Complaint Center warned that an IoT malware threat dubbed BADBOX 2.0 had compromised millions of smart-TV boxes, digital projectors, vehicle infotainment units, picture frames, and other IoT devices.
In July, Google filed a lawsuit in New York federal court against the Badbox botnet’s alleged perpetrators. Google said the Badbox 2.0 botnet “compromised more than 10 million uncertified devices running Android’s open-source software, which lacks Google’s security protections. Cybercriminals infected these devices with pre-installed malware and exploited them to conduct large-scale ad fraud and other digital crimes.”
Brundage said the Aisuru botmasters have their own SDK, and for some reason part of its code tells many newly-infected systems to query the domain name fuckbriankrebs[.]com. This may be little more than an elaborate “screw you” to this site’s author: One of the botnet’s alleged partners goes by the handle “Forky,” and was identified in June by KrebsOnSecurity as a young man from Sao Paulo, Brazil.
Brundage noted that only systems infected with Aisuru’s Android SDK will be forced to resolve the domain. Initially, there was some discussion about whether the domain might have some utility as a “kill switch” capable of disrupting the botnet’s operations, although Brundage and others interviewed for this story say that is unlikely.
A tiny sample of the traffic after a DNS server was enabled on the newly registered domain fuckbriankrebs dot com. Each unique IP address requested its own unique subdomain. Image: Seralys.
For one thing, they said, if the domain was somehow critical to the operation of the botnet, why was it still unregistered and actively for-sale? Why indeed, we asked. Happily, the domain name was deftly snatched up last week by Philippe Caturegli, “chief hacking officer” for the security intelligence company Seralys.
Caturegli enabled a passive DNS server on that domain and within a few hours received more than 700,000 requests for unique subdomains on fuckbriankrebs[.]com.
But even with that visibility into Aisuru, it is difficult to use this domain check-in feature to measure its true size, Brundage said. After all, he said, the systems that are phoning home to the domain are only a small portion of the overall botnet.
“The bots are hardcoded to just spam lookups on the subdomains,” he said. “So anytime an infection occurs or it runs in the background, it will do one of those DNS queries.”
Caturegli briefly configured all subdomains on fuckbriankrebs dot com to display this ASCII art image to visiting systems today.
The domain fuckbriankrebs[.]com has a storied history. On its initial launch in 2009, it was used to spread malicious software by the Cutwail spam botnet. In 2011, the domain was involved in a notable DDoS against this website from a botnet powered by Russkill (a.k.a. “Dirt Jumper”).
Domaintools.com finds that in 2015, fuckbriankrebs[.]com was registered to an email address attributed to David “Abdilo” Crees, a 27-year-old Australian man sentenced in May 2025 to time served for cybercrime convictions related to the Lizard Squad hacking group.
Update, Nov. 1, 2025, 10:25 a.m. ET: An earlier version of this story erroneously cited Spur’s proxy numbers from earlier this year; Spur said those numbers conflated residential proxies — which are rotating and attached to real end-user devices — with “ISP proxies” located at AT&T. ISP proxies, Spur said, involve tricking an ISP into routing a large number of IP addresses that are resold as far more static datacenter proxies.
Article tags
Cybercriminals are turning to TikTok to spread new scams that promise “free upgrades” or access to premium versions of popular apps.
According to Bleeping Computer, scammers are posting videos that look like tech tutorials, offering so-called activation hacks for software like Windows, Adobe Premiere, or Photoshop, and even fake “premium” services for Netflix and Spotify.
But instead of unlocking anything, these videos trick people into running hidden malware on their devices. Once that happens, attackers can steal passwords, cryptocurrency wallet details, or access to social media and bank accounts.
These “ClickFix” scams, as researchers call them, are spreading quickly because they rely on trust and curiosity. The videos look legitimate. Many use the same tone and layout as real how-to tech content, but behind the scenes, they’re designed to take control of your device and your data.
The scam works because it blends the look and feel of ordinary TikTok tutorials with social proof, think comments, hashtags, and even fake success stories, that make it seem credible.
Security researchers say the same technique has been spotted in similar scams spreading via fake CAPTCHA pages and cracked game downloads. The goal is always the same: convince users to “verify,” “activate,” or “fix” something, when in reality, they’re opening the door to attackers.
McAfee Labs has been tracking a related wave of attacks using fake CAPTCHA pages and cracked download sites to deliver info-stealing malware. In both campaigns, scammers prey on everyday habits such as downloading software, clicking “I’m not a robot,” or following quick tech fixes that seem safe.
Our researchers found that these scams spread through multiple channels, including phishing emails and fake support sites, all designed to look familiar. The end result is the same: stolen credentials, compromised devices, and exposed personal information.
These patterns mirror the rise of TikTok-based scams reported by Bleeping Computer. The methods may evolve, but the psychology is the same: social engineering that turns trust into a weapon.
Scammers are getting smarter about how they reach people. They’re blending into everyday content like short-form videos, social challenges, and viral tips. Then they’re using those moments of distraction to plant malware.
Tools like McAfee’s built-in Scam Detector, included in all core plans, are designed to spot this new kind of threat early. It automatically detects scams across text, email, and video, blocks dangerous links, and even identifies AI-manipulated content like deepfakes, helping stop harm before it happens.
As scammers adapt, your best defense is awareness and technology that adapts just as fast.
The post This New “Verification” Trick Fools You Into Installing Malware appeared first on McAfee Blog.
Tracking down bugs in software is a pain that all of us who write code must bear. When we're talking about outright errors in a web page, you typically have something to get you started (such as output in the console), but that wasn't the case here:
Sure! Reboots don't help :) Here are the two error screens which show up. pic.twitter.com/w2dmZcVyHk
— Peter Vogel (@PeterVogel) July 11, 2025
That's on a Chromebook, and it's the first user report we had about the issue back in early July. The initial problem this presented is that there are not a lot of people running around with devices we could test on. But there are enough people using them that we had multiple similar reports, so we were well beyond just giving people like Peter a bit of "works on my machine", and moving on. But the "SIGILL" error means that something pretty low-level has happened and, as you can see from the screen grab, you can't exactly just pop open the dev tools and peak at what's broken in the site when it can't even load in the first place.
However, after months of making no progress whilst the occasional Chromium user popped their head up and reported exactly the same problem, the answer finally emerged:
Reading MDN docs I don't find a directive 'report-sha256', so tried only removing that, and no crash.
— Mark : 1x Software Artisan (@virullius) October 24, 2025
Uh... shouldn't a browser just ignore a directive it doesn't recognise? (And incidentally, report-sha256 is documented in CSP level 3.) But the timing was awful coincidental with when we added that exact directive, only just before people started reporting problems:
Wow, good sleuthing! The timing of when this first began aligns with this commit from @stebets. I've just dropped it, does it look ok now? Also CC'ing @Scott_Helme - you seen this before mate? Bug was logged here: https://t.co/wiKpdmSxhU pic.twitter.com/m2nsDtAMjB
— Troy Hunt (@troyhunt) October 24, 2025
Getting to the title of this post, we almost worked this out ourselves, we just didn't look at data that was right in front of our eyes. Here it is:
This is Report URI's crash report graph, and until June, we'd had a good run! Crash reports are super cool because your customers' browsers automatically generate them, and with just a little tweaking of your response headers, you can easily turn your customers into automatic crash reporting bots! Report URI's value proposition (disclosure: I have a working relationship with them) is that it can receive those reports and create graphs like you see above. We just weren't watching the reports closely enough, hence the "almost" in the title.
I wanted to write this short post because sometimes, the answer is right in front of your eyes, and if we'd looked at what in hindsight is a really obvious place to check, we would have nailed this months ago. So, turn on crash reporting, and pay attention to it!
FreshRSS