Login
Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses affect all versions of Windows, including Windows 10.
Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent. The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215. Despite the flaw’s zero-day status, Microsoft has assigned it an “important” rating rather than critical, because exploiting it requires an attacker to already have access to the target’s device.
“These types of vulnerabilities are often exploited as part of a more complex attack chain,” said Johannes Ullrich, dean of research for the SANS Technology Institute. “However, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”
Ben McCarthy, lead cybersecurity engineer at Immersive, called attention to CVE-2025-60274, a critical weakness in a core Windows graphic component (GDI+) that is used by a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.
“The patch for this should be an organization’s highest priority,” McCarthy said. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.”
Microsoft patched a critical bug in Office — CVE-2025-62199 — that can lead to remote code execution on a Windows system. Alex Vovk, CEO and co-founder of Action1, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.
Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.
Judging from the comments on last month’s Patch Tuesday post, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll, cyber incident response manager at Nightwing, notes that Microsoft has recently released an out-of-band update to address issues when trying to enroll in the Windows 10 Consumer Extended Security Update program.
“If you plan to participate in the program, make sure you update and install KB5071959 to address the enrollment issues,” Carroll said. “After that is installed, users should be able to install other updates such as today’s KB5068781 which is the latest update to Windows 10.”
Chris Goettl at Ivanti notes that in addition to Microsoft updates today, third-party updates from Adobe and Mozilla have already been released. Also, an update for Google Chrome is expected soon, which means Edge will also be in need of its own update.
The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on any updates gone awry.
As always, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.
[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]
Welcome back to another This Week in Scams.
This week, have attacks that take over Androids and iPhones, plus news that Google has gone on the offensive against phishing websites.
First up, a heads-up for iPhone owners.
In the hands of a scammer, “Find My” can quickly turn into “Scam Me.”
Switzerland’s National Cyber Security Center (NCSC) shared word this week of a new scam that turns the otherwise helpful “Find My” iOS feature into an avenue of attack.
Now, the thought of losing your phone, along with all the important and precious things you have on it, is enough to give you goosebumps. Luckily, the “Find My” can help you track it down and even post a personalized message on the lock screen to help with its return. And that’s where the scam kicks in.
From the NCSC:
When a device is marked as lost, the owner can display a message on the lock screen containing contact details, such as a phone number or email address. This can be very helpful if the finder is honest – but in dishonest hands, the same information can be used to launch a targeted phishing attack.
With that, scammers send a targeted phishing text, as seen in the sample provided by the NCSC below …
What do the scammers want once you tap that link? They request your Apple ID and password, which effectively hands your phone over to them—along with everything on it and everything else that’s associated with your Apple ID.
It’s a scam you can easily avoid. So even if you’re still stuck with a lost phone that’s likely in the hands of a scammer the point of consolation is that, without your ID, the phone is useless to them.
Ignore such messages. The most important rule is Apple will never contact you by text message or email to inform you that a lost device has been found.
Never click on links in unsolicited messages or enter your Apple ID credentials on a linked website.
If you lose your device, act immediately. Enable Lost Mode straight away via the Find My app on another device or at iCloud.com/find. This will lock the device.
Be careful about which contact details you show on your lost device’s lock screen. For example, use a dedicated email address created specifically for this purpose. Never remove the device from your Apple account, as this would disable the Activation Lock.
Make sure your SIM card is protected with a PIN. This simple yet effective measure prevents criminals from gaining access to your phone number.
Now, a different attack aimed at Android owners …
A story shared on Fox this week breaks down how a combination of paid search ads, remote access tools, and social engineering have led to hijacked Android phones.
It starts with a search, where an Android owner looks up a bank, a tech support company, or what have you. Instead of getting a legitimate result, they get a link to a bogus site via paid search results that appear above organic search results. The link, and the page it takes them to, look quite convincing, given the ease with which scammers can spin up ads and sites today. (More on that next.)
Once there, they call a support number and get connected to a phony agent. The agent convinces the victim to download an app that will help the “agent” solve their issue with their account or phone. In fact, the app is a remote access tool that gives control of the phone, and everything on it, to the scammer. That means they can steal passwords, send messages to friends, family, or anyone at all, and even go so far as to lock you out.
Basically, this scam hands over one of your most precious possessions to a scammer.
Skip paid search results for extra security. That’s particularly true when contacting your bank or other companies you’re doing business with. Look for their official website in the organic search results below paid ads. Better yet, contact places like your bank or credit card company by calling the number on the back of your card.
Get a scam detector. A combination of our Scam Detector and Web Protection can call out sketchy links, like the bogus paid links here. They’ll even block malicious sites if you accidentally tap a bad link.
Never download apps from third-party sites outside of the Google Play Store. Google has checks in place to spot malicious apps in its store.
Lastly, never give anyone access to your phone. No bank rep needs it. So if someone on a call asks you to download an app like TeamViewer, AnyDesk, or AirDroid, it’s a scam. Hang up.
Beyond that, you can protect yourself further by installing an app like our McAfee Security: Antivirus VPN. You can pick it up in the Google Play store, which also includes our Scam Detector and Identity Monitoring. You can also get it as part of your McAfee+ protection.
Just Wednesday, Google took a first step toward making the internet safer from bogus sites, per a story filed by National Public Radio.
A lawsuit alleges that a China-based company called “Lighthouse” runs a “Phishing-as-a-Service” operation that outfits scammers with quick and easy tools and templates for creating convincing-looking websites. According to Google’s general counsel, these sites could “compromise between 12.7 and 115 million credit cards in the U.S. alone.”
The suit was filed in the U.S. District Court in the Southern District of New York, which, of course, has no jurisdiction over a China-based company. The aim, per Google’s counsel, is deterrence. From the article:
“It allows us a legal basis on which to go to other platforms and services and ask for their assistance in taking down different components of this particular illegal infrastructure,” she said, without naming which platforms or services Google might focus on. “Even if we can’t get to the individuals, the idea is to deter the overall infrastructure in some cases.”
We’ll keep an eye on this case as it progresses. And in the meantime, it’s a good reminder to get Scam Detector and Web Protection on all your devices so you don’t get hoodwinked by these increasingly convincing-looking scam sites.
Again, scammers can roll them out so quickly and easily today.
Here’s a quick list of a few stories that caught our eye this week:
Alarmingly realistic deepfake threats now target banks in South Africa
Hyundai data breach exposes 2.7 million Social Security numbers
And that’s it for this week! We’ll see you next Friday with more updates, scam news, and ways you can stay safer out there.
The post This Week in Scams: New Alerts for iPhone and Android Users and a Major Google Crackdown appeared first on McAfee Blog.
You’ve seen the videos: a too-perfect Taylor Swift promoting free cookware. A fake Tom Hanks offering dental insurance.
They look real—but they’re not.
New research from McAfee Labs shows just how common these scams have become.
Our 2025 Most Dangerous Celebrity: Deepfake Deception List ranks the stars and influencers whose likenesses are most hijacked by scammers, and reveals a growing market for AI-powered fake endorsements.
At the top of the list? Taylor Swift, followed by Scarlett Johansson, Jenna Ortega, and Sydney Sweeney. Globally, names like Brad Pitt, Billie Eilish, and Emma Watson also appear among the most exploited.
McAfee also released its first-ever Influencer Deepfake Deception List, led by gamer and streamer Pokimane, showing that scammers are now targeting social platforms just as aggressively as Hollywood.
The formula is simple: use someone people trust to sell something that doesn’t exist.
Criminals clone celebrity voices and faces with AI to promote fake giveaways, skincare products, crypto investments, or “exclusive” deals that lead straight to malware or payment fraud.
According to McAfee’s survey of 8,600 people worldwide:
Scammers exploit trust. When you see a familiar face, your brain automatically lowers its guard. And that’s exactly what they count on.
AI has made these scams look frighteningly real.
Modern deepfake generators can mimic voices, facial movements, and even micro-expressions with uncanny precision. Only 29% of people feel confident identifying a fake, and 21% admit to having low confidence spotting deepfakes.
That’s how fake endorsements and AI romance scams have exploded online.
“Seeing is believing” doesn’t apply anymore, and scammers know it.
Deepfake scams don’t just rely on technology; they prey on parasocial relationships, the one-sided emotional bonds fans form with public figures.
When a “celebrity” DMs you, it doesn’t always feel strange. It feels personal. That sense of intimacy makes people act before thinking.
It’s the same psychological playbook behind romance scams, now supercharged by AI tools that make fake videos and voice messages sound heartbreakingly real.
Celebrity and influencer culture has always shaped what we buy, but now it’s shaping how scammers deceive. These deepfakes don’t just steal money; they chip away at our trust in what we see, hear, and share online.
The celebrities at the center of these scams aren’t accomplices, they’re victims, too, as criminals hijack their likenesses to exploit the bond between fans and the people they admire. And as deepfake tools become easier to use, the line between real and fake is vanishing fast.
The next viral “giveaway” might not be an ad at all…it could be bait.
You can’t stop scammers from cloning famous faces, but you can stop them from fooling you. Use McAfee’s Scam Detector to scan links, messages, and videos before you click.
The post The Stars Scammers Love Most: McAfee Reveals World’s Most Deepfaked Celebs appeared first on McAfee Blog.
Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google.
In a lawsuit filed in the Southern District of New York on November 12, Google sued to unmask and disrupt 25 “John Doe” defendants allegedly linked to the sale of Lighthouse, a sophisticated phishing kit that makes it simple for even novices to steal payment card data from mobile users. Google said Lighthouse has harmed more than a million victims across 120 countries.
A component of the Chinese phishing kit Lighthouse made to target customers of The Toll Roads, which refers to several state routes through Orange County, Calif.
Lighthouse is one of several prolific phishing-as-a-service operations known as the “Smishing Triad,” and collectively they are responsible for sending millions of text messages that spoof the U.S. Postal Service to supposedly collect some outstanding delivery fee, or that pretend to be a local toll road operator warning of a delinquent toll fee. More recently, Lighthouse has been used to spoof e-commerce websites, financial institutions and brokerage firms.
Regardless of the text message lure used or brand used, the basic scam remains the same: After the visitor enters their payment information, the phishing site will automatically attempt to enroll the card as a mobile wallet from Apple or Google. The phishing site then tells the visitor that their bank is going to verify the transaction by sending a one-time code that needs to be entered into the payment page before the transaction can be completed.
If the recipient provides that one-time code, the scammers can link the victim’s card data to a mobile wallet on a device that they control. Researchers say the fraudsters usually load several stolen wallets onto each mobile device, and wait 7-10 days after that enrollment before selling the phones or using them for fraud.
Google called the scale of the Lighthouse phishing attacks “staggering.” A May 2025 report from Silent Push found the domains used by the Smishing Triad are rotated frequently, with approximately 25,000 phishing domains active during any 8-day period.
Google’s lawsuit alleges the purveyors of Lighthouse violated the company’s trademarks by including Google’s logos on countless phishing websites. The complaint says Lighthouse offers over 600 templates for phishing websites of more than 400 entities, and that Google’s logos were featured on at least a quarter of those templates.
Google is also pursuing Lighthouse under the Racketeer Influenced and Corrupt Organizations (RICO) Act, saying the Lighthouse phishing enterprise encompasses several connected threat actor groups that work together to design and implement complex criminal schemes targeting the general public.
According to Google, those threat actor teams include a “developer group” that supplies the phishing software and templates; a “data broker group” that provides a list of targets; a “spammer group” that provides the tools to send fraudulent text messages in volume; a “theft group,” in charge of monetizing the phished information; and an “administrative group,” which runs their Telegram support channels and discussion groups designed to facilitate collaboration and recruit new members.
“While different members of the Enterprise may play different roles in the Schemes, they all collaborate to execute phishing attacks that rely on the Lighthouse software,” Google’s complaint alleges. “None of the Enterprise’s Schemes can generate revenue without collaboration and cooperation among the members of the Enterprise. All of the threat actor groups are connected to one another through historical and current business ties, including through their use of Lighthouse and the online community supporting its use, which exists on both YouTube and Telegram channels.”
Silent Push’s May report observed that the Smishing Triad boasts it has “300+ front desk staff worldwide” involved in Lighthouse, staff that is mainly used to support various aspects of the group’s fraud and cash-out schemes.
An image shared by an SMS phishing group shows a panel of mobile phones responsible for mass-sending phishing messages. These panels require a live operator because the one-time codes being shared by phishing victims must be used quickly as they generally expire within a few minutes.
Google alleges that in addition to blasting out text messages spoofing known brands, Lighthouse makes it easy for customers to mass-create fake e-commerce websites that are advertised using Google Ads accounts (and paid for with stolen credit cards). These phony merchants collect payment card information at checkout, and then prompt the customer to expect and share a one-time code sent from their financial institution.
Once again, that one-time code is being sent by the bank because the fake e-commerce site has just attempted to enroll the victim’s payment card data in a mobile wallet. By the time a victim understands they will likely never receive the item they just purchased from the fake e-commerce shop, the scammers have already run through hundreds of dollars in fraudulent charges, often at high-end electronics stores or jewelers.
Ford Merrill works in security research at SecAlliance, a CSIS Security Group company, and he’s been tracking Chinese SMS phishing groups for several years. Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.
“You find this shop by searching for a particular product online or whatever, and you think you’re getting a good deal,” Merrill said. “But of course you never receive the product, and they will phish that one-time code at checkout.”
Merrill said some of the phishing templates include payment buttons for services like PayPal, and that victims who choose to pay through PayPal can also see their PayPal accounts hijacked.
A fake e-commerce site from the Smishing Triad spoofing PayPal on a mobile device.
“The main advantage of the fake e-commerce site is that it doesn’t require them to send out message lures,” Merrill said, noting that the fake vendor sites have more staying power than traditional phishing sites because it takes far longer for them to be flagged for fraud.
Merrill said Google’s legal action may temporarily disrupt the Lighthouse operators, and could make it easier for U.S. federal authorities to bring criminal charges against the group. But he said the Chinese mobile phishing market is so lucrative right now that it’s difficult to imagine a popular phishing service voluntarily turning out the lights.
Merrill said Google’s lawsuit also can help lay the groundwork for future disruptive actions against Lighthouse and other phishing-as-a-service entities that are operating almost entirely on Chinese networks. According to Silent Push, a majority of the phishing sites created with these kits are sitting at two Chinese hosting companies: Tencent (AS132203) and Alibaba (AS45102).
“Once Google has a default judgment against the Lighthouse guys in court, theoretically they could use that to go to Alibaba and Tencent and say, ‘These guys have been found guilty, here are their domains and IP addresses, we want you to shut these down or we’ll include you in the case.'”
If Google can bring that kind of legal pressure consistently over time, Merrill said, they might succeed in increasing costs for the phishers and more frequently disrupting their operations.
“If you take all of these Chinese phishing kit developers, I have to believe it’s tens of thousands of Chinese-speaking people involved,” he said. “The Lighthouse guys will probably burn down their Telegram channels and disappear for a while. They might call it something else or redevelop their service entirely. But I don’t believe for a minute they’re going to close up shop and leave forever.”
Chances are, you have more personal information posted online than you think.
In 2024, the U.S. Federal Trade Commission (FTC) reported that 1.1 million identity theft complaints were filed, where $12.5 billion was lost to identity theft and fraud overall—a 25% increase over the year prior.
What fuels all this theft and fraud? Easy access to personal information.
Here’s one way you can reduce your chances of identity theft: remove your personal information from the internet.
Scammers and thieves can get a hold of your personal information in several ways, such as information leaked in data breaches, phishing attacks that lure you into handing it over, malware that steals it from your devices, or by purchasing your information on dark web marketplaces, just to name a few.
However, scammers and thieves have other resources and connections to help them commit theft and fraud—data broker sites, places where personal information is posted online for practically anyone to see. This makes removing your info from these sites so important, from both an identity and privacy standpoint.
Data broker sites are massive repositories of personal information that also buy information from other data brokers. As a result, some data brokers have thousands of pieces of data on billions of individuals worldwide.
What kind of data could they have on you? A broker may know how much you paid for your home, your education level, where you’ve lived over the years, who you’ve lived with, your driving record, and possibly your political leanings. A broker could even know your favorite flavor of ice cream and your preferred over-the-counter allergy medicine thanks to information from loyalty cards. They may also have health-related information from fitness apps. The amount of personal information can run that broadly, and that deeply.
With information at this level of detail, it’s no wonder that data brokers rake in an estimated $200 billion worldwide every year.
Your personal information reaches the internet through six main methods, most of which are initiated by activities you perform every day. Understanding these channels can help you make more informed choices about your digital footprint.
When you buy a home, register to vote, get married, or start a business, government agencies create public records that contain your personal details. These records, once stored in filing cabinets, are now digitized, accessible online, and searchable by anyone with an internet connection.
Every photo you post, location you tag, and profile detail you share contributes to your digital presence. Even with privacy settings enabled, social media platforms collect extensive data about your behavior, relationships, and preferences. You may not realize it, but every time you share details with your network, you are training algorithms that analyze and categorize your information.
You create accounts with retailers, healthcare providers, employers, and service companies, trusting them to protect your information. However, when hackers breach these systems, your personal information often ends up for sale on dark web marketplaces, where data brokers can purchase it. The Identity Theft Research Center Annual Data Breach Report revealed that 2024 saw the second-highest number of data compromises in the U.S. since the organization began recording incidents in 2005.
When you browse, shop, or use apps, your online behavior is recorded by tracking pixels, cookies, and software development kits. The data collected—such as your location, device usage, and interests—is packaged and sold to data brokers who combine it with other sources to build a profile of you.
Grocery store cards, coffee shop apps, and airline miles programs offer discounts in exchange for detailed purchasing information. Every transaction gets recorded, analyzed, and often shared with third-party data brokers, who then create detailed lifestyle profiles that are sold to marketing companies.
Data brokers act as the hubs that collect information from the various sources to create comprehensive profiles that may include over 5,000 data points per person. Seemingly separate pieces of information become a detailed digital dossier that reveals intimate details about your life, relationships, health, and financial situation.
Legally, your aggregated information from data brokers is used by advertisers to create targeted ad campaigns. In addition, law enforcement, journalists, and employers may use data brokers because the time-consuming pre-work of assembling your data has largely been done.
Currently, the U.S. has no federal laws that regulate data brokers or require them to remove personal information if requested. Only a few states, such as Nevada, Vermont, and California, have legislation that protects consumers. In the European Union, the General Data Protection Regulation (GDPR) has stricter rules about what information can be collected and what can be done with it.
On the darker side, scammers and thieves use personal information for identity theft and fraud. With enough information, they can create a high-fidelity profile of their victims to open new accounts in their name. For this reason, cleaning up your personal information online makes a great deal of sense.
Understanding which data types pose the greatest threat can help you prioritize your removal efforts. Here are the high-risk personal details you should target first, ranked by their potential for harm.
When prioritizing your personal information removal efforts, focus on combinations of data rather than individual pieces. For example, your name alone poses minimal risk, but your name combined with your address, phone number, and date of birth creates a comprehensive profile that criminals can exploit. Tools such as McAfee Personal Data Cleanup can help you identify and remove these high-risk combinations from data broker sites systematically.
This process takes time and persistence, but services such as McAfee Personal Data Cleanup can continuously monitor for new exposures and manage opt-out requests on your behalf. The key is to first understand the full scope of your online presence before beginning the removal process.
Let’s review some ways you can remove your personal information from data brokers and other sources on the internet.
Once you have found the sites that have your information, the next step is to request to have it removed. You can do this yourself or employ services such as McAfee’s Personal Data Cleanup, which can help manage the removal for you depending on your subscription. It also monitors those sites, so if your info gets posted again, you can request its removal again.
You can request to remove your name from Google search to limit your information from turning up in searches. You can also turn on “Auto Delete” in your privacy settings to ensure your data is deleted regularly. Occasionally deleting your cookies or browsing in incognito mode prevents websites from tracking you. If Google denies your initial request, you can appeal using the same tool, providing more context, documentation, or legal grounds for removal. Google’s troubleshooter tool may explain why your request was denied—either legitimate public interest or newsworthiness—and how to improve your appeal.
It’s important to know that the original content remains on the source website. You’ll still need to contact website owners directly to have your actual content removed. Additionally, the information may still appear in other search engines.
If you have old, inactive accounts that have gone by the wayside such as Myspace or Tumblr, you may want to deactivate or delete them entirely. For social media platforms that you use regularly, such as Facebook and Instagram, consider adjusting your privacy settings to keep your personal information to the bare minimum.
If you’ve ever published articles, written blogs, or created any content online, it is a good time to consider taking them down if they no longer serve a purpose. If you were mentioned or tagged by other people, it is worth requesting them to take down posts with sensitive information.
Another way to tidy up your digital footprint is to delete phone apps you no longer use as hackers are able to track personal information on these and sell it. As a rule, share as little information with apps as possible using your phone’s settings.
After sending your removal request, give the search engine or source website 7 to 10 business days to respond initially, then follow up weekly if needed. If a website owner doesn’t respond within 30 days or refuses your request, you have several escalation options:
For comprehensive guidance on website takedown procedures and your legal rights, visit the FTC’s privacy and security guidance for the most current information on consumer data protection. Direct website contact can be time-consuming, but it’s often effective for removing information from smaller sites that don’t appear on major data broker opt-out lists. Stay persistent, document everything, and remember that you have legal rights to protect your privacy online.
After you’ve cleaned up your data from websites and social platforms, your web browsers may still save personal information such as your browsing history, cookies, autofill data, saved passwords, and even payment methods. Clearing this information and adjusting your privacy settings helps prevent tracking, reduces targeted ads, and limits how much personal data websites can collect about you.
When your home address is publicly available, it can expose you to risks like identity theft, stalking, or targeted scams. Taking steps to remove or mask your address across data broker sites, public records, and even old social media profiles helps protect your privacy, reduce unwanted contact, and keep your personal life more secure.
The cost to remove your personal information from the internet varies, depending on whether you do it yourself or use a professional service. Read the guide below to help you make an informed decision:
Removing your information on your own primarily requires time investment. Expect to spend 20 to 40 hours looking for your information online and submitting removal requests. In terms of financial costs, most data brokers may not charge for opting out, but other expenses could include certified mail fees for formal removal requests—about $3-$8 per letter—and possibly notarization fees for legal documents. In total, this effort can be substantial when dealing with dozens of sites.
Depending on which paid removal and monitoring service you employ, basic plans typically range from $8 to $25 monthly while annual plans, which often provide better value, range from $100 to $600. Premium services that monitor hundreds of data broker sites and provide ongoing removal can cost $1,200-$2,400 annually.
The difference in pricing is driven by several factors. This includes the number of data broker sites to be monitored, which could cover more than 200 sites, and the scope of removal requests which may include basic personal information or comprehensive family protection. The monitoring frequency and additional features such as dark web monitoring, credit protection, and identity restoration support and insurance coverage typically command higher prices.
The upfront cost may seem significant, but continuous monitoring provides essential value. A McAfee survey revealed that 95% of consumers’ personal information ends up on data broker sites without their consent. It is possible that after the successful removal of your information, it may reappear on data broker sites without ongoing monitoring. This makes continuous protection far more cost-effective than repeated one-time cleanups.
Services such as McAfee Personal Data Cleanup can prove invaluable, as it handles the initial removal process, as well as ongoing monitoring to catch when your information resurfaces, saving you time and effort while offering long-term privacy protection.
Aside from the services above, comprehensive protection software can help safeguard your privacy and minimize your exposure to cybercrime with these offerings such as:
So while it may seem like all this rampant collecting and selling of personal information is out of your hands, there’s plenty you can do to take control. With the steps outlined above and strong online protection software at your back, you can keep your personal information more private and secure.
Unlike legitimate data broker sites, the dark web operates outside legal boundaries where takedown requests don’t apply. Rather than trying to remove information that’s already circulating, you can take immediate steps to reduce the potential harm and focus on preventing future exposure. A more effective approach is to treat data breaches as ongoing security issues rather than one-time events.
Both the FTC and Cybersecurity and Infrastructure Security Agency have released guidelines on proactive controls and continuous monitoring. Here are key steps of those recommendations:
As you go about removing your information for the internet, it is important to set realistic expectations. Several factors may limit how completely you can remove personal data from internet sources:
While some states like California have stronger consumer privacy rights, most data removal still depends on voluntary compliance from companies.
Removing your personal information from the internet takes effort, but it’s one of the most effective ways to protect yourself from identity theft and privacy violations. The steps outlined above provide you with a clear roadmap to systematically reduce your online exposure, from opting out of data brokers to tightening your social media privacy settings.
This isn’t a one-time task but an ongoing process that requires regular attention, as new data appears online constantly. Rather than attempting to complete digital erasure, focus on reducing your exposure to the most harmful uses of your personal information. Services like McAfee Personal Data Cleanup can help automate the most time-consuming parts of this process, monitoring high-risk data broker sites and managing removal requests for you.
The post How to Remove Your Personal Information From the Internet appeared first on McAfee Blog.
It’s an all-too-familiar trap. You’re scrolling TikTok when an ad for your favorite shoe brand pops up. Black Friday and Cyber Monday sales are everywhere, and this one—buy one, get one free—looks completely legit.
The site it links to looks real too. The logo, the product pages, even the checkout cart all match what you’d expect from the brand. You place your order and move on.
A few days later, you notice the charge on your bank statement. It’s the right amount—but the payment didn’t go to the store you thought. Instead, there’s a company name you don’t recognize.
That’s when it hits you: the site wasn’t real at all. You’ve been scammed.
Peak shopping season is peak scam season, with fake deals and ads making up one major tactic used to deceive shoppers.
Nearly all U.S. adults plan to shop online this season, with about half planning to do so daily or more. Scammers know that when people are rushing to buy gifts and click “checkout,” they’re also less likely to slow down and verify what they’re seeing.
That’s when fraudsters strike, often using artificial intelligence to make their fake messages and websites look authentic.
McAfee’s 2025 holiday shopping research revealed that almost half of Americans (46%) say they’ve already encountered these AI-powered scams while shopping.
The era of “obvious scams” is over.
Generative AI tools have made it simple to clone brand websites, copy influencer voices, and even create realistic video ads promoting fake sales. And our recent State of the Scamiverse research found people struggle identifying deepfakes, with 39% of people saying deepfake video scams are getting more sophisticated and harder to spot.
That’s why deepfake-driven scams utilizing advanced tactics are multiplying across platforms like TikTok and Instagram. Scammers are impersonating celebrity likenesses, or well-known brands, to advertise “exclusive” promotions or fake giveaways. For holiday shoppers, the line between what is authentic and fraudulent continues to blur.
These scams mimic major brand websites down to the logo, product photography, and even customer service pages. The only difference is the URL—a single extra letter or misplaced period (“target-sale.com” instead of “target.com”).
When shoppers enter their payment details or passwords on these fraudulent websites, that information goes directly to criminals. According to McAfee research, this fear of scams while shopping has stopped 40% of consumers from completing a holiday purchase.
How to spot it: Always check the full web address, look for “https,” and avoid clicking through from an ad or social post. It’s best to just type the retailer’s name directly into your browser instead to reach the official site.
Even cybercriminals follow trends, and short-form videos are scam hotspots. Scammers use deepfakes or stolen influencer content to make “exclusive” deals look legitimate.
For example, a TikTok clip may show a celebrity promoting a discount code that redirects to a counterfeit store.
According to McAfee research, 1 in 5 people (20%) say they or someone they know has fallen victim to a deepfake scam in the past year. And overwhelmingly, respondents said they came across deepfakes on social media.
How to spot it: Check if the creator’s account is verified. Look at past posts and engagement patterns. Real brands rarely share one-off videos with unfamiliar links.
You’ll receive a text saying a package can’t be delivered or that a small fee is needed to confirm your address.
McAfee found that have encountered fake delivery notifications, and many victims say they entered credit card information thinking they were resolving a legitimate issue.
How to spot it: Real shipping companies rarely send texts with clickable payment links. Visit the carrier’s official website or app to verify any delivery problems.
These scams pressure you to “verify” your account or make an urgent payment. Messages may claim your PayPal or Amazon account is locked and request you to confirm details. Others ask for gift cards to “resolve” a billing issue.
Scammers count on urgency—once you send a code or card number, the funds are gone instantly.
How to spot it: No legitimate company will ask for payment in gift cards or ask you to share one-time codes over text. Always log in to your account directly, never through a link sent via message.
Go straight to the source. If you see an offer on social media, type the retailer’s URL yourself instead of clicking through the post. Fraudulent ads often lead to look-alike domains.
Pause before you click. Take a moment to verify emails and DMs. Check the sender’s address, look for misspellings, and hover over links to preview where they lead.
Use AI to fight AI. McAfee’s Scam Detector can identify suspicious messages, fake websites, and deepfake content before harm occurs.
Keep your software up to date. Many scams exploit outdated browsers or apps. Regular updates patch vulnerabilities before criminals can use them.
Avoid public Wi-Fi while shopping. Public networks are easy for hackers to monitor. Use a secure or mobile connection instead. Check out McAfee’s VPN to stay protected while browsing and shopping.
Never pay with gift cards: Legitimate companies and businesses will never ask for you to pay or verify a purchase in exchange for gift cards.
Be suspicious of requests to pay with crypto: A legitimate company will not force you to pay in crypto or other specific crypto assets.
McAfee’s Scam Detector uses advanced artificial intelligence to automatically detect scams across text, email, and video. It blocks dangerous links, identifies deepfakes, and stops harm before it happens.
McAfee’s identity protection tools also monitor for signs that your personal information may have been exposed and guide you through recovery steps.
You can sign in to your McAfee account to scan for recent breaches linked to your email, or try a free trial of McAfee antivirus to keep your devices secure throughout the shopping season.
The post Holiday Shopping Scams: What to Watch as Black Friday & Cyber Monday Approach appeared first on McAfee Blog.
The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say while the proposed ban may have more to do with TP-Link’s ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.
A TP-Link WiFi 6 AX1800 Smart WiFi Router (Archer AX20).
The Washington Post recently reported that more than a half-dozen federal departments and agencies were backing a proposed ban on future sales of TP-Link devices in the United States. The story said U.S. Department of Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government.
TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years, and that its critics have vastly overstated the company’s market share (TP-Link puts it at around 30 percent). TP-Link says it has headquarters in California, with a branch in Singapore, and that it manufactures in Vietnam. The company says it researches, designs, develops and manufactures everything except its chipsets in-house.
TP-Link Systems told The Post it has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies, and that it operates them without Chinese government supervision.
“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond.”
Cost is a big reason TP-Link devices are so prevalent in the consumer and small business market: As this February 2025 story from Wired observed regarding the proposed ban, TP-Link has long had a reputation for flooding the market with devices that are considerably cheaper than comparable models from other vendors. That price point (and consistently excellent performance ratings) has made TP-Link a favorite among Internet service providers (ISPs) that provide routers to their customers.
In August 2024, the chairman and the ranking member of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party called for an investigation into TP-Link devices, which they said were found on U.S. military bases and for sale at exchanges that sell them to members of the military and their families.
“TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting,” the House lawmakers warned in a letter (PDF) to the director of the Commerce Department. “When combined with the PRC government’s common use of SOHO [small office/home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”
The letter cited a May 2023 blog post by Check Point Research about a Chinese state-sponsored hacking group dubbed “Camaro Dragon” that used a malicious firmware implant for some TP-Link routers to carry out a sequence of targeted cyberattacks against European foreign affairs entities. Check Point said while it only found the malicious firmware on TP-Link devices, “the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk.”
In a report published in October 2024, Microsoft said it was tracking a network of compromised TP-Link small office and home office routers that has been abused by multiple distinct Chinese state-sponsored hacking groups since 2021. Microsoft found the hacker groups were leveraging the compromised TP-Link systems to conduct “password spraying” attacks against Microsoft accounts. Password spraying involves rapidly attempting to access a large number of accounts (usernames/email addresses) with a relatively small number of commonly used passwords.
TP-Link rightly points out that most of its competitors likewise source components from China. The company also correctly notes that advanced persistent threat (APT) groups from China and other nations have leveraged vulnerabilities in products from their competitors, such as Cisco and Netgear.
But that may be cold comfort for TP-Link customers who are now wondering if it’s smart to continue using these products, or whether it makes sense to buy more costly networking gear that might only be marginally less vulnerable to compromise.
Almost without exception, the hardware and software that ships with most consumer-grade routers includes a number of default settings that need to be changed before the devices can be safely connected to the Internet. For example, bring a new router online without changing the default username and password and chances are it will only take a few minutes before it is probed and possibly compromised by some type of Internet-of-Things botnet. Also, it is incredibly common for the firmware in a brand new router to be dangerously out of date by the time it is purchased and unboxed.
Until quite recently, the idea that router manufacturers should make it easier for their customers to use these products safely was something of an anathema to this industry. Consumers were largely left to figure that out on their own, with predictably disastrous results.
But over the past few years, many manufacturers of popular consumer routers have begun forcing users to perform basic hygiene — such as changing the default password and updating the internal firmware — before the devices can be used as a router. For example, most brands of “mesh” wireless routers — like Amazon’s Eero, Netgear’s Orbi series, or Asus’s ZenWifi — require online registration that automates these critical steps going forward (or at least through their stated support lifecycle).
For better or worse, less expensive, traditional consumer routers like those from Belkin and Linksys also now automate this setup by heavily steering customers toward installing a mobile app to complete the installation (this often comes as a shock to people more accustomed to manually configuring a router). Still, these products tend to put the onus on users to check for and install available updates periodically. Also, they’re often powered by underwhelming or else bloated firmware, and a dearth of configurable options.
Of course, not everyone wants to fiddle with mobile apps or is comfortable with registering their router so that it can be managed or monitored remotely in the cloud. For those hands-on folks — and for power users seeking more advanced router features like VPNs, ad blockers and network monitoring — the best advice is to check if your router’s stock firmware can be replaced with open-source alternatives, such as OpenWrt or DD-WRT.
These open-source firmware options are compatible with a wide range of devices, and they generally offer more features and configurability. Open-source firmware can even help extend the life of routers years after the vendor stops supporting the underlying hardware, but it still requires users to manually check for and install any available updates.
Happily, TP-Link users spooked by the proposed ban may have an alternative to outright junking these devices, as many TP-Link routers also support open-source firmware options like OpenWRT. While this approach may not eliminate any potential hardware-specific security flaws, it could serve as an effective hedge against more common vendor-specific vulnerabilities, such as undocumented user accounts, hard-coded credentials, and weaknesses that allow attackers to bypass authentication.
Regardless of the brand, if your router is more than four or five years old it may be worth upgrading for performance reasons alone — particularly if your home or office is primarily accessing the Internet through WiFi.
NB: The Post’s story notes that a substantial portion of TP-Link routers and those of its competitors are purchased or leased through ISPs. In these cases, the devices are typically managed and updated remotely by your ISP, and equipped with custom profiles responsible for authenticating your device to the ISP’s network. If this describes your setup, please do not attempt to modify or replace these devices without first consulting with your Internet provider.
We’re back with a new edition of “This Week in Scams,” a roundup of what’s current and trending in all things sketchy online.
This week, we have fake steaks, why you should shop online with a credit card, and a new and utterly brash form of debit card fraud.
Yes, the letter “O” for Omaha in the subject line of this email scam is actually a zero. And that’s not the only thing that’s off with this email, it’s a total scam.
If you like your choice cuts, the name Omaha Steaks might be a familiar one. They’ve been around for almost 110 years, and since 1953 they’ve been in the mail order meat business. Today, they sell, well, just about anything you can picture in the butcher or seafood case. With that, the company enjoys a premium reputation, so it’s little surprise scammers have latched onto it and built a phishing attack around the brand—one they garnish with a nod to concerns over rising food prices.
A few things can quickly tip you off to this scam. For starters, the scammers oddly spell Omaha with a zero in the subject line, as mentioned. From there, the sender’s email address is a straight ref flag. In this case, it’s the curiously spelled “steaksamplnext” followed by a (redacted) domain name that isn’t the legitimate omahasteaks dot-com address. Also curious is the lack of an actual price for the bogus “Gourmet Box.” And lastly, you might think that a premium foods brand would showcase some pictures of their famous fare in the email. Not so here.
Rounding it out, you’ll see the classic scammer tactics of scarcity and urgency, which scammers hope will pressure people to act immediately. In this case, only 500 of these supposed boxes are available, and the offer “concludes tomorrow.”
Even as this scam makes the rounds, it’s easy to spot if you give it a closer look and a little thought—giving it a sort of old-school feel to it. However, more and more of today’s phishing emails look increasingly legit, thanks to AI tools, which might get you to click.
As for phishing attacks like this in general, you can protect yourself by:
Always checking the email address of the sender. If it doesn’t match the proper address of the company or brand that’s supposedly sending the email, it’s a scam. In this case, from the people at Omaha Steaks themselves, “If it doesn’t show OmahaSteaks.com and @OmahaSteaks, it’s not us!”
Looking for addresses and links that look like they’ve been slightly altered so that they seem “close enough” to the real thing. In this case, the scammer didn’t even bother to try. However, you could expect an alteration like “omahasteakofferforyou.com” to try and look legit.
Getting a scam detector. Our Scam Detector, found in all core McAfee plans, helps you stay safer with advanced scam detection technology built to spot and stop scams across text messages, emails, and videos. It’ll also block those sites if you accidentally tap or click on a bad link.
What’s the most common kind of fraud? If you said, “credit card,” you’ll find it number five on the list. The top form is debit cards, according to 2025 findings from the U.S. Federal Reserve.
As reported by financial institutions, the Fed found that attempts at debit card fraud rose to 73% with 52% of those attempts being successful.
There’s a good reason for that debit card fraud ranks highest for attempts and success rate. It’s the same reason that credit card fraud is relatively low. Debit cards don’t have the same fraud protections in place that credit cards do.
As you might have read in our blogs before, credit cards offer additional protection thanks to the Fair Credit Billing Act (FCBA). Your maximum liability is $50 for fraudulent charges on a lost or stolen card if you report the loss to your issuer within 60 days. In the case of relatively unprotected debit cards, those losses often go unrecovered.
Keep this in mind as you sit down for your online shopping for the holidays: use a credit card instead of a debit card. That gives you the protection of the FCBA if your shopping session gets hacked or if the retailer experiences a data breach somewhere down the road. Also think about making it even safer by shopping with a VPN. Our VPN creates an encrypted “tunnel” that protects your data from crooks and prying eyes, so your card info stays private.
First reported by the FBI last year, we’re seeing continued reports of a brash and bold form of debit card scam—people physically handing over their cards to scammers.
The scam starts like many card scams do, with a phone call. Scammers spoof the caller ID of the victim’s bank or credit union, ring them up, and tell them there’s a “problem” with their account. From there, scammers direct victims to cut up their current card—but with a twist. They tell victims to keep the little EMV chip for tap-and-go payments intact.
Why? Victims get instructed to leave the cut-up card and intact chip in the mailbox for a “courier” to pick up for “security purposes.” Once in hand, scammers get access to the bank account associated with the chip. Even if the scammers don’t wrangle a PIN number out of their victims with a little social engineering trickery, they can still make purchases with the chip as some points of sale don’t require a PIN number when tapping to pay.
Shred your old cards in a paper shredder. Then, take the next step. Grab the shredded pieces and throw them away in separate batches. This will all make it fantastically tough for a scammer to piece together your card and steal your info.
Call back your bank yourself. If you get a call, voicemail, or text saying there’s an issue with your account, you can verify any possible issue yourself by calling the number on the back of your card.
Know that banks won’t send “couriers” for cards. And they’ll simply never ask you to leave your card in your mailbox.
That’s our roundup for this week. We’ll catch you next Friday with more updates, scam news, and ways you can stay safer out there.
The post This Week in Scams: Fake Steaks and Debit Card Porch Pirates appeared first on McAfee Blog.
If you’ve been watching the news, you’ve probably seen the headlines out of Paris: one of the most audacious heists in decades took place at the Louvre, where thieves made off with centuries-old crown jewels worth tens of millions of dollars.
But amid the cinematic drama, a quieter detail emerged that’s almost harder to believe—according to French newspaper Libération (via PC Gamer), auditors discovered that the password protecting the museum’s video surveillance system was simply “Louvre.”
While it’s not yet confirmed whether this played a direct role in the robbery, cybersecurity experts point out that weak or reused passwords remain one of the easiest ways for criminals—digital or otherwise—to get inside.
The Louvre’s cybersecurity audits, dating back to 2014, reportedly revealed a pattern of outdated software and simple passwords that hadn’t been updated in years. Subsequent reviews noted “serious shortcomings,” including security systems running on decades-old software no longer supported by developers.
That situation mirrors one of the most common security issues individuals face at home. Whether it’s an email account, a social media login, or your home Wi-Fi router, using an easy or repeated password is like leaving the front door open. Hackers don’t need to break in when they can just walk through.
As experts here at McAfee have explained, cybercriminals routinely rely on “credential stuffing” attacks, in which they test stolen passwords from one breach against other sites to see what else they can access. If you’ve used the same password for your streaming account and your online banking, it’s not hard to imagine what could go wrong.
A strong password is long, complex, and unique. Cybersecurity experts recommend at least 12–16 characters that mix uppercase and lowercase letters, numbers, and symbols. A short password can be guessed in minutes; a long one can take decades to crack.
If that sounds like a lot to juggle, you’re not alone. That’s why password managers exist.
A password manager takes the work—and the guesswork—out of creating and remembering complex passwords. It generates random combinations that are nearly impossible to crack, then stores them securely using advanced encryption.
The added bonus? You’ll never have to reuse a password again. Even if one account is theoretically compromised in a breach, your others remain protected because each password is unique.
McAfee’s password manager also uses multi-factor authentication (MFA), meaning you’ll need at least two forms of verification before signing in—like a code sent to your phone. That extra step can stop hackers cold, even if they somehow get your password.
To keep your digital treasures safer than the Louvre’s jewels:
Reports of the Louvre’s weak password might make for an easy punchline, but the truth is that millions of people make the same mistake every day—reusing simple passwords across dozens of accounts. Strong, unique passwords (and the right tools to manage them) are still one of the most powerful defenses against data theft and identity fraud.
As scams and breaches continue to evolve, your best defense is awareness and protection that adapts just as fast. McAfee’s built-in Scam Detector, included in all core plans, automatically detects scams across text, email, and video, blocks dangerous links, and identifies deepfakes—stopping harm before it happens.
The post The Louvre Used Its Own Name as a Password. Here’s What to Learn From It appeared first on McAfee Blog.
For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisuru’s overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company’s domain name system (DNS) service.
The #1 and #3 positions in this chart are Aisuru botnet controllers with their full domain names redacted. Source: radar.cloudflare.com.
Aisuru is a rapidly growing botnet comprising hundreds of thousands of hacked Internet of Things (IoT) devices, such as poorly secured Internet routers and security cameras. The botnet has increased in size and firepower significantly since its debut in 2024, demonstrating the ability to launch record distributed denial-of-service (DDoS) attacks nearing 30 terabits of data per second.
Until recently, Aisuru’s malicious code instructed all infected systems to use DNS servers from Google — specifically, the servers at 8.8.8.8. But in early October, Aisuru switched to invoking Cloudflare’s main DNS server — 1.1.1.1 — and over the past week domains used by Aisuru to control infected systems started populating Cloudflare’s top domain rankings.
As screenshots of Aisuru domains claiming two of the Top 10 positions ping-ponged across social media, many feared this was yet another sign that an already untamable botnet was running completely amok. One Aisuru botnet domain that sat prominently for days at #1 on the list was someone’s street address in Massachusetts followed by “.com”. Other Aisuru domains mimicked those belonging to major cloud providers.
Cloudflare tried to address these security, brand confusion and privacy concerns by partially redacting the malicious domains, and adding a warning at the top of its rankings:
“Note that the top 100 domains and trending domains lists include domains with organic activity as well as domains with emerging malicious behavior.”
Cloudflare CEO Matthew Prince told KrebsOnSecurity the company’s domain ranking system is fairly simplistic, and that it merely measures the volume of DNS queries to 1.1.1.1.
“The attacker is just generating a ton of requests, maybe to influence the ranking but also to attack our DNS service,” Prince said, adding that Cloudflare has heard reports of other large public DNS services seeing similar uptick in attacks. “We’re fixing the ranking to make it smarter. And, in the meantime, redacting any sites we classify as malware.”
Renee Burton, vice president of threat intel at the DNS security firm Infoblox, said many people erroneously assumed that the skewed Cloudflare domain rankings meant there were more bot-infected devices than there were regular devices querying sites like Google and Apple and Microsoft.
“Cloudflare’s documentation is clear — they know that when it comes to ranking domains you have to make choices on how to normalize things,” Burton wrote on LinkedIn. “There are many aspects that are simply out of your control. Why is it hard? Because reasons. TTL values, caching, prefetching, architecture, load balancing. Things that have shared control between the domain owner and everything in between.”
Alex Greenland is CEO of the anti-phishing and security firm Epi. Greenland said he understands the technical reason why Aisuru botnet domains are showing up in Cloudflare’s rankings (those rankings are based on DNS query volume, not actual web visits). But he said they’re still not meant to be there.
“It’s a failure on Cloudflare’s part, and reveals a compromise of the trust and integrity of their rankings,” he said.
Greenland said Cloudflare planned for its Domain Rankings to list the most popular domains as used by human users, and it was never meant to be a raw calculation of query frequency or traffic volume going through their 1.1.1.1 DNS resolver.
“They spelled out how their popularity algorithm is designed to reflect real human use and exclude automated traffic (they said they’re good at this),” Greenland wrote on LinkedIn. “So something has evidently gone wrong internally. We should have two rankings: one representing trust and real human use, and another derived from raw DNS volume.”
Why might it be a good idea to wholly separate malicious domains from the list? Greenland notes that Cloudflare Domain Rankings see widespread use for trust and safety determination, by browsers, DNS resolvers, safe browsing APIs and things like TRANCO.
“TRANCO is a respected open source list of the top million domains, and Cloudflare Radar is one of their five data providers,” he continued. “So there can be serious knock-on effects when a malicious domain features in Cloudflare’s top 10/100/1000/million. To many people and systems, the top 10 and 100 are naively considered safe and trusted, even though algorithmically-defined top-N lists will always be somewhat crude.”
Over this past week, Cloudflare started redacting portions of the malicious Aisuru domains from its Top Domains list, leaving only their domain suffix visible. Sometime in the past 24 hours, Cloudflare appears to have begun hiding the malicious Aisuru domains entirely from the web version of that list. However, downloading a spreadsheet of the current Top 200 domains from Cloudflare Radar shows an Aisuru domain still at the very top.
According to Cloudflare’s website, the majority of DNS queries to the top Aisuru domains — nearly 52 percent — originated from the United States. This tracks with my reporting from early October, which found Aisuru was drawing most of its firepower from IoT devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon.
Experts tracking Aisuru say the botnet relies on well more than a hundred control servers, and that for the moment at least most of those domains are registered in the .su top-level domain (TLD). Dot-su is the TLD assigned to the former Soviet Union (.su’s Wikipedia page says the TLD was created just 15 months before the fall of the Berlin wall).
A Cloudflare blog post from October 27 found that .su had the highest “DNS magnitude” of any TLD, referring to a metric estimating the popularity of a TLD based on the number of unique networks querying Cloudflare’s 1.1.1.1 resolver. The report concluded that the top .su hostnames were associated with a popular online world-building game, and that more than half of the queries for that TLD came from the United States, Brazil and Germany [it’s worth noting that servers for the world-building game Minecraft were some of Aisuru’s most frequent targets].
A simple and crude way to detect Aisuru bot activity on a network may be to set an alert on any systems attempting to contact domains ending in .su. This TLD is frequently abused for cybercrime and by cybercrime forums and services, and blocking access to it entirely is unlikely to raise any legitimate complaints.
Football season is in full swing — tailgates, rivalries, fantasy leagues, and Sunday afternoons glued to the screen. Alongside the highlights and heartbreaks, there’s another game playing out online: the rush to place bets.
Every break in the action brings another sportsbook promo — risk-free wagers, bonus bets, exclusive odds — flooding your feed and inbox. But what you don’t see between the ads and sponsorships is how much money is really in play, or how scammers have joined the lineup.
Last year, legally licensed online and retail sportsbooks took nearly $150 billion in bets, a 22.2% jump from 2023 according to the American Gaming Association. And with so much of that money flowing through apps and websites, scammers are finding creative new ways to cash in.
They’re setting up fake betting sites, phishing for logins, and spinning up unlicensed offshore platforms that operate without oversight. Even self-proclaimed “insider tipsters” are pitching guaranteed wins that never exist.
If sports betting is legal in your state and you’re planning to make some wagers this season, here’s how to keep your money — and your data — safe.
Since a U.S. Supreme Court ruling in 2018, individual states can determine their own laws for sports betting. Soon after, sports betting became legal in waves. In all, 39 states and Washington D.C. currently offer sports betting through licensed retail locations. Of them, 31 further offer legal sports betting through licensed online apps and websites. The map below offers a quick view as to how all that plays out.
Image from https://sportsdata.usatoday.com/legality-map
Even as online sportsbooks must be licensed to operate legally, be aware that the terms and conditions they operate under vary from service to service. Per the Better Business Bureau (BBB), that calls for closely reading their fine print. For one, you might come across language that says the company can “restrict a user’s activity,” meaning that they can freeze accounts and the funds associated with them based on their terms and conditions. Also, the BBB cautions people about those promo offers that are often heavily advertised, because “like any sales pitch, these can be deceptive.”
Fake betting sites
This form of scam follows the same playbook scammers use for all kinds of bogus sites in general. They cook up a copycat site that looks like a legitimate betting site, create a web address that looks like it could be legitimate, and then flood the web with sponsored search results, ads, and social media posts to drive traffic to them. From there, scammers capture payment info and take bogus bets that they never pay out on. Once the site gets discovered as a scam, they pull it down and spin up other scam sites. With the aid of AI tools to help with the process, scammers can turn around scam sites quickly.
Sports app phishing scams
Scammers piggyback on legitimate betting apps and sites another way. They’ll create phony customer support sites that they promote online, with the addition of scam texts and emails to lure in victims. Under the guise of support, they gain a victim’s login info, hack the account, and clean out the victim’s cash.
Unlicensed offshore platforms
These form a gray area when it comes to scams. Some of these offshore platforms, while unlicensed, are legitimate to varying degrees. What makes them dangerous is that they have no regulatory oversight, which means they can do things like charge hidden costs, lock accounts, and refuse payment without users having any way to dispute those actions. Some of these platforms might have suspect security measures as well, which could lead to account hacks. And of course, some of these offshore platforms are simply fake betting sites, as mentioned above.
Handicapper scams
Earlier this year, the BBB shared word of a growing scam where self-proclaimed experts with “insider information to place sure-thing bets” reach out to victims via email and social media posts. Per the BBB, “A handicapper’s goal isn’t to win bets for their members, it’s to get people to buy their picks. Once you’ve purchased their picks, the handicapper has already won. It doesn’t matter if the pick wins or loses, the handicapper keeps the payment.”
Of course, that “insider info” is entirely fake. It’s all just a smokescreen to draw in victims.
1) Stick with legitimate betting sites and apps. Use only legal, regulated sportsbooks when you place a bet.
If you’re a sports fan, you probably know the names, like BetMGM, DraftKings, FanDuel, bet365 and Fanatics Sportsbook. In addition, check out the organization’s BBB listing at BBB.org. Here you can get a snapshot of customer ratings, complaints registered against the organization, and the organization’s response to the complaints, along with its BBB rating, if it has one.
2) Use a secure payment method other than your debit card. Credit cards are a good way to go when buying, or betting, online.
One reason why is the Fair Credit Billing Act, which offers protection against fraudulent charges on credit cards by giving you the right to dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Your credit card companies may have its own policies that improve upon the Fair Credit Billing Act as well. Debit cards don’t get the same protection under the Act.
3) Protect yourself from fake betting sites and bogus offers.
You can steer clear from all kinds of fake sites and bogus offers with the combination of our Web Protection and Scam Detector, found in our McAfee+ plans. They’ll alert you if a link might take you to a sketchy site, and they’ll block those sites if you accidentally tap or click on a bad link.
In addition to the latest virus, malware, spyware, and ransomware protection, it also includes strong password protection by generating and automatically storing complex passwords to keep your winnings and payment info safer from hackers and crooks.
If gambling is a problem for you or someone you know, you can seek assistance from a qualified service or professional. Several states have their own helplines, and nationally you can reach out to resources like http://www.gamblersanonymous.org/ or https://www.ncpgambling.org/help-treatment/.
The post Kickoffs and Rip-offs—Watch Out for Online Betting Scams This Football Season appeared first on McAfee Blog.
A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned.
Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, Ukraine, was previously referenced in U.S. federal charging documents only by his online handle “MrICQ.” According to a 13-year-old indictment (PDF) filed by prosecutors in Nebraska, MrICQ was a developer for a cybercrime group known as “Jabber Zeus.”
Image: lockedup dot wtf.
The Jabber Zeus name is derived from the malware they used — a custom version of the ZeuS banking trojan — that stole banking login credentials and would send the group a Jabber instant message each time a new victim entered a one-time passcode at a financial institution website. The gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently intercept any data that victims submit in a web-based form.
Once inside a victim company’s accounts, the Jabber Zeus crew would modify the firm’s payroll to add dozens of “money mules,” people recruited through elaborate work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfers to other mules in Ukraine and the United Kingdom.
The 2012 indictment targeting the Jabber Zeus crew named MrICQ as “John Doe #3,” and said this person handled incoming notifications of newly compromised victims. The Department of Justice (DOJ) said MrICQ also helped the group launder the proceeds of their heists through electronic currency exchange services.
Two sources familiar with the Jabber Zeus investigation said Rybtsov was arrested in Italy, although the exact date and circumstances of his arrest remain unclear. A summary of recent decisions (PDF) published by the Italian Supreme Court states that in April 2025, Rybtsov lost a final appeal to avoid extradition to the United States.
According to the mugshot website lockedup[.]wtf, Rybtsov arrived in Nebraska on October 9, and was being held under an arrest warrant from the U.S. Federal Bureau of Investigation (FBI).
The data breach tracking service Constella Intelligence found breached records from the business profiling site bvdinfo[.]com showing that a 41-year-old Yuriy Igorevich Rybtsov worked in a building at 59 Barnaulska St. in Donetsk. Further searching on this address in Constella finds the same apartment building was shared by a business registered to Vyacheslav “Tank” Penchukov, the leader of the Jabber Zeus crew in Ukraine.
Vyacheslav “Tank” Penchukov, seen here performing as “DJ Slava Rich” in Ukraine, in an undated photo from social media.
Penchukov was arrested in 2022 while traveling to meet his wife in Switzerland. Last year, a federal court in Nebraska sentenced Penchukov to 18 years in prison and ordered him to pay more than $73 million in restitution.
Lawrence Baldwin is founder of myNetWatchman, a threat intelligence company based in Georgia that began tracking and disrupting the Jabber Zeus gang in 2009. myNetWatchman had secretly gained access to the Jabber chat server used by the Ukrainian hackers, allowing Baldwin to eavesdrop on the daily conversations between MrICQ and other Jabber Zeus members.
Baldwin shared those real-time chat records with multiple state and federal law enforcement agencies, and with this reporter. Between 2010 and 2013, I spent several hours each day alerting small businesses across the country that their payroll accounts were about to be drained by these cybercriminals.
Those notifications, and Baldwin’s tireless efforts, saved countless would-be victims a great deal of money. In most cases, however, we were already too late. Nevertheless, the pilfered Jabber Zeus group chats provided the basis for dozens of stories published here about small businesses fighting their banks in court over six- and seven-figure financial losses.
Baldwin said the Jabber Zeus crew was far ahead of its peers in several respects. For starters, their intercepted chats showed they worked to create a highly customized botnet directly with the author of the original Zeus Trojan — Evgeniy Mikhailovich Bogachev, a Russian man who has long been on the FBI’s “Most Wanted” list. The feds have a standing $3 million reward for information leading to Bogachev’s arrest.
Evgeniy M. Bogachev, in undated photos.
The core innovation of Jabber Zeus was an alert that MrICQ would receive each time a new victim entered a one-time password code into a phishing page mimicking their financial institution. The gang’s internal name for this component was “Leprechaun,” (the video below from myNetWatchman shows it in action). Jabber Zeus would actually re-write the HTML code as displayed in the victim’s browser, allowing them to intercept any passcodes sent by the victim’s bank for multi-factor authentication.
“These guys had compromised such a large number of victims that they were getting buried in a tsunami of stolen banking credentials,” Baldwin told KrebsOnSecurity. “But the whole point of Leprechaun was to isolate the highest-value credentials — the commercial bank accounts with two-factor authentication turned on. They knew these were far juicier targets because they clearly had a lot more money to protect.”
Baldwin said the Jabber Zeus trojan also included a custom “backconnect” component that allowed the hackers to relay their bank account takeovers through the victim’s own infected PC.
“The Jabber Zeus crew were literally connecting to the victim’s bank account from the victim’s IP address, or from the remote control function and by fully emulating the device,” he said. “That trojan was like a hot knife through butter of what everyone thought was state-of-the-art secure online banking at the time.”
Although the Jabber Zeus crew was in direct contact with the Zeus author, the chats intercepted by myNetWatchman show Bogachev frequently ignored the group’s pleas for help. The government says the real leader of the Jabber Zeus crew was Maksim Yakubets, a 38-year Ukrainian man with Russian citizenship who went by the hacker handle “Aqua.”
Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI
The Jabber chats intercepted by Baldwin show that Aqua interacted almost daily with MrICQ, Tank and other members of the hacking team, often facilitating the group’s money mule and cashout activities remotely from Russia.
The government says Yakubets/Aqua would later emerge as the leader of an elite cybercrime ring of at least 17 hackers that referred to themselves internally as “Evil Corp.” Members of Evil Corp developed and used the Dridex (a.k.a. Bugat) trojan, which helped them siphon more than $100 million from hundreds of victim companies in the United States and Europe.
This 2019 story about the government’s $5 million bounty for information leading to Yakubets’s arrest includes excerpts of conversations between Aqua, Tank, Bogachev and other Jabber Zeus crew members discussing stories I’d written about their victims. Both Baldwin and I were interviewed at length for a new weekly six-part podcast by the BBC that delves deep into the history of Evil Corp. Episode One focuses on the evolution of Zeus, while the second episode centers on an investigation into the group by former FBI agent Jim Craig.
Image: https://www.bbc.co.uk/programmes/w3ct89y8
Article tags
Your digital life is being stitched together—one purchase, one search, one swipe at a time.
Data brokers collect and combine fragments of your personal information to build detailed profiles they can sell to advertisers, employers, and anyone willing to pay.
While you can request that these brokers delete your data, many make it almost impossible to do so.
A joint investigation by CalMatters and The Markup found that 35 data brokers had intentionally hidden their opt-out pages from search results, making it harder for people to remove their information.
The result: a patchwork version of you exists online—a Frankenstein of your data, stitched together without your consent.
Moreover, practically anyone can purchase this sensitive info. That ranges from advertisers to law enforcement and from employers to anyone on the street who wants to know a lot more about you.
Here’s what’s happening, and what you can do about it.
As part of the article, reporters analyzed 499 data broker sites registered in the state of California. Of them, 35 had search-blocking code. Additionally per the article, many opt out pages “required scrolling multiple screens, dismissing pop-ups for cookie permissions, and newsletter sign-ups and then finding a link that was a fraction the size of other text on the page.”[i]
Once the publications contacted the data brokers in question, multiple companies halted the practice, some responding that they were unaware their site had search-blocking code. Several others didn’t respond by the time the article was published and kept their practices in place.
There are several ways information brokers can get your info about you …
Sources available to the public: Some of your personal records are easily available to the public. Data brokers can collect public records like your voter registration records, birth certificate, criminal record, and even bankruptcy records. By rounding them up from multiple sources and gathering them in one place, it takes someone seconds to find out all these things about you, rather than spending hours poring over public records.
Search, browsing, and app usage: Through a combination of data collected from internet service providers (ISPs), websites, and apps, data brokers can get access to all kinds of activity. They can see what content you’re interested in, how much time you spend on certain sites, and even your daily travels thanks to location data. They also use web scraping tools (software that pulls info from the web), to gather yet more. All this data collecting makes up a multi-billion-dollar industry where personal data is gathered, analyzed, sold, and then sold again and again—all without a person’s knowledge.
Online agreements: As it is with smartphone apps, you’ll usually have to sign an agreement when signing up for a new online service. Many of these agreements have disclosures in the fine print that give the company the right to collect and distribute your personal info.
Purchase history: Data brokers want to know what products or services you’ve purchased, how you paid for them (credit card, debit card, or coupon), and when and where you purchased them. In some cases, they get this info from loyalty programs at places like supermarkets, drugstores, and other retailers. Kroger, one of the largest grocery chains, is a good example of how purchasing insights end up in the hands of others. According to Consumer Reports, the company draws 35% of its net income from selling customer data to other companies.
For starters, there aren’t any data privacy laws on the federal level. That, so far, has fallen to individual states to enact. As such, data privacy laws vary from state-to-state, with California having some of the earliest and strongest protections on record, via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
In all, 20 states currently have comprehensive privacy laws in place, with five others that have put narrower privacy protections in place, covering data brokers, internet service providers, and medical/biometric data.
States with Comprehensive Data Privacy Laws
| · California
· Virginia · Colorado · Connecticut · Utah · Iowa · Indiana · Tennessee · Texas |
· Florida
· Montana · Oregon · Delaware · New Hampshire · New Jersey · Kentucky · Nebraska · Rhode Island |
For specific laws in your state and how they can protect you, we suggest doing a search for “data privacy laws [your state]” for more info.
Even if your state has no or narrow data privacy laws in place, you still have several ways you can take back your privacy.
The first thing you can do is keep a lower profile online. That can limit the amount of personal info they can get their hands on:
The list of data brokers is long. Cleaning up your personal data online can quickly eat up your time, as it requires you to reach out to multiple data brokers and opt out.
Rather than removing yourself one-by-one from the host of data broker sites out there, you have a solution: our Personal Data Cleanup.
Personal Data Cleanup scans data broker and people search sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites. And if you want to save time on manually removing that info, you have options. Our McAfee+ Advanced and Ultimate plans come with full-service Personal Data Cleanup, which sends requests to remove your data automatically.
If the thought of your personal info getting bought and sold in such a public way bothers you, our Personal Data Cleanup can put you back in charge of it.
The post Frankenstein Data: How Data Brokers Stitch Together—and Sell—Your Digital Self appeared first on McAfee Blog.
They’re not hiding in dark alleys—they’re hiding in plain sight. Airports, cafés, hotels, even libraries can harbor dangerous Vampire Wi-Fi networks.
These vampires pass themselves off as legitimate public Wi-Fi hotspots, using names that look innocent enough, such as “FREE_WIFI” and “AT&T_FREE_WIFI”. These can potentially be “evil twin networks,” they often mimic the name of the airport you’re in, or the place where you’re grabbing a quick coffee and some laptop time while you’re on the road. In fact, when you connect to a vampire or evil twin network, you’re connecting to a hacker.
These networks are relatively easy to set up. With just a few hundred dollars of gear, attackers can set up these digital bloodsuckers anywhere. The moment you log on, they begin feeding on your data, using tools called packet sniffers to capture and analyze every bit you send.
So say you’re on the road and log into one of these networks, a hacker on the network can see what you’re connecting to and what data you’re passing along. Your credit card number while you shop. Your password when you bank. That confidential contract you just sent to a client. And your email password when your app regularly checks for mail every few minutes or so.
What tools let hackers snoop? Network analyzers, or packet sniffers as many call them. A bad actor can gather up data with a packet sniffer, analyze it, and pluck out the sensitive bits of info that are of value. Before you know it, you’re a victim of identity theft.
Another common vampire Wi-Fi ploy is to set up a phony login screen that asks for a username and password, often for popular online services like Google and Apple. In this case, the hacker gets the keys to all the personal info, apps, files, and financial info connected to them.
Hackers typically take lengths to make these networks look legitimate, but they may give off signs:
Still, even with some of these flags, they can be tough to spot. And that’s a reason why our mobile security apps for iOS and Android analyze Wi-Fi networks before you connect to them—letting you know if a connection is Safe, Risky, or altogether Unsafe.
Your best bet when using any public Wi-Fi at all is to use a VPN.
A VPN is an app that you install on your device to help keep your data safe as you browse the internet. With your VPN on, your device makes a secure connection to a VPN server that routes internet traffic through an encrypted “tunnel.” This keeps your online activity private on any network, shielding it from prying eyes.
While you’re on a VPN, you can browse and bank with the confidence that your passwords, credentials, and financial info are secure. If a hacker attempts to intercept your web traffic, they’ll only see garbled content, thanks to your VPN’s encryption functionality.
With that, choosing a secure and trustworthy VPN provider is a must. A VPN like ours has both your security and privacy in mind. In a VPN, look for:
Not every VPN offers these features. Selecting one that does gives you the protection you want paired with the privacy you want. You’ll find them all in our VPN, which is also included as part of our McAfee+ plans.
Several other straightforward steps can keep you safer from vampire and evil twin Wi-Fi—and safer while using public Wi-Fi in general:
Vampire Wi-Fi networks aren’t going anywhere. Hackers will keep setting up these traps because they work. People see “free Wi-Fi” and click without thinking twice. But now you know better. You’ve got the tools to spot the red flags, the habits to stay protected, and most importantly, you understand why a quality VPN isn’t optional anymore—it’s essential.
McAfee+ gives you everything we’ve talked about: bank-level encryption, zero-logging policies, independent security audits, and that smart auto-connect feature that kicks in when you need it most. Plus, unlimited data across all your devices, because who has time to ration their security?
Your personal information is worth protecting. Your financial data, your work files, your private conversations, they’re all valuable to the wrong people. Don’t hand them over just because someone dangled “free Wi-Fi” in front of you.
Ready to stop gambling with your data? Get comprehensive protection with McAfee+ and never worry about vampire networks again.
The post Vampire Wifi: How Public Wi-Fi Traps Travelers in Cyber Attacks appeared first on McAfee Blog.
Remember that website where you bought a T-shirt in 2013? No?
Hackers do. And it’s one way they can steal your personal info.
Consider this website, and other forgotten sites like it, an example of a “Ghost Account,” a place where one of your long-unused logins lives on and puts your identity at risk.
Ghosts aside, old accounts like these are very real.
Think of all the times you’ve created a one-off account to make a single purchase, take an online quiz, or get more information about an event or a sale. For all the accounts you remember, there are plenty more you’ve probably completely forgotten about.
Even as estimates vary, it’s likely the average person has somewhere between 100 to 200 online accounts, where varying degrees of their personal and financial info are stored.
And all those accounts add up to plenty of exposure. Those companies still have your address, payment information, and other personal details in their system.
In a time where data breaches of varying sizes hack 3.5 million accounts on average each day, the odds of an old account of yours getting compromised are higher than you may realize. The more places your info resides, the more exposure to risk you have, namely data breaches, which can quickly lead to identity theft and fraud.
Compounding the problem is human nature. People tend to reuse passwords, or use highly similar passwords, all in an effort to maintain some degree of sanity across all the accounts they’re juggling. Hackers love that too. With one password in hand, they potentially get the keys to several other accounts, also with varying levels of personal and financial info, which (again) can lead to identity theft and fraud.
Our Online Account Cleanup can do the work for you, which you can find in all our McAfee+ plans.
It finds and deletes old accounts to reduce your risk of data exposure. In our McAfee+ Ultimate plans, you get full-service Online Account Cleanup, which sends the data deletion requests for you.
With each scan, you get an all-up view of accounts in your name. From there, it shows which are riskiest to keep, along with a look at what personal info is typically included in those accounts, which helps you decide what you’d like to keep and what you’d like to delete. Again, with McAfee+ Ultimate, you can request to delete accounts with a single click.
And because you add accounts and passwords from time to time, Online Account Cleanup gives you a monthly report. That way, you can keep tabs on your ever-evolving list of accounts and delete any you don’t want over time.
Yes, with all those accounts come passwords. While you’re cleaning up your old accounts, you can better protect the ones you keep with our Password Manager. It’s a simple and highly secure way you can create strong, unique passwords for each and every one of your accounts. That offers you yet one more line of defense against data breaches, because hackers know so many people reuse their passwords.
Lastly, it’s convenient. You only need to remember one password. Our password manager securely stores all your passwords, where one primary password grants access to them all.
Whether it’s for an old online gaming account, a streaming service you never use anymore, or a login for a doctor’s office you don’t visit anymore, delete it. The less personal and financial info you have sitting in a database somewhere is less info a hacker can steal and use to commit identity theft or fraud.
We all have our “ghosts” floating around online, and today you have an easy way to get rid of them for good.
The post Ghost Accounts: How Old, Forgotten Logins Put You at Risk for Identity Theft appeared first on McAfee Blog.
Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.
First identified in August 2024, Aisuru has spread to at least 700,000 IoT systems, such as poorly secured Internet routers and security cameras. Aisuru’s overlords have used their massive botnet to clobber targets with headline-grabbing DDoS attacks, flooding targeted hosts with blasts of junk requests from all infected systems simultaneously.
In June, Aisuru hit KrebsOnSecurity.com with a DDoS clocking at 6.3 terabits per second — the biggest attack that Google had ever mitigated at the time. In the weeks and months that followed, Aisuru’s operators demonstrated DDoS capabilities of nearly 30 terabits of data per second — well beyond the attack mitigation capabilities of most Internet destinations.
These digital sieges have been particularly disruptive this year for U.S.-based Internet service providers (ISPs), in part because Aisuru recently succeeded in taking over a large number of IoT devices in the United States. And when Aisuru launches attacks, the volume of outgoing traffic from infected systems on these ISPs is often so high that it can disrupt or degrade Internet service for adjacent (non-botted) customers of the ISPs.
“Multiple broadband access network operators have experienced significant operational impact due to outbound DDoS attacks in excess of 1.5Tb/sec launched from Aisuru botnet nodes residing on end-customer premises,” wrote Roland Dobbins, principal engineer at Netscout, in a recent executive summary on Aisuru. “Outbound/crossbound attack traffic exceeding 1Tb/sec from compromised customer premise equipment (CPE) devices has caused significant disruption to wireline and wireless broadband access networks. High-throughput attacks have caused chassis-based router line card failures.”
The incessant attacks from Aisuru have caught the attention of federal authorities in the United States and Europe (many of Aisuru’s victims are customers of ISPs and hosting providers based in Europe). Quite recently, some of the world’s largest ISPs have started informally sharing block lists identifying the rapidly shifting locations of the servers that the attackers use to control the activities of the botnet.
Experts say the Aisuru botmasters recently updated their malware so that compromised devices can more easily be rented to so-called “residential proxy” providers. These proxy services allow paying customers to route their Internet communications through someone else’s device, providing anonymity and the ability to appear as a regular Internet user in almost any major city worldwide.
From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence. But they are massively abused for hiding cybercrime activity (think advertising fraud, credential stuffing) because they can make it difficult to trace malicious traffic to its original source.
And as we’ll see in a moment, this entire shadowy industry appears to be shifting its focus toward enabling aggressive content scraping activity that continuously feeds raw data into large language models (LLMs) built to support various AI projects.
Riley Kilmer is co-founder of spur.us, a service that tracks proxy networks. Kilmer said all of the top proxy services have grown substantially over the past six months.
“I just checked, and in the last 90 days we’ve seen 250 million unique residential proxy IPs,” Kilmer said. “That is insane. That is so high of a number, it’s unheard of. These proxies are absolutely everywhere now.”
Today, Spur says it is tracking an unprecedented spike in available proxies across all providers, including;
LUMINATI_PROXY 11,856,421
NETNUT_PROXY 10,982,458
ABCPROXY_PROXY 9,294,419
OXYLABS_PROXY 6,754,790
IPIDEA_PROXY 3,209,313
EARNFM_PROXY 2,659,913
NODEMAVEN_PROXY 2,627,851
INFATICA_PROXY 2,335,194
IPROYAL_PROXY 2,032,027
YILU_PROXY 1,549,155
Reached for comment about the apparent rapid growth in their proxy network, Oxylabs (#4 on Spur’s list) said while their proxy pool did grow recently, it did so at nowhere near the rate cited by Spur.
“We don’t systematically track other providers’ figures, and we’re not aware of any instances of 10× or 100× growth, especially when it comes to a few bigger companies that are legitimate businesses,” the company said in a written statement.
Bright Data was formerly known as Luminati Networks, the name that is currently at the top of Spur’s list of the biggest residential proxy networks. Bright Data likewise told KrebsOnSecurity that Spur’s current estimates of its proxy network are dramatically overstated and inaccurate.
“We did not actively initiate nor do we see any 10x or 100x expansion of our network, which leads me to believe that someone might be presenting these IPs as Bright Data’s in some way,” said Rony Shalit, Bright Data’s chief compliance and ethics officer. “In many cases in the past, due to us being the leading data collection proxy provider, IPs were falsely tagged as being part of our network, or while being used by other proxy providers for malicious activity.”
“Our network is only sourced from verified IP providers and a robust opt-in only residential peers, which we work hard and in complete transparency to obtain,” Shalit continued. “Every DC, ISP or SDK partner is reviewed and approved, and every residential peer must actively opt in to be part of our network.”
Even Spur acknowledges that Luminati and Oxylabs are unlike most other proxy services on their top proxy providers list, in that these providers actually adhere to “know-your-customer” policies, such as requiring video calls with all customers, and strictly blocking customers from reselling access.
Benjamin Brundage is founder of Synthient, a startup that helps companies detect proxy networks. Brundage said if there is increasing confusion around which proxy networks are the most worrisome, it’s because nearly all of these lesser-known proxy services have evolved into highly incestuous bandwidth resellers. What’s more, he said, some proxy providers do not appreciate being tracked and have been known to take aggressive steps to confuse systems that scan the Internet for residential proxy nodes.
Brundage said most proxy services today have created their own software development kit or SDK that other app developers can bundle with their code to earn revenue. These SDKs quietly modify the user’s device so that some portion of their bandwidth can be used to forward traffic from proxy service customers.
“Proxy providers have pools of constantly churning IP addresses,” he said. “These IP addresses are sourced through various means, such as bandwidth-sharing apps, botnets, Android SDKs, and more. These providers will often either directly approach resellers or offer a reseller program that allows users to resell bandwidth through their platform.”
Many SDK providers say they require full consent before allowing their software to be installed on end-user devices. Still, those opt-in agreements and consent checkboxes may be little more than a formality for cybercriminals like the Aisuru botmasters, who can earn a commission each time one of their infected devices is forced to install some SDK that enables one or more of these proxy services.
Depending on its structure, a single provider may operate hundreds of different proxy pools at a time — all maintained through other means, Brundage said.
“Often, you’ll see resellers maintaining their own proxy pool in addition to an upstream provider,” he said. “It allows them to market a proxy pool to high-value clients and offer an unlimited bandwidth plan for cheap reduce their own costs.”
Some proxy providers appear to be directly in league with botmasters. Brundage identified one proxy seller that was aggressively advertising cheap and plentiful bandwidth to content scraping companies. After scanning that provider’s pool of available proxies, Brundage said he found a one-to-one match with IP addresses he’d previously mapped to the Aisuru botnet.
Brundage says that by almost any measurement, the world’s largest residential proxy service is IPidea, a China-based proxy network. IPidea is #5 on Spur’s Top 10, and Brundage said its brands include ABCProxy (#3), Roxlabs, LunaProxy, PIA S5 Proxy, PyProxy, 922Proxy, 360Proxy, IP2World, and Cherry Proxy. Spur’s Kilmer said they also track Yilu Proxy (#10) as IPidea.
Brundage said all of these providers operate under a corporate umbrella known on the cybercrime forums as “HK Network.”
“The way it works is there’s this whole reseller ecosystem, where IPidea will be incredibly aggressive and approach all these proxy providers with the offer, ‘Hey, if you guys buy bandwidth from us, we’ll give you these amazing reseller prices,'” Brundage explained. “But they’re also very aggressive in recruiting resellers for their apps.”
A graphic depicting the relationship between proxy providers that Synthient found are white labeling IPidea proxies. Image: Synthient.com.
Those apps include a range of low-cost and “free” virtual private networking (VPN) services that indeed allow users to enjoy a free VPN, but which also turn the user’s device into a traffic relay that can be rented to cybercriminals, or else parceled out to countless other proxy networks.
“They have all this bandwidth to offload,” Brundage said of IPidea and its sister networks. “And they can do it through their own platforms, or they go get resellers to do it for them by advertising on sketchy hacker forums to reach more people.”
One of IPidea’s core brands is 922S5Proxy, which is a not-so-subtle nod to the 911S5Proxy service that was hugely popular between 2015 and 2022. In July 2022, KrebsOnSecurity published a deep dive into 911S5Proxy’s origins and apparent owners in China. Less than a week later, 911S5Proxy announced it was closing down after the company’s servers were massively hacked.
That 2022 story named Yunhe Wang from Beijing as the apparent owner and/or manager of the 911S5 proxy service. In May 2024, the U.S. Department of Justice arrested Mr Wang, alleging that his network was used to steal billions of dollars from financial institutions, credit card issuers, and federal lending programs. At the same time, the U.S. Treasury Department announced sanctions against Wang and two other Chinese nationals for operating 911S5Proxy.
The website for 922Proxy.
In recent months, multiple experts who track botnet and proxy activity have shared that a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. That’s because by routing it through residential IP addresses, content scraping firms can make their traffic far trickier to filter out.
“It’s really difficult to block, because there’s a risk of blocking real people,” Spur’s Kilmer said of the LLM scraping activity that is fed through individual residential IP addresses, which are often shared by multiple customers at once.
Kilmer says the AI industry has brought a veneer of legitimacy to residential proxy business, which has heretofore mostly been associated with sketchy affiliate money making programs, automated abuse, and unwanted Internet traffic.
“Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,” Kilmer said. “Everybody wanted to monetize their own data pots, and how they monetize that is different across the board.”
Kilmer said many LLM-related scrapers rely on residential proxies in cases where the content provider has restricted access to their platform in some way, such as forcing interaction through an app, or keeping all content behind a login page with multi-factor authentication.
“Where the cost of data is out of reach — there is some exclusivity or reason they can’t access the data — they’ll turn to residential proxies so they look like a real person accessing that data,” Kilmer said of the content scraping efforts.
Aggressive AI crawlers increasingly are overloading community-maintained infrastructure, causing what amounts to persistent DDoS attacks on vital public resources. A report earlier this year from LibreNews found some open-source projects now see as much as 97 percent of their traffic originating from AI company bots, dramatically increasing bandwidth costs, service instability, and burdening already stretched-thin maintainers.
Cloudflare is now experimenting with tools that will allow content creators to charge a fee to AI crawlers to scrape their websites. The company’s “pay-per-crawl” feature is currently in a private beta, and it lets publishers set their own prices that bots must pay before scraping content.
On October 22, the social media and news network Reddit sued Oxylabs (PDF) and several other proxy providers, alleging that their systems enabled the mass-scraping of Reddit user content even though Reddit had taken steps to block such activity.
“Recognizing that Reddit denies scrapers like them access to its site, Defendants scrape the data from Google’s search results instead,” the lawsuit alleges. “They do so by masking their identities, hiding their locations, and disguising their web scrapers as regular people (among other techniques) to circumvent or bypass the security restrictions meant to stop them.”
Denas Grybauskas, chief governance and strategy officer at Oxylabs, said the company was shocked and disappointed by the lawsuit.
“Reddit has made no attempt to speak with us directly or communicate any potential concerns,” Grybauskas said in a written statement. “Oxylabs has always been and will continue to be a pioneer and an industry leader in public data collection, and it will not hesitate to defend itself against these allegations. Oxylabs’ position is that no company should claim ownership of public data that does not belong to them. It is possible that it is just an attempt to sell the same public data at an inflated price.”
As big and powerful as Aisuru may be, it is hardly the only botnet that is contributing to the overall broad availability of residential proxies. For example, on June 5 the FBI’s Internet Crime Complaint Center warned that an IoT malware threat dubbed BADBOX 2.0 had compromised millions of smart-TV boxes, digital projectors, vehicle infotainment units, picture frames, and other IoT devices.
In July, Google filed a lawsuit in New York federal court against the Badbox botnet’s alleged perpetrators. Google said the Badbox 2.0 botnet “compromised more than 10 million uncertified devices running Android’s open-source software, which lacks Google’s security protections. Cybercriminals infected these devices with pre-installed malware and exploited them to conduct large-scale ad fraud and other digital crimes.”
Brundage said the Aisuru botmasters have their own SDK, and for some reason part of its code tells many newly-infected systems to query the domain name fuckbriankrebs[.]com. This may be little more than an elaborate “screw you” to this site’s author: One of the botnet’s alleged partners goes by the handle “Forky,” and was identified in June by KrebsOnSecurity as a young man from Sao Paulo, Brazil.
Brundage noted that only systems infected with Aisuru’s Android SDK will be forced to resolve the domain. Initially, there was some discussion about whether the domain might have some utility as a “kill switch” capable of disrupting the botnet’s operations, although Brundage and others interviewed for this story say that is unlikely.
A tiny sample of the traffic after a DNS server was enabled on the newly registered domain fuckbriankrebs dot com. Each unique IP address requested its own unique subdomain. Image: Seralys.
For one thing, they said, if the domain was somehow critical to the operation of the botnet, why was it still unregistered and actively for-sale? Why indeed, we asked. Happily, the domain name was deftly snatched up last week by Philippe Caturegli, “chief hacking officer” for the security intelligence company Seralys.
Caturegli enabled a passive DNS server on that domain and within a few hours received more than 700,000 requests for unique subdomains on fuckbriankrebs[.]com.
But even with that visibility into Aisuru, it is difficult to use this domain check-in feature to measure its true size, Brundage said. After all, he said, the systems that are phoning home to the domain are only a small portion of the overall botnet.
“The bots are hardcoded to just spam lookups on the subdomains,” he said. “So anytime an infection occurs or it runs in the background, it will do one of those DNS queries.”
Caturegli briefly configured all subdomains on fuckbriankrebs dot com to display this ASCII art image to visiting systems today.
The domain fuckbriankrebs[.]com has a storied history. On its initial launch in 2009, it was used to spread malicious software by the Cutwail spam botnet. In 2011, the domain was involved in a notable DDoS against this website from a botnet powered by Russkill (a.k.a. “Dirt Jumper”).
Domaintools.com finds that in 2015, fuckbriankrebs[.]com was registered to an email address attributed to David “Abdilo” Crees, a 27-year-old Australian man sentenced in May 2025 to time served for cybercrime convictions related to the Lizard Squad hacking group.
Update, Nov. 1, 2025, 10:25 a.m. ET: An earlier version of this story erroneously cited Spur’s proxy numbers from earlier this year; Spur said those numbers conflated residential proxies — which are rotating and attached to real end-user devices — with “ISP proxies” located at AT&T. ISP proxies, Spur said, involve tricking an ISP into routing a large number of IP addresses that are resold as far more static datacenter proxies.
Article tags
Cybercriminals are turning to TikTok to spread new scams that promise “free upgrades” or access to premium versions of popular apps.
According to Bleeping Computer, scammers are posting videos that look like tech tutorials, offering so-called activation hacks for software like Windows, Adobe Premiere, or Photoshop, and even fake “premium” services for Netflix and Spotify.
But instead of unlocking anything, these videos trick people into running hidden malware on their devices. Once that happens, attackers can steal passwords, cryptocurrency wallet details, or access to social media and bank accounts.
These “ClickFix” scams, as researchers call them, are spreading quickly because they rely on trust and curiosity. The videos look legitimate. Many use the same tone and layout as real how-to tech content, but behind the scenes, they’re designed to take control of your device and your data.
The scam works because it blends the look and feel of ordinary TikTok tutorials with social proof, think comments, hashtags, and even fake success stories, that make it seem credible.
Security researchers say the same technique has been spotted in similar scams spreading via fake CAPTCHA pages and cracked game downloads. The goal is always the same: convince users to “verify,” “activate,” or “fix” something, when in reality, they’re opening the door to attackers.
McAfee Labs has been tracking a related wave of attacks using fake CAPTCHA pages and cracked download sites to deliver info-stealing malware. In both campaigns, scammers prey on everyday habits such as downloading software, clicking “I’m not a robot,” or following quick tech fixes that seem safe.
Our researchers found that these scams spread through multiple channels, including phishing emails and fake support sites, all designed to look familiar. The end result is the same: stolen credentials, compromised devices, and exposed personal information.
These patterns mirror the rise of TikTok-based scams reported by Bleeping Computer. The methods may evolve, but the psychology is the same: social engineering that turns trust into a weapon.
Scammers are getting smarter about how they reach people. They’re blending into everyday content like short-form videos, social challenges, and viral tips. Then they’re using those moments of distraction to plant malware.
Tools like McAfee’s built-in Scam Detector, included in all core plans, are designed to spot this new kind of threat early. It automatically detects scams across text, email, and video, blocks dangerous links, and even identifies AI-manipulated content like deepfakes, helping stop harm before it happens.
As scammers adapt, your best defense is awareness and technology that adapts just as fast.
The post This New “Verification” Trick Fools You Into Installing Malware appeared first on McAfee Blog.
FreshRSS