Login
Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate’s most tech-savvy lawmakers says the feds aren’t doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.
A screenshot of the first page from Sen. Wyden’s letter to FBI Director Kash Patel.
On May 29, The Wall Street Journal reported that federal authorities were investigating a clandestine effort to impersonate Ms. Wiles via text messages and in phone calls that may have used AI to spoof her voice. According to The Journal, Wiles told associates her cellphone contacts were hacked, giving the impersonator access to the private phone numbers of some of the country’s most influential people.
The execution of this phishing and impersonation campaign — whatever its goals may have been — suggested the attackers were financially motivated, and not particularly sophisticated.
“It became clear to some of the lawmakers that the requests were suspicious when the impersonator began asking questions about Trump that Wiles should have known the answers to—and in one case, when the impersonator asked for a cash transfer, some of the people said,” the Journal wrote. “In many cases, the impersonator’s grammar was broken and the messages were more formal than the way Wiles typically communicates, people who have received the messages said. The calls and text messages also didn’t come from Wiles’s phone number.”
Sophisticated or not, the impersonation campaign was soon punctuated by the murder of Minnesota House of Representatives Speaker Emerita Melissa Hortman and her husband, and the shooting of Minnesota State Senator John Hoffman and his wife. So when FBI agents offered in mid-June to brief U.S. Senate staff on mobile threats, more than 140 staffers took them up on that invitation (a remarkably high number considering that no food was offered at the event).
But according to Sen. Ron Wyden (D-Ore.), the advice the FBI provided to Senate staffers was largely limited to remedial tips, such as not clicking on suspicious links or attachments, not using public wifi networks, turning off bluetooth, keeping phone software up to date, and rebooting regularly.
“This is insufficient to protect Senate employees and other high-value targets against foreign spies using advanced cyber tools,” Wyden wrote in a letter sent today to FBI Director Kash Patel. “Well-funded foreign intelligence agencies do not have to rely on phishing messages and malicious attachments to infect unsuspecting victims with spyware. Cyber mercenary companies sell their government customers advanced ‘zero-click’ capabilities to deliver spyware that do not require any action by the victim.”
Wyden stressed that to help counter sophisticated attacks, the FBI should be encouraging lawmakers and their staff to enable anti-spyware defenses that are built into Apple’s iOS and Google’s Android phone software.
These include Apple’s Lockdown Mode, which is designed for users who are worried they may be subject to targeted attacks. Lockdown Mode restricts non-essential iOS features to reduce the device’s overall attack surface. Google Android devices carry a similar feature called Advanced Protection Mode.
Wyden also urged the FBI to update its training to recommend a number of other steps that people can take to make their mobile devices less trackable, including the use of ad blockers to guard against malicious advertisements, disabling ad tracking IDs in mobile devices, and opting out of commercial data brokers (the suspect charged in the Minnesota shootings reportedly used multiple people-search services to find the home addresses of his targets).
The senator’s letter notes that while the FBI has recommended all of the above precautions in various advisories issued over the years, the advice the agency is giving now to the nation’s leaders needs to be more comprehensive, actionable and urgent.
“In spite of the seriousness of the threat, the FBI has yet to provide effective defensive guidance,” Wyden said.
Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver said Lockdown Mode or Advanced Protection will mitigate many vulnerabilities, and should be the default setting for all members of Congress and their staff.
“Lawmakers are at exceptional risk and need to be exceptionally protected,” Weaver said. “Their computers should be locked down and well administered, etc. And the same applies to staffers.”
Weaver noted that Apple’s Lockdown Mode has a track record of blocking zero-day attacks on iOS applications; in September 2023, Citizen Lab documented how Lockdown Mode foiled a zero-click flaw capable of installing spyware on iOS devices without any interaction from the victim.
Earlier this month, Citizen Lab researchers documented a zero-click attack used to infect the iOS devices of two journalists with Paragon’s Graphite spyware. The vulnerability could be exploited merely by sending the target a booby-trapped media file delivered via iMessage. Apple also recently updated its advisory for the zero-click flaw (CVE-2025-43200), noting that it was mitigated as of iOS 18.3.1, which was released in February 2025.
Apple has not commented on whether CVE-2025-43200 could be exploited on devices with Lockdown Mode turned on. But HelpNetSecurity observed that at the same time Apple addressed CVE-2025-43200 back in February, the company fixed another vulnerability flagged by Citizen Lab researcher Bill Marczak: CVE-2025-24200, which Apple said was used in an extremely sophisticated physical attack against specific targeted individuals that allowed attackers to disable USB Restricted Mode on a locked device.
In other words, the flaw could apparently be exploited only if the attacker had physical access to the targeted vulnerable device. And as the old infosec industry adage goes, if an adversary has physical access to your device, it’s most likely not your device anymore.
I can’t speak to Google’s Advanced Protection Mode personally, because I don’t use Google or Android devices. But I have had Apple’s Lockdown Mode enabled on all of my Apple devices since it was first made available in September 2022. I can only think of a single occasion when one of my apps failed to work properly with Lockdown Mode turned on, and in that case I was able to add a temporary exception for that app in Lockdown Mode’s settings.
My main gripe with Lockdown Mode was captured in a March 2025 column by TechCrunch’s Lorenzo Francheschi-Bicchierai, who wrote about its penchant for periodically sending mystifying notifications that someone has been blocked from contacting you, even though nothing then prevents you from contacting that person directly. This has happened to me at least twice, and in both cases the person in question was already an approved contact, and said they had not attempted to reach out.
Although it would be nice if Apple’s Lockdown Mode sent fewer, less alarming and more informative alerts, the occasional baffling warning message is hardly enough to make me turn it off.
Article tags
Picture this: You’ve just arrived at a bustling airport, exhausted from your journey but excited for your vacation. While waiting for your connecting flight, you pull out your phone to share that first travel selfie or check your hotel reservation. You spot the airport’s free Wi-Fi network and connect without a second thought. What you don’t realize is that you may have just handed cybercriminals the keys to your digital life.
Tourist hotspots—airports, hotels, cafes, and popular destinations have become hunting grounds for hackers who exploit the very convenience that makes these locations attractive to travelers. The combination of rushed tourists, ubiquitous free Wi-Fi, and relaxed security awareness creates the perfect storm for cybercrime.
The statistics paint an alarming picture of just how dangerous public Wi-Fi can be for travelers:
These aren’t just numbers—they represent real people whose vacations turned into identity theft nightmares, drained bank accounts, and compromised personal information that can haunt them for years.
Airport Wi-Fi is known to be a “hacker honeypot” due to typically lax security. Think about it: thousands of tired, distracted travelers pass hrough daily, each carrying devices loaded with personal and financial information. Just one airport network could hold hundreds to thousands of potential targets.
Unsecured hotel networks can be accessed by anyone near the hotel, allowing them to monitor traffic to connected devices. Many hotels prioritize convenience over security, offering open networks that make it trivially easy for cybercriminals to intercept your data.
Popular cafes, restaurants, and tourist attractions often offer free Wi-Fi as a customer amenity. However, public Wi-Fi networks are typically unencrypted, meaning data transmitted over these networks can be intercepted by hackers.
Cybercriminals are now updating an old cybercrime tactic called “evil twin” attacks. Here’s how it works: hackers create fake Wi-Fi networks with names that closely resemble legitimate ones. Instead of connecting to “Airport_WiFi,” you might accidentally connect to “Airport_Wi-Fi” or “Airport_Free_WiFi.” The miniaturization of digital twinning technology has made this kind of cyberattack more appealing to hackers, with the technology to pull it off available for less than $500.
The biggest threat to free Wi-Fi security is the ability for hackers to position themselves between you and the connection point. Instead of your data going directly to its intended destination, it first passes through the hacker’s system, giving them access to everything: emails, passwords, credit card information, and even business credentials.
Hackers use packet sniffing tools to capture and analyze traffic, extracting personal information from unsuspecting users. This sophisticated technique allows cybercriminals to intercept and read data that isn’t properly encrypted, turning your private communications into an open book.
Hackers can use an unsecured Wi-Fi connection to distribute malware. Some have even managed to hack connection points themselves, causing pop-up windows to appear offering fake software updates that actually install malicious code on your device.
“When on vacation, people tend to forget about their online security,” said cybersecurity expert Daniel Markuson. The excitement of travel combined with the stress of navigating unfamiliar places creates a perfect storm where normal security awareness takes a backseat to convenience.
“It is typical to scroll through your phone while waiting for a flight or train. However, when on vacation, people tend to forget about their online security. Hackers take advantage of that and use the public Wi-Fi network weaknesses in airports and train stations to get their hands onto sensitive personal or corporate data”.
Understanding these threats is the first step, but protection requires the right tools. McAfee Mobile Security, available on both the Google Play Store and iOS App Store for iPhones, provides comprehensive protection designed specifically for the challenges travelers face.
McAfee’s automatic VPN proxy ensures secure browsing and hides your IP address for added privacy, while the network scanner and Wi-Fi security verify connections, keeping you safe on public networks.
Receive alerts when connecting to an unsecured Wi-Fi network or hotspot. Wi-Fi scan analyzes networks for security and ensures a safer online connection. This feature acts as your personal network security expert, warning you before you connect to potentially dangerous networks.
Safe Browsing Protection: Block malicious websites automatically so you can browse safely. Safe browsing alerts protect you from phishing and leaking personal info.
Text and Email Scam Detection: Text scam protection filters risky messages and phishing attempts, and blocks harmful sites. Identify risky emails and get scam warnings with email scam protection.
For Android Users: McAfee Mobile Security is available on the Google Play Store. The app combines antivirus protection, VPN security, and identity monitoring in one comprehensive package.
For iPhone Users: iOS users can download McAfee Security from the App Store, providing the same robust protection optimized for Apple devices.
While McAfee’s mobile security provides robust protection, combining it with smart travel habits creates an impenetrable defense:
Verify Network Names Always confirm the exact Wi-Fi network name with establishment staff. Hackers create fake Wi-Fi hotspots that have convincing names designed to trick travelers.
Use Mobile Hotspot When Possible “My favorite way to avoid evil twin attacks is to use your phone’s mobile hotspot if possible,” said cybersecurity expert Brian Callahan. This creates a secure, personal network that only you control.
Disable Auto-Connect Set your mobile device to ‘ask’ before it connects to a Wi-Fi network, rather than automatically connecting to an available network. This simple setting prevents your device from automatically connecting to malicious networks.
Keep Software Updated Updates often include security patches that address vulnerabilities and protect against emerging threats. Before traveling, ensure all your devices and security software are current.
Consider the true cost of a security breach while traveling:
Compare this to the minimal cost of McAfee Mobile Security, which provides comprehensive protection for less than the price of a coffee at most airport cafes.
As cyber threats evolve, traditional security measures like VPNs may no longer be sufficient on their own. However, McAfee’s mobile security suite evolves continuously, incorporating the latest threat intelligence and protection technologies to stay ahead of cybercriminals.
The integration of AI-powered threat detection, real-time network analysis, and behavioral monitoring means your protection improves automatically as new threats emerge.
Don’t let cybercriminals turn your dream vacation into a digital nightmare. Before your next trip:
With the right cybersecurity tools, it’s easy to surf the web securely while exploring new destinations. McAfee Mobile Security ensures that your only worry while traveling is choosing which adventure comes next not whether your personal information is safe.
Your journey should be about creating memories, not dealing with the aftermath of cybercrime. With McAfee Mobile Security protecting your digital life, you can focus on what really matters: enjoying every moment of your travels while staying completely secure. Ready to protect your travels? Download McAfee Mobile Security today from the Google Play Store or iOS App Store and travel with confidence, knowing your digital life is secure no matter where your adventures take you.
The post Why Public Wi-Fi at Tourist Hotspots is a Goldmine for Hackers appeared first on McAfee Blog.
Reports last week detail a “16 billion password leak”, with major news outlets worldwide proclaiming this as one of the “largest data breach in history. The exposed dataset appears to be a massive compilation of previously leaked login credentials combined with recent information harvested from devices infected with a type of malware called an infostealer. The vast amount of stolen login credentials, especially from the platforms people use and rely on every day, serves as a powerful reminder of the need for up-to-date online security combined with strong cyber hygiene.
If cybercriminals get hold of your login credentials, the consequences can be serious—think hijacked social media accounts, stolen identities, phishing attacks launched from your personal email account, and potentially even financial loss. The good news? You can take action right now to boost your security and stay protected from scammers.
Don’t let the “old data” narrative fool you into complacency. As McAfee CTO Steve Grobman notes: “With over 16 billion login credentials exposed worldwide, the scale of this breach is a stark reminder of the prevalence of data leaks and the importance of practicing good cyber hygiene.”
This compilation represents a significant threat because:
Password Reuse Amplifies Risk: If you reuse passwords across multiple sites, one stolen credential can unlock multiple accounts.
Social Media Account Takeovers: “Email and social media logins are particularly valuable, as they allow scammers to reset passwords and dig even deeper into someone’s digital life, even impersonating victims,” Grobman explains.
Identity theft: With access to information, like the username and password for your banking or financial account, cybercriminals could steal your identity to open new accounts, apply for loans, and commit fraud.
Increase in Phishing Attacks: In Grobman’s words: “For cybercriminals, this data is gold. It gives them everything they need to scam, impersonate, and steal. With a trove of personal information circulating widely, people should be on high alert for targeted scam emails and texts that look like they’re from trusted brands or known contacts.”
Ongoing Infostealer Infections on Unprotected Devices: New databases appear “every few weeks” with “fresh, weaponizable intelligence” which means that without the right protection you may have malware on your device silently stealing your data. And according to the researchers, the problem isn’t getting better—it’s accelerating.
Following McAfee’s official guidance, here’s what you need to do immediately:
Before changing any passwords, scan your devices for malware. If you’re concerned that an infostealer might be present on your computer, scan your device with a trusted antivirus program before changing any passwords. Otherwise, newly entered credentials could be stolen as well.
Steve Grobman’s recommendation is clear: “Now is the time to update passwords – especially for email, banking, and shopping accounts.” You should:
Enable Two-Factor Authentication everywhere possible. As our CTO recommends: “Enable two-factor authentication wherever possible” to add that crucial second layer of security.
Use authenticator apps, such as Google Authenticator, Duo, and Authy, and do not use SMS. You should avoid using SMS texts to receive 2FA codes, as threat actors can conduct SIM-swapping attacks to hijack your phone number and obtain them.
Given the elevated risk of targeted scams using your real information, Grobman specifically recommends: ” Use scam detection technology, like McAfee’s Scam Detector, to help flag risky messages before they cause harm.”
While this specific data compilation may contain both older and newer data, it highlights a fundamental truth: your credentials are constantly being targeted by cybercrooks.
The infostealer problem has gotten so pervasive that manual monitoring simply isn’t sufficient anymore. You need automated, professional-grade protection that works 24/7.
Traditional approaches wait for you to discover you’ve been compromised. McAfee’s approach is different:
There are thousands, if not hundreds of thousands, of similarly leaked archives being shared online, resulting in billions of credentials records released for free. This 16 billion record compilation is just the latest in an ongoing parade of massive credential dumps.
The Trend Is Accelerating: As infostealers have become so abundant and commonly used, threat actors release massive compilations for free on Telegram, Pastebin, and Discord to build reputation and attract customers to their paid services.
Given the scale of credential theft over the years, assume some of your information is already in criminal hands. This mindset shift changes everything:
Your credentials are valuable to criminals, and they’re actively working to steal and exploit them. The question isn’t whether your information will appear in future compilations—it’s whether you’ll be protected when it does.
McAfee Identity Monitoring provides timely dark web alerts, complete with guidance on how to quickly secure your info if they’re found in breaches.
Get McAfee+, with all-in-one scam, privacy, and identity protection and gain immediate access to:
Remember: Take this opportunity to update your passwords immediately and improve your cybersecurity habits — because the threat is real, ongoing, and growing.
The post 16 Billion Stolen Logins for Apple, Google, Facebook and More: How to Stay Safe appeared first on McAfee Blog.
As we continue to evolve the field of AI, a new branch that has been accelerating recently is Agentic AI. Multiple definitions are circulating, but essentially, Agentic AI involves one or more AI systems working together to accomplish a task using tools in an unsupervised fashion. A basic example of this is tasking an AI Agent with finding entertainment events I could attend during summer and emailing the options to my family.
Agentic AI requires a few building blocks, and while there are many variants and technical opinions on how to build, the basic implementation typically includes a Reasoning LLM (Large Language Model) – like the ones behind ChatGPT, Claude, or Gemini – that can invoke tools, such as an application or function to perform a task and return results. A tool can be as simple as a function that returns the weather, or as complex as a browser commanding tool that can navigate through websites.
While this technology has a lot of potential to augment human productivity, it also comes with a set of challenges, many of which haven’t been fully considered by the technologists working on such systems. In the cybersecurity industry, one of the core principles we all live by is implementing “security by design”, instead of security being an afterthought. It is under this principle that we explore the security implications (and threats) around Agentic AI, with the goal of bringing awareness to both consumers and creators:
With the proliferation of Agentic AI, we will see both opportunities to make our life better as well as new threats from bad actors exploiting the same technology for their gain, by either intercepting and poisoning legitimate users AI Agents, or using Agentic AI to perpetuate attacks. With this in mind, it’s more important than ever to remain vigilant, exercise caution and leverage comprehensive cybersecurity solutions to live safely in our digital world.
The post Navigating cybersecurity challenges in the early days of Agentic AI appeared first on McAfee Blog.
New online threats emerge every day, putting our personal information, money and devices at risk. In its 2024 Internet Crime Report, the Federal Bureau of Investigation reports that 859,532 complaints of suspected internet crime—including ransomware, viruses and malware, data breaches, denials of service, and other forms of cyberattack—resulted in losses of over $16 billion—a 33% increase from 2023.
That’s why it is essential to stay ahead of these threats. One way to combat these is by conducting virus scans using proven software tools that constantly monitor and check your devices while safeguarding your sensitive information. In this article, we’ll go through everything you need to know to run a scan effectively to keep your computers, phones and tablets in tip-top shape.
Whether you think you might have a virus on your computer or devices or just want to keep them running smoothly, it’s easy to do a virus scan.
Each antivirus program works a little differently, but in general the software will look for known malware with specific characteristics, as well as their variants that have a similar code base. Some antivirus software even checks for suspicious behavior. If the software comes across a dangerous program or piece of code, the antivirus software removes it. In some cases, a dangerous program can be replaced with a clean one from the manufacturer.
Before doing a virus scan, it is useful to know the telltale signs of viral presence in your device. Is your device acting sluggish or having a hard time booting up? Have you noticed missing files or a lack of storage space? Have you noticed emails or messages sent from your account that you did not write? Perhaps you’ve noticed changes to your browser homepage or settings? Maybe you’re seeing unexpected pop-up windows, or experiencing crashes and other program errors. These are just some signs that your device may have a virus, but don’t get too worried yet because many of these issues can be resolved with a virus scan.
Free virus scanner tools, both in web-based and downloadable formats, offer a convenient way to perform a one-time check for malware. They are most useful when you need a second opinion or are asking yourself, “do I have a virus?” after noticing something suspect.
However, it’s critical to be cautious. For one, cybercriminals often create fake “free” virus checker tools that are actually malware in disguise. If you opt for free scanning tools, it is best to lean on highly reputable cybersecurity brands. On your app store or browser, navigate to a proven online scanning tool with good reviews or a website whose URL starts with “https” to confirm you are in a secure location.
Secondly, free tools are frequently quite basic and perform only the minimum required service. If you choose to go this path, look for free trial versions that offer access to the full suite of premium features, including real-time protection, a firewall, and a VPN. This will give you a glimpse of a solution’s comprehensive, multi-layered security capability before you commit to a subscription.
If safeguarding all your computers and mobile devices individually sounds overwhelming, you can opt for comprehensive security products that protect computers, smartphones and tablets from a central, cloud-based hub, making virus prevention a breeze. Many of these modern antivirus solutions are powered by both local and cloud-based technologies to reduce the strain on your computer’s resources.
This guide will walk you through the simple steps to safely scan your computer using reliable online tools, helping you detect potential threats, and protect your personal data.
When selecting the right antivirus software, look beyond a basic virus scan and consider these key features:
The process of checking for viruses depends on the device type and its operating system. Generally, however, the virus scanner will display a “Scan” button to start the process of checking your system’s files and apps.
Here are more specific tips to help you scan your computers, phones and tablets:
If you use Windows 11, go into “Settings” and drill down to the “Privacy & Security > Windows Security > Virus & Threat Protection” tab, which will indicate if there are actions needed. This hands-off function is Microsoft’s own basic antivirus solution called Windows Defender. Built directly into the operating system and enabled by default, this solution provides a baseline of protection at no extra cost for casual Windows users. However, Microsoft is the first to admit that it lags behind specialized paid products in detecting the very latest zero-day threats.
Mac computers don’t have a built-in antivirus program, so you will have to download security software to do a virus scan. As mentioned, free antivirus applications are available online, but we recommend investing in trusted software that is proven to protect you from cyberthreats.
If you decide to invest in more robust antivirus software, running a scan is usually straightforward and intuitive. For more detailed instructions, we suggest searching the software’s help menu or going online and following their step-by-step instructions.
Smartphones and tablets are powerful devices that you likely use for nearly every online operation in your daily life from banking, emailing, messaging, connecting, and storing personal information. This opens your mobile device to getting infected through malicious apps, especially those downloaded from unofficial stores, phishing links sent via text or email, or by connecting to compromised wi-fi networks.
Regular virus scans with a mobile security software are crucial for protecting your devices. Be aware, however, that Android and IOS operating systems merit distinct solutions.
Antivirus products for Android devices abound due to this system’s open-source foundation. However, due to Apple’s strong security model, which includes app sandboxing, traditional viruses are rare on iPhones and iPads. However, these devices are not immune to all threats. You can still fall victim to phishing scams, insecure Wi-Fi networks, and malicious configuration profiles. Signs of a compromise can include unusual calendar events, frequent browser redirects, or unexpected pop-ups.
Apple devices, however, closed platform doesn’t easily accommodate third-party applications, especially unvetted ones. You will most likely find robust and verified antivirus scanning tools on Apple’s official app store.
Before you open any downloaded file or email attachment, it’s wise to check it for threats. To perform a targeted virus scan on a single file, simply right-click the file in Windows Explorer or macOS Finder and select the “Scan” option from the context menu to run the integrated virus checker on a suspicious item.
For an added layer of security, especially involving files from unknown sources, you can use a web-based file-checking service that scans for malware. These websites let you upload a file, which is then analyzed by multiple antivirus engines. Many security-conscious email clients also automatically scan incoming attachments, but a manual scan provides crucial, final-line defense before execution.
Once the scan is complete, the tool will display a report of any threats it found, including the name of the malware and the location of the infected file. If your antivirus software alerts you to a threat, don’t panic—it means the program is doing its job.
The first and most critical step is to follow the software’s instructions. It might direct you to quarantine the malicious file to isolate the file in a secure vault where it can no longer cause harm. You can then review the details of the threat provided by your virus scanner and choose to delete the file permanently, which is usually the safest option.
After the threat is handled, ensure your antivirus software and operating system are fully updated. Finally, run a new, full system virus scan to confirm that all traces of the infection have been eliminated. Regularly backing up your important data to an external drive or cloud service can also be a lifesaver in the event of a serious infection.
The most effective way to maintain your device’s security is to automate your defenses. A quality antivirus suite allows you to easily schedule a regular virus scan so you’re always protected without having to do it manually. A daily quick scan is a great habit for any user; it’s fast and checks the most vulnerable parts of your system. Most antivirus products regularly scan your computer or device in the background, so a manual scan is only needed if you notice something dubious, like crashes or excessive pop-ups. You can also set regular scans on your schedule, but a weekly full scan is ideal.
These days, it is essential to stay ahead of the wide variety of continuously evolving cyberthreats. Your first line of defense against these threats is to regularly conduct a virus scan. You can choose among the many free yet limited-time products or comprehensive, cloud-based solutions.
While many free versions legitimately perform their intended function, it’s critical to be cautious as these are more often baseline solutions while some are malware in disguise. They also lack the continuous, real-time protection necessary to block threats proactively.
A better option is to invest in verified, trustworthy, and all-in-one antivirus products like McAfee+ that, aside from its accurate virus scanning tool, also offers a firewall, a virtual private network, and identity protection. For complete peace of mind, upgrading to a paid solution like McAfee Total Protection is essential for proactively safeguarding your devices and data in real-time, 24/7.
The post How To Do A Virus Scan appeared first on McAfee Blog.
We use our smartphones for everything under the sun, from work-related communication to online shopping, banking transactions, and social media. For this reason, our phones store a lot of personal data, including contacts, account details, and bank account logins.
High online usage also makes your devices vulnerable to viruses, a type of malware that replicate themselves and spread throughout the entire system. They can affect your phone’s performance or, worse, compromise your sensitive information so that hackers can benefit monetarily.
In this article, we will give you a rundown of viruses that can infect your phone and how you can identify and eliminate them. We will also provide some tips for protecting your phone from viruses in the first place.
iPhones and Android devices run on different operating systems, hence differences in how they resist viruses and how these affect each system.
While iOS hacks can still happen, Apple’s operating system is reputed to be highly resistant from viruses because of its design. By restricting interactions between apps, Apple’s operating system limits the movement of a virus across the device. However, if you jailbreak your iPhone or iPad to unlock other capabilities or install third-party apps, then the security restrictions set by Apple’s OS won’t work. This exposes your iPhone and you to vulnerabilities that cybercriminals can exploit.
Android phones, while also designed with cybersecurity in mind, rely on open-source code, making them an easier target for hackers. Additionally, giving users the capability to install third-party apps from alternative app stores such as the Amazon or Samsung Galaxy app stores makes Android devices open to viruses.
Cybercriminals today are sophisticated and can launch a variety of cyberattacks on your smartphone. Some viruses that can infect your phone include:
Ultimately, contracting a virus on your phone or computer comes down to your browsing and downloading habits. These are the most common ways it could happen:
Now that you know how your phone could be infected by a virus, look out for these seven signs that occur when malicious software is present:
Most pop-up ads don’t carry viruses but are only used as marketing tools. However, if you find yourself closing pop-up ads more often than usual, it might indicate a virus on your phone. These ads might be coming from apps in your library that you didn’t install. In this case, uninstall them immediately as they tend to carry malware that’s activated when the app is opened or used.
When you accidentally download apps that contain malware, your device has to work harder to continue functioning. Since your phone isn’t built to support malware, there is a good chance it will overheat.
If your contacts receive unsolicited scam emails or messages on social media from your account, especially those containing suspicious links, a virus may have accessed your contact list. It’s best to let all the recipients know that your phone has been hacked so that they don’t download any malware themselves or forward those links to anybody else.
An unusually slow-performing device is a hint of suspicious activity on your phone. The device may be slowing down because it is working harder to support the downloaded virus. Alternatively, unfamiliar apps might be taking up storage space and running background tasks, causing your phone to run slower.
Are you finding credit card transactions in your banking statements that you don’t recognize? It could be an unfamiliar app or malware making purchases through your account without your knowledge.
A sudden rise in your data usage or phone bill can be suspicious. A virus might be running background processes or using your internet connection to transfer data out of your device for malicious purposes.
An unusually quick battery drain may also cause concern. Your phone will be trying to meet the energy requirements of the virus, so this problem is likely to persist for as long as the virus is on the device.
You may have an inkling that a virus resides in your phone, but the only way to be sure is to check. An easy way to do this is by downloading a trustworthy antivirus app that will prevent suspicious apps from attaching themselves to your phone and secures any public connections you might be using.
Another way to check your phone is to follow these step-by-step processes, depending on the type of phone you use:
Once you have determined that a virus is present on your iPhone or Android device, there are several things you can do.
Caring for your phone is a vital practice to protect your information. Follow these tips to stay safe online and help reduce the risk of your phone getting a virus.
You have come to heavily rely on your smartphones for many online activities and storage of much of your personal data, including contacts, account details, and bank account logins. This puts your devices at high risk of being infected by viruses that impact not just your phone’s performance but also of being compromised by cybercriminals.
To help you protect your device and personal information, the award-winning McAfee Mobile Security solution regularly scans for threats transmitted through suspicious links in text messages, emails or downloads, and blocks them in real time. McAfee Mobile Security is a reputable security application that filters risky emails and phishing attempts so your inbox stays secure, while providing a secure virtual private network. It is also capable of spotting deepfake videos so you can stay ahead of misinformation. With McAfee, you can rest easy knowing your mobile phone is protected from the latest cyberthreats.
The post 7 Signs Your Phone Has a Virus and What You Can Do appeared first on McAfee Blog.
The modern family juggling act has never been more complex—or more dangerous. If you’re caring for aging parents while raising children, you’re part of what researchers call the “Sandwich Generation.” According to Pew Research, nearly half (47%) of adults in their 40s and 50s find themselves wedged between these dual responsibilities. But in today’s digital landscape, this demographic faces a uniquely modern threat: becoming the primary target of an unprecedented scam epidemic.
As a cybersecurity professional who has witnessed the evolution of online threats over two decades, I can tell you that today’s scam landscape is unlike anything we’ve seen before. The stakes are higher, the tactics more sophisticated, and the Sandwich Generation is squarely in the crosshairs.
McAfee’s recent State of the Scamiverse report paints a troubling picture of digital life in the UK. The statistics are staggering: 60% of Brits report either falling victim to an online scam or knowing someone who has. When these attacks succeed, the financial impact is severe—victims lose an average of £936, with some reporting devastating losses exceeding £7,980.
Perhaps most alarming is the speed at which these crimes unfold. A shocking 68% of victims said it took less than an hour to be defrauded, with 48% reporting that fraud occurred within just 30 minutes of engaging with a scammer. This isn’t the slow-burn con artistry of yesteryear—this is lightning-fast digital predation.
The financial losses, while significant, represent only part of the damage. The psychological impact cuts deeper than many realize. Our research shows that 32% of Brits who fell for online scams experienced moderate to significant distress, including anxiety, depression, and damaged self-esteem. For the Sandwich Generation, already stretched thin emotionally and financially, this psychological burden can be overwhelming.
Consider the compounding effects: 80% of scam victims reported that the experience impacted their self-esteem and ability to trust others. When you’re responsible for protecting not just yourself but also tech-savvy teenagers and digitally-vulnerable parents, this erosion of confidence can have far-reaching consequences for your entire family’s digital safety.
From a cybercriminal’s perspective, the Sandwich Generation represents the perfect storm of vulnerability. Here’s why you’re in their crosshairs:
Overwhelm and Distraction: Scam tactics are most effective when targets are tired, rushed, or mentally overloaded. The constant juggling act of work, children’s needs, and aging parents’ care creates exactly these conditions.
Multiple Attack Vectors: You’re not just protecting yourself—you’re managing the digital lives of three generations. Children who overshare on social media and parents who may trust too readily both create entry points for scammers.
The “Family Tech Lead” Burden: In most households, one person becomes the de facto IT support for everyone. If that’s you, you’re essentially protecting three generations of users with the cybersecurity knowledge and tools designed for one.
Time Poverty: When you’re constantly switching between helping with homework, managing medical appointments, and handling your own responsibilities, the careful scrutiny required to spot sophisticated scams becomes nearly impossible.
The repeat victimization rate is particularly concerning. Once scammers identify a successful target, they often share that information within criminal networks, leading to sustained harassment and repeated attempts.
Protecting Your Children (The Digital Natives)
Despite their technological fluency, young people face unique vulnerabilities:
Social Media Saturation: 28% of 18-24-year-olds receive scam messages via social media platforms. The integration of these platforms into daily life makes detection more challenging.
Gaming Community Exploitation: Scammers infiltrate gaming communities with fake giveaways, cryptocurrency cons, and phishing attempts disguised as game-related communications.
Celebrity Deepfake Scams: AI-generated celebrity endorsements for cryptocurrency schemes or investment opportunities are becoming increasingly sophisticated and harder to detect.
Overconfidence Bias: Young people often believe their digital nativity makes them immune to scams, leading to less cautious behavior online.
Protecting Your Parents (The Trusting Generation)
Older adults face different but equally serious threats:
Email-Based Attacks: 67% of over-55s encounter scams primarily through email, a medium they often trust more than social media.
Authority Impersonation: Tech support scams, fake government communications, and bank impersonation attempts exploit older adults’ respect for authority and institutions.
Voice Cloning Threats: 21% of Brits have encountered AI voice scams impersonating loved ones—a particularly dangerous development for older users who may be more trusting of familiar voices.
Isolation Exploitation: Scammers often target older adults during periods of loneliness or health concerns, when they’re more likely to engage with unexpected communications.
Mobile Device Security
Mobile scams have reached epidemic proportions in the UK, with 35% of Brits falling victim to SMS or call-based scams in the past year. The most common mobile threats include:
Package Delivery Scams (33%): “Your parcel couldn’t be delivered” texts that lead to fake websites designed to steal personal information or payment details.
Subscription Renewal Cons (23%): Messages claiming services like Netflix require payment information updates, leading to credential theft or unauthorized charges.
Social Engineering Openers (16%): Simple “Hey, how are you?” messages that gradually build trust before introducing investment or romance scams.
Computer and Email Security
Email remains the primary attack vector, with 32% of Brits falling victim to phishing attempts last year. The sophistication of these attacks has increased dramatically—while 78% of people believe they can spot scams, today’s emails often perfectly mimic legitimate communications.
Artificial intelligence has revolutionized scamming, with 21% of Brits encountering AI-generated scams. The challenge is significant: 53% of people admit that deepfakes are difficult to spot, and the technology improves daily.
Just as you have a fire escape plan, your family needs a comprehensive fraud response strategy. This should include:
Technology alone cannot solve this crisis. The most effective defense combines good security tools with open family communication and ongoing education. Regular conversations about online safety should be as normal as discussions about physical safety.
For Children: Focus on critical thinking skills rather than fear-based messaging. Teach them to question unexpected opportunities and verify information through multiple sources.
For Parents: Emphasize that asking for help with suspicious communications is a sign of wisdom, not weakness. Create an environment where they feel comfortable seeking guidance.
For Everyone: Establish family rules about financial communications—for example, agreeing that no family member will ever ask for money or personal information via text or email without prior verbal confirmation.
The scam landscape evolves constantly, driven by technological advancement and criminal innovation. As someone who has tracked these trends for two decades, I can tell you that the only constant is change. What worked last year may be ineffective today, and tomorrow will bring new challenges.
The key is building adaptable defenses: security awareness that can evolve with threats, technology solutions that update automatically, and family communication patterns that encourage ongoing vigilance without creating paranoia.
The Sandwich Generation faces unique challenges in today’s digital world, but you’re not powerless. By understanding the threat landscape, implementing appropriate security measures, and fostering open communication about online safety, you can protect your family’s financial security and emotional well-being.
Remember that in the UK today, encountering scam attempts isn’t rare—it’s daily. The goal isn’t to avoid all contact with potential threats but to recognize them quickly and respond appropriately. With the right preparation and tools, you can maintain your family’s digital confidence while staying one step ahead of the scammers.
Your role as the family’s digital guardian is challenging, but it’s also crucial. You’re not just protecting money—you’re protecting your family’s trust, confidence, and peace of mind in an increasingly connected world.
Stay vigilant, stay informed, and remember: when in doubt, pause, check, and verify. Your family’s digital safety depends on it.
The post How the Sandwich Generation Can Fight Back Against Scams appeared first on McAfee Blog.
Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.
Image: Infoblox.
In November 2024, researchers at the security firm Qurium published an investigation into “Doppelganger,” a disinformation network that promotes pro-Russian narratives and infiltrates Europe’s media landscape by pushing fake news through a network of cloned websites.
Doppelganger campaigns use specialized links that bounce the visitor’s browser through a long series of domains before the fake news content is served. Qurium found Doppelganger relies on a sophisticated “domain cloaking” service, a technology that allows websites to present different content to search engines compared to what regular visitors see. The use of cloaking services helps the disinformation sites remain online longer than they otherwise would, while ensuring that only the targeted audience gets to view the intended content.
Qurium discovered that Doppelganger’s cloaking service also promoted online dating sites, and shared much of the same infrastructure with VexTrio, which is thought to be the oldest malicious traffic distribution system (TDS) in existence. While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio’s TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.
Digging deeper, Qurium noticed Doppelganger’s cloaking service used an Internet provider in Switzerland as the first entry point in a chain of domain redirections. They also noticed the same infrastructure hosted a pair of co-branded affiliate marketing services that were driving traffic to sketchy adult dating sites: LosPollos[.]com and TacoLoco[.]co.
The LosPollos ad network incorporates many elements and references from the hit series “Breaking Bad,” mirroring the fictional “Los Pollos Hermanos” restaurant chain that served as a money laundering operation for a violent methamphetamine cartel.
The LosPollos advertising network invokes characters and themes from the hit show Breaking Bad. The logo for LosPollos (upper left) is the image of Gustavo Fring, the fictional chicken restaurant chain owner in the show.
Affiliates who sign up with LosPollos are given JavaScript-heavy “smartlinks” that drive traffic into the VexTrio TDS, which in turn distributes the traffic among a variety of advertising partners, including dating services, sweepstakes offers, bait-and-switch mobile apps, financial scams and malware download sites.
LosPollos affiliates typically stitch these smart links into WordPress websites that have been hacked via known vulnerabilities, and those affiliates will earn a small commission each time an Internet user referred by any of their hacked sites falls for one of these lures.
The Los Pollos advertising network promoting itself on LinkedIn.
According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,” a cross-platform browser standard that allows websites to show pop-up messages which appear outside of the browser. For example, on Microsoft Windows systems these notifications typically show up in the bottom right corner of the screen — just above the system clock.
In the case of VexTrio and TacoLoco, the notification approval requests themselves are deceptive — disguised as “CAPTCHA” challenges designed to distinguish automated bot traffic from real visitors. For years, VexTrio and its partners have successfully tricked countless users into enabling these site notifications, which are then used to continuously pepper the victim’s device with a variety of phony virus alerts and misleading pop-up messages.
Examples of VexTrio landing pages that lead users to accept push notifications on their device.
According to a December 2024 annual report from GoDaddy, nearly 40 percent of compromised websites in 2024 redirected visitors to VexTrio via LosPollos smartlinks.
On November 14, 2024, Qurium published research to support its findings that LosPollos and TacoLoco were services operated by Adspro Group, a company registered in the Czech Republic and Russia, and that Adspro runs its infrastructure at the Swiss hosting providers C41 and Teknology SA.
Qurium noted the LosPollos and TacoLoco sites state that their content is copyrighted by ByteCore AG and SkyForge Digital AG, both Swiss firms that are run by the owner of Teknology SA, Giulio Vitorrio Leonardo Cerutti. Further investigation revealed LosPollos and TacoLoco were apps developed by a company called Holacode, which lists Cerutti as its CEO.
The apps marketed by Holacode include numerous VPN services, as well as one called Spamshield that claims to stop unwanted push notifications. But in January, Infoblox said they tested the app on their own mobile devices, and found it hides the user’s notifications, and then after 24 hours stops hiding them and demands payment. Spamshield subsequently changed its developer name from Holacode to ApLabz, although Infoblox noted that the Terms of Service for several of the rebranded ApLabz apps still referenced Holacode in their terms of service.
Incredibly, Cerutti threatened to sue me for defamation before I’d even uttered his name or sent him a request for comment (Cerutti sent the unsolicited legal threat back in January after his company and my name were merely tagged in an Infoblox post on LinkedIn about VexTrio).
Asked to comment on the findings by Qurium and Infoblox, Cerutti vehemently denied being associated with VexTrio. Cerutti asserted that his companies all strictly adhere to the regulations of the countries in which they operate, and that they have been completely transparent about all of their operations.
“We are a group operating in the advertising and marketing space, with an affiliate network program,” Cerutti responded. “I am not [going] to say we are perfect, but I strongly declare we have no connection with VexTrio at all.”
“Unfortunately, as a big player in this space we also get to deal with plenty of publisher fraud, sketchy traffic, fake clicks, bots, hacked, listed and resold publisher accounts, etc, etc.,” Cerutti continued. “We bleed lots of money to such malpractices and conduct regular internal screenings and audits in a constant battle to remove bad traffic sources. It is also a highly competitive space, where some upstarts will often play dirty against more established mainstream players like us.”
Working with Qurium, researchers at the security firm Infoblox released details about VexTrio’s infrastructure to their industry partners. Just four days after Qurium published its findings, LosPollos announced it was suspending its push monetization service. Less than a month later, Adspro had rebranded to Aimed Global.
A mind map illustrating some of the key findings and connections in the Infoblox and Qurium investigations. Click to enlarge.
In March 2025, researchers at GoDaddy chronicled how DollyWay — a malware strain that has consistently redirected victims to VexTrio throughout its eight years of activity — suddenly stopped doing that on November 20, 2024. Virtually overnight, DollyWay and several other malware families that had previously used VexTrio began pushing their traffic through another TDS called Help TDS.
Digging further into historical DNS records and the unique code scripts used by the Help TDS, Infoblox determined it has long enjoyed an exclusive relationship with VexTrio (at least until LosPollos ended its push monetization service in November).
In a report released today, Infoblox said an exhaustive analysis of the JavaScript code, website lures, smartlinks and DNS patterns used by VexTrio and Help TDS linked them with at least four other TDS operators (not counting TacoLoco). Those four entities — Partners House, BroPush, RichAds and RexPush — are all Russia-based push monetization programs that pay affiliates to drive signups for a variety of schemes, but mostly online dating services.
“As Los Pollos push monetization ended, we’ve seen an increase in fake CAPTCHAs that drive user acceptance of push notifications, particularly from Partners House,” the Infoblox report reads. “The relationship of these commercial entities remains a mystery; while they are certainly long-time partners redirecting traffic to one another, and they all have a Russian nexus, there is no overt common ownership.”
Renee Burton, vice president of threat intelligence at Infoblox, said the security industry generally treats the deceptive methods used by VexTrio and other malicious TDSs as a kind of legally grey area that is mostly associated with less dangerous security threats, such as adware and scareware.
But Burton argues that this view is myopic, and helps perpetuate a dark adtech industry that also pushes plenty of straight-up malware, noting that hundreds of thousands of compromised websites around the world every year redirect victims to the tangled web of VexTrio and VexTrio-affiliate TDSs.
“These TDSs are a nefarious threat, because they’re the ones you can connect to the delivery of things like information stealers and scams that cost consumers billions of dollars a year,” Burton said. “From a larger strategic perspective, my takeaway is that Russian organized crime has control of malicious adtech, and these are just some of the many groups involved.”
As KrebsOnSecurity warned way back in 2020, it’s a good idea to be very sparing in approving notifications when browsing the Web. In many cases these notifications are benign, but as we’ve seen there are numerous dodgy firms that are paying site owners to install their notification scripts, and then reselling that communications pathway to scammers and online hucksters.
If you’d like to prevent sites from ever presenting notification requests, all of the major browser makers let you do this — either across the board or on a per-website basis. While it is true that blocking notifications entirely can break the functionality of some websites, doing this for any devices you manage on behalf of your less tech-savvy friends or family members might end up saving everyone a lot of headache down the road.
To modify site notification settings in Mozilla Firefox, navigate to Settings, Privacy & Security, Permissions, and click the “Settings” tab next to “Notifications.” That page will display any notifications already permitted and allow you to edit or delete any entries. Tick the box next to “Block new requests asking to allow notifications” to stop them altogether.
In Google Chrome, click the icon with the three dots to the right of the address bar, scroll all the way down to Settings, Privacy and Security, Site Settings, and Notifications. Select the “Don’t allow sites to send notifications” button if you want to banish notification requests forever.
In Apple’s Safari browser, go to Settings, Websites, and click on Notifications in the sidebar. Uncheck the option to “allow websites to ask for permission to send notifications” if you wish to turn off notification requests entirely.
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows implementation of WebDAV — an HTTP extension that lets users remotely manage files and directories on a server. While WebDAV isn’t enabled by default in Windows, its presence in legacy or specialized systems still makes it a relevant target, said Seth Hoyt, senior security engineer at Automox.
Adam Barnett, lead software engineer at Rapid7, said Microsoft’s advisory for CVE-2025-33053 does not mention that the Windows implementation of WebDAV is listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default.
“The advisory also has attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker’s control,” Barnett said. “Exploitation relies on the user clicking a malicious link. It’s not clear how an asset would be immediately vulnerable if the service isn’t running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, like Server 2025 and Windows 11 24H2.”
Microsoft warns that an “elevation of privilege” vulnerability in the Windows Server Message Block (SMB) client (CVE-2025-33073) is likely to be exploited, given that proof-of-concept code for this bug is now public. CVE-2025-33073 has a CVSS risk score of 8.8 (out of 10), and exploitation of the flaw leads to the attacker gaining “SYSTEM” level control over a vulnerable PC.
“What makes this especially dangerous is that no further user interaction is required after the initial connection—something attackers can often trigger without the user realizing it,” said Alex Vovk, co-founder and CEO of Action1. “Given the high privilege level and ease of exploitation, this flaw poses a significant risk to Windows environments. The scope of affected systems is extensive, as SMB is a core Windows protocol used for file and printer sharing and inter-process communication.”
Beyond these highlights, 10 of the vulnerabilities fixed this month were rated “critical” by Microsoft, including eight remote code execution flaws.
Notably absent from this month’s patch batch is a fix for a newly discovered weakness in Windows Server 2025 that allows attackers to act with the privileges of any user in Active Directory. The bug, dubbed “BadSuccessor,” was publicly disclosed by researchers at Akamai on May 21, and several public proof-of-concepts are now available. Tenable’s Satnam Narang said organizations that have at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible.
Adobe has released updates for Acrobat Reader and six other products addressing at least 259 vulnerabilities, most of them in an update for Experience Manager. Mozilla Firefox and Google Chrome both recently released security updates that require a restart of the browser to take effect. The latest Chrome update fixes two zero-day exploits in the browser (CVE-2025-5419 and CVE-2025-4664).
For a detailed breakdown on the individual security updates released by Microsoft today, check out the Patch Tuesday roundup from the SANS Internet Storm Center. Action 1 has a breakdown of patches from Microsoft and a raft of other software vendors releasing fixes this month. As always, please back up your system and/or data before patching, and feel free to drop a note in the comments if you run into any problems applying these updates.
Image: Mark Rademaker, via Shutterstock.
Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America’s largest Internet service providers (ISPs).
The findings come in a report examining how the Russian invasion has affected Ukraine’s domestic supply of Internet Protocol Version 4 (IPv4) addresses. Researchers at Kentik, a company that measures the performance of Internet networks, found that while a majority of ISPs in Ukraine haven’t changed their infrastructure much since the war began in 2022, others have resorted to selling swathes of their valuable IPv4 address space just to keep the lights on.
For example, Ukraine’s incumbent ISP Ukrtelecom is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war, Kentik found. Although much of that former IP space remains dormant, Ukrtelecom told Kentik’s Doug Madory they were forced to sell many of their address blocks “to secure financial stability and continue delivering essential services.”
“Leasing out a portion of our IPv4 resources allowed us to mitigate some of the extraordinary challenges we have been facing since the full-scale invasion began,” Ukrtelecom told Madory.
Madory found much of the IPv4 space previously allocated to Ukrtelecom is now scattered to more than 100 providers globally, particularly at three large American ISPs — Amazon (AS16509), AT&T (AS7018), and Cogent (AS174).
Another Ukrainian Internet provider — LVS (AS43310) — in 2022 was routing approximately 6,000 IPv4 addresses across the nation. Kentik learned that by November 2022, much of that address space had been parceled out to over a dozen different locations, with the bulk of it being announced at AT&T.
IP addresses routed over time by Ukrainian provider LVS (AS43310) shows a large chunk of it being routed by AT&T (AS7018). Image: Kentik.
Ditto for the Ukrainian ISP TVCOM, which currently routes nearly 15,000 fewer IPv4 addresses than it did at the start of the war. Madory said most of those addresses have been scattered to 37 other networks outside of Eastern Europe, including Amazon, AT&T, and Microsoft.
The Ukrainian ISP Trinity (AS43554) went offline in early March 2022 during the bloody siege of Mariupol, but its address space eventually began showing up in more than 50 different networks worldwide. Madory found more than 1,000 of Trinity’s IPv4 addresses suddenly appeared on AT&T’s network.
Why are all these former Ukrainian IP addresses being routed by U.S.-based networks like AT&T? According to spur.us, a company that tracks VPN and proxy services, nearly all of the address ranges identified by Kentik now map to commercial proxy services that allow customers to anonymously route their Internet traffic through someone else’s computer.
From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer. These services can be used for several business purposes, such as price comparisons, sales intelligence, web crawlers and content-scraping bots. However, proxy services also are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.
IPv4 address ranges are always in high demand, which means they are also quite valuable. There are now multiple companies that will pay ISPs to lease out their unwanted or unused IPv4 address space. Madory said these IPv4 brokers will pay between $100-$500 per month to lease a block of 256 IPv4 addresses, and very often the entities most willing to pay those rental rates are proxy and VPN providers.
A cursory review of all Internet address blocks currently routed through AT&T — as seen in public records maintained by the Internet backbone provider Hurricane Electric — shows a preponderance of country flags other than the United States, including networks originating in Hungary, Lithuania, Moldova, Mauritius, Palestine, Seychelles, Slovenia, and Ukraine.
AT&T’s IPv4 address space seems to be routing a great deal of proxy traffic, including a large number of IP address ranges that were until recently routed by ISPs in Ukraine.
Asked about the apparent high incidence of proxy services routing foreign address blocks through AT&T, the telecommunications giant said it recently changed its policy about originating routes for network blocks that are not owned and managed by AT&T. That new policy, spelled out in a February 2025 update to AT&T’s terms of service, gives those customers until Sept. 1, 2025 to originate their own IP space from their own autonomous system number (ASN), a unique number assigned to each ISP (AT&T’s is AS7018).
“To ensure our customers receive the best quality of service, we changed our terms for dedicated internet in February 2025,” an AT&T spokesperson said in an emailed reply. “We no longer permit static routes with IP addresses that we have not provided. We have been in the process of identifying and notifying affected customers that they have 90 days to transition to Border Gateway Protocol routing using their own autonomous system number.”
Ironically, the co-mingling of Ukrainian IP address space with proxy providers has resulted in many of these addresses being used in cyberattacks against Ukraine and other enemies of Russia. Earlier this month, the European Union sanctioned Stark Industries Solutions Inc., an ISP that surfaced two weeks before the Russian invasion and quickly became the source of large-scale DDoS attacks and spear-phishing attempts by Russian state-sponsored hacking groups. A deep dive into Stark’s considerable address space showed some of it was sourced from Ukrainian ISPs, and most of it was connected to Russia-based proxy and anonymity services.
According to Spur, the proxy service IPRoyal is the current beneficiary of IP address blocks from several Ukrainian ISPs profiled in Kentik’s report. Customers can chose proxies by specifying the city and country they would to proxy their traffic through. Image: Trend Micro.
Spur’s Chief Technology Officer Riley Kilmer said AT&T’s policy change will likely force many proxy services to migrate to other U.S. providers that have less stringent policies.
“AT&T is the first one of the big ISPs that seems to be actually doing something about this,” Kilmer said. “We track several services that explicitly sell AT&T IP addresses, and it will be very interesting to see what happens to those services come September.”
Still, Kilmer said, there are several other large U.S. ISPs that continue to make it easy for proxy services to bring their own IP addresses and host them in ranges that give the appearance of residential customers. For example, Kentik’s report identified former Ukrainian IP ranges showing up as proxy services routed by Cogent Communications (AS174), a tier-one Internet backbone provider based in Washington, D.C.
Kilmer said Cogent has become an attractive home base for proxy services because it is relatively easy to get Cogent to route an address block.
“In fairness, they transit a lot of traffic,” Kilmer said of Cogent. “But there’s a reason a lot of this proxy stuff shows up as Cogent: Because it’s super easy to get something routed there.”
Cogent declined a request to comment on Kentik’s findings.
Summer vacation season is upon us, and millions of families are booking accommodations for their dream getaways. But with the surge in travel bookings comes an unfortunate reality: accommodation scams are on the rise, and they’re becoming increasingly sophisticated. As a cybersecurity professional, I’ve seen how devastating these scams can be—not just financially, but emotionally, when your family vacation turns into a nightmare.
The good news? With the right knowledge and proactive measures, you can protect yourself and your family from these predators. Even better, if you do fall victim to a scam, there are specific steps you can take to minimize the damage and potentially recover your losses.
Travel accommodation fraud has skyrocketed in recent years. Scammers have become expert at creating convincing fake listings on legitimate platforms like Airbnb, Booking.com, and even creating entirely fraudulent websites that mimic well-known hotel chains. They steal photos from real properties, craft compelling descriptions, and even create fake reviews to lure unsuspecting travelers.
What makes these scams particularly insidious is the emotional investment. You’re planning a special family vacation, perhaps saving for months, and the excitement of finding what seems like the “perfect” place clouds your judgment. Scammers exploit this vulnerability ruthlessly.
I can tell you that prevention is always your best defense. Here are the warning signs that should make you pause before clicking “book now”:
If you’ve fallen victim to an accommodation scam, time is critical. Here’s what you need to do immediately:
One of the most effective ways to protect your family from travel scams and other online threats is to implement comprehensive digital protection. Solutions like McAfee’s family protection plans offer multiple layers of security that work together to keep scammers at bay.
Modern family protection services provide several key features that directly combat travel scams:
Real-Time Scam Protection: Advanced scam detection technology automatically identifies and blocks fraudulent websites, phishing emails, and suspicious links before you interact with them. This means if you accidentally click on a fake booking site, the protection software will warn you before you enter any personal information.
Secure VPN for Travel Research: When researching accommodations on public Wi-Fi networks (like those in airports or coffee shops), a VPN encrypts your connection, preventing scammers from intercepting your personal information or redirecting you to fake websites.
Financial Transaction Monitoring: Comprehensive protection plans monitor your bank accounts and credit cards for unusual activity (US only), sending immediate alerts if suspicious transactions occur. This early warning system can help you catch fraudulent charges within hours rather than weeks.
Identity Monitoring and Dark Web Surveillance: These services continuously scan the dark web and other sources where stolen personal information is traded, alerting you if your data appears in places it shouldn’t. This is particularly valuable since accommodation scammers often sell stolen personal information to other criminals.
Personal Data Cleanup: Many protection services help identify and remove your personal information from data broker sites that scammers often use to research potential victims and make their approaches more convincing.
For families, comprehensive protection plans typically cover up to six family members, providing each person with their own monitoring and protection while giving parents oversight of their children’s online activities. With identity theft coverage up to $2 million per family and 24/7 restoration assistance, these services provide both prevention and recovery support.
Twenty years in cybersecurity has taught me that the cost of prevention is always less than the cost of recovery. Whether it’s taking time to properly research accommodations, investing in comprehensive family protection software, or educating your family about scam tactics, these upfront investments pay dividends in peace of mind and financial security.
Travel scams prey on our excitement and trust during what should be joyful family times. By staying vigilant, using proper protection tools, and knowing how to respond quickly if something goes wrong, you can ensure your family’s summer vacation memories are made for all the right reasons.
Remember: legitimate accommodation providers want to build trust and will readily provide verification. If anyone pressures you to skip verification steps or pay through unusual methods, walk away. Your family’s safety and financial security are worth more than any “deal” that seems too good to be true.
Safe travels, and remember—the best vacation is one where the only surprises are pleasant ones.
The post What to Do If You Book a Hotel or Airbnb and It Turns Out to Be a Scam appeared first on McAfee Blog.
FreshRSS