Reading view

Nearly 7 Million Driver’s Licenses Exposed in Assurance Breach: This Week in Scams

Millions of Americans hand over personal information every day. They share their data with insurance companies, banks, investment apps, and other services they trust. 

And that’s exactly why cybercriminals target and impersonate those services.

This week, an insurance provider disclosed a breach reportedly affecting nearly 7 million people’s driver’s license numbers, while a California journalist shared how a convincing fake Robinhood text ultimately cost her more than $70,000. 

Here’s what happened, why these scams work, and what you can do to protect yourself This Week in Scams. 

Nearly 7 Million Driver’s License Numbers Exposed in Insurance Data Breach 

One of the largest U.S. data breaches of the year has exposed sensitive information belonging to 6.9 million people. 

According to reporting from TechCrunch, insurance provider AssuranceAmerica confirmed that hackers accessed customer information after compromising an employee account. The company says the stolen data includes names, contact information, driver’s license numbers, insurance policy details, vehicle information, and claims data. 

While the company has not said exactly how the employee’s credentials were compromised, it noted that the attackers targeted an employee account before accessing company systems. 

Why driver’s license numbers matter 

Unlike a password, you can’t simply change your driver’s license number. 

Combined with your name, address, phone number, or other information from previous breaches, driver’s license numbers can be used by criminals to: 

  • Open fraudulent accounts  
  • Impersonate victims during identity verification  
  • Make phishing scams more convincing  
  • Support broader identity theft schemes  

This is also part of a larger trend. In recent months, multiple breaches have exposed government-issued identity documents as more organizations collect IDs for identity verification and age-check requirements. 

If you receive a notice that your information was involved in a breach, monitor your financial accounts closely, consider placing a fraud alert or credit freeze, and remain cautious of unexpected emails, texts, or phone calls referencing your insurance or driver’s license information. 

Unfortunately, scammers will reach out saying they’re trying to “help” secure your stolen information, only to try and steal more personal data from you.

How McAfee Can Help Before, During, and After a Data Breach

Before a breach

Personal Data Cleanup helps reduce your digital footprint by removing your personal information from many data broker sites, limiting what scammers can easily find about you.

During a breach

Identity Monitoring alerts you if your personal information appears on the dark web or in known data leaks, helping you respond faster if your information is exposed.

After a breach

Scam Detector helps identify suspicious texts, emails, and links that often follow major breaches, while Web Protection helps block malicious websites designed to steal additional information or credentials.

Fake Robinhood Text Scam Costs Former News Anchor More Than $70,000 

Even people who report on scams can become victims. 

A former California television news anchor recently shared how she lost more than $70,000 after receiving what appeared to be a legitimate text message claiming there was suspicious activity on her Robinhood investment account. 

The message instructed her to call a phone number for assistance. Once connected, the caller posed as Robinhood support before transferring her to a fake “fraud department.” 

Believing she was protecting her investments from hackers, she was convinced to move her money into what she thought was a secure account. Instead, it went directly to scammers. 

She later contacted Robinhood through the official app, but by then the money had already been transferred. 

Why investment scams are becoming more convincing 

Investment scams rely on urgency, authority, and impersonation rather than obvious phishing emails. 

Rather than asking targets to “invest” immediately, many scams begin by convincing people that their existing account is under attack and immediate action is needed. 

At McAfee, we’ve also seen scammers impersonate Robinhood, Charles Schwab, cryptocurrency platforms, and other investment services through fraudulent text messages and malicious links promising AI-powered investing, exclusive bonuses, or unusually high returns. 

Whether the message claims your account has been compromised or promises incredible profits, the goal is often the same: get you to click, call, or transfer money before you have time to verify what’s happening. 

Investment Safety Checklist 

Before responding to any message about your investments: 

✅ Never call the phone number provided in a text message or email. Instead, contact your financial institution using the number listed in its official app or website. 

✅ Slow down when someone creates urgency. Claims that your account is being hacked or frozen are designed to make you act before you think. 

✅ Be skeptical of guaranteed returns or AI-powered investment opportunities. Promises of extraordinary profits are a common hallmark of investment fraud. 

✅ Verify alerts through your account directly. If you receive a suspicious notification, log in through the official app, not a link in the message. 

How McAfee Can Help   

With McAfee+, multiple layers work together before any damage is done:  

Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 

Secure VPN keeps your data private, especially on public Wi-Fi  

Web Protection helps block risky sites, even if you do accidentally click 

Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you

Device Security helps detect malicious apps or downloads   

Identity Monitoring alerts you if your personal info appears online in places it shouldn’t, so you can act fast

Personal Data Cleanup helps remove your information from sites selling it. 

Online Account Cleanup assists in taking down your old, forgotten accounts across the web 

Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

The post Nearly 7 Million Driver’s Licenses Exposed in Assurance Breach: This Week in Scams appeared first on McAfee Blog.

  •  

Imposter Scams Are Evolving. Here Are the 10 Identities Scammers Pretend to Be Most.

Imposter scams remain the most reported type of fraud in America for the fifth year in a row, according to new data from the Federal Trade Commission (FTC).  

Americans submitted more than 1 million reports of imposter scams in 2025, making them the agency’s top fraud category once again. Victims reported more than $3.5 billion in losses, though the real number is likely much higher since many scams go unreported.  

But “imposter scam” is a broad category. It doesn’t tell you what these scams actually look like when they land in your inbox, texts, social media DMs, or phone calls. 

To better understand what consumers are encountering every day, McAfee surveyed more than 7,500 people for its State of the Scamiverse report. The results show scammers aren’t just pretending to be one type of person or company. They’re impersonating the brands, services, and people we trust most.  

This week’s edition of This Week in Scams is here ahead of the holiday weekend with the 10 most common identities scammers pretend to be. 

10. Someone Who “Texted the Wrong Number” (20%)

Common scam: An innocent conversation that turns into something more. 

These scams often begin with a harmless message intended for “someone else.” Once you reply, the scammer slowly builds trust over days or even weeks before introducing investment opportunities, romance, or requests for money. 

Unlike traditional phishing, these scams don’t always include suspicious links. 

Why it works: They feel like genuine human conversations rather than obvious scams. 

Learn more about wrong number and pig-butchering scams. 

9. Technology Companies (21%)

Common scam: “Your device has been compromised.” 

These messages impersonate technology companies or cybersecurity brands, claiming your computer or phone has been infected or involved in a security breach. 

Some direct victims to fake technical support, while others encourage downloads of malicious software. 

Why it works: Security alerts are designed to grab attention, and convincing impersonation can make fake warnings look legitimate. 

Learn more about tech support scams. 

8. Banks and Financial Institutions (21%)

Common scam: “We’ve detected suspicious activity on your account.” 

Bank impersonation scams create immediate urgency, asking customers to confirm transactions, secure their accounts, or verify their identity. 

Many direct victims to fake websites or connect them with fraudulent customer support representatives. 

Why it works: Financial security messages naturally demand attention, making people more likely to react before verifying the sender. 

Learn more about banking scams and financial fraud. 

 7. Subscription Services (21%)

Common scam: “Your payment couldn’t be processed.” 

Scammers impersonate streaming services, software subscriptions, and other recurring services, warning that your account will be canceled unless you update your payment information. 

Why it works: Consumers are used to recurring billing notifications, making these messages blend into everyday digital life. 

Learn more about mobile payment and subscription scams. 

6. Auto Warranty Providers (22%)

Common scam: “Your vehicle warranty is about to expire.” 

One of the oldest impersonation scams is still one of the most common. Fraudsters claim your warranty is ending and pressure you to purchase coverage immediately or provide personal information. 

Why it works: Many people aren’t sure when their warranty expires, making the claim difficult to verify on the spot. 

Learn more about these types of robocallers. 

5. Rewards Programs and Survey Companies (22%)

Common scam: “You’ve won a prize.” 

These scams promise gift cards, rewards, or exclusive offers but require you to “verify” your identity or enter payment information to claim them. 

Why it works: The promise of something free lowers skepticism, especially when the message appears to come from a familiar brand. 

Learn more about survey and prize scams.  

4. Retailers and Merchants (26%)

Common scam: Fake invoices for purchases you never made. 

Receiving an invoice for an expensive purchase can trigger panic. Scammers count on victims clicking quickly to dispute the charge, often leading them to malicious websites or fake customer support numbers. 

Why it works: Consumers naturally want to stop fraudulent purchases as quickly as possible. 

Learn more about shopping scams. 

3. Payment Services (27%)

Common scam: “Verify your PayPal account.” 

Messages claiming there’s a problem with your payment account often direct you to fake login pages designed to steal your username, password, or financial information. 

While PayPal is one common example, scammers impersonate many digital payment platforms. 

Why it works: Payment notifications are common, and many consumers don’t think twice before signing in to resolve what appears to be a routine issue. 

Learn more about mobile payment scams.  

2. Social Media Platforms (27%)

Common scam: “Verify your account or it will be suspended.” 

Scammers frequently impersonate platforms like Facebook, Instagram, TikTok, or X, claiming there’s unusual activity or that your account violates community guidelines. 

The goal is usually to steal your login credentials or two-factor authentication codes. 

Why it works: Many people rely on social media for work, business, or staying connected, making the threat of losing access feel urgent. 

Learn more about social media scams.  

1. Delivery Companies (31%)

Common scam: “Your package couldn’t be delivered.” 

Whether you’re waiting for a birthday gift, an online order, or an important package, fake delivery notifications prey on the fact that most people are expecting something to arrive. 

These messages often claim there’s a shipping issue, unpaid delivery fee, or missed package and urge you to click a link immediately. 

Why it works: Package updates have become part of daily life, making fake notifications feel routine rather than suspicious. 

Learn more about delivery scams. 

The Common Thread 

While these scams may look different, they all rely on the same tactic: impersonation. 

“AI has lowered the barrier for creating convincing impersonation scams,” said Abhishek Karnik, Head of Threat Research at McAfee.  

“Scammers can now produce professional-looking emails, realistic websites, and even convincing voices or videos at scale. The result isn’t necessarily more scam types, it’s far more believable versions of the scams people already encounter every day.” 

That mirrors a broader trend McAfee identified in its State of the Scamiverse research: scams are becoming more realistic, more personalized, and harder to distinguish from legitimate communications.  

Americans now receive an average of 14 scam messages every day, spend 114 hours each year deciding what’s real and what’s fake, and one in three say they feel less confident spotting scams than they did a year ago.  

How to Protect Yourself From Impersonation Scams 

If you notice this…  ✅ Do this instead 
A message creates a sense of urgency (“Your account will be suspended,” “Package delivery failed,” “Fraud detected”)  Pause before acting. Scammers want you to make a quick decision before verifying the message. 
You’re asked to click a link or scan a QR code  Open the company’s official website or app yourself instead of using the link in the message. 
The message asks you to verify your account, payment information, or identity  Never enter credentials through an unsolicited message. If you’re concerned, contact the company directly using a trusted phone number or website. 
Someone asks for passwords, one-time verification codes, or payment over text, email, or phone  Legitimate companies won’t ask for this. Don’t share the information, even if the request seems convincing. 
A “wrong number” text quickly becomes unusually friendly or shifts toward investing, crypto, or money  Stop responding and block the sender. Modern scams often begin as seemingly harmless conversations. 

How McAfee Can Help   

With McAfee+, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click 
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

The post Imposter Scams Are Evolving. Here Are the 10 Identities Scammers Pretend to Be Most. appeared first on McAfee Blog.

  •  

McAfee Mobile Security Earns a Perfect AV-TEST Score Yet Again

McAfee Mobile Security has once again earned a perfect score from AV-TEST, one of the cybersecurity industry’s most respected independent testing organizations. 

In AV-TEST’s latest Android security evaluation, McAfee achieved a flawless 18 out of 18 points, receiving perfect 6/6 scores in Protection, Performance, and Usability 

The result also earned McAfee AV-TEST’s highest certification for mobile security. 

More importantly, this isn’t a one-time achievement. McAfee has earned top certification in every AV-TEST Mobile Security evaluation since testing began in 2013, demonstrating more than a decade of consistently delivering industry-leading protection for Android users. 

What is AV-TEST? 

AV-TEST is one of the world’s leading independent cybersecurity testing laboratories. Rather than relying on vendor claims, AV-TEST evaluates security products under controlled, real-world conditions using the same types of threats consumers face every day. 

Its certifications are widely referenced by: 

  • Security experts and reviewers  
  • Technology publications  
  • Product comparison sites  
  • Consumers researching antivirus software  

Because every product is tested using the same methodology, AV-TEST provides an objective benchmark for comparing mobile security solutions. 

How McAfee Was Tested 

For this evaluation, AV-TEST examined 12 Android mobile security products across three equally weighted categories: 

Category  What It Measures 
Protection  Ability to detect and block real-world Android malware and emerging threats 
Performance  Whether the security app slows down your device or drains system resources 
Usability  Accuracy of detections and avoidance of false alarms or unnecessary interruptions 

McAfee earned the maximum possible score in all three categories: 

  • Protection: 6/6  
  • Performance: 6/6  
  • Usability: 6/6 

Overall Score: 18/18 

That means McAfee not only blocked threats effectively, but did so without slowing devices down or generating unnecessary false positives. 

Why These Results Matter 

Mobile devices have become one of our primary ways to bank, shop, communicate, and manage our digital lives. As cybercriminals increasingly target smartphones with malware, phishing attacks, malicious apps, and credential theft, effective mobile protection matters more than ever. 

Independent testing helps separate marketing claims from measurable performance. 

McAfee’s latest AV-TEST results demonstrate that users don’t have to choose between strong security and a smooth mobile experience. The protection works quietly in the background, helping keep devices secure without getting in the way. 

Even more importantly, this latest certification continues a streak that spans more than a decade. Consistently earning perfect scores across changing threat landscapes reflects McAfee’s ongoing investment in protecting customers against today’s evolving mobile threats. 

Mobile Protection You Can Count On 

The award-winning protection recognized by AV-TEST is included in: 

  • McAfee+ Premium  
  • McAfee+ Advanced  
  • McAfee+ Ultimate  
  • McAfee Total Protection  
  • McAfee LiveSafe  
  • McAfee Internet Security  
  • McAfee Business Protection  

Whether you’re protecting your own phone or your entire family’s devices, you’re getting the same independently tested mobile security that continues to earn top marks from one of the industry’s most trusted testing organizations. 

Ready to get protection that doesn’t slow you down? Explore McAfee+ Plans →  

The post McAfee Mobile Security Earns a Perfect AV-TEST Score Yet Again appeared first on McAfee Blog.

  •  

AI Can Find Your Location 91% of the Time Using Just One Photo

summer travel with a smartphone

How AI uses simple details in your photos to pinpoint where you are and why that’s a gold mine for scammers

McAfee Labs Safer Summer Travel Report | Summer 2026 

A Photo Is Worth a Thousand Data Points 

You just got back from a week in Central America. You posted a few shots: the colorful streets of Tulum, a picture of the ancient ruins of Tikal, a close-up of your shrimp tacos. No location tag. No caption naming the city. Just a good photo. 

A few days later, you get a message. It references your bank. It mentions suspicious activity “while traveling internationally.” It feels oddly specific, with details about where you were and when. It feels real. 

These types of personalized scam messages are a growing tactic. And your own photos may have helped write it.

McAfee Labs set out to understand exactly how much location information exists inside an ordinary travel photo, and what that means for the roughly 244 million Americans who travel each year.  

What we found should change the way you think about what you share online: Some AI models have a more than 90% accuracy rate at detecting the location a photo was taken based on the visuals in the photo alone. And critically, that level of accuracy is now achievable using tools that are free and widely accessible. 

That’s why we’ve built tools like McAfee’s Scam Detector that are designed to help spot these kinds of highly targeted, convincing messages before they lead to costly mistakes. 

What We Tested And Why 

The question McAfee Labs wanted to answer was deceptively simple: Can AI look at a travel photo and figure out where it was taken, even without GPS data or location tags? 

Not metadata. Not embedded coordinates. Just the image itself: the background, the architecture, the signage, the light; the visual context that any photo naturally captures. 

To find out, we built an automated testing pipeline and ran it against a dataset of 21,236 travel images sourced from publicly available image sets. We also conducted a separate, more controlled review of 102 additional images to pressure-test our findings. 

We tested two publicly available, large-scale AI vision models that are both freely available. Neither required special access, proprietary data, or advanced technical expertise to run. We used the same tools a scammer could access today. 

Each image was analyzed using a consistent automated prompt asking the model to identify the location depicted (city, country, or region) based solely on visual content. Results were then reviewed by human analysts to validate accuracy and flag edge cases.

What We Found: AI Has a Whopping 91% Accuracy Rate 

The results were striking. 

Gemma3 27B correctly identified the city and country of a travel photo 87% of the time. Qwen3 VL 30B performed even better, reaching 91% accuracy across the same dataset. 

That means in roughly 9 out of 10 cases, an AI model that’s available for free, to anyone, could look at an ordinary travel photo and correctly name where it was taken. This kind of analysis is also how AI tools understand images more broadly, shaping not just scams, but how information shows up in AI-powered answers. 

And when the exact city wasn’t identified, the country alone was almost always correct. For a scammer, that’s more than enough. It’s also enough to turn a vague, generic scam into one that feels specific, timely, and believable. 

What Makes a Photo Easy to Place? 

Certain types of images were identified with even higher confidence: 

  • Photos featuring famous landmarks or recognizable skylines 
  • Images taken in popular tourist destinations with distinctive visual signatures 
  • Photos with visible signage, unique street markings, or local architecture 
  • Images that captured cultural context: transportation, storefronts, food stalls 

Less recognizable scenery, like a generic beach, a rural road, or a hotel room, lowered accuracy. But even in those cases, country-level identification remained high. 

We Tried it. And We Were Spooked. 

To illustrate how simple this was to replicate, we moved outside of McAfee’s labs and asked our less-technical colleagues to try it themselves. No research background required. No special tools. 

Employees uploaded their own personal travel photos, images pulled straight from their camera rolls and never posted publicly, to ChatGPT, Claude, and Copilot, and simply asked each one to identify where the photo was taken. 

The results made people uncomfortable. 

Accuracy dropped compared to our controlled lab tests. But not by much. The models still correctly identified country-level location at a rate that would be more than enough for a scammer to craft a convincing, targeted message. 

The takeaway isn’t that AI has “seen” your photos somewhere before. It’s that a photograph inherently contains an enormous amount of locating information, in the architecture, the light, the signage, the landscape, simply by virtue of existing in the world. You don’t need to geotag a photo for it to give away where you’ve been. 

See It for Yourself 

The following section shows real examples of AI geo-location detection in action, using personal travel photos submitted by our research team. No location tags. No metadata. Just the image and what AI found in it. 

We started with somewhat recognizable structures in the background, and then tried increasingly more obscure backgrounds, trying to reduce faces and backgrounds to foliage only. This is what happened:

Example 1 

Brooke’s honeymoon pictures: This example features a more prominent landmark, helping AI determine the location  specifically. When there’s something recognizable, AI really recognizes it, down to giving you the exact spot on the map you’re at, the history of the location, and tourist information.

Screenshot of ChatGPT conversation identifying the location of a photo
Here, we see AI correctly state this photo was taken in front of “Temple II, Temple of the Masks.”

Example 2 

Sandra’s sunset photoThis example gets more difficult for AI by removing major landmarks and people. ChatGPT was still able to correctly identify the location as Hastings-on-Hudson. 

screenshot of AI correctly identifying location

 

 

Example 3 

Rob’s close-up shot of flowers: Just the close-up image of these tulips was enough for Claude to accurately detect that this photo was taken at Keukenhof gardens in the Netherlands.

AI was able to identify the location of these flowers in a close up.
AI was able to identify the location of these flowers in a close up.

How a Photo Becomes a Scam 

Knowing where someone is or where they’ve recently been is one of the oldest tricks in a scammer’s playbook. But until recently, getting that information required either knowing the person or getting lucky. 

AI removes the guesswork, allowing attackers to build highly specific, contextual scams at scale. 

With geo-location inference this accurate, scammers no longer need to cast a wide net and hope a generic phishing message lands. Instead, they can use publicly shared photos to build a believable context around an attack: 

  • “We detected unusual account activity while you were traveling in [city].” 
  • “Your card was flagged for a transaction in [country] — please verify immediately.” 
  • “Hi, we’re reaching out regarding your recent stay at a hotel in [destination].” 
  • “Hi, it’s [your name], I’m in Mexico and all my cards are being declined. Could you send me $$?” (a message targeting your friends or loved ones) 
  • “We noticed a login attempt from your location in [destination] — please confirm your identity.” 
  • “Your reservation in [city] requires reconfirmation — click here to secure your booking.” 
This is an example of a scam text detected by our research team. Now, imagine if scammers had more information, like the exact tour you were on, where you were, or the stores you shopped at. These details could make messages like this even more convincing and personalized.
This is an example of a scam text detected by our research team. Now, imagine if scammers had more information, like the exact tour you were on, where you were, or the stores you shopped at. These details could make messages like this even more convincing and personalized.

These messages don’t need to be perfectly accurate. They just need to feel plausible and close enough. That is the entire strategy. Familiarity lowers skepticism. Skepticism is what protects you. 

This is what turns mass phishing into hyper-personalized phishing at scale, and it’s why even cautious, digitally savvy travelers are getting caught. 

The Scammer’s New Workflow 

Here’s how straightforward this pipeline can become: 

  1. Find publicly shared travel photos on Instagram, Facebook, or X, no hacking required 
  2. Run them through a freely available AI vision model 
  3. Identify the likely destination, timeframe, and context 
  4. Craft a targeted message referencing that location 
  5. Send it during or shortly after the travel window, when the victim is most likely to believe it 

Steps 1 through 5 can be automated. The whole process scales easily. And the resulting messages feel personal in a way that generic scams never could. 

The Broader Scam Landscape Travelers Face 

Geo-location inference doesn’t exist in a vacuum. It’s one tool in a growing arsenal that scammers deploy specifically against travelers.  

Travelers are operating outside their normal routines, using unfamiliar networks, and making quick financial decisions under time pressure. These behaviors are exactly what make photo-based location inference more actionable for scammers. 

New McAfee consumer research found that more than 1 in 3 Americans have encountered a travel-related cyberthreat, and 41% of those impacted lost money, often exceeding $500. At the same time, rising travel costs and time pressure are pushing people toward faster, riskier decisions. Those are exactly the conditions scammers are built to exploit. 

The data reveals just how exposed travelers make themselves without realizing it. Nearly two-thirds of Americans connect to public Wi-Fi while traveling (63%), and a similar share scan QR codes without verifying where they lead (62%). Almost half use airport Wi-Fi specifically (49%), and 41% admit to trusting travel-related messages without checking the sender. One in five logs into financial apps while on public networks, and the same group shares travel plans in real time on social media. Twenty percent click travel-related links without verifying the source first. And finally, around 1 in 5 (22%) admit to sharing travel plans in real time.  

That last behavior is worth pausing on. Sharing travel plans in real time, on public or semi-public social accounts, is precisely what creates the photo-based location signals this research examines. These behaviors and geo-location exposure are not separate issues. They feed each other. 

Location inference is the key that makes all of those existing vulnerabilities more exploitable. A scammer with a rough idea of where you are does not just have a data point. They have a script. 

Methodology: How We Conducted This Research 

Transparency matters. Here is exactly how this research was conducted. 

Dataset: 21,236 travel images that are publicly available for research, plus a separate controlled set of 102 images contributed by McAfee internal volunteers (never previously posted publicly). 

Models tested: 

  • Gemma3 27B — a multi-model and vision-language model from Google DeepMind 
  • Qwen3 VL 30B — a multi-model and vision-language model from Alibaba’s Qwen team 

It’s important to note that we conducted our testing using large language models running locally on our own computers, rather than through public services such as ChatGPT.  

This more closely reflects how an attacker might operate at scale. Running models locally allows unrestricted, automated generation of large volumes of malicious content without relying on a third-party provider.  

By contrast, cloud-based AI services typically monitor for abuse and may impose rate limits, suspend accounts, or block requests when they detect activity associated with phishing or other malicious behavior. 

Process: An automated Python script submitted each image to both models using a standardized prompt requesting location identification based solely on visual content. No metadata, EXIF data, or file naming conventions were used as inputs. Results were logged programmatically. 

Validation: Image labels were pre-assigned prior to analysis. In cases where geographic names or landmarks could reasonably be interpreted in more than one way, a human reviewer compared the pre-labeled locations and model outputs to ensure consistent categorization.  

For example, the reviewer determined whether Vatican City should be grouped with Rome and whether “Washington D.C.” and “Washington, D.C.” should be treated as the same location. The reviewer did not alter either the original labels or the model results, but instead applied judgment to reconcile ambiguous naming conventions and edge cases. 

Accuracy definition: A result was counted as correct when the model identified the correct city and country. Country-only identification was tracked separately. Both metrics are reported. 

What this research does not claim: This research does not suggest that every travel photo will be correctly identified, or that all publicly available AI tools perform at this level. Results varied by image type, landmark density, and geographic region. The point is not perfect identification,  it’s that accuracy is high enough, and accessible enough, to enable targeted scams at scale. 

About the Consumer Research McAfee commissioned a consumer survey fielded in March 2026 examining travel intentions, travel scam experiences and perceptions, and digital behaviors while traveling. Results referenced here represent a subset of 1,000 U.S. adults over the age of 18. The full study included responses from 6,000 participants across Australia, France, Germany, Japan, the United States, and the United Kingdom. 

How to Protect Yourself 

Knowing the risk exists is the first step. Here’s what to actually do about it. 

Think before you post, especially in real time. The highest-risk window is when you’re still traveling. Posting while you’re in a location gives scammers a live signal. When possible, post after you’ve returned home or delay sharing location-identifiable content by a few days. 

Audit your social media privacy settings. Photos shared publicly are the easiest targets. Restricting your posts to people you know significantly limits the pool of images that can be scraped and analyzed. 

Be skeptical of urgency tied to your location. If a message references where you’ve been, even correctly, treat that as a red flag, not a credibility signal. Scammers use location familiarity precisely because it feels reassuring. 

Go directly to the source. If you receive a message claiming to be from your bank, airline, hotel, or card provider while traveling, don’t click any link in the message. Open a new browser tab and navigate directly to the company’s official website, or call the number on the back of your card. 

Use a travel-specific email or alias. Some travelers use a separate email address for bookings, reservations, and travel apps. This limits the cross-referencing scammers can do between your social media presence and your financial accounts. 

Trust the skepticism, not the familiarity. Modern scams are designed to feel familiar before they feel suspicious. If something creates a sense of urgency around your financial accounts while you’re traveling, slow down. The pressure itself is the warning sign. 

How McAfee Protects You Before, During, and After Travel 

As prices rise and decisions happen in real time, it’s easy to prioritize convenience over caution. But that’s exactly the moment when small checks matter most. 

Stage of Travel  What’s Happening  How McAfee Helps 
Before You Book  Comparing deals, clicking promotions, booking flights and hotels under time pressure  Scam Detector checks links, messages, and booking sites before you click, helping you avoid fake deals and scam listings 
During Your Trip  Connecting to public Wi-Fi, scanning QR codes, receiving travel updates and alerts  VPN helps secure your connection on public Wi-Fi, while Scam Detector flags suspicious messages and unsafe links in real time 
After Your Trip  Accounts remain active, travel data stored across platforms, potential exposure from breaches  Identity Monitoring alerts you if your personal information appears online, helping you act quickly before damage spreads 

With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done.  

So you can focus on your trip, and not on whether that notification is a scam. 

Final Thought 

A travel photo is a memory. It’s also, increasingly, a data point. 

That doesn’t mean you should stop sharing your experiences. It means understanding that the same visual richness that makes a great photo is exactly what AI systems are trained to read. 

Scammers know this. Now you know how to protect yourself. 

This report was produced by McAfee Labs. Research was conducted in 2025–2026 as part of McAfee’s ongoing monitoring of AI-enabled scam vectors. 

The post AI Can Find Your Location 91% of the Time Using Just One Photo appeared first on McAfee Blog.

  •  

Silent Swap: A Crypto Clipper Extension Campaign

Authored by Neil Tyagi

Executive Summary 

McAfee Advanced Threat Research has identified an active browser-extension campaign designed to steal cryptocurrency by silently substituting wallet addresses the moment a user initiates a transaction. The campaign is delivered through unsigned installers — observed in both .NET and Golang variants — that deploy a malicious Chromium extension masquerading as a benign “Google Notes” utility.  

This campaign is related to a previous blog published by McAfee Labs, Sinkholing CountLoader: Insights into Its Recent Campaign, as the threat actor appears to be the same behind both operations. In that earlier research, we analyzed a crypto clipper payload that was injected directly into memory. Here, we examine a different variant of the final-stage payload: a browser-based malicious extension designed to intercept and manipulate cryptocurrency transactions.  

In this report, we detail how the extension operates and provide a technical analysis of the mechanisms that make this threat particularly unique. The extension behaves as a clipboard-aware crypto clipper: it monitors copy-and-paste activity, identifies wallet addresses across multiple blockchains, and swaps them for attacker-controlled addresses just before the victim pastes the content. Because most Blockchain transactions are irreversible, even a single uninterrupted execution is enough to cause permanent financial loss. 

Two characteristics elevate this campaign above the typical clipper threat: 

  1. Chromium trust-layer abuse. The installer secretly forces a malicious browser extension into Chromium-based browsers like Google Chrome, Brave, and Microsoft Edge by modifying protected browser settings files. Normally, these browsers store security verification data (hash/HMAC values) alongside sensitive settings to detect unauthorized changes. The malware recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately. This allows the extension to bypass the normal extension web store installation process and load silently without user approval. However for updated Chrome and edge browser, Victim must manually turn on the developer mode for the extension to load properly, but people with outdated versions of chromium based browsers, remain at high risk. Moreover, for latest versions as well threat attacker can employ social engineering tactics to enable developer mode.
  2. Blockchain-resolved command-and-control. The extension does not contain a hardcoded C2 domain. Instead, it queries a public blockchain RPC endpoint, invokes a read-only smart-contract method, and decodes the response at runtime to reveal its active C2 observed at the time of analysis as Zebregts[.]com 

    This technique, often referred to as “EtherHiding,” complicates takedown efforts because the attacker can rotate infrastructure by updating a smart-contract value rather than redeploying malware. 

McAfee telemetry indicates a globally distributed infection footprint with a pronounced concentration in India. The breadth of the geography suggests opportunistic targeting of consumer cryptocurrency users rather than a region-specific operation. 

Geographical Prevalence  

A map of the world showing countries impacted by this cybersecurity threat.
Our research shows that these are the most affected regions of the globe.

Telemetry analysis indicates that infections are globally distributed, with a significantly higher concentration observed in India compared to other regions.  

The widespread geographic presence highlights the campaign’s broad reach, suggesting opportunistic targeting rather than a region-specific attack. 

The Malicious Extension: “Google Notes” 

This malware is masquerading as a seemingly harmless Google Notes extension. 

The malicious Google Chrome extension.
Figure 1. This image shows the malicious extension at the center of this campaign

 

The dropped extension presents as a minimalist, legitimate-looking note-taking application branded as “Google Notes,” complete with a clean icon and a functional (& simplistic) user interface.  

The cover is calculated: a user who manually opens the extension finds something that behaves as advertised, dampening suspicion. The extension’s malicious logic is implemented in background service-worker scripts and content scripts that operate entirely out of view of the UI. 

A major red flag first appears when adding the extension, which requests  security permissions and access that are disproportionate to a typical notes application: 

  • Access to all URLs , granting content-script injection into every site the user visits. 
  • Browsing history access. 
  • Read and write access to the clipboard. 

Mitigation and Recommendations 

For Consumers 

  1. Before confirming any cryptocurrency transaction, visually verify the first and last six characters of the recipient address against the original source — ideally on a separate device. This single habit defeats the overwhelming majority of clipper attacks. 
  2. Install browser extensions exclusively from the official Chrome Web Store, Edge Add-ons store, or equivalent. An extension that appears in your installed list without a clear memory of having installed it should be treated as suspicious. 
  3. Review the permissions granted to every installed extension. A note-taking tool has no legitimate need for access to all websites, browsing history, or the clipboard. 
  4. Avoid running unsigned executables obtained from non-authoritative sources, particularly those offering free or cracked versions of paid software — a common delivery vector for this category of installer. 
  5. Keep endpoint protection up to date and enabled; McAfee customers are protected against this specific campaign as described below. 

McAfee security solutions help safeguard users at multiple levels: 

1. McAfee detects this threat as CryptoStealer.NE and keeps our customers safe 

Figure 2. This image shows McAfee Antivirus blocking this threat for consumers.
Figure 2. This image shows McAfee Antivirus blocking this threat for consumers.

2. Malicious Download Protection

The installer’s behavior—downloading and executing remote payloads—is flagged and blocked by McAfee before infection completes. All the malicious domains and URLs are blocked by McAfee in our tests. 

3. Network Protection

Connections to known malicious infrastructure (C2 servers) are blocked by McAfee, preventing Wallet address retrieval 

4. Real-Time Threat Intelligence

Because this threat was identified in McAfee telemetry, protections can be rapidly deployed to: 

  • Block similar variants 
  • Detect related infrastructure 
  • Protect customers globally 

How The Threat Campaign Works 

What the Malware Does  

  1. Installs a browser extension silently (web extension sideloading) 
  2. Monitors what you copy and paste (especially crypto addresses) 
  3. Works when you are making a crypto transaction 
  4. Silently replaces the wallet address with the attacker’s address 
  5. Your funds are sent to the attacker instead of the intended recipient 

Because cryptocurrency transactions are typically non-reversible, victims may permanently lose funds. 

Figure 3. How the extension works in a nutshell
Figure 3. How the extension works in a nutshell

 

Key Capabilities Identified 

1. Silent Extension Installation 

The malware does not use the official browser store. Instead, it directly modifies browser files to make the extension appear installed. (Sideloading Browser Extension) 

This bypasses normal security prompts and user awareness. 

Figure 4. Procmon logs showing BaseZipInstaller (malicious web installer) writing into chrome and edge secure preference files
Figure 4. Procmon logs showing BaseZipInstaller (malicious web installer) writing into Chrome and Edge secure preference files

2. Full Browser Access 

Figure 5. Chrome extension Permissions required
Figure 5. Chrome extension Permissions required
Figure 6. Manifest file for web extension
Figure 6. Manifest file for web extension

The malicious extension requests excessive permissions such as: 

  • Access to all websites 
  • Reading browsing history 
  • Reading and modifying clipboard content 

3. Crypto Address Interception

The extension contains logic to detect wallet addresses across multiple cryptocurrencies, including: 

Figure 7. Hardcoded cryptocurrency Regex and fallback address
Figure 7. Hardcoded cryptocurrency Regex and fallback address
  • The fallback wallet addresses shown in the code are not used for every transaction; instead, they serve as a backup mechanism when dynamic address retrieval from the attacker-controlled server fails.  
  • Under normal operation, the extension fetches replacement addresses from a remote server, enabling dynamic and potentially per-victim wallet assignment.  
  • Fallback addresses ensure the attack remains functional even if the command-and-control infrastructure is temporarily unavailable or blocked. 
Figure 8. Malicious extension performing dynamic crypto address resolution
Figure 8. Malicious extension performing dynamic crypto address resolution
  • This function is responsible for obtaining the attacker-controlled replacement wallet address corresponding to a victim’s original address.  
  • It sends the intercepted wallet address to the attacker backend and uses the response to dynamically substitute the original address.  
  • If the backend request fails, the function falls back to a predefined hardcoded wallet address, ensuring uninterrupted malicious activity. 
  • 3J98t1Wxxxx is the address that was copied in the clipboard 

4Detection evasion and stealth 

Figure 8. settings.js file which shows config
Figure 8. Settings.js file which shows config
  • The configuration includes a hardcoded API key, which is used by the extension to authenticate communication with attacker-controlled infrastructure.  
  • An RPC URL pointing to a public blockchain node is leveraged to dynamically resolve backend server information, allowing the attacker to hide critical infrastructure behind decentralized systems.  
  • The presence of a smart contract address and method indicates that the malware retrieves its command-and-control (C2) domain indirectly via blockchain queries, making takedown and tracking more difficult. 
  • Blacklisted domains contains a list of blockchain inspection related websites where the web extension will not work , this is done to not alert the victim while he is trying to paste his own address and view the balance of his wallet or inspect his wallet transactions 
Figure 9. Resolving attacker c2 domain via etherium smart contract (etherhiding)
Figure 9. Resolving attacker C2 domain via Ethereum smart contract (etherhiding)
Figure 10. Request payload with Ethereum contract address
Figure 10. Request payload with Ethereum contract address
  • Dynamic analysis revealed that the malware resolves its command-and-control domain via a blockchain smart contract, which returned the domain devops-offensive[.]cc at runtime.  
  • The response from the blockchain is decoded at runtime, revealing the active C2 domain (devops-offensive.cc).  
  • This domain is not hardcoded, enabling the attacker to update infrastructure without modifying the malware.  
  • The resolved domain is cached locally to maintain persistence and reduce repeated network queries. 
Figure 11. This image shows the long-encoded string with the malicious domain
Figure 11. This image shows the long-encoded string with the malicious domain

This Longencoded string is decoded using this function to give the final attacker domain.

Figure 12. This image shows the final attacker domain
Figure 12. This image shows the final attacker domain

Persistence and Evasion Techniques 

The campaign’s persistence and evasion posture is deliberate and layered. The operator has clearly optimized for two properties: low visibility to the end user, and high resilience against takedown and static analysis. 

Persistence 

  • Extension registration through Secure Preferences tampering ensures the extension loads on every subsequent browser launch without requiring any auxiliary Windows persistence mechanism — no registry Run keys, scheduled tasks, or services that endpoint hunters typically inspect. 
  • Developer mode is enabled programmatically where required, allowing unpacked extensions to persist without triggering the periodic “unpacked extensions warning” flow that Chromium displays to dissuade sideloading. 
  • The cached C2 domain allows the extension to continue operating against a known-good backend even if the blockchain RPC endpoint is briefly unavailable. 

Evasion 

  • The extension’s visible identity — a simple “Google Notes” note-taking application — provides plausible cover against casual inspection of the installed extensions list. 
  • Recomputed HMAC values satisfy Chromium’s integrity verification, avoiding the “extension installed by an unknown source” warning banner that would otherwise alert the user. 
  • The installer self-deletes after execution, removing the most obvious on-disk indicator of initial compromise. 
  • C2 resolution through a public blockchain means that there is no persistent C2 domain observable in the malware bundle itself; network-based detections built against hardcoded indicators will not fire until the domain is resolved and contacted. 
  • Multi-language installer variants (.NET and Golang) reduce the effectiveness of compile-artifact and binary-feature signatures. 
  • Per-address dynamic wallet substitution means that published attacker addresses age rapidly and do not generalize into durable blocklist entries — the defender must block the backend service itself, not the addresses it dispenses. 

Wallet Substitution Logic 

The clipper logic sits in two layers: a content-script layer that monitors clipboard activity and DOM input fields across every visited origin, and a background layer that communicates with the attacker backend to retrieve replacement addresses. 

When the extension observes a copy event, it applies a set of cryptocurrency-specific regular expressions to the clipboard payload. If a match is found, the intercepted address is transmitted to the attacker’s backend over an authenticated request (authenticated with the API key embedded in the configuration). The backend responds with a replacement address specific to the submitted original, and that replacement is written back to the clipboard, overwriting the legitimate address before the victim can paste. 

Testing against a reconstructed backend client — built by re-implementing the extension’s request format and response-decoding logic in Python — produced a revealing behavioural profile: 

  • Bitcoin (BTC), Ethereum, Bitcoin Cash, Ripple, and Dash: Each submitted address is mapped to a unique attacker-controlled address. Re-submitting the same original returns the same replacement, indicating a deterministic one-to-one mapping maintained server-side. 
  • Solana: All submitted addresses collapse to a single attacker address, suggesting the per-victim mapping feature is selectively implemented per chain 

Analyzing Attacker Crypto Wallets 

Based on the code snippets from the web extension responsible for retrieving replacement addresses, a Python script was prepared to programmatically extract attacker wallet addresses. The payload was crafted using the attacker’s own code, and the “get replacement address” snippet was lifted directly from it. The attacker’s logic for decoding data received from the C2 server was also faithfully reimplemented in the script. 

The script was then executed using a few test Bitcoin (BTC) wallet addresses. The results showed that for every Bitcoin address provided, a unique Bitcoin address was returned in response, and all of these returned addresses were valid BTC wallets. This indicates that for every BTC address supplied, the attacker dynamically generates a new wallet tied to that specific input address. Furthermore, when the same address was provided again, the same BTC address was returned — confirming that each victim BTC address is deterministically mapped to a single, specific attacker-controlled address. While some of these attacker wallets contained funds and others were empty, the unknown total number of attacker wallets makes it difficult to put a reliable estimate on how much cryptocurrency has been stolen overall. 

The same behavior was observed for Ethereum, where different wallet addresses were returned for each input. Interestingly, when the script was tested with Solana addresses, only a single address was returned regardless of how many different inputs were provided. This suggests that the attacker has implemented the per-address mapping feature only for specific cryptocurrencies, while others fall back to a single static drop wallet. Because the Solana address is shared across all victims, a noticeable bump in its balance is visible. Additionally, one of the Ethereum addresses uncovered was found to be holding approximately 1,902 USD worth of funds. 

In summary, the cryptocurrencies for which unique per-victim wallet addresses are generated include Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash. 

Fig 13. Payload was crafted as attacker code
Fig 13. Payload was crafted as attacker code
Fig 14.Getting replacement address code snippet taken from attacker code
Fig 14. Getting the replacement address code snippet taken from attacker code
Fig 15. Attackers logic of decoding received data from c2 was also implemented
Fig 15. Attackers’ logic of decoding received data from C2 was also implemented

Running script with few test Bitcoin Wallet addresses 

Fig 16. Every bitcoin address a unique bitcoin address was returned and All addresses are valid BTC wallet address
Fig 16. Every unique Bitcoin address was returned and all addresses are valid BTC wallet addresses
Fig 17. Similarly, Ethereum saw unique addresses
Fig 17. Similarly, Ethereum saw unique addresses
Figure 18: Running Script for Test Solana Addresses
Figure 18: Running Script for Test Solana Addresses

Luckily for Solana we are getting only 1 address when given multiple addresses. This shows that the attacker has implemented this address mapping feature only on specific cryptocurrencies 

Fig. 19 Here you can see a bump in the balance amount
Fig. 19 Here you can see a bump in the balance amount
Fig 20. ETH address was found to be having 1902 USD
Fig 20. The ETH address was found to have 1902 USD

Technical Analysis for .net file (Extension installer) 

Fig. 21 BaseZipInstaller is a .NET installer which is unsigned
Fig. 21 BaseZipInstaller is a .NET installer which is unsigned

 

Fig. 22 Stored Config as seen in Dnspy
Fig. 22 Stored Config as seen in Dnspy
  • The malware embeds a complete configuration JSON directly within the binary, eliminating the need to fetch initial setup data from external sources.  
  • This embedded configuration includes critical details such as API keys, backend server URL, targeted wallet extensions, and the full extension manifest with extensive permissions.  
Fig 23: Main function from where execution starts
Fig 23: Main function from where execution starts
  • The installer retrieves and validates a remote ZIP archive (google-services[.]cc/base[.]zip), which serves as the primary payload for deploying the malicious browser extension, marking the transition from initial infection to browser-level compromise. 
Fig. 24 The extension is created at the following location In system with files which are downloaded as base.zip.
Fig. 24 The extension is created at the following location in the system with files that are downloaded as base.zip.
Fig. 25: Dnspy showing the list of targeted browsers
Fig. 25: Dnspy showing the list of targeted browsers
  • The installer iterates through multiple Chromium-based browsers, including Chrome, Edge, Opera, and Brave, identifying available user profiles on the system.  
  • For each detected profile, the malware forcibly terminates the browser process to safely modify configuration files without interference.  
  • It then injects the malicious extension by directly modifying Secure Preferences and Preferences, enabling the extension to be loaded without user interaction. 
more code
  • The malware identifies browser installation paths by querying standard system directories, enabling it to locate user data folders for Chrome, Edge, Opera, and Brave.  
  • It systematically enumerates browser profiles and specifically looks for the presence of the Secure Preferences file, which stores critical browser configuration and extension data.  
  • By targeting profiles with Secure Preferences, the malware ensures it modifies only valid browser environments, increasing the reliability of extension injection. 
We can see writefile Event on Secure preferences file of chrome and MS Edge , when details of downloaded extension are written to those config files
We can see writefile Event on Secure preferences file of chrome and MS Edge , when details of downloaded extension are written to those config files
Fig 27 Attacker logic to resign the secure preference files
Fig 27 Attacker logic to resign the secure preference files
  • The malware reads and modifies the browser’s Secure Preferences file, which controls installed extensions and their trust state.  
  • It injects the malicious extension into the configuration and attempts to re-sign the modified data, making the changes appear legitimate to the browser’s integrity checks.  
  • The updated configuration is then written back to disk, ensuring the extension is loaded automatically and persists across browser restarts. 
Fig 27B :Extension path is added to chrome secure preferences file
Fig 27B :Extension path is added to chrome secure preferences file
Fig 28: Logic to Manipulate defenses of Brave Bowser
Fig 28: Logic to Manipulate defenses of Brave Bowser
  • For browsers such as Brave and Opera, the malware injects the malicious extension directly into the browser’s configuration by adding entries under the extensions.settings (or extensions.opsettings) section.  
  • It also updates integrity-related fields (protection.macs) to make the injected extension appear trusted by the browser.  
  • Additionally, the malware attempts to enable developer mode programmatically, allowing unpacked extensions to run with fewer restrictions. 
Fig 29: Attacker logic to get device ID used to further calculate integrity Values
Fig 29: Attacker logic to get device ID used to further calculate integrity Values
  • The malware attempts to recompute browser integrity signatures by generating new MAC (Message Authentication Code) values for the modified Secure Preferences file.  
  • It uses system-specific identifiers, such as the machine SID, combined with a seed value to mimic Chrome’s internal verification mechanism.  
  • By recalculating these integrity checks (macs and super_mac), the malware tries to make its unauthorized modifications appear legitimate to the browser. 
Figure 30 Self Deletion Logic
Figure 30 Self-Deletion Logic
  • The malware includes a self-deletion mechanism designed to remove the installer executable after successful execution.  
  • It launches a hidden command prompt process that delays execution briefly before deleting the original file from disk. 

Conclusion 

This campaign is a concise illustration of where consumer-targeted cryptocurrency theft is heading. The operator has taken the oldest and simplest category of crypto malware — the clipper — and quietly upgraded three of its weakest links. Static attacker addresses have been replaced with a server-side, per-victim mapping. Fragile, hardcoded command-and-control domains have been replaced with a blockchain-resolved lookup that an operator can rotate with a single transaction. And a fragile dropper has been replaced with a Chromium extension that lives inside the user’s most trusted application, loaded under the browser’s own integrity signature. 

McAfee will continue to track this campaign and related infrastructure. Our customers are protected by existing detections and will benefit from telemetry-driven updates as new variants and rotated infrastructure are identified. 

Indicators of Compromise (IOC)

Type  Category  Value 
SHA-256  .NET Installer (BaseZipInstaller)  2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf 

053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0 

 

SHA-256  Golang-compiled Installer Variant  11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962   

1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d   

URL  Payload distribution  hxxps://google-services[.]cc/base[.]zip 
Domain  Command-and-Control (resolved via smart contract)  devops-offensive[.]cc 

Zebregts[.]com 

BTC wallet  Crypto wallet  3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy 

1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT 

3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj 

1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX 

Artifact  Sideload target  Chromium Secure Preferences file (Chrome, Edge, Brave, Opera profiles) 
Extension files  manifest.json  

crypto-patterns.js 

 

Interceptor.js 

 

content-script.j  

 

cache.js  

 

domain-resolver.js 

 

service-worker.js 

 

api-client.js 

ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c  

daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b  

6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5 

 

a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01  

 

eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c  

6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8  

 

2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3  

ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2  

 

The post Silent Swap: A Crypto Clipper Extension Campaign appeared first on McAfee Blog.

  •  

The New DoorDash Scam Every Gig Worker Should Know About: This Week in Scams

Millions of Americans rely on apps and online services every day to work, shop, game, and manage their lives. Scammers know that, and they’re hijacking platforms and brands you already trust. 

This week, gig workers were targeted by fake DoorDash support calls designed to steal their earnings, while gamers searching for early access to Grand Theft Auto VI found fraudulent websites promising something Rockstar Games simply isn’t offering. 

Here’s what happened, how these scams work, and the other cybersecurity stories making headlines this week. 

The DoorDash Driver Scam That Can Empty Your Account 

A growing scam targeting DoorDash drivers starts with what appears to be a normal delivery request. 

According to Fox 9 in Minnesotascammers place fake DoorDash orders, then contact drivers while they’re actively completing the delivery. Because the call often arrives during a real order and can even appear to come from DoorDash, victims may believe they’re speaking with legitimate support. 

The caller typically claims there’s an issue with the order or the driver’s account and asks them to verify information or read back security codes. 

Once the scammer gains access, they can change account information, lock the driver out, and redirect earnings into their own accounts. In reported cases, victims lost hundreds of dollars and temporarily lost access to the platform they depend on for income. 

While today’s it’s DoorDash in the headlines, scammers are known to impersonate all types of delivery apps, so gig workers across companies should stay alert. 

How the fake delivery support scams work 

Step  What Happens 
1  Scammers place a fake DoorDash order. 
2  They call the driver pretending to be DoorDash Support. 
3  They request login information or verification codes. 
4  They take over the account and transfer the driver’s earnings. 

Red flags every delivery driver should know 

Pause if you experience: 

  • Unexpected calls asking for verification codes  
  • Requests to confirm login credentials  
  • Pressure to act immediately  
  • Anyone asking you to read a one-time authentication code over the phone  

Legitimate companies generally won’t ask you to share one-time security codes. If you receive an unexpected call, end it and contact support directly through the app. 

Fake GTA 6 Early Access Sites Are Everywhere 

Excitement around Grand Theft Auto VI has created another opportunity for scammers. 

According to Malwarebytes, fraudulent websites are claiming to sell “VIP Early Access” or exclusive versions of GTA 6 months before release. Many of the sites look polished, featuring convincing artwork, countdown timers, and professional checkout pages. 

The catch? They typically require payment in cryptocurrency. 

After victims pay, there’s no game to download because no legitimate early-access version exists. 

How to spot a GTA 6 scam 

If a website promises: 

  • Early access before Rockstar officially releases it  
  • Exclusive playable builds  
  • Secret download links  
  • Crypto-only payment  
  • “Limited VIP access”  

it’s almost certainly a scam. 

Rockstar has announced pre-orders through authorized retailers. Any website claiming to provide playable access before launch should be treated with skepticism. 

Other Scam and Security News This Week 

Police Officer Records Live Scam Call to Show How Social Engineering Works 

A police officer recorded a scam call in real time to demonstrate how quickly criminals try to establish trust, create urgency, and convince victims to share sensitive information. The recording serves as a reminder that scammers often sound calm, professional, and convincing because manipulation, not technology, is their primary weapon. 

Tata Electronics Cyber Incident Raises Supply Chain Questions 

Apple supplier Tata Electronics confirmed it experienced a cybersecurity incident after a ransomware group claimed to publish more than 200,000 files allegedly connected to the company. According to Cybernews and Reuters reporting, the leaked material allegedly includes manufacturing documents and employee information tied to Apple and Tesla. Apple says it is investigating while Tata has not confirmed whether the published files originated from its systems. 

Texas Parks and Wildlife Warns 3 Million Customers About Data Breach 

Texas Parks and Wildlife notified roughly three million hunting and fishing license customers that personal information stored by a third-party vendor may have been accessed during a cyber incident. According to Click2Houston, exposed information may include driver’s license numbers, contact information, and mailing addresses, though officials said Social Security numbers and payment card information were not involved. Impacted customers are being offered identity monitoring. 

How McAfee Can Help  

With McAfee+, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click 
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

The post The New DoorDash Scam Every Gig Worker Should Know About: This Week in Scams appeared first on McAfee Blog.

  •  

Is That Delivery Text Real? How to Spot Package Smishing and Delivery Scams

You’re expecting a package. 

Maybe it’s a birthday gift. Maybe it’s a purchase from a major shopping event. Maybe it’s something you forgot you ordered three days ago. 

Then your phone buzzes. 

Your package couldn’t be delivered.  There’s a problem with your shipping address. 

A small fee is required before delivery can continue. 

“Click here immediately.”

The message feels plausible because so many of us are constantly waiting for packages. And scammers know it. 

According to McAfee’s State of the Scamiverse report, fake delivery and shipping notices are the single most commonly reported scam consumers encounter today, with 31% of people saying they’ve received one. Americans also receive an average of 14 scam messages every day across texts, email, social media, phone calls, and other channels.  

Delivery scams have become one of the internet’s most successful forms of phishing because they exploit something simple: people are already expecting the message. 

Here’s how to spot and stop these scams:

What Is a Delivery Scam? 

A delivery scam is a fraudulent message that pretends to come from a shipping company, retailer, postal service, or delivery provider. 

The goal is usually one of three things: 

  • Steal personal information  
  • Steal financial information  
  • Trick victims into downloading malware or visiting malicious websites  

These scams often impersonate organizations such as: 

  • USPS  
  • UPS  
  • FedEx  
  • DHL  
  • Amazon  
  • Royal Mail  
  • Australia Post  
  • Other local or regional delivery services  

Most delivery scams arrive through text messages, which is why they’re often called package smishing scams. 

What Is Smishing? 

Smishing is a type of phishing attack delivered through SMS text messages. 

The term combines: 

  • SMS (Short Message Service)  
  • Phishing 

Instead of arriving through email, the scam arrives directly on your phone and attempts to create a sense of urgency that encourages immediate action. 

Common examples include: 

  • “Your package could not be delivered.”  
  • “Delivery attempt failed.”  
  • “Update your shipping address.”  
  • “Pay a small customs fee.”  
  • “Confirm delivery information.” 
McAfee's Scam Detector lets you know when delivery messages are scams.
McAfee’s Scam Detector lets you know when delivery messages are scams.

Delivery Scam Red Flags and What to Do 

If You See This Red Flag  Why It’s Suspicious  What To Do 
A package alert when you’re not expecting a delivery  Scammers send messages in bulk hoping someone is waiting for a package  Ignore the message and do not click links 
A request to pay a small fee before delivery  Legitimate carriers rarely collect delivery fees through text messages  Visit the carrier’s official website directly 
A message claiming your address needs verification  Common tactic used to steal personal information  Check shipment status through your retailer or carrier account 
A shortened or unusual link  Scammers often disguise malicious websites  Avoid clicking and manually type the carrier’s website address 
Pressure to act immediately  Urgency is designed to override caution  Pause and verify independently 
Requests for passwords, payment information, or verification codes  Legitimate carriers will not ask for this through text messages  Delete the message and report it as spam 
A delivery app or file download request  May install malware on your device  Never download software from a text message 

Accidentally Clicked a Delivery Scam? Do This Immediately 

What Happened  What To Do 
You only clicked the link  Close the page and do not enter any information 
You entered login credentials  Change your password immediately and enable two-factor authentication 
You entered payment information  Contact your bank or credit card provider right away 
You downloaded a file or app  Delete it and run a security scan 
You’re unsure what information was exposed  Monitor accounts closely for unusual activity 

How McAfee Can Help  

With McAfee+, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

The post Is That Delivery Text Real? How to Spot Package Smishing and Delivery Scams appeared first on McAfee Blog.

  •  

7 Shopping Scams Americans Report Seeing Most: This Week in Scams

Last week, McAfee warned that economic pressure and AI are creating ideal conditions for online shopping scams. 

This week, that warning got another real-world example. 

New reporting revealed that cloned shopping websites have appeared in AI-generated search results, potentially directing consumers to convincing fake storefronts designed to steal payment information and personal data.  

The incident reinforces what McAfee’s latest research found ahead of Prime Day: shoppers are moving faster, trusting deals more readily, and encountering increasingly sophisticated scams. 

Before the summer’s biggest shopping events kick into high gear, let’s get into the sales and Prime Day scams to be aware of and other cybersecurity news making headlines This Week in Scams. 

The Top 7 Shopping Scams to Watch for This Prime Day 

McAfee’s latest research found consumers most frequently encounter the following scams during major sales events: 

  1. Fake shipping confirmations and order updates (34%)  
  2. Delivery company impersonation scams (32%)  
  3. Requests for payment or account information (27%)  
  4. Suspicious account verification alerts (26%)  
  5. Retailer impersonation scams (25%)  
  6. Fake urgency and expiring deal messages (24%)  
  7. Suspicious discount codes and flash-sale offers (22%)  

These scams work because they exploit moments when consumers are already expecting packages, tracking orders, comparing prices, and making quick purchasing decisions. 

McAfee's latest research found consumers most frequently encounter the following scams during major sales events:  Fake shipping confirmations and order updates (34%)   Delivery company impersonation scams (32%)   Requests for payment or account information (27%)   Suspicious account verification alerts (26%)   Retailer impersonation scams (25%)   Fake urgency and expiring deal messages (24%)   Suspicious discount codes and flash-sale offers (22%)  

Prime Day Shopping Safety Checklist 

In McAfee’s new consumer research40% of Americans surveyed said they would trust a lower priced deal without verifying it. That means as costs are climbing, shoppers are less likely to second guess a too-good-to-be-true deal that could be a scam.   

“What the data reflects is that economic pressure has effectively done some of the scammer’s work for them,” says McAfee’s Head of Threat Research Abhishek Karnik.  

“When consumers are already primed to move quickly and prioritize price over authenticity, it takes far less effort to push them toward a bad click or a fraudulent purchase.”  

And reporting that fake shopping sites have appeared in ChatGPT results shows that scammers are adapting to ensure they show up wherever consumers search for products, including AI-powered search experiences. 

That means it’s more important than ever for shoppers to know the red flags, common scams, and protection measures to find deals safely. 

Safety Checklist 

Before making a purchase: 

✓ Verify the website URL 

✓ Compare prices across multiple retailers 

✓ Research unfamiliar sellers 

✓ Be skeptical of discounts exceeding 50-70% 

✓ Never trust a shopping link sent by text 

✓ Use a credit card instead of bank transfer, crypto, or gift cards 

✓ Check independent reviews 

✓ Verify shipping alerts directly through the retailer 

Other Scam and Security News This Week 

Nintendo Investigates Third-Party Employee Data Incident 

According to Kotaku, Nintendo is investigating an alleged data exposure involving TinyPulse, a third-party employee survey platform. An extortion group claiming responsibility for the incident says it possesses employee information and internal communications and demanded a $2 million ransom. Nintendo said its own systems were not compromised and that no customer financial or payment information was accessed. 

Madison Square Garden Data Allegedly Posted Online 

According to 404 Media, hackers linked to the ShinyHunters group have allegedly published data stolen from Madison Square Garden after an extortion attempt. Sample files reviewed by the outlet reportedly contained personal information, talent records, and contact details connected to sports personalities and business operations. 

Novo Nordisk Reports Clinical Trial Data Breach 

According to Yahoo Finance, Novo Nordisk disclosed a data breach involving individuals participating in clinical trials. The company is currently assessing the scope of the exposure while also managing ongoing supply constraints affecting its GLP-1 medications, including Wegovy. 

How McAfee Can Help  

With McAfee+ Premium, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

Plus, click here to get McAfee’s limited-time deals on real-time protection this Amazon Prime Day, from June 23 to June 26.

The post 7 Shopping Scams Americans Report Seeing Most: This Week in Scams appeared first on McAfee Blog.

  •  

ServiceNow Data Exposure and a New VA Scam: This Week in Scams

Most people think a data breach starts with a hacker breaking into a system. 

In reality, and in many cases, it starts with human error or oversight. 

This week, cloud software giant ServiceNow disclosed that a software flaw allowed some customer data to be accessed without authentication, potentially exposing information that should never have been publicly available. 

The incident is a reminder that your personal information can be put at risk even when cybercriminals aren’t directly responsible. 

Here’s what happened and our other This Week in Scams news: 

ServiceNow Bug Left Customer Data Exposed 

ServiceNow, one of the world’s largest enterprise software providers, recently notified some customers that a software bug allowed unauthorized access to data stored on parts of its platform. 

According to reporting by TechCrunch, the flaw could have allowed individuals to access customer data without needing credentials such as a username or password. 

The company says the activity was identified by security researchers participating in vulnerability research rather than malicious hackers. ServiceNow told TechCrunch it found no evidence that bad actors were responsible for the observed activity and said researchers reported the issue through responsible disclosure channels. 

The company patched affected systems on June 5 and launched an investigation into the scope of the exposure. 

Why This Matters 

For consumers, this story highlights an important cybersecurity reality: not every data exposure is the result of a criminal attack. 

Sometimes information becomes accessible because of: 

  • Software bugs 
  • Misconfigured cloud systems 
  • Human error 
  • Security settings that fail to work as intended 

In this case, ServiceNow says the issue stemmed from a platform vulnerability rather than a breach by threat actors. 

However, the outcome can look similar from a customer’s perspective. Information that was intended to remain private may have been accessible to unauthorized parties. 

That’s why it’s important to pay attention to security notifications from companies you do business with, even when reports emphasize there was “no hack.” 

What You Should Do After Any Data Exposure 

Whether a company reports a breach, a vulnerability, or an accidental exposure, the recommended steps are often similar: 

  • Watch for notifications from the affected company. 
  • Change passwords if requested. 
  • Enable multi-factor authentication where available. 
  • Monitor financial and online accounts for unusual activity. 
  • Be alert for phishing emails and scam calls referencing the incident. 

Cybercriminals frequently use news of data exposures to launch follow-up scams targeting affected customers. 

Tools like McAfee Identity Monitoring, Identity Theft Restoration and Cleanup, and Personal Data Cleanup help protect you before and after data breaches.  

Other Scam News This Week 

Here are some other pieces of cybersecurity news making headlines this week.

Veterans Warned About Fake Benefits Postcard Scam 

The Department of Veterans Affairs is warning veterans about fraudulent postcards claiming recipients qualify for additional VA benefits, including healthcare, dental coverage, and other payments. 

The postcards often create urgency, encouraging recipients to call within a few days. Once contact is made, scammers attempt to build trust and collect sensitive information such as Social Security numbers, bank account details, and other personal data. 

The VA says veterans should avoid calling numbers listed on unsolicited mailers and should independently verify benefit information through official VA channels. 

This shows a fraudulent postcard sent
Image: Example Fraudulent Notice Courtesy of Shenandoah County Sheriff’s Office

Childcare Providers Targeted by Fake Check Scam 

The Federal Trade Commission has issued an alert to childcare providers about scammers posing as parents seeking urgent childcare services. 

The scam follows a familiar pattern. The supposed parent sends a check in advance that exceeds the expected payment amount and then asks for the difference to be returned through a payment app, wire transfer, gift card, or another method. 

The problem is that the original check is fake. 

Even if the money initially appears in a bank account, the check can later be reversed, leaving the childcare provider responsible for the loss. 

If someone sends a check and asks you to send part of the money back, that’s one of the clearest warning signs of a fake check scam. 

Microsoft Investigates Open Source Supply Chain Attack 

Microsoft temporarily removed dozens of open source repositories hosted on GitHub after discovering malicious code had been inserted into software projects used by developers. 

According to reportsthe malware was designed to steal passwords and other credentials from users working with AI development tools and cloud services. 

Researchers describe the incident as a supply-chain attack, a type of compromise where attackers target trusted software that may later be downloaded by thousands of users. 

Microsoft says it has notified a limited number of potentially affected customers. 

McAfee Safety Tips This Week 

Not every security incident starts with a hacker. 

Sometimes it’s a bug. Sometimes it’s a fake postcard. No matter how a scam starts, here are a few ways to stay safer: 

  • Verify benefit and financial information through official channels. 
  • Be skeptical of urgent requests involving money or personal information. 
  • Avoid downloading software promoted through social media tutorials. 
  • Never send money back to someone who claims they accidentally overpaid you. 
  • Enable multi-factor authentication on important accounts. 
  • Watch for phishing emails following major breach or exposure announcements. 

How McAfee Protects Your Identity and Privacy 

McAfee is built to stop threats before your identity, accounts, or money are compromised.  

McAfee+ Advanced includes multiple layers of protection: 

Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage   

Secure VPN keeps your data private, especially on public Wi-Fi    

Web Protection helps block risky sites, even if you do accidentally click  

Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you  

Device Security helps detect malicious apps or downloads     

Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast     

Personal Data Cleanup helps remove your information from sites selling it.   

Online Account Cleanup assists in taking down your old, forgotten accounts across the web   

Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks   

The common thread across nearly every scam is trust. Scammers count on people acting before they verify. 

We’ll be back next week with more scams making headlines. 

The post ServiceNow Data Exposure and a New VA Scam: This Week in Scams appeared first on McAfee Blog.

  •  

How to Protect Yourself from Doxxing and Lock Down Your Data

Woman gamer confused at computer

You post an opinion about a contentious issue on social media. Within hours, strangers have shared your home address, your employer’s phone number, and photos of your children’s school. Your inbox floods with threats. Someone calls your workplace demanding that you be fired. A crowd shows up outside your house. What started as online speech has become a safety crisis that follows you everywhere. You’ve been doxed.

If you’re looking for real answers about how to prevent doxxing before it happens or how to respond if you’re already facing harassment, this guide provides actionable strategies to lock down your digital footprint and protect your personal information. 

Key Takeaways

  • Protect yourself from doxxing by reducing exposed data on social media, data broker sites, and public records
  • Secure your accounts with strong passwords, multi-factor authentication, and privacy-focused security tools like a VPN or antivirus protection
  • Platform-specific strategies help prevent doxxing on Discord, Twitter, and other high-risk spaces
  • If you’ve been doxxed, act immediately to document everything, remove content, and involve authorities when threats escalate

What Is Doxing?

Doxxing (sometimes spelled doxing) is the act of publicly exposing someone’s personal information online without their consent. Doxxing is often intended to harass, intimidate, or cause real‑world harm. This information can include a home address, phone number, workplace, family details, or other identifying data.

For a foundational understanding of what doxxing is, why it’s escalating, real‑world examples, and how the law treats doxxing, see our full guide on what is doxxing.

How Do People Get Doxxed? 

Your digital footprint is a jigsaw puzzle spread across the internet, with each piece alone being harmless: a tagged photo here, a WHOIS domain record there, a mention of your hometown in an old forum post. Doxers piece together these fragments using open-source intelligence techniques like reverse image searches, username lookups, and metadata analysis.

Much of the information used in doxing also comes from data brokers, which aggregate public records and purchased data sets. Plus, there are information leaks from data breaches: billions of stolen email addresses, passwords, and personal details circulating on dark web forums.

That data can be cross-referenced with your online purchases, domain registrations, avatars, usernames, and even your writing style. Then there’s what you share and what others share about you on social media. In effect, you are leaving a trail of breadcrumbs every time you interact online. 

Taken together, all these pieces create a detailed profile that doxers weaponize. Once they have your information, they post it on social media, anonymous forums, or dedicated harassment sites along with inflammatory language urging others to contact you.

Campaigns are coordinated across platforms, escalating from online harassment to email and text message threats, and sometimes physical confrontations or swatting attempts that put you in immediate danger.

How to Protect Yourself From Doxing

You shouldn’t have to make yourself invisible online, but you can significantly reduce the information available to potential doxers and make yourself a harder target. Here’s what to do:

Lock Down Your Social Media Accounts

Starting with your social media accounts, go through your privacy settings on every platform you use and maximize protection:

Immediate actions:

  • Set all accounts to private or restrict visibility to friends/followers only
  • Hide your friend lists, location data, and tagged photos from public view
  • Remove personal details like phone numbers, email addresses, birth dates, and hometown from your profile
  • Disable location services and strip metadata from photos before posting
  • Turn off check-ins and location tagging features

Audit Your Digital History:

  • Search your own name and review what appears publicly
  • Delete or edit old posts that mention your home address, children’s schools, or exact workplace
  • Ask family and friends not to tag you in posts that reveal your location or personal details
  • Review and untag yourself from photos that expose identifying information

Platform-Specific Settings:

  • Facebook: Restrict who can see your friends list, past posts, and profile information; disable facial recognition; review tags before they appear on your profile
  • Instagram: Make your account private, disable activity status, restrict comments, and carefully review follower requests before accepting
  • Twitter/X: Protect your tweets, disable photo tagging, hide sensitive content behind warnings, and enable two-factor authentication on a separate device
  • Discord: Use a unique username not tied to other accounts, disable DMs from non-friends, never share your Discord tag publicly, and avoid voice chat in public servers where your voice can be recorded

Remove Your Data from People-Finder Data Broker Sites

Data brokers are companies that mine the internet and public records for financial and credit reports, social media accounts, and more. They then sell that data to advertisers, companies, or individuals who may use it to doxx you.

You might be surprised by how much sensitive information is available to anyone who wants it. Data brokers often have contact information including real names, current and former addresses, birth dates, phone numbers, social media profiles, political affiliations, and other information most consider private.

There are two ways you can remove your personal information from data brokers or people-finder sites: manually or with an automated solution

The Manual Approach:

While you can remove your private information from many data broker sites, they tend to make the process tedious and frustrating. You’ll need to:

  • Identify which sites have your information (search for yourself on sites like Whitepages, Spokeo, BeenVerified, PeopleFinder)
  • Submit individual opt-out requests to each site
  • Follow unique removal processes for each broker (some require email verification, others need physical mail)
  • Re-check periodically as your information may reappear

The Automated Solution:

McAfee Personal Data Cleanup makes this process dramatically easier. Enter your name, date of birth, and home address, and we’ll scan it across high-risk data broker sites and help you remove it automatically.

If you plan to employ other automated data broker removal services, verify that they are reputable before handling over your information. 

Secure WHOIS Records and Domain Privacy

If you own a website, your WHOIS record publicly lists your name, address, phone number, and email unless you take action. Use WHOIS privacy protection (also called domain privacy) through your registrar to replace your personal details with the registrar’s contact information, keeping your personal data out of public domain records. Most registrars offer this service for free or a nominal fee.

Fortify Your Account Security

Anyone who gains access to your email or social media accounts through phishing or a data breach could expose your private conversations, documents, and personal details. Protect yourself with robust security measures: 

Use Strong, Unique Passwords:

  • Use passwords with at least 12-16 characters. Avoid personal information like pet names, birthdates, or family members
  • Never reuse passwords across accounts
  • Use a password manager to generate and store complex passwords securely
  • Change passwords immediately if a service you use reports a data breach

Use Multi-Factor Authentication (MFA):

  • Enable MFA on all critical accounts (email, social media, banking, work accounts)
  • Use app-based authenticators (Google Authenticator, Authy) rather than SMS when possible
  • Store backup codes in a secure location separate from your primary device

Be Vigilant against Phishing:

  • Be suspicious of unexpected emails, texts, or messages requesting login credentials
  • Always verify the sender before clicking links or providing information
  • Check URLs carefully. Phishing sites often use slight misspellings
  • Never enter credentials on a site you reached via a link in an email

Secure Your Document Storage

Keep sensitive documents, such as tax records, passport scans, and financial statements, out of easily searchable email folders or cloud storage that might be compromised. If you store them digitally, use encrypted storage with strong access controls.

Use Privacy and Security Tools

No single tool can prevent all doxing, but layered protection makes a big difference. 

Identity Monitoring Services:

Consider using identity monitoring services that alert you when your personal information appears in new data breaches, on the dark web, or elsewhere it shouldn’t be. Early detection will allow you to act before the information is weaponized.

Comprehensive security suite:

A comprehensive security suite such as McAfee+ helps protect your devices from phishing attacks, malicious websites, and malware that could compromise your accounts. 

Virtual Private Network (VPN):

When browsing on public Wi-Fi networks, your data is at greater risk of being intercepted. A virtual private network gives you an additional layer of protection by hiding your IP address and browsing activities when you’re on an unsecured network.

Encrypted Messaging:

For sensitive conversations, use end-to-end encrypted messaging apps like Signal or WhatsApp rather than standard SMS or unencrypted email.

Educate Your Family, Friends, and Colleagues

You might take every precaution, but if your partner posts a photo of your new house with the address or your colleague tags you in a work event with the location, your efforts are undermined. 

Have honest conversations:

  • Explain why you’re cautious about personal information online
  • Share specific examples of what information should stay private
  • Encourage those close to you to adopt similar privacy practices

Set Family Guidelines:

For the digitally active, younger adults and teens in your family who may not fully understand the risks of oversharing, set family guidelines about what can be posted publicly and what should remain offline. 

Workplace Training:

If you work in education, government, or a high-visibility field, suggest brief safety training sessions for staff to recognize and respond to doxing threats.

What to Do if You’ve Already Been Doxxed

If your information is already out there and you’re facing harassment, here’s how to respond quickly and effectively.

1. Assess the immediate situation

If you’re receiving threats, someone is showing up at your home with the intent to harm, or you believe you’re at risk of swatting, contact local law enforcement immediately. Your physical safety comes first. 

2. Document Everything Thoroughly

Create comprehensive evidence:

  • Take screenshots of every post, message, and webpage that shares your information or threatens you. 
  • Take note of URLs, usernames, timestamps, and platform names 
  • Save original messages and emails. Don’t just screenshot; save the actual files.
  • Record any phone calls if legally permitted in your jurisdiction
  • Keep a detailed timeline of events

These pieces of evidence are essential for pursuing legal action, getting content removed from platforms, and demonstrating the severity of the harassment to law enforcement. 

3. Get Your Content Removed

Platform Reporting:

Use the reporting tools on every platform where your private information has been illegally shared. Platforms can be slow to act, but be persistent and keep submitting reports and escalating through support channels. Clearly cite violations of the platform’s terms of service (most prohibit doxxing), and invoke your legal right to have your personal details removed. 

Remove Data from Website Operators:

If your personal information appears on websites or forums, contact the site administrators directly and request removal. Many will comply, especially if the information was posted without your consent.

Remove Data from Search Results:

Google offers a removal request process for certain types of content:

  • Doxing content (name, address, phone number)
  • Non-consensual intimate images
  • Financial information like bank account numbers
  • Government identification numbers

Submit removal requests through Google’s removal request page.

4. File a Police Report

Consider involving authorities in cases involving:

  • Explicit threats of violence
  • Stalking (repeated, unwanted contact that causes fear)
  • Swatting attempts
  • Targeted campaigns that severely disrupt your life
  • Hacking or unauthorized access to your accounts

Prepare for law enforcement:

  • Bring all your documentation (screenshots, timelines, messages)
  • Be prepared to explain what doxxing is and how it’s affecting you
  • If local police aren’t responsive, reach out to specialized cybercrime units at the state or federal level
  • Consider consulting a lawyer familiar with online harassment cases who can advocate on your behalf

5. Seek Support and Expert Guidance

Don’t face this alone. Seek support from your family, trusted friends, and professionals. Crisis communications organizations or reputation management professionals should be able to offer guidance or connect you with legal resources.

Platform-Specific Protection: Discord, X (Twitter), and Beyond

Different platforms present unique doxxing risks. Here’s how to protect yourself on high-risk spaces:

How to Avoid Getting Doxxed on Discord

Discord’s voice chat and community-focused structure create specific vulnerabilities:

Account Security:

  • Use a unique username not connected to other social media accounts or your real name
  • Enable two-factor authentication
  • Never share your email address, phone number, or Discord tag publicly
  • Use Discord’s privacy settings to limit who can DM you (friends only)

Voice Chat Precautions:

  • Be aware that voice chat can be recorded without your knowledge in public servers
  • Avoid discussing personal details, location information, or identifiable stories
  • Consider using voice modulation software for high-risk conversations

Server Safety:

  • Only join servers from trusted communities
  • Be cautious about clicking links in Discord (they can lead to IP-grabbing sites)
  • Report suspicious users immediately to server moderators

How to Prevent Doxxing on Twitter

Twitter’s public nature and engagement-driven algorithm make it a prime target for harassment campaigns:

Profile Protection:

  • Protect your tweets (make account private) if you’re at high risk
  • Remove location information from your profile and tweets
  • Don’t use your full legal name as your display name
  • Disable photo tagging to prevent being tagged in revealing photos

Engagement Strategies:

  • Be cautious about what you share publicly, especially during controversial discussions
  • Don’t share photos that reveal your location, workplace, or home
  • Block aggressive users immediately—don’t engage
  • Report coordinated harassment to Twitter’s support team

Advanced Privacy:

  • Use a separate email address for your Twitter account that doesn’t contain your real name
  • Turn on login verification (two-factor authentication)
  • Regularly review connected apps and revoke access to any you don’t recognize or use

How to Avoid Getting Doxxed as a Creator or Public Profile (TikTok, YouTube, Twitch)

Creators and public‑facing accounts face unique risks because content, schedules, and personal details are often shared at scale:

Account & Identity Separation:

  • Use creator accounts that are completely separate from personal email addresses and phone numbers
  • Never link personal social media accounts in public bios or “about” sections
  • Use business contact emails that don’t contain your real name
  • Enable two‑factor authentication on all creator platforms and connected email accounts

Content & Filming Precautions:

  • Be mindful of what appears in the background of photos and videos (windows, street signs, landmarks)
  • Avoid showing mail, packages, or documents with identifying information
  • Delay posting content shot in real‑time to prevent location tracking
  • Disable automatic location tagging and metadata whenever possible

Livestream & Interaction Safety:

  • Avoid sharing schedules, routines, or future travel plans publicly
  • Use chat moderation tools and trusted moderators during live streams
  • Immediately ban users who ask probing personal questions
  • Be cautious with donation messages or alerts that may reveal personal information

Take Control of Your Digital Footprint Today

Doxxing has become an escalating threat in our increasingly connected digital world. But you’re not powerless. By taking proactive steps to reduce your exposed data, secure your accounts, and understand how to respond if targeted, you significantly reduce your risk and increase your ability to protect yourself and your loved ones.

Start with the basics: tighten your social media settings, remove your information from data broker sites, and secure your accounts with strong passwords and multi-factor authentication. Consider installing identity monitoring services, security software, and privacy features to detect threats early and give you time to respond. McAfee+ can help you stay one step ahead of anyone trying to weaponize your information.

If you’ve been doxxed, document everything, report to platforms persistently, and involve law enforcement when threats escalate. You don’t have to face this alone; support resources and professionals are available to help you through the process.

The post How to Protect Yourself from Doxxing and Lock Down Your Data appeared first on McAfee Blog.

  •  

McAfee Wins SE Labs’ Highest Honor for Home Anti-Malware Protection

McAfee is proud to be recognized with the SE Labs Home Anti-Malware Award 2026, one of the most respected independent recognitions in consumer cybersecurity. This marks the second year in a row that McAfee is being recognized with the Home Anti-Malware Award, proving our continued excellence and efficiency.  

Now in its eighth year, the SE Labs Awards honor cybersecurity providers delivering outstanding protection across consumer, small business, and enterprise markets. And McAfee has earned top recognition in the Home Anti-Malware category two years in a row. 

Certificate SE Labs Awards

What Are the SE Labs Awards? 

SE Labs is an independent cybersecurity testing and certification organization. Unlike awards based on self-reported data or marketing claims, SE Labs recognition is grounded in: 

  • Continuous public testing: Products are evaluated through ongoing, real-world assessments, not one-time snapshots 
  • Private assessments: Winners are also evaluated through confidential testing that mirrors actual threat environments 
  • Eight years of credibility: The SE Labs Awards have built a track record as a trusted benchmark for both consumers and industry professionals

This makes the SE Labs Award a comprehensive measure of real-world security performance, not just lab scores. 

What the Home Anti-Malware Award Means 

The Home Anti-Malware category specifically recognizes consumer security products that demonstrate exceptional ability to detect, block, and remedy malware threats targeting everyday users. 

Winning this award means McAfee’s protection performed at a level SE Labs considers outstanding, not just effective on paper, but proven against the kind of threats real households face: ransomware, trojans, spyware, phishing-delivered payloads, and more. 

Simon Edwards, Founder and CEO of SE Labs, offered this comment on the 2026 winners: 

“The SE Labs Awards recognises the vendors that are making a real difference in keeping systems secure. Winning an award is a significant achievement. It reflects not only strong product performance in our tests but also the commitment of the teams behind the technology. Congratulations to McAfee on its success.” 

Independent Validation. Not a Marketing Claim 

There’s an important distinction between a company saying its product is effective and an independent lab proving it. 

SE Labs operates separately from the vendors it tests. Its methodology is transparent, its testing is repeatable, and its results are used by journalists, analysts, and buyers to make real purchasing decisions.  

When SE Labs names McAfee a winner, that recognition carries the weight of a process that can’t be paid for or manufactured. 

That’s what makes this award meaningful, and what separates it from a badge a company designs for itself. 

How McAfee Fights Malware 

Malware today doesn’t just arrive as a suspicious download. It hides in phishing texts, fake links, malicious QR codes, and compromised websites. And by the time most people realize something is wrong, the damage is already done. 

McAfee is built to stop threats at every point in that chain. 

Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage  

Secure VPN keeps your data private, especially on public Wi-Fi   

Web Protection helps block risky sites, even if you do accidentally click 

Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you 

Device Security helps detect malicious apps or downloads    

Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast    

Personal Data Cleanup helps remove your information from sites selling it.  

Online Account Cleanup assists in taking down your old, forgotten accounts across the web  

Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks  

Together, these protections are designed to address the broader range of online risks people face every day.  

Which McAfee Plans Include This Protection? 

The same AI-powered threat protection that earned the SE Labs Home Anti-Malware Award is available across every major McAfee plan: 

  • McAfee+ Premium 
  • McAfee+ Advanced 
  • McAfee+ Ultimate 
  • McAfee Total Protection 
  • McAfee LiveSafe

Whether you’re protecting one device or an entire household, you’re getting independently verified, award-winning malware protection under the hood. 

Ready to get protection recognized by the industry’s toughest independent testers? Explore McAfee+ Plans → 

The post McAfee Wins SE Labs’ Highest Honor for Home Anti-Malware Protection appeared first on McAfee Blog.

  •  

New Research: Rising Costs Are Driving Consumers to Ignore Scam Instincts for Better Deals

Most people don’t get scammed because they ignore warning signs. 

They get scammed because they find a reason to explain those warning signs away. 

The website looks a little off, but the deal is incredible. The text message is unexpected, but they’re already waiting for a package. The seller is unfamiliar, but the discount is too good to pass up. 

That’s what makes major shopping events such fertile ground for scammers.  

New McAfee research suggests that economic pressure may be making that problem worse, as 40% of consumers say they would trust a lower priced deal without verifying it. That means as costs are climbing, shoppers are less likely to second guess a too-good-to-be-true deal that could be a scam. 

“Anyone who has ever fallen for a scam thought they would recognize one first,” McAfee’s Head of Threat Research Abhishek Karnik reminds shoppers. 

“That confidence is part of what scammers count on,” he says. “Tools like McAfee exist precisely for those moments, flagging suspicious links, messages, and offers in real time, before a split-second decision becomes a costly one.” 

New McAfee Research Reveals the Cost of Deal Hunting 

While most shoppers believe they can spot a scam, McAfee’s new research suggests many are engaging in behaviors that increase their risk. 

Rising Prices Are Driving Riskier Shopping Decisions 

Economic pressure is changing how people shop online. 

McAfee found: 

  • 82% prioritize finding the cheapest deal when shopping online 
  • 55% spend more time hunting for deals 
  • 40% would trust a lower-priced deal without verifying it first 
  • 29% would skip researching a seller if the deal seemed especially good 
  • 27% are more likely to consider unfamiliar sellers because of lower prices 
  • 23% feel pressure to act quickly before deals disappear 

The same behaviors that help shoppers find bargains can also make them more vulnerable to fraud. 

“What the data reflects is that economic pressure has effectively done some of the scammer’s work for them,” says Karnik. “When consumers are already primed to move quickly and prioritize price over authenticity, it takes far less effort to push them toward a bad click or a fraudulent purchase.” 

Infographic, 6 ways rising prices are driving risky shopping behavior

Shopping Scams Are Already Costing Americans Real Money 

The financial impact is significant: 

  • 37% say they have lost money due to online shopping scams or fraud 
  • 45% of victims lost more than $100 
  • 25% lost between $100 and $499 
  • 20% lost $500 or more 
  • 36% were unable to recover any of their money 
5 financial realities of online shopping scams infographic

AI Is Making Shopping Scams Harder to Spot 

Consumers are increasingly aware that artificial intelligence is changing the scam landscape. 

According to McAfee research: 

  • 70% agree AI-generated content is making shopping scams harder to identify 
  • Nearly three-quarters have encountered shopping content they believed was suspicious or AI-generated 

“The signs people have historically relied on, poor grammar, low-quality images, obviously off branding, are no longer reliable,” advises Karnik. “AI has lowered the production cost of a convincing fake to nearly zero.” 

It’s not just a fake landing page fraudsters are creating.  

“AI is being used to make fake review sections, impersonation messages that look exactly like it came from a major retailer, realistic logos, believable URLS,” Karnik says. “When you’re shopping online, you need to adjust your expectations to match that new AI reality.” 

What Are the Most Common Shopping Scams During Major Sales Events? 

Scammers follow consumer attention. 

Whenever millions of people are searching for deals at the same time, scammers create fake websites, impersonate retailers and delivery companies, and use urgency to pressure shoppers into acting before they think. 

Here are some of the most common shopping scams consumers encounter during major sales events, as well as the red flags consumers can watch for: 

Scam Type  How It Works  Red Flags 
Fake shopping websites  Fraudulent websites mimic real retailers and disappear after collecting payments  Prices far below competitors, little company information, newly created websites 
Fake social media ads  Ads promote products that never arrive or are counterfeit  Too-good-to-be-true discounts, limited reviews, unfamiliar brands 
Delivery notification scams  Fake package alerts claim there is an issue with your shipment  Unexpected texts, suspicious links, requests for payment 
Retailer impersonation scams  Messages claim there is a problem with your account or order  Urgent language, login requests, unfamiliar sender addresses 
QR code scams  QR codes redirect shoppers to fraudulent websites  Codes placed on flyers, posters, packages, or public locations 
Brushing scams  Unsolicited packages arrive at your home  Items you never ordered, requests to scan codes or leave reviews 
Fake recall scams  Messages claim a recent purchase has been recalled  Requests for payment, account credentials, or personal information 

 According to McAfee research, consumers most commonly report encountering fake shipping notifications, delivery scams, retailer impersonation scams, account alerts, and suspicious discount offers during major shopping periods. 

How McAfee Can Help 

With McAfee+ Premium, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

Plus, click here to get McAfee’s limited-time deals on real-time protection this Amazon Prime Day, from June 23 to June 26.

About our consumer research 

McAfee surveyed 1,000 U.S. adults in May 2026 as part of a broader study of 5,000 respondents across the U.S., UK, France, Germany, and Japan, focused on online shopping intentions, scam awareness, and purchase behaviors. 

The post New Research: Rising Costs Are Driving Consumers to Ignore Scam Instincts for Better Deals appeared first on McAfee Blog.

  •  

GTA Cheat Users Exposed in Breach as Minecraft Malware Hits 116,000 Players

One gaming cyberattack this week exposed nearly 64,000 users. 

Another has already infected more than 116,000 players.  

Both are connected by the same common gaming behavior: looking for a cheat, mod, or shortcut. 

This week in scam news, a popular Grand Theft Auto V cheat service was hacked, exposing tens of thousands of users. At the same time, McAfee researchers uncovered a massive malware campaign spreading through fake Minecraft mods, cheats, and game clients. 

The takeaway is simple: some of the biggest threats facing gamers aren’t happening inside games. They’re hiding in the downloads, websites, and tools players use around them. 

Let’s start with the GTA breach. 

GTA Cheat Service Breach Exposes Nearly 64,000 Users 

Atlas Menu, a cheat service for Grand Theft Auto V, was reportedly hacked, exposing data belonging to nearly 64,000 users. 

According to reports, the leaked information included: 

  • Email addresses 
  • Usernames 
  • Scrambled passwords 
  • IP addresses 
  • Customer support tickets

The hacker who claimed responsibility later posted the data online. 

Why This Matters 

Many players think of cheats as harmless tools that unlock special abilities, provide advantages, or simply make games more entertaining. 

But unofficial cheat services often operate outside the protections offered by legitimate gaming platforms. 

That means users may be: 

  • Sharing personal information with unknown developers 
  • Downloading unverified software 
  • Exposing themselves to malware 
  • Putting gaming accounts at risk 

And that brings us to an even bigger threat. 

Minecraft Malware Campaign Has Already Infected 116,000 Players 

McAfee researchers recently uncovered a large-scale malware operation targeting gamers searching for Minecraft mods, clients, and cheats. 

The campaign is called WeedHack. 

What Is WeedHack? 

WeedHack is a type of Malware-as-a-Service (MaaS). 

That means cybercriminals package malware into a subscription service that other attackers can use. 

Researchers found that: 

  • More than 116,000 victims have been infected since January 
  • The campaign continues to add roughly 2,000 to 3,000 new victims every day 
  • More than 3,800 malicious files have been identified 
  • More than 240 malicious download URLs have been linked to the operation 

Premium versions reportedly cost as little as $5 per month and include tools that allow attackers to remotely access victims’ devices and webcams. 

What WeedHack Can Steal 

Once installed, the malware can collect: 

  • Minecraft account credentials and session IDs 
  • Discord, Steam, and Telegram credentials 
  • Browser passwords and cookies 
  • Cryptocurrency wallet information 
  • Screenshots and device information 
  • Files stored on a victim’s computer 

Premium versions can also provide: 

  • Live webcam access 
  • Live screen sharing 
  • Remote keyboard and mouse control 
  • Keylogging capabilities 
  • Full remote access to the infected device

Get the full explainer here. 

How McAfee+ Advanced Helps Protect Gamers 

Gaming malware campaigns rely on three things: 

  1. Getting users to visit malicious websites 
  2. Convincing them to download infected files 
  3. Encouraging them to ignore security warnings  

With McAfee+ Advanced, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day.

Other Scam and Cybersecurity News This Week 

Here are some other important headlines to be aware of: 

Carnival Data Breach Impacts Nearly 6 Million Customers 

Carnival Corporation disclosed a data breach affecting nearly six million customers after a social engineering attack allowed an unauthorized individual to gain access to part of the company’s IT systems. 

Exposed information may include: 

  • Names 
  • Addresses 
  • Email addresses 
  • Phone numbers 
  • Dates of birth 
  • Government-issued identification numbers

Affected customers should be alert for phishing emails, fake customer support calls, and identity theft attempts. 

Instagram AI Support Tool Exploit Raises Security Questions 

Instagram says it has fixed an issue that reportedly allowed attackers to manipulate its AI-powered support chatbot and gain access to other users’ accounts. 

According to reports, attackers were allegedly able to influence the account recovery process and associate new email addresses with targeted accounts. 

The incident highlights a growing challenge for AI-powered customer support systems: convenience cannot come at the expense of identity verification. 

AI Voice Cloning Scams Continue to Surge 

Voice cloning scams continue to grow as AI tools make it easier than ever to imitate friends, family members, and coworkers. 

According to FBI data cited this week, Americans lost more than $893 million to AI-related scams last year. 

These scams included: 

  • Voice cloning attacks 
  • AI-generated phishing emails 
  • Romance scams 
  • Other AI-assisted fraud schemes 

If someone calls claiming to be a loved one in distress and urgently requests money, verify the situation through another communication channel before taking action. 

McAfee Safety Tips This Week 

Whether you’re downloading a Minecraft mod or answering an unexpected phone call, the same rule applies: 

Slow down before you click, download, or share information. 

Here are a few ways to stay safer: 

  • Download mods, clients, and game tools only from trusted sources. 
  • Be skeptical of download links shared in YouTube comments, Discord servers, or social media posts. 
  • Never disable antivirus software to install a game mod. 
  • Enable multi-factor authentication on gaming, Discord, and email accounts. 
  • Use unique passwords for gaming accounts. 
  • Treat “free cheats,” exclusive hacks, and too-good-to-be-true downloads with caution. 

We’ll be back next week with more scams making headlines. 

The post GTA Cheat Users Exposed in Breach as Minecraft Malware Hits 116,000 Players appeared first on McAfee Blog.

  •  

New Malware Targeting Minecraft Infects 2K Daily, and Teens are Becoming Attackers

McAfee Labs has discovered a massive, ongoing malware campaign called WeedHack that disguises itself as free Minecraft mods and game clients to infect players’ computers. Since January 2026, it has logged more than 116,000 victim infections, averaging 2,000 to 3,000 new hits every single day. 

What makes WeedHack different from most malware is how cheap and easy it is to use. 

Typically, a hacker would pay hundreds of dollars per month to access attack tools through underground criminal networks. WeedHack offers a free version to anyone with a Discord account and an internet connection. A premium upgrade, which includes the ability to secretly watch victims through their own webcam, starts at just $5 a month. 

This low barrier has attracted a younger crowd of would-be attackers, many of them appear to be teenagers or young adults. Our researchers were startled to discover teens using these tools not just for financial theft, but to harass and bully their peers, a pattern we’ve documented and that makes this campaign especially concerning. 

The good news for McAfee users: Web Protection actively blocks the sites distributing WeedHack, and Threat Explainer tells you exactly why a flagged file is dangerous, so you’re never left guessing. 

Key Facts at a Glance 

What  Details 
Campaign name  WeedHack 
Active since  January 2026 
Total victims logged  116,464+ 
New infections per day  ~2,000–3,000 
Malicious files discovered  3,820+ unique files 
Malicious download URLs  240+ 
Free tier available?  Yes. Anyone can sign up 
Premium price  Starting at $5/month; $24.99 lifetime 
Who is being targeted  Minecraft players worldwide 
Most affected country  United States, followed by Germany, India, the UK, Italy, and others 
What attackers can access  Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files. 
The financial impact  It can steal Discord tokens, crypto wallet credentials, Minecraft account credentials.  

Hackers will hold your information for ransom, requiring a large payment in exchange for your data. 

Read our research team’s full report here.

What Is WeedHack? 

WeedHack is a Malware-as-a-Service (MaaS) campaign, meaning it’s a criminal business that sells hacking tools to customers, the same way a legitimate software company sells subscriptions. 

The “product” is malware that gets secretly installed on a victim’s computer when they download what they think is a Minecraft mod or client. Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files. 

The campaign operates a polished, professional-looking dashboard hosted openly on the internet (not the dark web). That dashboard lets customers track their victims, download stolen data, and launch remote access features, all from a browser. 

What it looks like to buy a subscription from WeedHack.
What it looks like to buy a subscription from WeedHack.

The Cyberbullying Problem 

One of the most disturbing findings from our investigation is how WeedHack is being used. 

While monitoring the campaign’s Telegram channel, which had over 850 members during the time of our research, we observed that many customers appear to be teenagers and young adults, and a significant portion are using the remote access tools not for financial gain, but to harass and intimidate other players 

We observed attackers recording victims through their webcams without consent and sharing those recordings in the Telegram channel as trophies. Others used knowledge of victims’ IP addresses and system access to threaten them. 

It’s important to note that, at the current time of publishing, the Telegram channel has been taken down, and no replacement channel has appeared. McAfee is continuing to monitor any new channels that may be established by the threat actors for further communication. 

Still, what we observed is a form of cyberbullying with unusually invasive tools behind it. If you or your child has been contacted by someone online claiming they have hacked your computer, have your webcam footage, or know your IP address, take it seriously. 

What to do if this happens: 

  • Do not follow the attacker’s instructions, it makes things worse 
  • Tell a trusted adult immediately (parent, guardian, school counselor) 
  • Contact your local law enforcement, this may constitute criminal conduct.  
  • Do not engage with the attacker or attempt to negotiate 
The Telegram channel uncovered by McAfee.
The Telegram channel uncovered by McAfee.

How Do People Get Infected? 

WeedHack spreads in two main ways, and the campaign even provides its customers with step-by-step tutorials on how to carry out both. 

1. Fake YouTube Videos

Attackers create convincing YouTube videos reviewing or demonstrating Minecraft clients and mods.  

The videos are well-produced, some include voiceover narration, and link to malicious download sites in the description and comments. 

One video McAfee identified had over 7,500 views before being flagged. Comments are also sometimes planted by the attackers claiming the files are safe. 

2. Fake Mod Websites

WeedHack instructs customers to build convincing-looking websites that mimic official Minecraft mod pages. These sites are deliberately designed to show up high in search engine results for popular mod names, a tactic called SEO poisoning 

Some fake sites include fake security warnings, Discord links, and GitHub references to appear legitimate. In one case, a site warned players to “only download from us,” while actively distributing malware. 

Minecraft clients and mods specifically targeted include: Meteor Client, Radium Client, Wurst Client, LiquidBounce, Impact Client, Future Client, and others. 

An example of a video hiding a malicious link in the description.
An example of a video hiding a malicious link in the description.

What Happens When You’re Infected? 

Infection happens in four stages that happen silently in the background after a victim opens the downloaded file. 

Stage 1 – First Contact: The malicious file launches quietly (without showing a console window), connects to a hidden network, and phones home to receive further instructions. It uses a sophisticated technique involving the Ethereum blockchain to locate its command server in a way that’s difficult to block or take down. 

Stage 2 – Taking Hold: The malware disables Windows Defender protections, gathers detailed information about the victim’s computer (processor, graphics card, RAM, operating system), and takes a screenshot of their screen. It then steals Discord tokens and browser passwords and cookies. For McAfee users, this is where Web Protection would prevent users from visiting the site, and where our Antivirus would prevent any downloaded malware from taking hold. 

Stage 3 – Digging In: The malware installs itself so that it automatically restarts every time the victim logs into their computer. It sets up a hidden scheduled task that runs continuously, even at the highest system privileges. 

Stage 4 – Full Access: For premium customers, an additional component is installed that connects the attacker to the victim’s computer in real time. This includes live screen sharing with keyboard and mouse control, webcam access, keylogging (recording every keystroke), a reverse shell (full command-line access to the computer), and the ability to upload or download any files. 

A separate component specifically hunts for Telegram credentials and cryptocurrency wallets, sending that data to a different server every five minutes. 

What if I’m Infected? 

Visit our guide: How to Quickly Remove Malware in 2026.  

What Can Attackers Steal? 

Free tier steals: 

  • Minecraft session IDs (used to hijack Minecraft accounts) 
  • Saved passwords and cookies from 36 different browsers 
  • Credentials from Discord, Steam, and Telegram 
  • Browser-based crypto wallets (56 supported) and desktop crypto wallets (12 supported) 
  • Files matching 24 different search keywords 
  • Screenshots of the victim’s screen 
  • System information (computer name, IP address, hardware specs) 

Premium tier adds: 

  • Live webcam access 
  • Live screen sharing with keyboard and mouse control 
  • Keylogging (every key the victim types) 
  • Full remote shell (command-line control of the computer) 
  • File management (upload, download, delete files remotely) 

What Parents Need to Know 

Minecraft’s mod ecosystem is enormous and largely unregulated. Kids routinely search YouTube and Google for performance-boosting clients, cosmetic mods, and gameplay cheats, exactly the kinds of things WeedHack exploits.  

Here’s a practical guide for families: 

Red Flag  ✅ Safe Practice 
The mod isn’t on the developer’s official website  Only download from CurseForge, Modrinth, or the mod’s verified GitHub 
A site or video tells you to disable your antivirus to run the file  Never disable antivirus for a game mod. Legitimate mods don’t ask you to 
A site you’ve never heard of claims to be the “only official” source  If you can’t verify the site is official, don’t download from it 
Download links are in YouTube comment sections  Treat comment section links as a red flag, always 
Your antivirus flags a file as malware, but they try to tell you to ignore it, it’s a “false alarm”  Use McAfee’s Threat Explainer to find out why this is malicious. Don’t disable antivirus 

One of the best ways parents can protect their families is with McAfee’s award-winning antivirus and Web Protection, which are specifically designed to detect threats like WeedHack and help block malicious downloads before a device can be compromised. 

Are McAfee Users Protected? 

McAfee has been actively tracking WeedHack samples and detects this threat under the following signatures: 

  • Trojan:Win/Weedhack.AA through Trojan:Win/Weedhack.AE 

McAfee provides multiple layers of protection against threats like WeedHack. 

  • Web Protection helps block access to malicious websites distributing infected Minecraft mods, stopping the threat before a file is ever downloaded.  
  • Award-winning antivirus detects and blocks malware if a malicious file does make it onto your device.  
  • Threat Explainer shows exactly why a file was flagged, helping users understand what happened and avoid similar scams in the future.  

Together, these protections help proactively block risky downloads, reactively stop malware, and explain what to watch for next. 

McAfee Labs continues to monitor WeedHack and will update coverage as new samples and domains are identified. For the full technical report including indicators of compromise, see the McAfee Labs analysis. 

Key Terms Explained 

Term  What it means 
Malware-as-a-Service (MaaS)  A criminal business model where hackers sell or rent attack tools to other people, just like a software subscription 
RAT (Remote Access Trojan)  Malware that gives an attacker remote control over a victim’s device — screen, files, camera, and more 
Infostealer  Malware designed to silently collect and transmit passwords, cookies, and account credentials 
SEO Poisoning  Manipulating search engine results so a malicious website appears near the top when someone searches for a legitimate product 
Minecraft Client/Mod  Third-party software that modifies or enhances the Minecraft game experience. Legitimate ones are common; WeedHack fakes them 
Minecraft Session ID  A token that proves you’re logged into Minecraft. Stealing it lets an attacker take over your account without your password 
Keylogger  Software that secretly records every key a person types — including passwords, messages, and search queries 
Reverse Shell  A connection from the victim’s computer back to the attacker that gives the attacker full command-line control 
EtherHiding  A technique that hides a malware’s server address inside the Ethereum blockchain, making it very difficult to block 
Discord Token  A credential that lets someone access your Discord account. Stealing it gives attackers full access without needing your password 

 

The post New Malware Targeting Minecraft Infects 2K Daily, and Teens are Becoming Attackers appeared first on McAfee Blog.

  •  

Game Over: WeedHack – The Rise of Minecraft Malware-as-a-Service Campaigns

Authored by Aayush Tyagi 

Introduction  

Minecraft is a 2011 sandbox game developed and published by Mojang Studios. It is the best-selling video game in the world and has sold over 350 million copies worldwide. Its popularity has spanned over a decade due to its versatile gameplay, offering multiple game modes, including one of the most memorable Story Mode in gaming history.

It allows players to create and host multiplayer servers with a variety of gameplay options and offers a wide range of custom launchers, game mods, and cheats to choose from.

Its massive popularity and widespread use of third-party tools have also given rise to a dark side of the Minecraft ecosystem, which is filled with Remote Access Trojans (RATs), credential stealers, keyloggers and other malware threats.   

McAfee Labs has recently uncovered a colossal Minecraft-focused Malware-as-a-Service (MaaS) campaign named ‘Weedhack’, that allows threat actors to remotely access and manipulate the victims’ screen, webcam and file system through a dashboard hosted on the clear net, making it easily accessible to anyone with a Discord account and an internet connection. 

Key Findings 

  • ‘Weedhack’ has been active since January 2026 and masquerades as genuine Minecraft clients and mods to infect users.  
  • We’ve discovered over 3820 unique malicious JAR files that are part of this attack and over 240 URLs responsible for distributing this malware.  
  • This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs. We also found two YouTube channels and multiple videos that demonstrate Minecraft Mods and Clients and redirect viewers to these URLs. 
  • The campaign has accumulated a total of 116,464 hits, averaging approximately 2000 to 3,000 hits per day. 
  • The campaign provides an enterprise-grade dashboard that allows customers to view stolen credentials and system information, download the payload, configure notifications, access tutorials, and remotely monitor their victims.  
  • This campaign deploys EtherHiding, a technique that uses Ethereum blockchain to fetch its latest C2 domain. The responses are RSA-signed and verified before execution, helping protect the network from campaign takeover attempts. 
  • We’ve uncovered 10 domains that host the next stage payloads and host the malware dashboard for the Weedhack campaign.  
  • We’ve identified 11 domains that hosted similar MaaS campaigns in the past, orchestrated by the same threat actor.  
  • We’ve unearthed the threat actor’s Telegram account and uncovered a Telegram channel for customers, with over 850 members, as of writing this blog. 
  • This campaign offers two service tiers: free and premium.  
  • The free tier includes a comprehensive infostealer capable of targeting Minecraft session IDs and four Minecraft launchers, collecting system information, and stealing cookies and passwords from 36 different browsers. It also targets 56 browser-based crypto wallets and 12 desktop crypto wallets, along with Discord, Steam, and Telegram credentials. It can search for files using 24 different keywords and includes screenshot capture capabilities. 
  • For premium users, with subscriptions starting at $5 per month, it offers additional remote-access capabilities such as webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file management features for uploading and downloading files.  
  • While monitoring the Telegram channel, we found that WeedHack malware is a major catalyst for cyberbullying. Many of its customers appear to be teenagers and young adults and are using remote access capabilities to threaten, harass and monitor their victims, which are around the same age.

The post Game Over: WeedHack – The Rise of Minecraft Malware-as-a-Service Campaigns appeared first on McAfee Blog.

  •  

Are Your World Cup Tickets Legit? 40% of Fans May Risk Unofficial Sellers

Whether you’re planning a once-in-a-lifetime trip or just hoping to catch a match while it’s in your city, the 2026 FIFA World Cup is already driving a surge in ticket searches, travel bookings, and last-minute plans. 

But where there’s high demand and big money, scammers aren’t far behind. 

The World Cup is one of those events where excitement and cost collide,” says Abhishek Karnik, Head of Threat Research at McAfee. “Tickets have been expensive, and for many people, especially families or fans traveling, the costs add up quickly between tickets, flights, hotels, and everything else that comes with attending.”

When prices feel out of reach, people naturally start looking for better deals or cheaper options. That is where things can get tricky. If someone suddenly offers what feels like a great price compared to everything else out there, it can feel like a rare opportunity worth jumping on. Scammers understand that.” 

Let’s break down the new McAfee research, what scams to watch for, and how McAfee’s tools help you stay safe.

New McAfee Research Finds a Gap Between Awareness and Risk 

New research from McAfee shows that while most fans are aware of World Cup-related scams, many are still willing to take risks to secure tickets.  

In fact, 40% say they would consider buying from an unofficial source if they can’t get tickets through the official FIFA site, as many expect tickets to sell out and hope to find affordable resale options. 

That tension is what makes events like the World Cup especially vulnerable for scams. 

With limited ticket availability, rising prices, and the pressure to act quickly, even informed fans can find themselves making decisions they normally wouldn’t, like buying tickets from a reseller on TikTok.  

And scammers are counting on it. 

Survey takeaways: 

  • 76% of fans are interested in getting World Cup tickets 
  • 35% have already started searching online 
  • 43% are willing to spend over $500 on tickets 
  • 66% say they’re aware of World Cup-related scams 
  • 66% say they’re concerned about being scammed 
  • 40% would consider buying tickets from unofficial sources 

The Most Common World Cup Scams to Watch For 

Usually, it is not just one thing that gives a scam away,” Karnik says. “It is when a few warning signs start adding up at once, pressure to act quickly, prices that feel unusually low, or details that seem slightly off.” 

“One of the biggest is urgency around pricing. If someone is pushing a deal that feels dramatically cheaper than similar tickets, claiming prices are about to go up, or creating pressure to buy immediately, that is worth paying attention to. Creating artificial urgency around a ‘great deal’ is one of the easiest ways scammers get people excited enough to move quickly.”

Below is a comprehensive breakdown of the most common scams tied to major global sporting events like the World Cup, including how they work and what to look for. 

McAfee’s Scam Detector,  Safe Browsing tools, VPN, and Password Manager work together to help you spot scams like these as they happen by flagging suspicious messages, blocking risky websites, and helping you make safer decisions before you click, pay, or share information. 

 ⚽ Scam Type    What It Is    How It Works    Red Flags 
Fake Ticket Resale Scam  Fraudulent tickets sold through unofficial sites or individuals  Scammers create fake listings or duplicate real tickets and sell them to multiple buyers  Prices far below or above market, refusal to use official transfer systems, pressure to act fast 
Social Media Ticket Scam  Tickets sold through platforms like Instagram, Facebook, TikTok, or X  Fake or hacked accounts post “last-minute” ticket offers and move conversations to DMs  Urgent language (“only 2 left”), new or suspicious profiles, requests to pay outside the platform 
Duplicate QR Code Scam  One legitimate ticket is resold multiple times  Multiple buyers receive the same QR code, but only the first scan works  Screenshots instead of official transfers, identical tickets sold repeatedly 
Fake Ticket Website Scam  Websites designed to look like official ticket platforms  Victims enter payment info or purchase tickets that don’t exist  Slightly misspelled URLs, unfamiliar domains, lack of official branding verification 
Travel & Accommodation Scam  Fake hotels, rentals, or travel packages  Listings appear legitimate but either don’t exist or are already booked  Prices that seem unusually low, requests for upfront payment, lack of verified reviews 
Booking Impersonation Scam  Fraudsters pose as airlines, hotels, or booking platforms  Victims receive messages about “issues” with bookings and are asked to click links or provide info  Unexpected messages, requests for login or payment details, links that don’t match official sites 
Public Wi-Fi & Phishing Scam  Data theft through unsecured networks while traveling  Scammers intercept data or create fake login portals on public Wi-Fi  Open networks with no password, login pages asking for unnecessary information 
Fake Giveaway Scam  Promotions claiming free tickets or VIP access  Victims are asked to enter personal data, click links, or pay “processing fees”  “You’ve won” messages you didn’t enter, requests for payment to claim prizes 
Betting & Prediction Scam  Fake betting tips or “guaranteed wins” tied to matches  Scammers sell fake predictions or direct users to malicious betting sites  Claims of guaranteed outcomes, requests for upfront payment, unfamiliar platforms 
Merchandise Scam  Counterfeit World Cup gear sold online  Buyers receive low-quality or no product at all  Unverified sellers, poor site quality, deals that seem too good to be true 

How AI is Making These Scams More Convincing

Unfortunately, with the continued improvement of AI, these scams are becoming more convincing. 

AI tools allow scammers to create: 

  • More realistic websites and messages 
  • Personalized outreach that feels legitimate 
  • Fake endorsements, images, or promotions 

That means traditional advice like “look for typos” is no longer enough on its own. 

Today’s scams often look polished, professional, and believable. 

The website shows a scam operation detected by McAfee Labs. It has incredibly realistic seat-selection options and ticket-buying features. But it’s fake.
The website above shows a scam operation detected by McAfee Labs. It has incredibly realistic seat-selection options and ticket-buying features. But it’s fake.
Here you can see just how realistic the website looks. But these tickets are not actually for sale.
Here you can see just how realistic the website looks. But these tickets are not actually for sale.

What “Official” Actually Means (and Why It Matters) 

For the World Cup, official ticket sales happen through designated FIFA sales phases and platforms. 

Buying outside those channels increases the risk of: 

  • Invalid or duplicate tickets 
  • Inflated pricing without guarantees 
  • No recourse if something goes wrong 

Even if a ticket looks legitimate, it may be: 

  • Sold to multiple buyers 
  • Already voided 
  • Rejected at the gate

When in doubt, go directly to the official FIFA website instead of clicking links from messages or ads. You can also visit their comprehensive FAQ section for all your ticket and event questions. 

How to Stay Safe When Buying Tickets or Traveling 

Here are practical steps fans can take to reduce risk: 

Safety Check  What To Do 
Buy from official sources  Use FIFA’s official ticket platform whenever possible 
Avoid clicking links in messages  Navigate directly to official websites instead. McAfee’s Safe Browing tools help prevent you from opening malicious links. 
Be cautious with resale offers  Verify platforms and avoid direct peer-to-peer payments 
Check QR codes before you scan them  You can check for QR code scams on-demand with Scam Detector 
Don’t pay with untraceable methods  Avoid wire transfers, gift cards, or crypto-only payments 
Double-check URLs  Look for misspellings or unusual domains 
Use secure connections  Avoid making purchases on public Wi-Fi, or use a VPN like McAfee’s. 
Protect your accounts  Use strong passwords and enable two-factor authentication. Consider a password manager like McAfee’s.  
Verify before you buy  If something feels off, pause and check before sending money 

What to Do If You Think You’ve Been Scammed 

If you think you may have purchased a fraudulent ticket, clicked a suspicious link, or shared information with a scammer, acting quickly can help limit the impact. 

Immediate steps to take 

Stop communication immediately
Do not send additional money or information, even if the sender claims you need to “complete” a transaction. It’s also a good idea to take screenshots of messages in case the scammer disappears. 

Contact your bank or payment provider
Report the transaction as soon as possible. Many institutions can help reverse charges or flag fraudulent activity if caught early. 

Secure your accounts
Change passwords for any accounts that may be affected, especially email, banking, and ticketing platforms. Our password manager and free password generator help create unique passwords every time.  

Enable two-factor authentication (2FA)
Adding an extra layer of security can help prevent unauthorized access, even if your password was exposed. 

Scan your device for threats
If you clicked a suspicious link or downloaded a file, run a security scan to check for malware or malicious software. Check out our free security scan. 

Monitor for unusual activity
Keep an eye on financial accounts, email logins, and any services tied to your personal information. Our free WebAdvisor helps protect you from malware and phishing attempts while you surf. 

The image above shows malicious apps masquerading as sports betting sites or promising unique World Cup coverage. But when users download, their devices are infected.
The image above shows malicious apps masquerading as sports betting sites or promising unique World Cup coverage. But when users download, their devices are infected.

How McAfee Helps You Spot Scams in the Moment 

McAfee offers more than traditional antivirus, combining multiple layers of digital protection in one app to help you stay safer while searching, clicking, and buying online. 

Scam Detector helps flag suspicious texts, emails, and videos automatically, so you can spot a scam before it hits you and your wallet 

Safe Browsing tools help block risky websites, alert you to phishing attempts, and guide you away from malicious links 

VPN helps keep your connection private on public Wi-Fi, protecting your personal and payment information 

Password Manager helps create and store strong, unique passwords to reduce the risk of account takeover 

Identity Monitoring and Alerts notify you if your personal information appears where it shouldn’t, so you can quickly take steps to fix it 

Personal info removal helps find and remove your personal info from data broker sites and close out old forgotten accounts 

Device and Account Security helps protect the devices and accounts you use every day 

Final Thoughts 

The World Cup isn’t just another event, it’s a moment when millions of people are making fast decisions involving real money, travel plans, and personal information. 

What McAfee’s research makes clear is that the biggest risk isn’t a lack of awareness. Most fans already know scams exist. The risk is what happens next. 

When prices feel out of reach, people naturally start looking for better deals or cheaper options. That is where things can get tricky. If someone suddenly offers what feels like a great price compared to everything else out there, it can feel like a rare opportunity worth jumping on,” Karnik says. “Scammers understand that.”

“If somebody claims they have hard-to-get tickets at an unusually good price, especially for a popular match, people may feel pressure to act quickly before the opportunity disappears.” 

As demand continues to build toward the tournament, more fans will be searching, comparing, and purchasing online.  

The takeaway is simple: Staying safe isn’t just about knowing scams exist. It’s about slowing down, verifying before you buy, and using tools that help you make informed decisions in the moment. 

*McAfee is not affiliated with or endorsed by FIFA. 

The post Are Your World Cup Tickets Legit? 40% of Fans May Risk Unofficial Sellers appeared first on McAfee Blog.

  •  

Trevor Lawrence’s Viral “Haircut” is a Lesson in Deepfakes: This Week in Scams

Trevor Lawrence didn’t actually cut his hair. 

But millions of people thought he did. 

The Jacksonville Jaguars recently released a viral schedule announcement video that appeared to show their star quarterback chopping off his signature long blond hair. The clip spread quickly online, pulling in nearly 4 million views on X and triggering reactions from fans, friends, and even Lawrence’s grandmother. 

The catch? It wasn’t real. 

The team later confirmed the moment was partially staged, partially AI-generated and part of the joke. Even Lawrence admitted the fake looked convincing. 

And that’s exactly the problem. 

What started as a harmless sports prank is also a reminder of how realistic AI-generated videos have become and how easily scammers can use the same technology to fool people online. 

Why Deepfake Scams Are Growing Fast 

Deepfake scams use artificial intelligence to clone someone’s face, voice, or likeness to create fake videos, ads, phone calls, or social media posts that appear real. 

And increasingly, scammers are using celebrities, influencers, athletes, and trusted public figures to do it. 

According to McAfee research: 

  • 72% of Americans say they’ve seen fake celebrity or influencer endorsements online 
  • 39% say they’ve clicked on one 
  • 1 in 10 victims lost money or personal data 
  • Average losses reached $525 per person 

Why does it work? Because scammers know familiarity lowers our guard. 

When people see a recognizable face, whether it’s Trevor Lawrence, Taylor Swift, Tom Hanks, or a favorite influencer, they’re more likely to trust what they’re seeing before stopping to question it. 

From Funny Sports Videos to Real Financial Scams 

The Jaguars video was meant as entertainment. 

But scammers are already using the same technology for fraud. 

McAfee researchers recently identified a growing wave of celebrity deepfake scams involving fake giveaways, investment schemes, romance scams, and fraudulent ads. 

Some recent examples include: 

  • Fake videos of TV personalities promoting “miracle” products 
  • AI-generated celebrity investment ads pushing crypto scams 
  • Romance scammers using deepfake video calls to impersonate celebrities 
  • Fake emergency videos designed to create panic and urgency 

In one high-profile case, a woman reportedly lost nearly $900,000 to scammers impersonating Brad Pitt using AI-generated images and messages. 

The technology is getting good enough that “seeing is believing” no longer applies online. 

How to Spot a Deepfake Scam 

Here are some of the biggest red flags to watch for: 

Red Flag  What to Watch For 
Emotional urgency  “Act now,” “limited time,” or panic-driven messaging 
Too-good-to-be-true offers  Free giveaways, investment promises, miracle products 
Slightly unnatural video details  Off-sync lips, robotic speech, strange blinking, awkward lighting 
Fake verified-looking accounts  Usernames with extra characters or copied profile photos 
Requests for money or personal data  Especially through DMs, crypto links, gift cards, or wire transfers 

How McAfee Helps Protect You 

AI scams are evolving fast, but layered protection can help you stay ahead of them. 

McAfee’s Scam Detector, included in all core McAfee plans, can help identify suspicious links, messages, videos, and deepfake-related scams across texts, email, and social platforms before you click. 

Additional protections like Web Protection and Identity Monitoring can also help reduce your risk if scammers attempt to steal your credentials or personal information. 

Other Scam News This Week 

Charter Confirms Data Breach 

Charter Communications confirmed a data breach tied to a third-party vendor, exposing customer information. Whenever breaches like this happen, scammers often follow up with phishing emails and fake customer support calls pretending to help affected users. 

7-Eleven Data Breach Reports Surface 

Reports surrounding a potential 7-Eleven data breach are circulating online. Consumers should stay alert for fake password reset emails, loyalty account phishing attempts, and scam texts impersonating retailers. 

‘Tom Selleck’ Celebrity Scam Highlights Rise of AI Impersonation Fraud 

A tragic case tied to an alleged Tom Selleck impersonation scam is drawing attention to the growing threat of celebrity AI fraud. Experts warn that scammers are increasingly using fake celebrity profiles, AI-generated messages, cloned voices, and deepfake videos to build trust with victims online, especially older adults.  

The case underscores how emotionally manipulative and financially devastating these scams can become. 

Hackers Are Exploiting AI Chatbot “Personalities” 

Researchers told The Verge that attackers are beginning to manipulate chatbot behavior and personalities to trick users into unsafe actions, highlighting growing concerns around AI trust and social engineering. 

Fake Inheritance Email Scams Are Getting More Convincing 

A phishing scam making headlines this week uses fake inheritance notices and “unclaimed estate” emails to pressure victims into sharing personal information. 

Unlike older scam emails full of spelling mistakes, newer versions look polished and professional, often using legal-sounding language, fake reference numbers, and urgent 48-hour deadlines designed to trigger panic before people stop to verify the message. 

McAfee Safety Tips This Week 

The next deepfake won’t always look fake. That’s what makes these scams dangerous. 

Here are some practical, go-to tips  

  • Pause before clicking celebrity endorsements or viral videos 
  • Verify accounts through official sources before trusting promotions 
  • Never send money or personal data based on social media messages alone 
  • Be skeptical of urgency, especially “limited time” threats 
  • Use AI-powered scam protection tools to help identify suspicious content before you engage 

And we’ll be back next week with more.

The post Trevor Lawrence’s Viral “Haircut” is a Lesson in Deepfakes: This Week in Scams appeared first on McAfee Blog.

  •  

Do Windows PCs and Macs Need Antivirus Software? How McAfee Goes Beyond Built-In Security

Couple looking at computers

Your Windows PC or Mac already includes built-in security features, and that’s a good thing. These tools provide an important first layer of protection against malware and other common threats users encounter every day. 

But today, staying safe online is about much more than blocking viruses.  

Scam texts arrive daily. Phishing emails imitate trusted brands. Fake websites are designed to steal passwords and payment information. Personal details can appear on data broker sites. AI Deepfakes are more convincing than ever. And most households use multiple devices, from laptops and phones to tablets and Chromebooks. 

That’s why McAfee+ Advanced combines device security with scam protection, identity monitoring, personal info removal, web protection, and secure VPN to help protect the many parts of your digital life. 

Let’s break down what built-in security does, and what McAfee does differently: 

What Built-In Security Does Well 

Both Windows 11 and macOS include a range of built-in security features designed to help protect your device. Depending on your operating system and the apps you use, these may include: 

  • Malware detection and removal  
  • Firewalls  
  • Browser warnings about suspicious websites  
  • Password management tools  
  • Privacy and app permission controls  

Together, these features provide an important first layer of protection and help many users stay safer online.  

Why Many People Want More Than Basic Device Protection 

Built-in security tools are primarily focused on protecting the device itself. However, today’s online threats often target something even more valuable: your identity, your money, and your personal information. 

Recent McAfee research found that Americans receive an average of 14 scam messages every day, and more than three in four have encountered an online scam. 

Threats now commonly include: 

  • Scam texts pretending to be banks, toll agencies, and delivery companies  
  • Fake job offers via text, email, or social media 
  • Phishing emails  
  • QR code scams  
  • AI-generated voice and video impersonations  
  • Identity theft via smishing and quishing, including hijacking entire social profiles 
  • Exposure of personal information on data broker sites  

These risks can follow you across all your devices, not just the computer sitting on your desk. 

Built-In Security vs. McAfee Protection 

Here are the key differences between built-in security alone, vs additional protection like McAfee.  

Built-In Security Has  McAfee+ Advanced Adds 
Detecting viruses and malware  Scam protection for suspicious texts, emails, links, QR codes, and deepfakes 
Basic privacy controls  Secure VPN to protect your connection on public Wi-Fi 
Saving passwords  Password manager with unique password generation and storage. 
Warning about some risky websites  Web Protection to help block dangerous sites before they load 
Security on one device  Antivirus coverage across your PCs, Macs, phones, and tablets 
Doesn’t have this support  Identity monitoring, so you know when your SSN and other info is exposed. Plus personal info removal, so your old data isn’t left spread out across the web. 

Why McAfee Stands Out: Speed and Comprehensive Protection 

Unlike the old stereotype that stronger protection means a slower computer, independent testing shows McAfee is also the lightest on performance.  

In the latest AV-Comparatives PC Performance Test, McAfee Total Protection posted the lowest system impact score of all 20 products tested: just 3.3, compared with the industry average of 12.8.  

It also earned the highest possible rating, ADVANCED+. That means McAfee is not just adding more layers of protection. It is doing so while staying out of your way. 

For consumers looking for security that goes beyond basic antivirus to help protect against scams, identity theft, privacy risks, and threats across all their devices, that combination is hard to ignore. 

Protection Across All Your Devices 

Most people no longer rely on a single computer. A typical household may use: 

  • Windows PCs  
  • Macs  
  • iPhones  
  • Android phones  
  • Tablets  
  • Chromebooks

Managing security separately on every device can be difficult. McAfee+ Advanced is designed to provide coverage across your devices under one subscription, helping simplify online protection for individuals and families. 

How McAfee+ Advanced Goes Beyond Built-In Security 

With McAfee+ Advanced, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

So, Do Windows PCs and Macs Need Antivirus Software? 

Built-in security tools provide an important starting point, but with scam attempts becoming more convincing and personal information more widely exposed, many people need a more comprehensive approach to staying safe online. 

McAfee+ Advanced combines device security, scam protection, identity monitoring, privacy tools, and VPN coverage to help you browse, bank, shop, and connect with greater confidence. 

The post Do Windows PCs and Macs Need Antivirus Software? How McAfee Goes Beyond Built-In Security appeared first on McAfee Blog.

  •  

How Scammers Used Deepfake Video to Dupe a Company Out of Millions

blog deepfake dupe company

It’s the video call that cost $25 million.

According to reports from Hong Kong police in February, a finance worker at a multinational company joined a video conference call with the company’s chief financial officer. On the call, the CFO directed the finance worker to transfer more than $25 million in funds to several bank accounts.

The finance worker reportedly had reservations about the request, thinking that the CFO looked “a little off.” The finance worker then reportedly turned to the other participants on the call for confirmation. They all agreed to the request. With that, the transfers went through. More than $25 million in funds were moved out of the company. Right into the hands of fraudsters.

As it turns out, the CFO on the worker’s call was a video deepfake. Along with everyone else.

Hong Kong’s public broadcaster, RTHK, quoted senior police superintendent Baron Chan as saying that AI deepfake technology was used to dupe the worker.

“[The fraudster] invited the informant [worker] to a video conference that would have many participants. Because the people in the video conference looked like the real people, the informant … made 15 transactions as instructed to five local bank accounts, which came to a total of HK$200 million,” he said.

Fraudsters now use AI deepfakes to pull off corporate scams

Businesses now face an altogether new security threat: video deepfakes. In real time, scammers can pose as company officers, vendors, partners, and so on. Put plainly, we live in a time where the person on the other end of that video call might be a fake.

Scammers face several challenges before they can pull off a deepfake attack. The primary challenge they have is obtaining source material. To create a deepfake, they need images, video, and audio of the person they want to impersonate. Consider, though, that some company officials have relatively high profiles. They speak at conferences, hold webinars, and participate in earnings calls. Throw in a few photos and videos lifted from the target’s social media accounts, and scammers have the source material they need to create a deepfake.

The next challenge … scammers need a good story, one with emotional levers they can pull and coerce a victim to act. In the case of the Hong Kong scam, the deepfakes plied their victim with a mix of urgency and authority. The “CTO” wanted to move money and move that money immediately. With the other deepfakes on the call concurring with the CTO, the victim did as asked. In all, it was a classic case of a hand-picked victim subjected to a classic execution of social engineering.

Understandably, this story drew major coverage given the use of deepfakes and the haul they brought in. Moreover, the fact that the fraudsters orchestrated not just one but a host of deepfakes makes it that much more newsworthy. In light of this, companies and their employees have a new threat to look out for. And, better yet, prepare themselves for deepfakes.

Preventing corporate AI deepfake scams

While AI deepfakes hopping onto video conference calls certainly marks new territory in security, several long-standing measures for preventing corporate fraud remain the same. Additionally, some new preventive measures are called for.

Look for the signs of AI deepfakes

Earlier, we mentioned how the victim in the Hong Kong attack mentioned that the CFO looked “a little off” on the video call. AI deepfakes, while convincing, sometimes have the tell-tale markers of a fake.

However, that’s changing. Quickly. As the tools for creating deepfakes continually improve, deepfakes become increasingly difficult to spot.

Earlier generations of deepfake tools had difficulty tracking excessive head movement, like when the deepfake turned for a profile shot. Further, earlier tools required users to keep their hands off their faces. Placing a hand on the chin or over the mouth would break up the face of the deepfake. Another marker of earlier deepfake tools can be found in the eyes. They often had a glassy look, like they weren’t catching the light right. The same went for skin tones and lighting.

So yes, a deepfake might look “a little off.” Consider that a huge red flag. Yet don’t entirely count on this method of detection. As AI deepfake tools evolve, they’re able to remove such blemishes from the video.

Confirm, confirm, and confirm

Any time that sensitive info or sums of money are involved, get confirmation of the request. Place a phone call to the person after receiving the request to ensure it’s indeed legitimate. Better yet, meet the individual in person if possible. In all, contact them outside the email, message, or call that initially made the request to ensure you’re not dealing with an imposter.

In the wake of targeted attacks on key stakeholders, some organizations have restructured how they handle requests for data, funds, and other sensitive information. They require two or three people to fulfill such a request. This makes it tougher for scammers to run their cons. For starters, they have the burden of targeting two or more people. Then they face the further burden of convincing them all. This oversight gives companies a chance to fully validate requests, and potentially catch “urgent” bogus requests from scammers.

Fraudsters do their research — keep your guard up

Fraudsters select their victims carefully in these targeted attacks. They hunt down employees with access to info and funds, and then do their research on them. Using public records, data broker sites, “people finder” sites, and info from social media, fraudsters collect intel on their marks. Armed with that, they can pepper their conversations with references that sound more informed, more personal, and thus more convincing. Just because what’s being said feels or sounds somewhat familiar doesn’t always mean it’s coming from a trustworthy source.

Clean up your online presence

With that, employees can reduce the amount of personal info others can find online. Features likeMcAfee Personal Data Cleanup can help remove personal info from some of the riskiest data broker sites out there. I also keep tabs on those sites if more personal info appears on them later. Additionally, employees can set their social media profiles to private by limiting access to “friends and family only,” which denies fraudsters another avenue of info gathering. Using our Social Privacy Manager can make that even easier. With just a few clicks, it can adjust more than 100 privacy settings across their social media accounts, making them more private.

Defense against AI deepfake attacks

Moving forward, we can expect to see more of these corporate AI deepfake attacks. On all manner of scales. The availability and power of AI tools make it likely. However, as with many forms of targeted attacks, there’s something both fishy and uncanny about them. As we’ve seen, the employee targeted in the Hong Kong attack held suspicions … something was wrong about that call. Yet, who would expect a video conference call full of AI deepfakes? With this attack, companies should consider that such calls fall within the realm of possibility today.

As AI detection technologies evolve, companies will have additional tools to prevent these attacks. Yet the human factor remains an essential element of defense. These are scams, pure and simple. And scams have signs. Fraudsters use all kinds of social engineering tricks to get their victims to act. They’ll impose themselves as authority figures. They’ll add elements of urgency to their requests. And they’ll use people’s personal info in ways to make themselves appear familiar and trustworthy.

This is where we stand today: a basic understanding of AI deepfake technology, what it’s capable of, and the tricks that fraudsters can play with it can bolster a company’s defense against AI deepfake attacks. Indeed, they’re within the realm of possibility today. And a prepared workforce can help stop them in their tracks before they can do any harm.

The post How Scammers Used Deepfake Video to Dupe a Company Out of Millions appeared first on McAfee Blog.

  •  

How Romance Scammers are Using Deepfakes to Swindle Victims

blog romance scammers deepfakes

Romance scammers now use face-swapping tech in video chats, all to swindle love-seekers online.

It’s finally come to pass. We indeed live in a time where that person on the other end of a video call might be an absolute imposter. The way they look and the way they sound, all a lie.

A recent article in WIRED shows just how this new form of romance scam works. With a laptop or a couple of smartphones, the cons transform their looks and voices entirely with stock-and-trade AI tools. In real time, they become someone else entirely, with AI mirroring every expression they make as they chat on a video call. It all appears quite real.

Yet a deepfake it is.

Deep feelings and deepfakes fire up AI romance scams

Chilling as this striking new form of attack sounds, you can protect yourself. In fact, many of the same tried-and-true means of avoiding a romance scam still apply.

Even when scammers use real-time deepfakes, the heart of these romance scams remains the same. It plays out like a script. And when you know the script, you can spot the scammer following it.

Romance scams play out a bit like this …

The scammer contacts a love-seeker online, often through direct messages on social media or via text or messaging apps. Sometimes the message is targeted and personalized. In other cases, the scammer might start things off with a simple “hi.” Either way, the scammer aims to kick off a conversation. A long one in which the scammer builds trust with a victim over time.

Days, weeks, and even months pass as the scammer woos their victim. Patiently, they wait for the right moment to pounce by finally asking the victim for money. Maybe it’s gift cards. Maybe it’s prepaid debit cards. A wire transfer, perhaps. Almost always, it’s a form of payment that’s tricky, if not impossible, to recover after victims realize they’ve been scammed. Scammers have even asked for cryptocurrency in some cases.

The reasons for requesting money vary. The scammer might say it’s for a plane ticket to come visit or simply a few bucks to help them in a pinch. Other scammers heap on yet more elaborate lies. Some pose as members of the military stationed in a remote overseas location. They’ll say they want some extra money for a video game console or other creature comfort. Some scammers brazenly claim they’re a doctor working in a remote village and need money for medicine. The list goes on.

As outlandish as the stories and requests might be, victims fall for them. After all, the scammer has been fawning over the victim for some time by that point. The victim truly feels like they’re truly in love with someone who truly loves them. They’ll do anything for their love interest, who turns out to be a scammer and, one day, disappears entirely.

That’s how a romance scam plays out. And it happens often enough. According to the Federal Bureau of Investigation’s 2023 Internet Crime Report, losses to reported cases of romance scams topped more than $650 million.

How not to fall deeply for a deepfake online

Scammers have ready access to deepfake tools, ones that make them look and sound convincingly real. Moreover, these deepfake tools continually improve. With each generation of deepfakes, they become increasingly difficult to detect.

As a result, we can’t take things at face value. Everything we see and hear online requires scrutiny. And scrutiny is what it takes to protect yourself from deepfake romance scams.

Watch the person’s movements on the call

Less sophisticated deepfake tools struggle to track body movement. As such, scammers do their best to hold their heads steady and avoid turning around. Otherwise, that kind of movement ruins the deepfake effect. It’s quite obvious when it happens. With that, see if you can get a suspected deepfake to move around, stand up, turn for a sideways profile, or place their hands on their face. Lesser deepfakes will reveal themselves when they do.

Talk with trusted friends or family members

Beyond keeping a sharp eye out for glitches, you have another detection tool at your disposal — friends and family. When a new relationship starts heating up, share the news with some trusted people in your life. Talk about your interactions with the person, even share a message they’ve sent or two. Victims often miss or overlook inconsistencies in a romance scammer’s stories, particularly as the supposed relationships develop.

Friends and family can help you spot those inconsistencies. They can also point out when parts of the relationship start to sound sketchy. Given the way that scammers pull all kinds of strings on their victims, this can help clear up any clouded judgment.

When a stranger you’ve only met online brings up money, consider it a scam

Money talk is an immediate sign of a scam. The moment a person you’ve never met in person asks for money, put an end to the conversation. Whether they ask for bank transfers, cryptocurrency, money orders, or gift cards, say no.

End the conversation

You might say no, and the scammer might back off — only to bring up the topic of money again later. This is a signal to end the conversation. That persistence is a sure sign of a scam. Recognize that ending an online relationship might be far easier said than done, as the saying goes. Scammers worm their way into the lives of their victims. A budding friendship or romance might be at stake, at least that’s what a scammer wants you to think. They deal in emotional blackmail to get what they want. Tough as it is, end the relationship.

How to make it tougher for a romance scammer to target you

Scammers have to track you down in some way or other. And they have plenty of online resources to do it. Some romance scammers take an extra step. They profile their potential victims before contacting them. With the info they’ve gathered online, they can fine-tune their approach.

For example, we’ve seen cases where scammers target widowers with bogus profile pics that share similarities with the widower’s deceased spouse.

While you can’t keep a scammer from reaching out to you, you can make it tougher for them to find you and use your own info against you.

Make your social media more private

Our new McAfee Social Privacy Manager personalizes your privacy based on your preferences. It does the heavy lifting by adjusting more than 100 privacy settings across your social media accounts in only a few clicks. This makes sure that your personal info is only visible to the people you want to share it with. It also keeps it out of search engines, where the public can see it. Including scammers.

Watch what you post on public forums

As with social media, scammers harvest info from online forums dedicated to sports, hobbies, interests, and the like. If possible, use a screen name on these sites so that your profile doesn’t immediately identify you. Likewise, keep your personal details to yourself. When posted on a public forum, it becomes a matter of public record. Anyone, including scammers, can find it.

Remove your info from data brokers that sell it

McAfee Personal Data Cleanup helps you remove your personal info from many of the riskiest data broker sites out there. That includes your contact info. Running it regularly can keep your name and info off these sites, even as data brokers collect and post new info. Depending on your plan, it can send requests to remove your data automatically.

The post How Romance Scammers are Using Deepfakes to Swindle Victims appeared first on McAfee Blog.

  •  
❌