Reading view
Sinkholing CountLoader: Insights into Its Recent Campaign

Authored by Harshil Patel and Sakshi Jaiswal
McAfee Labs has recently uncovered a large scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems. The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in memory shellcode injection, each stage decrypting and launching the next. The attackers employ a custom encrypted communication protocol to interact with their C2 servers. By registering a backup domain used by the malware, we were able to sinkhole the traffic and observe thousands of infected machines connecting to the C2 infrastructure. Final payload deployed in this campaign is a cryptocurrency clipper, which monitors clipboard activity and replaces copied wallet addresses with attacker controlled ones to redirect cryptocurrency transactions.
Sinkholing
Sinkholing is a defensive technique in which researchers take control of malicious domains or infrastructure used by malware. Instead of allowing infected systems to communicate with attacker controlled C2 servers, the traffic is redirected to a researcher controlled server. This approach enables researchers to monitor infected hosts, collect telemetry, measure the scale and spread of a campaign.
Key Findings
- McAfee researchers identified a large-scale CountLoader campaign using multi-stage payload delivery and heavy obfuscation techniques.
- Researchers successfully sinkholed malware communication using a backup C2 domain, enabling visibility into the campaign’s infrastructure and infected hosts.
- The sinkhole received approximately 5,000 connections per minute from infected systems.
- Telemetry collected during the investigation revealed around 86,000 unique infected machines.
- The malware also spreads through USB drives, with approximately 9,000 infections attributed to removable media.
- The final payload deployed in this campaign is cryptocurrency clipper malware that hijacks clipboard data to redirect cryptocurrency transactions.
C2 Sinkholing and Geographical Prevalence
As the malware contacts the C2 servers in the reverse order and only hell1-kitty[.]cc was used by attackers, we were able to register hell10-kitty[.]cc and were able to gain insights into the campaign.

On average, around 5,000 infected clients contacted our server every minute.
In total, we observed approximately 86,000 unique infections.
Telemetry collected revealed that this CountLoader campaign has a broad global footprint. The highest number of infections were observed in India, followed by Indonesia, the United States, and several countries across Southeast Asia.

Conclusion
CountLoader is a multistage malware loader that uses obfuscated JavaScript and trusted Windows utilities to deliver additional payloads. It ensures persistence via scheduled tasks and uses multiple fallback C2 domains to maintain reliability. Malware employs in-memory execution and security bypass techniques to evade detection.
In recent campaigns, it has been observed deploying cryptocurrency clipper malware to silently hijack transactions.
McAfee Researchers identified a flaw in its communication mechanism and were able to exploit it to gain insights into the campaign.
Technical Analysis
The following diagram illustrates the complete infection chain used in this CountLoader campaign, from the initial execution to the deployment of the final payload.

The infection begins when an EXE file is executed. This file launches a PowerShell command, which downloads and executes an obfuscated JavaScript loader known as CountLoader. The loader is executed using mshta.exe, a legitimate Windows utility often abused by malware to run scripts.
Once executed, it performs several tasks:
- Establishes persistence by creating a scheduled task that runs every 30 minutes.
- Contacts multiple C2 servers, trying them in reverse order until a connection is successful.
- Attempts to spread via USB drives by replacing files with malicious LNK shortcuts that execute the malware when opened.
- Wait for the C2 server to issue commands to download and execute payloads.
The payload execution chain consists of several stages:
Launcher: A secondary JavaScript component creates another scheduled task that runs every 60 minutes, ensuring long term persistence.
PowerShell Packer: The launcher executes an obfuscated PowerShell script that acts as a packer. This script decrypts and launches the next stage.
Injector: The next PowerShell stage disables security mechanisms such as AMSI and injects shellcode into a legitimate process.
Shellcode Execution: The injected shellcode unpacks the final payload directly in memory.
Final Payload: The final payload is executed under the process systeminfo.exe. In this campaign, the deployed payload was identified as a cryptocurrency clipper malware, which monitors clipboard activity and replaces copied cryptocurrency wallet addresses with attacker controlled addresses.
Stage 1– Exe
The infection chain begins with the execution of a malicious EXE file, it immediately runs a PowerShell one-liner as shown in the below image.

Stage 2 – PowerShell
The PowerShell script fetched from the URL decodes a Base64-encoded string and executes the resulting content. It also employs an unusual obfuscation technique, where the variable names are crafted to resemble the highlighted pattern, making the script harder to read and analyze.

Multiple such variables are used to create a complete base64 string which is then decoded and executed through Invoke-Expression.

Stage 3 – CountLoader
The file is a HTA file with JavaScript that uses string obfuscation technique to evade detection.

It starts by hiding the mshta window to ensure that the malicious activity runs silently in the background without alerting the user.
The script then attempts to delete its own file in case it was executed locally. If the script determines that it is not being executed from a URL, it terminates immediately.

Then the script tries to contact C2 servers, iterating through the list in reverse order.


A handshake process is performed to verify connectivity with the server. The client sends an encrypted “checkStatus” message, and the server responds with an encrypted “success” message if the connection is valid
All communications between the client and the server are encrypted, with slightly different encryption schemes used for each direction:
- Client to Server: text → (key+(base64encode(utf16le(xor(text, key)))))
- Server to Client: text → (key+(base64encode(xor(text, key))))
The key is a randomly generated six digit number created for each message.
If the handshake is successful, the corresponding domain is selected as the active C2 server, which is used for all subsequent communications.
To maintain persistence on the infected system, the malware creates a scheduled task if one does not already exist.

The scheduled task command line is slightly different if it detects CrowdStrike or Reason AV installed on the system, likely as an attempt to evade detection from these AVs.
After establishing persistence, the malware gets a JWT token from the C2 server, which is used to authenticate further requests.

The get_jwt_token function sends system information about the infected host to the server.

This includes details related to cryptocurrency usage, such as installed wallets and browser extensions, allowing the attackers to determine whether the victim is likely involved with cryptocurrency.
Finally, the malware gets commands from the C2 server, which is then executed on the compromised system.

Each command contains a taskType value that determines the action to be performed on the infected system.
The table below shows the command codes and their actions.
| Code | Command |
| 1 | execute exe file |
| 2 | execute python file |
| 3 | execute dll file |
| 4 | uninstall itself |
| 5 | send domain info to C2 |
| 6 | execute msi file |
| 9 | spread by infecting usb files |
| 10 | execute HTA file |
| 11 | execute powershell file |
We observed two commands from the above list being sent to the malware as highlighted below:
Spreading via USB drives (taskType – 9)
When instructed by the C2 server to spread via USB drives, the malware replaces certain file types on all connected external drives with LNK shortcut files. These shortcuts are crafted so that when a user opens them, the malware executes while simultaneously opening the original file to avoid suspicion.
Targeted file types are exe , pdf , doc and docx.
The build ID of the malware is appended with “_usb”.

Deploying payload using powershell (taskType – 11)
The CountLoader is capable of running many types of executable files, In this campaign, it deploys a separate execution chain that ultimately leads to a clipper malware.
CountLoader launches the next stage using the following command line:

Payload Launcher
The Payload Launcher is very similar to CountLoader in terms of both functionality and obfuscation techniques.
However, unlike CountLoader, which retrieves tasks from the C2 server, the launcher contains hard-coded task information.

For persistence, it creates a scheduled task which executes “mshata.exe {domain}/{name}“ every 60 minutes.

In the task configuration:
“url” specifies the url of the payload.
“taskType” is set to 11, indicating that the payload should be executed as a PowerShell script.

Powershell Packer
The PowerShell script executed by the launcher acts as a simple packer. It is obfuscated using the same obfuscation technique mentioned earlier. Its primary function is to decrypt and execute another PowerShell script.

Injector
The next stage is another PowerShell script responsible for injecting shellcode into a running process.
Before performing the injection, the script disables AMSI (Antimalware Scan Interface) using script from GitHub – S3cur3Th1sSh1t/Amsi-Bypass-Powershell.

After disabling AMSI, the script executes code that performs shellcode injection,

And injects in one of these legitimate processes:

Shellcode
The injected shellcode unpacks and loads the final payload directly into memory,
Final Payload
The payload observed in this campaign is a clipper malware. This type of malware changes cryptocurrency address in clipboard to that of attacker’s when user copies any address.
It starts by fetching the C2 server address, which it gets by a technique called EtherHiding, where the C2 server address is fetched from Ethereum blockchain.

Once the C2 server address is obtained, the malware begins reporting system activity to the server.
It then continuously monitors the clipboard contents.


McAfee Coverage
McAfee provides extensive coverage against CountLoader:
Trojan:Script/CountLoader4.DES
Trojan:Script/JSBackdoor.HELK!2
Trojan:Shortcut/LNKDownloader.HK
Trojan:Shortcut/Worm.HELK
Trojan:Script/ObfuPS.HELK
Trojan:Script/AMSIBypass.STS!1
Ti!5F9FF671955A
Ti!DC602CB53A9C
Indicators Of Compromise
| IOC | |
| EXE (stage 1) | 5f9ff671955a6d551595f9838aed063c496da5039be0d222fe84f96cb3e1d32a |
| PS url (stage 2) | https://memory-scanner[.]cc/Presentation[.]pdf |
| PS (stage 2) | 3c278499c5e3ced3bf1a6a7287808c5267075f1dec0aa5c7be2c4c444f33f2bc |
| CountLoader download URLs | https://memory-scanner[.]cc/ |
| https://hell1-kitty[.]cc/update1_usb_usb_usb[.]VOcx4wEV8 | |
| CountLoader v3.3 | c68e436d4cb984db026210806f50d0c81eec5f6e4860197dab91fab6f31ef796 |
| CountLoader v4.1 | e2faad8111e7d47349cbc549b85e62231b8678057906bc813aad7242fa95ae63 |
| e5e1d8ec4cd109df290752ee3d4b2cbc9de6df4360e9983548f1bc6b1d088540 | |
| CountLoader C2 Domains | hell1-kitty[.]cc |
| alphazero1-endscape[.]cc | |
| api-microservice-us1[.]com | |
| bucket-aws-s1[.]com | |
| bucket-aws-s2[.]com | |
| fileless-storage-s3[.]cc | |
| globalsnn1-new[.]cc | |
| globalsnn2-new[.]cc | |
| globalsnn3-new[.]cc | |
| handle-me-sv1[.]com | |
| hardware-office[.]cc | |
| health-smooth-eu1[.]com | |
| health-smooth-eu2[.]com | |
| health-smooth-eu3[.]com | |
| holiday-updateservice[.]com | |
| memory-protection-layer1[.]cc | |
| memory-protection-layer2[.]cc | |
| microservice-update-s1-bucket[.]cc | |
| microservice-update-s2-bucket[.]cc | |
| my-smart-house1[.]com | |
| polystore9-servicebucket[.]cc | |
| s3-updatehub[.]cc | |
| usb lnk files | 10593dbe9edfde7943fdaadd7882f190216b2f6502667daf701088a6e810deaf |
| 0a69a9cc75d65774e5eb90a4a739bd4335d33b176dc4923acb691bd45af66bdf | |
| 27c6a6bda2c0ef3ecb78dad9c6bb7c3abaf2e32b3ad96f372a0102c0c9c0f08d | |
| 2cd449f1bb24f05d2e240812a74bd62f2583bbbe4d0ccc9ae5736240e29a0068 | |
| 30dcd5c71beb76d2f8df768d5fd9e9145cb8fbbfc951a63b969d26d3b64002b9 | |
| dd4c7f5aae404816cf447b8090b620c1a1971a35c6791116aa3f871f00ae011b | |
| 42a1fc74334c9a3b8720c79df55f84c7398bd31609eb10581e8c7155835498e3 | |
| 9c0d334aac5a6f66016dc5ce8df75c46d519a4e6d16c68cf2b1405c81189186d | |
| 44f6313e9542c0d51937a70160fe4137012905d8c79ad27ccc0021788ecfaa4e | |
| payload launcher url | https://hell1-kitty[.]cc/gamecenter[.]fileManager |
| https://hardware-office[.]cc/foundation[.]halflife | |
| payload launcher | cbdfb46b9265a3dfb3bc6b0aade472dde28b1660dbd3ded3b67b1530b4497cca |
| packer url | http://45[.]156[.]87[.]118:3015/select |
| http://45[.]156[.]87[.]62:3443/production | |
| http://104[.]253[.]1[.]137/content | |
| packer | 4a5e1d6ee1217e1fbacf54fc6017fbf9d24a25078266b02358d56a9c7437ceb7 |
| injector | 05becb67d8bf1e49fcfccb0d346b82368a2b1c2bf07316078c364c7b020154de |
| shellcode | 44daa1b68737b55a711963eec211c7c018bcba4cb6d68c286a4b45ea781a7d73 |
| payload | dc602cb53a9c24abfcdaadf0ca8256b5fb5cac6d91d20ed8431bdaaf51c0cafe |
| payload C2 | https://edr-security-bucket1[.]cc/ |
The post Sinkholing CountLoader: Insights into Its Recent Campaign appeared first on McAfee Blog.
WhatsApp Adds Meta AI Chats That Are Built to Be Fully Private
Foxconn Ransomware Attack Shows Nothing Is Safe Forever
Iran Is Using Tiny ‘Mosquito’ Boats to Shut Down the Strait of Hormuz
The New Grad’s Guide to Job and Recruitment Scams

Graduation season should be about launching your career, not dodging scams.
But for many new grads, the job search now comes with a hidden risk: fake recruiters, fraudulent job offers, and convincing messages designed to steal money, personal information, or both.
The threat is larger than many people realize. According to McAfee’s 2026 State of the Scamiverse report, 76% of Americans have encountered a scam, and the average person receives 14 scam messages every day through text, email, and social media. Americans now spend an estimated 114 hours each year trying to figure out what is real online and what is not.
Young adults are among the most heavily targeted groups. Nearly 3 in 10 people ages 18 to 24 (28%) report receiving conversational scams that begin with casual outreach such as “Hey, how are you?” or a “wrong number” text. Those same tactics increasingly appear in fake recruiter messages, LinkedIn outreach, and texts promoting remote job opportunities.
Today’s job scams can look highly professional. Scammers build polished LinkedIn profiles, clone legitimate company websites, and even use AI-generated interviews to appear credible. Many scams unfold quickly, with nearly half completed in less than an hour, creating pressure to act before candidates have time to verify what is real.
That’s where tools like McAfee’s Scam Detector come in—flagging suspicious emails, texts, links, and messages before you engage, so you can tell what’s real before you click.
Here’s how to avoid job scams and stay safe with McAfee:
How Job Scams Actually Work
|
Step |
What Happens |
Red Flags |
What Scammers Want |
|
1. The Outreach |
You’re contacted via email, text, or social media about a job |
Unsolicited offer, vague role, overly enthusiastic recruiter |
Your attention |
|
2. The Build-Up |
They walk you through interviews or onboarding steps |
No video calls, inconsistent details, fast timeline |
Your trust |
|
3. The Ask |
They request personal info or payment |
SSN requests, bank info, “training fees” |
Identity + money |
|
4. The Trap |
They escalate the situation or disappear |
More payment requests or sudden silence |
Continued financial gain |
A Real Example: How People Get Pulled In
Even experienced professionals fall for these scams.
In one case, a tech expert with decades of experience lost $13,000 after accepting what looked like a legitimate part-time role reviewing products.
The opportunity seemed real:
- A polished website
- Structured onboarding
- A small initial payout
Then came the shift. He was told he needed to deposit money to continue working and kept paying more to “unlock” earnings that never came.
This type of advance fee scam is increasingly common in job fraud, and it works because it builds trust first.
What the Data Says
Recent graduates are entering the workforce at a time when scams are more sophisticated, more personalized, and harder to spot than ever before. McAfee’s 2026 State of the Scamiverse report highlights why younger job seekers should be especially cautious.
Young Adults Face Higher Risk
- Younger adults report the highest rates of repeat scam victimization. McAfee’s research found that scam victims under 35 are more likely than older adults to be targeted again, suggesting that early-career professionals may be especially vulnerable as they navigate job searches, salaries, and onboarding for the first time.
Scam Messages Are Constant
- Americans receive 14 scam messages per day on average.
- 76% of Americans say they have encountered an online scam.
- People spend 114 hours per year, nearly three full workweeks, trying to determine what is real and what is fake online.
Professional Platforms Are Not Immune
- 7% of respondents reported encountering scams on LinkedIn.
- 44% have replied to suspicious messages that contained no link at all.
Many modern scams begin with a simple message such as “I came across your profile” or “We’d like to discuss an opportunity,” rather than an obviously suspicious URL.
Job Scams Move Fast
- The average scam unfolds in just 38 minutes.
Scammers often create urgency by claiming a role is limited, an offer will expire quickly, or onboarding must begin immediately.
AI Makes Fake Recruiters More Convincing
- 35% of Americans are not confident they can spot deepfake scams.
- McAfee predicts job scams will become increasingly personalized as scammers use AI to create tailored outreach, onboarding documents, and contracts that closely match a candidate’s background.
Job Scams Are a Growing Financial Threat
- FTC-reported job scam losses rose nearly 40% year over year, increasing from $543 million in 2024 to $752 million in 2025.
For new graduates eager to land their first job, the lesson is simple: if an opportunity seems rushed, asks for money, or feels too good to be true, take a step back and verify before you respond.
Where McAfee Comes In
Job scams don’t just happen in one moment. They unfold in stages—first a message, then a conversation, then a request for information or money.
That’s why protection needs to work the same way: across the entire experience. McAfee’s comprehensive protection helps you stay ahead of job scams at every step:
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
- Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
- Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
- Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
- Safe Browsing helps block risky sites if you do click
- Device Security helps detect malicious apps or downloads
- Secure VPN keeps your data private, especially on public Wi-Fi
The Biggest Red Flags to Watch For
These patterns show up again and again in job scams:
|
Red Flag |
What It Looks Like |
Why It’s a Problem |
What to Do Instead |
|
Requests for Sensitive Information Too Early |
Asked for your Social Security number, banking info, or ID details early in the process |
Scammers use this to steal your identity or access your accounts |
Only share sensitive info after accepting a verified job—and through secure onboarding systems |
|
You’re Asked to Pay to Work |
Fees for training, equipment, onboarding, or background checks |
Legitimate employers don’t charge candidates to get hired |
Walk away immediately—this is one of the clearest signs of a scam |
|
The Job Sounds Too Good to Be True |
High pay, low hours, minimal experience required, vague responsibilities |
Designed to hook attention and lower your guard |
Research typical salaries and ask detailed questions about the role |
|
The Hiring Process Moves Too Fast |
Immediate job offers or rushed decisions without interviews |
Real hiring processes involve multiple steps and evaluations |
Be cautious of offers that skip standard hiring steps |
|
No Real Interaction |
Communication only via email or chat, refusal to do video or phone calls |
Scammers avoid real-time interaction to stay anonymous |
Request a video call or verify the recruiter through official company channels |
How to Protect Yourself
You don’t need to overcomplicate it. Stick to a few grounded habits:
- Verify the company independently: Search the company, check official sites, confirm recruiter identities
- Keep communication on trusted platforms: Be cautious with offers coming from unexpected channels
- Never pay upfront for a job: That’s a dealbreaker
- Pause before sharing personal information: Especially early in the process
- Use tools that flag risks automatically: Scam Detector helps catch what looks legitimate, but isn’t
What to Do If You Think It’s a Scam
If something feels off:
- Stop communication immediately
- Do not send money or personal information
- Report the scam to the FTC
- Monitor your accounts for suspicious activity
If you’ve already shared sensitive information, act quickly to secure your accounts.
With McAfee’s comprehensive protection, you’re not left to figure it out on your own.
From blocking risky links to monitoring your identity and helping you respond quickly, it’s designed to help you stay one step ahead, and recover faster if needed. Because job searching is stressful enough without scammers, and you deserve to land your next job with confidence.
The post The New Grad’s Guide to Job and Recruitment Scams appeared first on McAfee Blog.
Hackable Robot Lawn Mower Unlocks a New Nightmare
How to Protect Yourself After the Canvas Education Data Breach + Fake Amazon Recall Texts

If you have ever checked your child’s grades online, submitted a college paper through a school portal, downloaded homework assignments, or received messages from a teacher through a classroom app, there is a good chance you have used Canvas, a nationwide learning management system that was just in a massive data breach.
This is exactly the moment McAfee+ Advanced was built for. With our built-in Scam Detector to flag risky links, QR codes, and deepfakes; Identity Monitoring that alerts you when your data appears where it shouldn’t; and Personal Data Cleanup that removes your information from the dark web and data brokers, McAfee+ Advanced is an all-in-one solution for protection after a data breach.
Now let’s get into what you need to know about this breach:
Who Is Behind the Canvas Breach?
The ransomware group ShinyHunters is claiming responsibility for the attack. The group alleges it stole roughly 275 million records tied to nearly 9,000 schools and educational institutions worldwide.
How Did the Canvas Cyberattack Happen?
Instructure, the company behind Canvas, confirmed a cyber incident affecting its cloud-hosted environment. The attackers later posted claims about the breach on their leak site, where ransomware groups pressure organizations into paying by threatening to release stolen data publicly.
What Information Was Stolen in the Canvas Breach?
The stolen data reportedly includes:
- Student names
- Teacher and staff names
- Email addresses
- Student IDs
- Course and enrollment information
- School-related records
ShinyHunters claims the breach exposed roughly 275 million records and more than 231 million unique email addresses.
How Could the Canvas Data Breach Impact Families and Students?
Even if financial information was not exposed, this kind of data can still be extremely valuable to scammers. Criminals can use real school names, real classes, teacher names, and student information to create highly convincing phishing emails, fake school alerts, scholarship scams, tuition scams, or password reset messages.
A scam message referencing your child’s actual school or assignment is much harder to spot as fake.

This is a real message from Canvas from a community college professor after yours truly took an anthropology class for fun during the pandemic. It’s full of links to apply for programs and reach out to professors. It has exact details about courses I’ve taken.
While this correspondence is real, it’s exactly the type of messaging that scammers could fake and replicate, replacing real links with fake “paid” opportunities to pursue degrees.
Now think of the millions of messages and specific scenarios scammers have access to, to create dubious and convincing scams. That’s why protecting yourself after a breach is key.
What To Do Right Now
Here are some actions you can take immediately ot protect yourself after this breach:
- Change you or your child’s Canvas password immediately, and update any other accounts where they reuse that password
- Turn on multi-factor authentication (2FA) on parent and student accounts wherever the school permits it — Instructure’s own post-incident guidance specifically called out enforcing MFA as a recommended precaution
- Ask your school what identity protection is being offered if sensitive data was involved
- Consider placing a credit freeze on your or your child’s file to block new accounts from being opened in their name
- Avoid clicking links in any messages that reference the breach, go directly to the official site instead
And that, my friends, is issue number one in this week’s This Week in Scams. Let’s get into what else is on our radar in cybersecurity and scam news.
Fake Amazon Recall Texts Are Targeting Shoppers
Your phone buzzes. It’s a text from an unknown number, but the message looks official.
“Dear Amazon Customer, we are writing to inform you that an item from your March 2026 order has been identified for recall.” There’s an order number. A link at the top of the message. A note about quality standards and a refund waiting for you.
It looks real. It has the Amazon logo, the branded formatting, even a reference to the “Amazon Customer Safety Team.” The only thing it doesn’t have? Any connection to Amazon at all.

This is a fake Amazon recall scam, and it is making the rounds right now. The goal is to get you to click that link, which takes you to a site designed to harvest your login credentials, payment information, or both.
If you get a text like this, do not click the link. Go directly to amazon.com in your browser, log in, and check your orders and messages from there. Amazon does not initiate recall or refund processes through unsolicited texts with outside links.
What Is a Fake Amazon Recall Scam And How Does It Work?
A fake Amazon recall scam is a text message or email in which criminals impersonate Amazon to convince you that one of your recent orders has been flagged for a product recall. The message directs you to an external link leading to a phishing site designed to steal your Amazon credentials, credit card details, or personal information.
Red Flags To Watch For
- The text comes from an unknown number, not a short code or verified sender
- The link goes to a domain that is not amazon.com
- The message asks you to complete a refund through an external link
- Small typos or awkward phrasing appear in what looks like official communication
- The greeting says “Dear Amazon Customer” rather than your actual name
What To Do If You Get One
- Do not click the link
- Go to amazon.com directly and check your orders and account notifications
- Report the text to Amazon at stop-spoofing@amazon.com
- Block the number
Where McAfee Steps In (So You Don’t Have to Guess)
Scams today are layered. A fake email leads to stolen credentials. A breach leads to targeted phishing. And those follow-ups are getting harder to spot.
With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done:
- Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
- Personal Data Cleanup helps remove your information from sites selling it.
- Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage
- Safe Browsing helps block risky sites, even if you do accidentally click
- Device Security helps detect malicious apps or downloads
- Secure VPN keeps your data private, especially on public Wi-Fi
McAfee Safety Tips This Week
Our advice based on this week’s scams and stories:
- If your child’s school uses Canvas, update their password now and enable multi-factor authentication if available
- Consider a credit freeze for your child’s identity, especially if sensitive identifiers were part of the breach
- Never click links in unsolicited texts about refunds, recalls, or account issues — go directly to the official site instead
- Treat any message that references your recent orders or personal account details with extra skepticism, even if it looks legitimate
- Use Scam Detector to check suspicious links before engaging, and stay alert in the weeks and months after a breach, not just the first few days
And we’ll be back next week with more scams and cybersecurity news making headlines.
The post How to Protect Yourself After the Canvas Education Data Breach + Fake Amazon Recall Texts appeared first on McAfee Blog.
Meet Rassvet, Russia’s Answer to Starlink
The Canvas Hack Is a New Kind of Ransomware Debacle
How to Disable Google's Gemini in Chrome
Fixing the password problem is as easy as 123456
Now Available: Use ChatGPT with McAfee to Spot Scams Faster
Scam messages are getting smarter and faster.
According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to figure out what’s real and what’s fake online. That’s nearly three full workweeks lost to second-guessing messages, alerts, and links.
And when scams do succeed, they move quickly. The typical scam unfolds in about 38 minutes, leaving little room for hesitation.
That creates a gap: People want to check before they act, but the tools haven’t always met them in that moment.
ChatGPT + McAfee is designed to close that gap, bringing scam detection directly to a platform people are already using to ask questions and make decisions.
And it’s available to anyone. You don’t have to be a McAfee subscriber.
This isn’t just detection. It’s guidance in the exact moment you’re deciding what to do.
Instead of guessing, you can paste a message or drop in a screenshot and get a clear explanation of what’s risky, and what to do next, powered by McAfee’s threat intelligence.
What You Can Do with ChatGPT + McAfee
With this integration, checking something suspicious becomes as simple as asking a question.
Paste a message. Drop in a link. Upload a screenshot.
McAfee analyzes it and explains what’s going on clearly and in context.
Here’s how it works:
| Feature | What it does | How it protects you |
| Link safety check | Paste a suspicious URL and get a reputational analysis based on McAfee threat intelligence | Scam links are often designed to look legitimate. A quick check helps avoid phishing and malware |
| Message analysis | Submit texts, emails, or social messages for evaluation | Many scams now rely on urgency and tone. Analysis helps surface subtle red flags |
| Screenshot uploads | Upload screenshots of messages, emails, or posts for review | Scams don’t always come as clean text. This makes it easier to check what you’re actually seeing |
| Clear explanations | Get a breakdown of why something is flagged as risky or safe | Not just a warning—an explanation that helps you recognize patterns next time |
| Guided next steps | Receive recommendations on what to do next | Helps prevent escalation, especially in moments of uncertainty |
It’s a quick, accessible way to get answers in the moment. But it’s just one part of a broader system designed to protect you more comprehensively.
Add the app to your ChatGPT account here.

Built on McAfee’s Threat Intelligence
Behind the scenes, ChatGPT + McAfee is powered by the same intelligence that fuels McAfee’s broader scam protection ecosystem.
When you submit something for review:
- Links are checked against known threat signals
- Messages are analyzed for scam patterns and language cues
- Results are translated into clear, human-readable explanations
The goal isn’t just to flag risk. It’s to help you understand it.
A New Way to Stay Ahead of Scams
Scams aren’t slowing down. If anything, they’re becoming more convincing, more personalized, and harder to detect.
That’s where ChatGPT + McAfee comes in. But this is only one part of a much bigger system designed to protect you before, during, and after a scam attempt.
With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done:
- Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
- Personal Data Cleanup helps remove your information from sites selling it.
- Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage
- Safe Browsing helps block risky sites, even if you do accidentally click
- Device Security helps detect malicious apps or downloads
- Secure VPN keeps your data private, especially on public Wi-Fi
The ChatGPT experience gives you a fast, intuitive way to check something in the moment.
McAfee+ Advanced makes sure you’re protected across everything else.
The post Now Available: Use ChatGPT with McAfee to Spot Scams Faster appeared first on McAfee Blog.
Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web
A Kid With a Fake Mustache Tricked an Online Age-Verification Tool
Hackers Hate AI Slop Even More Than You Do
DHS Demanded Google Surrender Data on Canadian’s Activity, Location Over Anti-ICE Posts
Disneyland Now Uses Face Recognition on Visitors
Dangerous New Linux Exploit Gives Attackers Root Access to Countless Computers
Ad Impersonation Scams and Record-Breaking Social Media Fraud Losses: This Week in Scams

You’re scrolling through Facebook or TikTok and see it.
A flash sale from a brand you recognize. A limited-time investment opportunity. A job posting that promises quick money.
The ad has comments. The account looks polished. Maybe someone you follow even liked it.
So you click.
From there, things move fast. You’re pushed to act quickly, enter your information, or send payment before the “deal” disappears. And just like that, the money is gone or your account is compromised.
This isn’t an edge case anymore. According to new FTC data, nearly 30% of people who reported losing money to a scam in 2025 said it started on social media, with total losses hitting $2.1 billion.
That’s why McAfee+ Advanced includes comprehensive protection designed to help you spot and stop scams at every step, including McAfee’s Scam Detector, which flags suspicious links and messages and explains why they may be risky, along with identity and privacy tools that help protect your information if a scam slips through.
How Social Media Ad Scams Work
A social media ad scam is when scammers use paid ads, fake profiles, or hijacked accounts on platforms like Facebook, Instagram, or TikTok to promote fake products, services, or investment opportunities in order to steal money or personal information.
| Step | What happens | What to do | How McAfee helps |
| 1 | You see an ad, post, or DM promoting a deal, job, or investment | Don’t engage immediately, even if it looks legitimate | Scam Detector flags suspicious links and messages before you interact |
| 2 | The ad links to a website or moves you into DMs | Avoid clicking unfamiliar links or continuing off-platform | Safe Browsing helps block risky or newly created websites |
| 3 | You’re pressured to act quickly or “secure your spot” | Slow down and verify the company independently | Scam Detector explains urgency tactics and why they’re risky |
| 4 | You’re asked to pay, share login info, or download something | Never send money or credentials based on a social media interaction | Identity Monitoring helps protect your personal data if exposed |
| 5 | The product never arrives, the investment disappears, or your account is compromised | Report the scam and secure your accounts immediately | Personal Data Cleanup and monitoring help reduce ongoing exposure |
Red Flags To Watch For
- Deals that feel unusually cheap or urgent
- Ads linking to unfamiliar or slightly misspelled websites
- Requests to move conversations off-platform quickly
- Payment requests via apps, crypto, or wire transfer
- Accounts with limited history or inconsistent engagement
And that is the first part of This Week in Scams! This Friday we’re taking a different format to talk about this new FTC data and all that it reveals.
Let’s keep digging in:
FTC Report: Social Media Scams Are Now The Most Costly Fraud Channel
New data from the FTC shows just how dominant social media has become in the scam landscape.
- Social media scams drove $2.1 billion in reported losses in 2025
- Losses have increased eightfold since 2020
- Investment scams alone accounted for $1.1 billion of those losses
Where Scams Are Happening And What’s Changing
| Category | What to know |
| Most common scams | Shopping scams lead, with over 40% of victims reporting purchases from social media ads that never arrived |
| Most costly scams | Investment scams drive the biggest losses, often starting with ads or group chats showing fake success |
| What’s changing | Scammers are using platform tools like ads, targeting, and profile data to reach people more precisely than ever |
How Scams Play Out Across Platforms
| Platform | How scams typically start | What to watch for |
| Ads, Marketplace listings, hacked accounts | Fake stores, duplicate listings, urgent purchase pressure | |
| Sponsored posts, influencer impersonation | “Limited drop” scams, fake brand collaborations | |
| TikTok | Ads, stolen videos/profiles, comment links, bio links, | “Get rich quick” schemes, external link funnels, reselling via TikTok |
| Group chats, investment communities | Fake testimonials, coordinated pressure to invest |
How McAfee Protects You from Scams and Cyber Threats
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
- Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
- Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
- Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
- Safe Browsing helps block risky sites if you do click
- Device Security helps detect malicious apps or downloads
- Secure VPN keeps your data private, especially on public Wi-Fi
McAfee Safety Tips This Week
Our advice based on this week’s scams and schemes:
- Treat social media ads like any other unknown source, not a trusted recommendation
- Pause before clicking, especially when urgency is involved
- Verify brands by going directly to their official website
- Avoid sending money or personal information through social media
- Use tools like Scam Detector to check suspicious links before engaging
And we’ll be back next week with more scams making headlines.
The post Ad Impersonation Scams and Record-Breaking Social Media Fraud Losses: This Week in Scams appeared first on McAfee Blog.