Latest news with #LummaStealer


Associated Press
a day ago
- Business
- Associated Press
Gen Q1/2025 Threat Report
Foreword

With this issue of the Gen Threat Report, we are introducing a more streamlined format, making it easier to digest and focusing more on key highlights, trends and emerging threats rather than attempting to catalog every detail. The Threat Landscape Highlights section will capture notable trends and evolving threat dynamics, and Featured Stories will now dive deeper into specific investigations.

The threat landscape in Q1/2025 might look surprising to some. At first glance, the decline in the total number of blocked attacks compared to the previous quarter might seem like a welcome reduction in activity. However, this drop is not solely seasonal or due to reduced attacker activity. More importantly, this decrease highlights a deeper evolution in tactics: broad 'spray and pray' campaigns are giving way to more tailored, deceptive and persistent attacks. The threats that did emerge this quarter are more focused, strategic and reflect the growing sophistication of attackers.

Financial threats showed new levels of innovation. The CryptoCore group executed one of its most refined campaigns to date, blending deepfake videos of public figures, compromised YouTube accounts and professionally cloned websites. This most recent campaign resulted in an estimated $3.8 million in illicit profits over 2,200 transactions (although the real number is likely far higher). Mobile financial threats also escalated. The Crocodilus banking trojan, most active in Spain and Turkey, abused accessibility features to overlay fake login pages and steal crypto wallet credentials. Meanwhile, our LifeLock insights showed rising levels of credit and transaction alerts, indicating both increased monitoring activity and more frequent fraud attempts targeting users' financial footprints.

Data-stealing threats also continued to rise across multiple categories based on our telemetry. The number of data breach events — meaning instances where a company or platform was breached — increased by more than 36% quarter over quarter, while the total number of breached records — personal data such as email addresses, passwords, credit card numbers, etc. — surged by more than 186%. While large-scale service breaches made headlines, attackers were also compromising user data directly through infostealers such as Lumma Stealer (which has since been successfully taken down through a collaboration between Europol and Microsoft). Furthermore, phishing continued to play a growing role in data compromise — we documented how adversaries are abusing low-code form-building platforms to host phishing campaigns on legitimate infrastructure, making detection and takedown significantly harder.

Lastly, ransomware remained a high-risk threat, building over the last three quarters. The majority of cases continued to be driven by the usual suspect, Magniber, but new strains, such as FunkSec, also emerged. FunkSec, in particular, was allegedly partially generated using AI and large language models (LLMs).

Scam threats were marked by significant diversification and reach. We protected more than 4 million people from Scam-Yourself Attacks, a category that now spans platforms and operating systems. FakeCaptcha, once confined to Windows, expanded to macOS and began distributing the infamous infostealer AMOS (Atomic Stealer) under the guise of phishing protection. Touché. Moreover, social media remained a key vector for scams, with compromised Facebook and YouTube accounts used for both distribution and monetization. Attackers combined AI-generated personas, hired influencers and platform-native ad systems to lend legitimacy to fraudulent campaigns.

In parallel, Fake Update attacks, another type of Scam-Yourself Attack in which people are asked to update their device or programs but are instead guided to infect their devices, targeted European users, causing an unprecedented 17-fold growth in risk exposure compared to last quarter.

We hope you find the Q1/2025 Gen Threat Report engaging and informative and the new format easy to digest. Thank you for reading.

Jakub Křoustek, Threat Research Director

Threat Landscape Highlights

While the list of the most prevalent threat types has remained the same, or nearly so, over the years, the threat landscape continuously evolves through the ways in which threat actors work to achieve their malicious ambitions. How the landscape shifts is inevitably affected by our digital activities, from the use of social media to online shopping and learning, and by recent events affecting the security of our digital lives, such as data breaches. In this section, we aim to provide insight into emerging threats, new techniques and trends, and interesting changes in the otherwise expected behavior of the global threat landscape.

Global Risk Snapshot

Global risk ratio: 24.53%

Cyber risk remained high in Q1/2025, with a global average risk ratio of 24.53%, consistent with the heightened levels observed in late 2024. However, exposure remained highly uneven across regions. The highest threat activity concentrated in parts of Asia and Eastern Europe. China topped the list with a risk ratio of 48.60%, followed by Georgia (44.51%) and Vietnam (39.06%). These figures reflect a mix of aggressive targeting, insufficient defensive infrastructure and high digital engagement. In contrast, major economies like Japan (16.12%), Germany (20.11%) and France (24.93%) reported significantly lower risk ratios, while Scandinavian countries like Finland (19.36%), Sweden (22.14%) and Norway (23.96%) continued to show resilience against attacks thanks to mature cybersecurity practices.
South America remained a region of interest, with Brazil (20.14%) and Argentina (23.24%) experiencing spikes in mobile-specific threats. Meanwhile, countries with limited digital infrastructure — such as Haiti (18.44%) or the Democratic Republic of Congo (16.24%) — saw reduced exposure simply due to lower internet penetration.

Personal Data at Stake: Data Breaches & Information Stealers

Personal data is like digital gold to criminals, and risks to digital identities continue to increase. Based on our telemetry, data breach events - instances where a company or platform was breached - rose 36.12% quarter-over-quarter. Breached records increased by 186.26%, with breached user emails alone up 102.93%. More than 1.19 million records were reported with high or critical severity, meaning that the breached records also included plaintext passwords, potentially giving cybercriminals the figurative keys to over a million people's personal accounts. Large-scale data breaches are no longer rare. Notable digital-identity events in Q1/2025 included:

One of the protective measures we provide for our users is alerting them when a significant breach happens and their personal data is exposed or possibly affected by a recent data leak. These alerts give our customers the opportunity to responsibly react and secure their personal data in advance of fraudulent activity by attackers. In Q1/2025, alerted users increased too, with notable spikes in:

Data stealing efforts via information stealers also rose in Q1/2025, with an 8.24% increase in risk ratio, again driven by the Lumma Stealer, which:

Other prominent infostealers by their malware share were:

The regions most impacted by information stealers were Turkey, Egypt, Indonesia and Argentina.

Scams & Social Media Exploits

Scams continue to evolve as one of the most widespread and adaptable cyberthreats, exploiting both traditional and modern delivery channels. In Q1/2025, we observed scammers leveraging everything from malvertising (malicious advertising) to social media platforms and push notifications to reach potential victims. This broad attack surface was amplified by the wealth of user data available online, enabling highly targeted and convincing scams. Below, we highlight some of the key trends and tactics shaping the scam landscape this quarter:

Social media also remained a favored delivery mechanism for scams and other related threat types. In Q1/2025, 63% of social-media-related threats were observed on Facebook, followed by YouTube with a 22% platform share. Platforms like Reddit and Instagram remained relevant threat vectors, while X (formerly Twitter) held steady at 7%. LinkedIn, a business and employment-oriented social network, showed a rising trend with a 26.23% increase in its share. The types of threats found on each social media site varied due to user demographics and usage patterns, with malvertising continuing to top the threat types on social media at 30% of the total share, followed by phishing (21.72%).

Q1 Scam Trends Revealed by Norton Genie

Our Norton Genie scam detection tool shows the different types of scams reported by users:

Ransomware: A Changing Battlefield

The ransomware threat level remains elevated since Q4/2024. In Q1/2025:

While the notable players maintain the largest share of ransomware threats, there is a new player on the ransomware scene, called FunkSec. Some of their tools were most likely generated by an LLM agent, a sign that AI tools are lowering the barrier for creating ransomware. This also applies to the template source code, where comments are written in perfect English (as opposed to the very basic English in the group's other mediums). Based on a report from Chainalysis, the total volume of ransom payments decreased year-over-year (YoY) by approximately 35%. There are a few reasons why the payments declined: companies have adapted to this type of cyberthreat and understand the need for cybersecurity, more frequently declining to pay ransomware gangs, while law enforcement agencies have increased pressure on ransomware infrastructure and crypto-mixers. The total amount paid in 2024 was $813 million.

Mobile Threats on the Rise

Mobile threats surged in Q1/2025, with a 25% increase in protected users across adware and spyware categories. Adware, particularly strains like HiddenAds and MobiDash, dominated the mobile threat landscape, while older families like FakeAdBlockers faded from view. Brazil, India, Argentina, and Mexico saw some of the largest country-specific spikes, with Mexico notably experiencing a 42% jump in protected monthly users. The evolving nature of mobile adware and spyware suggests these threats will continue to escalate in the coming quarters, particularly as attackers experiment with new delivery methods and leverage regional campaigns to maximize impact. Spyware, though growing more modestly (+6% protected users), revealed worrying trends with new or resurging strains like SpySolr, Tambir and SpyLend, targeting victims in Turkey and India with increasingly aggressive data theft and blackmail tactics. Spain stood out with a 96% spike in spyware risk, while Turkey followed closely behind at +84%.

Patrik Holop, Researcher
Luis Corrons, Security Evangelist
Ladislav Zezula, Malware Researcher
Jakub Vávra, Threat Operations Analyst
Jan Rubín, Malware Researcher
Alexej Savčin, Threat Analysis Engineering Manager
Lukáš Zobal, Research Engineering Manager

Featured Stories: Deception, Innovation and Exploited Trust

The first quarter of 2025 demonstrated that cybercriminals are not merely refining their methods; they're rewriting the playbook entirely.
Our Featured Stories expose how threat actors employed groundbreaking technologies, hijacked trusted platforms and used highly personalized deception to trap victims more effectively than ever. CryptoCore's manipulation of deepfake technology around President Donald Trump's 2025 inauguration illustrates how major media events can become powerful tools for financial fraud on a global scale. In parallel, cybercriminals exploit legitimate online website builders, rapidly deploying convincing phishing pages designed to bypass traditional security measures and deceive users into handing over their most sensitive data. We also explore the sophistication of Scam-Yourself Attacks, a disturbing trend where victims are deceived into willingly infecting their own devices. Attackers increasingly use realistic AI-generated personas, cleverly compromised social platforms and sophisticated cross-platform techniques to evade detection and persuade users to lower their defenses voluntarily. Together, these featured stories paint a clear picture of a threat landscape driven by innovation, deception and an alarming exploitation of trust.

Hijacked Inauguration: How CryptoCore Used Deepfakes to Scam Millions

CryptoCore, the sophisticated cybercriminal group that exploits the popularity of cryptocurrencies, has perfected the art of deception. By combining deepfake technology, hijacked YouTube accounts and professionally designed websites, they transform media events into launchpads for sophisticated scam operations targeting cryptocurrency users. Their approach exploits trust, manipulates public attention and turns fabricated reality into a convincing trap. We broke down their methods further in our article about CryptoCore.

In Q1/2025, CryptoCore found the perfect stage. As the 2025 inauguration of U.S. President Donald Trump captured global headlines, the group launched one of its most aggressive deepfake campaigns yet, targeting cryptocurrency enthusiasts caught in the media frenzy. Our telemetry shows that during this period, CryptoCore's activity surged to over four times the typical baseline, reflecting the scale of the operation.

CryptoCore significantly increased its activity on YouTube during the inauguration, hijacking more accounts and rebranding them to look like official accounts linked to Donald Trump. Deepfake technology was at the heart of the operation, creating realistic, fabricated videos featuring both Donald Trump and Elon Musk promoting fraudulent giveaway events. The scam narrative remained consistent: leveraging the inauguration's media spotlight to push cryptocurrency investment schemes, promising participants the chance to double their profits. The videos were carefully crafted, often reusing authentic footage with manipulated lip-syncing and embedded QR codes that redirected viewers to sophisticated fake websites. These sites were highly professional in appearance, featuring interactive elements and images of Trump and Musk to enhance their credibility.

In addition to the inauguration event, Donald Trump's meme coin, $TRUMP, officially launched on January 18, 2025, just before Donald Trump's second inauguration. The coin quickly gained public attention, fueled by media coverage and the political spotlight. Seizing the opportunity, CryptoCore created a wave of scam promotional content featuring deepfakes of Trump and other high-profile figures. The scam once again promised exclusive benefits and double profit, this time tied to investments in the $TRUMP coin.

Beyond the inauguration, CryptoCore maintained a stable trend of distributing fake videos exploiting the likenesses of other cryptocurrency personalities such as Vitalik Buterin, Michael Saylor and Brad Garlinghouse. These deepfakes were spread across hijacked platforms, extending the reach of their scams far beyond the political event.

CryptoCore's operations in Q1/2025 resulted in estimated profits of $3.8M across 2,200 transactions, based on analysis of cryptocurrency wallets identified on fraudulent sites. As this estimate only includes tracked wallets and visible activity, the actual profit is likely much higher.

CryptoCore's latest campaigns show how quickly attackers adapt, combining deepfake technology, hijacked trusted platforms, and media-driven moments to lure unsuspecting victims. Today's scams no longer rely on crude deception: they look polished, professional and dangerously convincing. It is crucial to stay vigilant and verify the authenticity of any cryptocurrency-related content, especially that tied to high-profile events or personalities, to avoid deception.

The Hidden Threat of Phishing Attacks Through Online Forms

Cybercriminals have always been on the lookout for simple, effective and low-cost ways to run phishing campaigns. While some invest in elaborate infrastructure—offering realistic phishing pages as part of paid 'phishing-as-a-service' kits—others opt for a cheaper, faster approach: abusing legitimate website builders. These low-effort alternatives abuse legitimate tools with drag-and-drop interfaces, enabling anyone to create a website without needing coding skills. This approach allows for a quick, although limited, way to create phishing pages on legitimate hosting domains. Such pages have a higher chance of bypassing standard email filters, which is a significant threat to ordinary users. Therefore, phishing links are predominantly sent via email. The main tactic is to create a sense of urgency about a blocked account or service limitation requiring immediate action. Another type of email is informational, requesting the review of a document accessible online, but only after logging in. Even though many of these websites can be spotted with a bit of scrutiny, they remain consistently present in the wild, and in some regions, increasingly so.
They primarily mimic the login screens of major companies providing telecommunications, email and streaming services. Financial institutions and forms requiring payment information, social security numbers and other sensitive data are also common targets. Additionally, the phishing pages appear in various languages across all continents.

Attackers often abuse popular website builders, e.g., Weebly or Wix, hosted on trusted domains and infrastructure. These tools are frequently free, making their misuse very simple and anonymous. Phishing pages typically have a legitimate second-level domain, which does not raise suspicion with spam filters or antivirus software. Additionally, attackers can choose arbitrary third-level domains, often using brand names to evoke familiarity with the phished brand. A popular tactic is also typosquatting in the subdomain name, such as:

Beyond website builders, attackers increasingly abuse dynamic DNS (DDNS) services and subdomain providers like DuckDNS to host phishing sites. These services allow the creation of custom subdomains that mimic well-known brands, further enhancing the deception. By leveraging such flexible infrastructure, attackers can quickly scale campaigns without requiring extensive technical knowledge, expanding their reach and impact.

Some login pages are sophisticated and require greater attention to detect, especially if the legitimate login form is simple to copy. On the other hand, there are also many obviously fraudulent pages where, e.g., the entered password is not masked, the footer displays the logo of the abused platform or the header contains links leading to unrelated sites. In any case, a login page sitting on a website builder domain is a red flag indicating that something is wrong.

The figure below illustrates an example of an obvious phishing page. Notice the suspicious menu items, including irrelevant options unrelated to the site's purpose. The page layout is also inconsistent and unprofessional, with mismatched fonts and awkward formatting. One of the most obvious red flags, though, is that passwords are displayed in plain text rather than masked—an immediate giveaway that the site is not legitimate.

Phishing attacks of this type are steadily increasing worldwide, with distinct spikes in specific regions. In the U.S., a significant campaign targeted AT&T and Xfinity customers in early 2025. Conversely, in Australia, we have observed a steadily increasing trend since February, relentlessly targeting Telstra email users. These regional waves reflect how attackers can easily localize their campaigns using publicly available tools, targeting specific providers, languages and users with minimal effort and maximum reach.

The technique remains widely used for a reason: it's fast, cheap and often effective. Even when phishing pages are poorly made, their trusted hosting domains give them an edge, making them harder to filter and easier to overlook. Notably, Q1/2025 telemetry shows a rising number of phishing campaigns hosted on DDNS services and subdomain providers, adding to the already widespread abuse of site builders. While the overall phishing threat landscape remained relatively stable this quarter, these shifts in hosting methods point to an evolving playbook that emphasizes speed, flexibility and low operational costs.

The Evolution of Scam-Yourself Attacks: Smarter, Sneakier and Cross-Platform

The most dangerous attacks aren't always the ones that sneak in unnoticed — they are often the ones that make you open the door yourself. Scam-Yourself Attacks rely on well-crafted social engineering tactics, designed to trick users into infecting their own devices. The malicious steps don't hide in the background — they're laid out in front of the user, disguised as helpful instructions. It's malware you install yourself — and attackers are getting better at convincing you to do it.
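As an added example (not code from the report or from Gen), the following Python triage routine applies the checks described in the phishing section to a URL: it isolates the registrable apex, flags a watched brand appearing in the subdomain of a shared site-builder or DDNS apex, and catches one-character typosquats with an edit-distance check. The apex list, the brand list and the sample URLs are constructed for this example, and a two-label apex heuristic stands in for a Public Suffix List lookup, which a production check should use instead.

```python
"""Triage URLs for brand impersonation on site-builder and DDNS hosts.

Added example; not part of the Gen report. Lists below are assumptions
constructed for illustration (Weebly, Wix and DuckDNS are named in the text).
"""
from urllib.parse import urlsplit

# Apexes under which anyone can register a subdomain (constructed list).
SHARED_HOST_APEXES = {"weebly.com", "wixsite.com", "duckdns.org"}

# Brands to watch for in subdomain labels (constructed sample list).
WATCHED_BRANDS = {"telstra", "xfinity", "att"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_host(hostname: str):
    """Return (subdomain_labels, apex) using a two-label apex heuristic.

    Assumption: the apex is the last two labels. Real deployments should
    consult the Public Suffix List, since many public suffixes have more.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], hostname.lower()
    return labels[:-2], ".".join(labels[-2:])


def triage_url(url: str) -> list[str]:
    """Return findings for one URL; an empty list means nothing was flagged."""
    host = urlsplit(url).hostname or ""
    sub_labels, apex = split_host(host)
    findings = []
    if apex not in SHARED_HOST_APEXES:
        return findings  # brand on its own apex is not what we are hunting
    # Split labels on hyphens so 'telstra-webmail' still yields 'telstra'.
    tokens = [t for label in sub_labels for t in label.split("-") if t]
    for tok in tokens:
        for brand in sorted(WATCHED_BRANDS):   # sorted for stable output
            if tok == brand:
                findings.append(f"brand '{brand}' in subdomain of shared host {apex}")
            elif len(tok) >= 4 and levenshtein(tok, brand) == 1:
                findings.append(f"typosquat '{tok}' of '{brand}' on shared host {apex}")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs; none of these are real phishing sites.
    for sample in ("https://telsta-mail.weebly.com/login",
                   "https://xfinity.duckdns.org/",
                   "https://www.telstra.com/login"):
        print(sample, "->", triage_url(sample) or "clean")
```

The exact-match branch only fires on a shared apex, so the brand's own site is never flagged; the edit-distance branch is restricted to tokens of four or more characters to keep short labels from matching by accident.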
In Q1/2025 alone, we protected more than 4 million people from Scam-Yourself Attacks like ClickFix and FakeCaptcha, some of the most widespread and persistent threats across the globe. While the overall 'Fake' category, which includes Scam-Yourself Attacks, saw a slight decrease in global risk ratio of 8.96% this quarter, its impact remains massive, with persistent activity observed worldwide.

AI Personas, Fake Finance Tools and the YouTube Trap

One of the most striking evolutions we observed this quarter is how attackers use AI-generated personas, deepfake influencers and hired actors to deliver Scam-Yourself campaigns, primarily through compromised YouTube accounts.

Meet Thomas Harris, also known as Thomas Roberts or Oscar Davies, among other names. He is very active on YouTube, providing advice on how to easily make money using otherwise paid extensions for TradingView, like ChatGPT AI Charts (no matter whether such an extension actually exists or not). Typically present as an unlisted video on a compromised YouTube account, 'Thomas' verbally and visually explains how to proceed with the installation, effectively performing a Scam-Yourself Attack. The most shocking part is that Thomas isn't real at all; he is a rising star of an influencer who is completely deepfaked.

Usually, the video is unlisted and is not visible on the compromised YouTube channel where it is hosted, and it cannot be searched for on YouTube. In order for the user to reach the video, the attackers frequently use YouTube's advertising system, which recommends the scam videos when it recognizes that the user is interested in the related topic.

The attackers also use a lot of tricks to make the compromised accounts look as convincing as possible. To impersonate the original vendor, the attackers made some typical changes:

Let us explain the last step more using the example below. Linked videos are a feature of YouTube where the user can link videos from different channels and present them on their own channel. In the screenshot below, we can see a compromised YouTube channel. Because the videos in this case point to the official TradingView channel, they look very convincing and legitimate – that's because they are legitimate — even though they don't belong to this channel at all. The user would need to click on the individual videos and observe that they are actually hosted on a different channel to recognize that they're not on the page of the company, account or vendor they think they're on. For more details about this campaign, read our blogpost.

Trading Bot Scam is yet another type of AI impersonation campaign we observed during Q1/2025 (and beyond). In the 500+ videos so far, we observed more than 15 different personas, and we are still counting. Either completely AI-generated, deepfaked, or performed by hired actors, all these personas carry out the Trading Bot Scam.

All of the personas shown above advise users on how to get rich, quickly and easily, by exploiting price differences in cryptocurrency on blockchains. To do so, users are instructed to copy and paste smart contract code into an online Integrated Development Environment (IDE platform) for the cryptocurrency contract. When the user adds money to the contract, their money is sent to the attacker's wallet instead.

This method takes Scam-Yourself Attacks to the next level. Instead of simply tricking users into pasting malicious commands into their computers, it uses legitimate websites or tools to trick them into setting up a malicious smart contract on the blockchain. The attacker usually hosts their own fake coding platform on a website with a slightly misspelled name. This way, they avoid the warnings and pop-up messages that real platforms show to protect users from copying dangerous code. By self-hosting the IDE, the attackers change its implementation so that these warnings are suppressed, trading the risk of the user noticing the typosquatted domain against the risk of the user seeing a warning dialog.

FakeCaptcha Gets Smarter (and More Cross-Platform)

ClickFix and FakeCaptcha continue to evolve. One new tactic involves interactive image-based CAPTCHAs mimicking the classic 'select all the traffic lights' puzzle. However, after selecting an image (quite frankly, any image for that matter), the user is once again redirected to the common set of malicious steps which result in infecting the user's device.

Another FakeCaptcha campaign, focused on countries in Asia, uses typosquatted URLs trying to impersonate well-known brands like Pepsi, McDonald's and Coca-Cola. In campaigns like this, we can observe usage of a variety of loaders — programs designed to secretly install malware on a victim's device, including the well-known Emmenhtal loader. In some cases, the loader is cleverly hidden inside a polyglot MP3 file, which can be played as normal audio but also contains malicious JavaScript. This hidden code is then run by a tool called to install Lumma Stealer malware.

In FakeCaptcha attacks, attackers hide malicious code by adding comments that make the command look harmless. This way, the user only sees the supposed verification message, and the malicious command is hidden just before the comment, as can be seen below:

In Q1/2025, we saw an improvement of this technique. The attackers started to use Unicode characters in these comments in an attempt to avoid detection. Nothing really changed for the user, but under the hood, the byte representation varies significantly.

FakeCaptcha also exploits the userinfo part of URLs (the credentials before the '@' symbol) in requests. This is done to obfuscate the URL so that it seems to point at a familiar domain (see below), but in fact the request is made to the attacker-hosted website.
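To show what a defender can check in the pasted text described above, here is an added Python example (not code from the report): it separates the visible comment from the command, flags a comment that poses as a verification prompt, counts non-ASCII and invisible (Unicode format-category) characters in that comment, and reports any URL in the command whose userinfo part disguises the real host. The comment markers, the keyword list and the sample strings are assumptions constructed for this example, and the first stage of the sample command is replaced by a placeholder.

```python
"""Triage a one-line command that a FakeCaptcha page asks the user to paste.

Added example; not part of the Gen report. Assumptions: '#' (PowerShell,
POSIX shells) and '::' (cmd.exe) start a trailing comment; sample strings
are constructed and the first stage is a placeholder, not a real command.
"""
import re
import unicodedata
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
COMMENT_RE = re.compile(r"\s(#|::)\s?")
# Words a disguising comment tends to carry (constructed keyword list).
PROMPT_WORDS = ("robot", "captcha", "verif")


def split_comment(text: str):
    """Return (command_part, comment_part); comment_part is '' if none."""
    m = COMMENT_RE.search(text)
    if not m:
        return text.strip(), ""
    return text[: m.start()].strip(), text[m.end():].strip()


def suspicious_chars(s: str):
    """Non-ASCII characters in s paired with their Unicode category."""
    return [(ch, unicodedata.category(ch)) for ch in s if ord(ch) > 0x7F]


def triage_command(text: str) -> list[str]:
    """Return findings for one pasted line; an empty list means nothing flagged."""
    command, comment = split_comment(text)
    findings = []
    if comment:
        if any(w in comment.lower() for w in PROMPT_WORDS):
            findings.append("comment poses as a verification message")
        odd = suspicious_chars(comment)
        if odd:
            # Category 'Cf' covers format characters such as zero-width space,
            # which render as nothing but change the byte representation.
            invisible = sum(1 for _, cat in odd if cat == "Cf")
            findings.append(f"{len(odd)} non-ASCII char(s) in comment, {invisible} invisible")
    for url in URL_RE.findall(command):
        parts = urlsplit(url)
        if parts.username is not None:
            findings.append(f"userinfo '{parts.username}' hides real host {parts.hostname}")
    return findings


# Constructed sample: placeholder first stage, userinfo-disguised URL, and a
# comment carrying a check-mark emoji plus a zero-width space (U+200B).
SAMPLE_FAKECAPTCHA = (
    "<first-stage> https://accounts.example.com@verify.example.net/v1 "
    "# \u2705 I\u200bam not a robot - reCAPTCHA Verification ID: 4821"
)
SAMPLE_BENIGN = "ping example.com # check connectivity"

if __name__ == "__main__":
    for sample in (SAMPLE_FAKECAPTCHA, SAMPLE_BENIGN):
        print(repr(sample))
        for finding in triage_command(sample) or ["clean"]:
            print("  -", finding)
```

The userinfo check relies on `urlsplit` resolving the host the way a browser or HTTP client would, so the finding names the host the request actually goes to rather than the familiar name placed before the '@'.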
Additionally, FakeCaptcha is not just a Windows thing anymore. In early Q1/2025, this attack was observed on macOS. With a promise of protection against phishing attacks, by following the steps, the campaign was distributing AMOS, an information stealer also known as Atomic Stealer.

In parallel, we also observed a considerable rise in Fake Update campaigns, where attackers trick victims into installing supposed browser updates (such as for Chrome or Opera) that actually deliver malware. These fake updates, designed to closely mimic legitimate prompts, caused a massive +1711% spike in global risk ratios during Q1. While situational, such campaigns can surge dramatically in short bursts before settling back into quieter periods. Notably, this particular wave hit countries like Belgium, Poland, Italy, New Zealand, Switzerland, Spain, the Netherlands, Germany and the United Kingdom especially hard.

Scam-Yourself Attacks also allow previously dead malware strains to shine again. During Q1/2025, we observed a resurrection of Wincir RAT/dropper, also known as Legion Loader, which rose to popularity in 2022 before quickly beginning its steady decline. The attack starts with an unofficial third-party website for downloading software. This website is, however, hosted by the attacker, and instead of a direct download, instructions on how to proceed are displayed to the user. Note that the instructions aren't infecting the victims' devices directly. Instead, the installer is simply downloaded and conveniently displayed to the user in a traditional Explorer window. After the user double-clicks on it, or presses Enter, they execute Wincir manually on their own.

Looking ahead, we anticipate Scam-Yourself Attacks will continue evolving in sophistication and scope. The blending of AI-generated personas, cross-platform malware delivery (including macOS), and advanced social engineering techniques suggests that these attacks will remain one of the most adaptive and challenging threat categories in the quarters to come. Regional surges, like those seen in the Fake Update campaigns, are likely to reappear as attackers test new angles and exploit localized opportunities.

Martin Chlumecký, Malware Researcher
Jan Rubín, Malware Researcher
Luis Corrons, Security Evangelist

In Closing

The Gen Q1/2025 Threat Report revealed an evolving threat landscape where cybercriminals are becoming increasingly sophisticated, leveraging advanced technologies like AI, deepfakes, and cross-platform scams to exploit trust and target their victims. These issues aren't just technological; they're deeply personal, affecting real people and real lives.

Key insights included a 186% surge in breached records, a growth in Fake Update Scams of 17 times the previous quarter's levels, and the rise of Scam-Yourself Attacks, which deceived millions of users into compromising their own systems. We saw new players on the ransomware scene, developing attacks created by AI that target businesses' bottom lines. Financial threats, like CryptoCore's deepfake-powered cryptocurrency scams, reaped millions in profits, while mobile threats took a deeply personal turn, targeting users' sensitive data through spyware and banking Trojans. While the overall volume of cyberattacks has not significantly increased, this signals a shift from broad, indiscriminate strategies to more targeted, innovative, and persistent tactics.

Despite these challenges, there's hope. Awareness, proactive measures, and robust cybersecurity practices are critical in countering these threats. Together, we can build a digital future that's smarter, safer, and more resilient. Stay protected. Stay alert. Stay ahead.

Download the full Q1-2024 Threat Report Whitepaper here. Visit our Glossary and Taxonomy for clear definitions and insights into how we classify today's cyberthreats. Visit 3BL Media to see more multimedia and stories from Gen Digital Inc.


Hindustan Times
5 days ago
- Hindustan Times
Over 184M passwords from Apple, Google, Facebook, Microsoft exposed in massive leak
A recent discovery has exposed a vast number of passwords and sensitive data from major online platforms. Cybersecurity expert Jeremiah Fowler uncovered an unsecured database containing more than 184 million passwords along with email addresses and authorisation links online. The leaked information involved popular services such as Apple, Google, Facebook, Microsoft, Instagram, and Snapchat.

The exposed data goes beyond just passwords. It includes login details for banks, financial institutions, health services, and government portals. Unlike typical databases that protect such information through encryption, this database was stored as a plain text file, making the information easily accessible to anyone who found it online, The Indian Express reported.

Fowler's investigation suggests that the data may have been collected using infostealing malware. This type of malicious software, such as Lumma Stealer, collects usernames, passwords, credit card details, and other sensitive information from compromised systems. The stolen data is often sold on the dark web to cybercriminals.

Upon finding the unsecured file, Fowler notified the hosting provider responsible for storing the database. The hosting company quickly restricted public access to the file, but it declined to provide information about the owner. To verify the authenticity of the leak, Fowler reached out to several individuals whose details appeared in the database. They confirmed that their credentials had indeed been exposed.

Experts warn that individuals who reuse the same password and username across multiple platforms face higher risks. Once cybercriminals access one account, they can exploit personal data for identity theft, fraud, and scams. The breach also included business accounts, which put company records and operations at risk. Threat actors could use such information to steal business data, conduct espionage, or launch ransomware attacks. The leak even contained login details for certain government services and private conversations.

While no method guarantees full protection against data breaches, experts advise using strong, unique passwords and changing them regularly. Multi-factor authentication adds an extra layer of security. Additionally, Google offers a free tool to check if your credentials have appeared in data leaks online. Users should remain vigilant and update their security practices to reduce the impact of such incidents.


Indian Express
5 days ago
- Indian Express
Over 184 million passwords from Apple, Google, Facebook, and Microsoft leaked online, claims researcher
More than 184 million passwords may have been compromised in a new massive data leak. According to cybersecurity researcher Jeremiah Fowler, who first discovered and reported it, an unsecured database containing millions of emails, passwords and authorisation URLs for apps and websites, including Apple, Google, Facebook, Microsoft, Instagram, Snapchat and others, was found online.

While passwords can be changed, what is more concerning is that the database also included login credentials for banks and financial accounts, as well as those used to log in to health platforms and government portals. Moreover, unlike most databases, which encrypt sensitive information to keep it out of the wrong hands, this database was a plain, unencrypted text file.

On further analysis, Fowler concluded that this sensitive data may have been captured by some sort of infostealing malware. Cybercriminals often use infostealers such as Lumma Stealer to grab usernames, passwords and credit card numbers from compromised systems and sell them on the dark web.

Fowler says he also contacted the hosting provider storing the plain text file with more than 184 million passwords, after which the service made it inaccessible to the public. But when he asked about the file's owner, the hosting service refused to share details. To check whether the database was legitimate, he emailed several people whose usernames and passwords had been leaked and found that the exposed information was indeed real. He also noted that people who use the same username and password across services are the most vulnerable to such threats, and that once cybercriminals gain access to an account, they may use the personal information in it to commit online fraud, identity theft and scams.

Fowler also said the unsecured database contained business credentials, which threat actors could use to steal business records, conduct corporate espionage and plant ransomware. It also contained login credentials for several government services, along with people's conversations. While there is no surefire way to protect yourself from data breaches, it is recommended to use strong passwords, change them frequently and use multi-factor authentication whenever possible. Google also offers a free tool that lets you check whether your credentials have been leaked on the dark web.
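Both articles above describe the same artefact a responder actually receives: a plain text dump of URL, username and password triples harvested by infostealers, in which one password turns up across consumer, banking and government sites. The following added example (not code from Fowler's investigation or from either article) shows how a security team might triage such a dump to surface credential reuse across distinct domains and credentials for high-impact services, so the most exposed people are notified first, without ever echoing a password in the findings. It assumes the common stealer-log line format URL:username:password; the sample dump, the host keywords and the two-label registrable-domain approximation are constructed assumptions made for the example.

```python
"""Triage a plaintext infostealer-style credential dump.

Added example, not code from the investigation reported above. Assumes the
line format  URL:username:password  (one credential per line). The sample
dump below is constructed: fake hosts, fake accounts, fake passwords.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample dump (assumption: not real leaked data).
SAMPLE_DUMP = """\
https://accounts.example-mail.test/login:alice@example.test:Winter2024!
https://online.example-bank.test/auth:alice@example.test:Winter2024!
https://portal.example.gov.test/signin:alice@example.test:Winter2024!
android://com.example.social/:bob@example.test:hunter2
https://www.example-shop.test/account:bob@example.test:Tr0ub4dor&3
https://mail.example-corp.test/owa:carol@example-corp.test:CorpPass#1
garbage line without separators
"""

# Illustrative substrings marking high-impact services (assumption; a real
# tool would use a curated list of bank, health and government domains).
SENSITIVE_HINTS = ("bank", ".gov", "health")


def parse_line(line):
    """Split 'URL:user:pass' from the right so that ':' inside the URL
    (scheme, port) survives. Returns (host, user, password) or None."""
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or not parts[0]:
        return None
    url, user, password = parts
    host = urlsplit(url if "://" in url else "//" + url).hostname
    if not host or not user:
        return None
    return host.lower(), user.lower(), password


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for the example; use the Public Suffix List in practice."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(dump_text):
    """Return findings without echoing any password:
    - reuse: user -> list of domain groups that share one password
    - sensitive: (user, host) pairs for high-impact services
    - skipped: number of unparseable lines"""
    # user -> password -> set of registrable domains it was used on
    by_user = defaultdict(lambda: defaultdict(set))
    sensitive = []
    skipped = 0
    for line in dump_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        host, user, password = rec
        by_user[user][password].add(registrable(host))
        if any(hint in host for hint in SENSITIVE_HINTS):
            sensitive.append((user, host))
    reuse = defaultdict(list)
    for user, passwords in by_user.items():
        for domains in passwords.values():
            if len(domains) > 1:  # same password on more than one domain
                reuse[user].append(sorted(domains))
    return {"reuse": dict(reuse), "sensitive": sensitive, "skipped": skipped}


def notification_order(findings):
    """Users to notify first: reuse that touches a sensitive service, then
    any other reuse, then remaining users with a sensitive-service login."""
    sensitive_users = {user for user, _ in findings["sensitive"]}
    first = [u for u in findings["reuse"] if u in sensitive_users]
    second = [u for u in findings["reuse"] if u not in sensitive_users]
    third = sorted(sensitive_users - set(findings["reuse"]))
    return first + second + third


if __name__ == "__main__":
    f = triage(SAMPLE_DUMP)
    print(f"parsed dump: {f['skipped']} unparseable line(s)")
    for user in notification_order(f):
        print(f"notify {user}: reuse={f['reuse'].get(user, [])}")
```

Splitting from the right matters because the URL field itself contains colons (scheme, sometimes a port, and app URIs such as android://), so a left split would shear the URL apart. The findings carry only usernames and domains; the passwords stay inside the parser and are never written out, which is how a responder's notification list should look.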


Scoop
6 days ago
- Business
- Scoop
Q1/2025 Gen Threat Report Reveals AI-Driven Scams Redefining Cybercrime
Press Release – Gen

Auckland, 29 May, 2025 — Gen (NASDAQ: GEN), a global leader powering Digital Freedom with a family of trusted brands including Norton, Avast, LifeLock, MoneyLion and more, today released its Q1/2025 Gen Threat Report, highlighting the most significant shifts shaping the global Cyber Safety landscape observed between January and March 2025. Key report findings include a 186% surge in breached personal information, a 466% increase in phishing reports, growth in fake browser update scams to 17 times the previous quarter's level, and more than 4 million people protected from Scam-Yourself Attacks, alongside the rise of mobile financial fraud and crypto-related US presidential inauguration scams.

'Online threats are evolving at a startling pace,' said Siggi Stefnisson, Cyber Safety CTO at Gen. 'Attackers are moving away from broad, indiscriminate campaigns to highly personalised, AI-enhanced deception. Breached data and AI tools are giving cybercriminals just enough personal information and design sophistication to more easily manipulate people. That's why we constantly evolve our cybersecurity solutions to be an interactive partner in fighting scams and to be one step ahead of cybercriminals.'

Notable Trends from the Q1/2025 Gen Threat Report:

Data Breaches Escalate
Data breaches are on the rise, with a 36% increase in the number of breaches faced by companies compared to last quarter. Individual breached records surged by more than 186%, revealing sensitive information such as passwords, emails and credit card details. Attackers employed more advanced infostealers like Lumma Stealer, making data compromise faster and harder to detect.

Phishing Scams Designed to Bypass Security Filters
Reports of phishing scams rose by a staggering 466% compared to the previous quarter, now making up nearly 32% of all scam submissions to the Norton Genie scam detector. According to the Norton Genie scam detector platform, phishing is the fastest-growing threat, second only to generic scams, which accounted for 51% of reports. The good news is that people are becoming more wary of potential phishing scams and reporting these messages. Telemetry data reveals a growing number of phishing campaigns that abuse dynamic DNS services and subdomain providers, as well as free website builders, to create deceptive login pages. This means that by mimicking legitimate login portals and leveraging trusted domains, as in recent scams targeting AT&T, Telstra and Xfinity customers, attackers make phishing attempts harder to detect and more likely to succeed. Many of these campaigns create a sense of urgency through emails claiming account issues or prompting people to review sensitive documents. Even when the messages are poorly written, the use of familiar platforms and subdomain tricks lets these scams bypass security filters and remain highly effective.

Scam-Yourself Attacks and Fake Browser Updates on the Rise
Image caption: Example of a Fake Update popup in Firefox. The fake update mimics the branding, language and layout of legitimate software. It often uses urgent language like: 'Your version is out of date, click to update now!'
Gen helped protect over 4 million users from Scam-Yourself Attacks, in which individuals are manipulated through sophisticated deception into infecting their own devices. In one of the most striking evolutions of this type of scam observed this quarter, attackers are using AI-generated personas, deepfake influencers and hired actors to deliver their malicious campaigns. This is done primarily through compromised YouTube accounts and interactive FakeCAPTCHAs that ask people to verify they are human but instead guide them into granting device permissions or downloading malware. Fake Update Scams grew to over 17 times last quarter's level. This type of Scam-Yourself Attack tricks people into installing malware under the guise of browser updates.

Financial Threats Thrive on Mobile and Crypto
Mobile financial threats continued to rise, fuelled by increasingly sophisticated tactics that target people directly through their smartphones. Malware such as banking trojans now exploits accessibility features to overlay fake login pages, stealing sensitive data such as crypto wallet credentials. Combined with an uptick in credit and transaction fraud alerts, there is a growing trend of attackers treating mobile devices as gateways to people's financial lives. Digital currencies continue to be a target for financial threats. CryptoCore executed one of its most successful campaigns in early 2025, hinging on the US presidential inauguration. Attackers leveraged deepfake videos of public figures spread through compromised YouTube accounts to steal close to $4 million across more than 2,000 transactions.

Gen is always innovating to stay one step ahead of today's evolving cyberthreats. Our trusted family of brands offers powerful solutions to help keep you safe: LifeLock helps people protect their identity, the Norton Cyber Safety lineup comes equipped with Norton Genie scam protection, and products like Avast Mobile Security offer protection for mobile devices, just to name a few. To learn more about the latest Cyber Safety tips and solutions, visit our blog at

About Gen
Gen (NASDAQ: GEN) is a global company dedicated to powering Digital Freedom through its trusted consumer brands including Norton, Avast, LifeLock, MoneyLion and more. The Gen family of consumer brands is rooted in providing financial empowerment and cyber safety for the first digital generations. Today, Gen empowers people to live their digital lives safely, privately and confidently for generations to come. Gen brings award-winning products and services in cybersecurity, online privacy, identity protection and financial wellness to nearly 500 million users in more than 150 countries. Learn more at
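The phishing section of the report describes lookalike login pages hosted on dynamic DNS services, subdomain providers and free website builders: the registrable domain is a trusted shared host, and the impersonated brand (AT&T, Telstra and Xfinity in the report's examples) appears only in a subdomain label or the path. The following added example (not Gen's or Norton Genie's detection logic) scores URLs from a constructed proxy log on exactly that pattern: a brand label in the host whose registrable domain is not the brand's own, a shared-hosting registrable domain, and login wording in the path. The provider set, the brand-to-domain map and the log lines are assumptions made for the example.

```python
"""Flag lookalike login pages hosted on shared dynamic-DNS, subdomain or
site-builder domains.

Added example, not the report's detection logic. The provider list, the
brand map and the proxy log below are assumptions made for this example.
"""
from urllib.parse import urlsplit

# Registrable domains of some shared-hosting providers (illustrative; keep
# your own list current in production).
SHARED_HOST_PROVIDERS = {
    "duckdns.org", "no-ip.org", "weebly.com", "wixsite.com",
    "github.io", "pages.dev", "web.app",
}
# Brand label -> registrable domain the brand legitimately uses (assumption).
BRANDS = {"att": "att.com", "telstra": "telstra.com", "xfinity": "xfinity.com"}
LOGIN_HINTS = ("login", "signin", "sign-in", "verify", "account", "auth", "secure")
FLAG_THRESHOLD = 3

# Constructed proxy log: timestamp, client, method, URL (not real traffic).
SAMPLE_PROXY_LOG = """\
2025-03-03T10:12:01Z 10.0.0.5 GET https://att-support-verify.duckdns.org/login
2025-03-03T10:13:44Z 10.0.0.7 GET https://login.telstra.com/
2025-03-03T10:15:09Z 10.0.0.9 GET https://xfinity-billing.weebly.com/account
2025-03-03T10:16:30Z 10.0.0.5 GET https://www.example.test/news
2025-03-03T10:18:02Z 10.0.0.8 GET https://secure-telstra.no-ip.org/
"""


def registrable(host):
    """Last two labels as the registrable domain (assumption for the example;
    use the Public Suffix List in practice)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_labels(host):
    """Labels of the host split on '.' and '-', so 'att-support.x.org'
    yields ['att', 'support', 'x', 'org'] rather than a substring match
    that would also fire on 'battery' or 'matt'."""
    return host.replace("-", ".").split(".")


def score_url(url):
    """Return (score, reasons). Higher score means more lookalike signals."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reg = registrable(host)
    score, reasons = 0, []

    brands = [b for b in BRANDS if b in host_labels(host)]
    impersonated = [b for b in brands if BRANDS[b] != reg]
    if impersonated:
        score += 3
        reasons.append(f"brand '{impersonated[0]}' in host, registrable domain is {reg}")
    if reg in SHARED_HOST_PROVIDERS:
        score += 2
        reasons.append(f"shared hosting provider {reg}")
    if any(h in path for h in LOGIN_HINTS):
        score += 1
        reasons.append("login wording in path")
    return score, reasons


def scan(log_text):
    """Run score_url over each log line (URL is the last field); return
    [(url, score, reasons)] for lines at or above FLAG_THRESHOLD."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        url = fields[-1]
        score, reasons = score_url(url)
        if score >= FLAG_THRESHOLD:
            flagged.append((url, score, reasons))
    return flagged


if __name__ == "__main__":
    for url, score, reasons in scan(SAMPLE_PROXY_LOG):
        print(f"{score} {url}  <- {'; '.join(reasons)}")
```

The brand check is a whole-label comparison against the registrable domain, so https://login.telstra.com/ scores zero while secure-telstra.no-ip.org is flagged even without a login path; that is the distinction a URL reputation filter misses when it trusts the shared provider's domain as a whole. Both the provider list and the two-label registrable-domain shortcut need replacing with maintained data (and the Public Suffix List) before this runs on real traffic.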
