Background check provider DISA has disclosed a major data breach which may have affected over 3 million people.

Employment screening company DISA Global Solutions has filed a data breach notification after a cyber incident on their network.

DISA says a third party had access to its environment between February 9, 2024, and April 22, 2024. The attacker may have accessed over three million files containing personal information.

DISA is a third-party administrator of employment screening services, including drug and alcohol testing and background checks. DISA discovered the breach on April 22, 2024, and has since conducted an investigation with the help of third-party forensic experts.

This is one of these cases where a company most people have never heard of has amassed a mountain of information about many people. These data brokers gather information from several sources and sell them on to interested buyers. DISA provides these services to over 55,000 companies.

During the investigation, DISA was unable to determine the specifics of the stolen data, but everyone whose data may have been compromised will get a detailed breach notification letter, specifying the type of data.

This letter will also include details about free access to 12 months of credit monitoring and identity restoration services through Experian for which you must enrol by June 30, 2025.

Given the field that DISA is active in, that information could interest cybercriminals for use as background information for targeted phishing attempts or extortion. The Massachusetts breach report tracker that at least some Social Security Numbers were involved.

SSN Breached: yes

DISA states that it’s not aware of any attempts to abuse the stolen information:

> “While we are unaware of any attempted or actual misuse of any information involved in this incident, we are providing you with information about the incident and steps you can take to protect yourself, should you feel it necessary.”

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Background check provider data breach affects 3 million people who may not have heard of the company 

The stolen information included listed contacts, call logs, text messages, photos, and the device’s location.

A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app— known as “Finance Simplified”—belongs to the SpyLoan family which specializes in predatory lending.

Sometimes malware creators manage to get their apps listed in the official app store. This is a great benefit for them since it lends a sense of legitimacy to the app, and they don’t have to convince users to sideload the app from an unofficial site.

So, it gives them a much larger audience, they can lean on the trust we invest in the official app stores and users don’t have to do anything they might perceive as suspicious.

While Google has enhanced security measures in place—including AI-powered threat detection and real-time scanning— that are designed to detect and block malicious apps more effectively, the cat-and-mouse game between cybercriminals and security measures continues, with each side trying to outsmart the other.

In this case, the loan app evaded detection on Google Play, by loading a WebView to redirect users to an external website from where they could download the app hosted on an Amazon EC2 server.

Predatory lending is any lending practice where the borrower is taken advantage of by the lender. Predatory lenders impose lending terms that are unfair or abusive.

The apps in the SpyLoan family offer attractive loan terms with virtually no background checks. But when the apps are installed, they steal information from the victim’s device that can be used to blackmail the victim. Especially when they miss any payments on the loan.

Among the stolen information are listed contacts, call logs, text messages, photos, and the device’s location.

Although the app has now been removed from Google Play, it may continue to run on affected devices, collecting sensitive information in the background.

The researchers found that the app only targets users in India with the recommended loan applications and the redirect to an external website.

The information stolen from users could well be used for malicious purposes or sold to other cybercriminals.

Losing data related to a financial account can have severe consequences. If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage:

*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail 

This week on the Lock and Code podcast… Insurance pricing in America makes a lot of sense so long as you’re...

_This week on the Lock and Code podcast…_

Insurance pricing in America makes a lot of sense so long as you’re one of the insurance companies. Drivers are charged more for traveling long distances, having low credit, owning a two-seater instead of a four, being on the receiving end of a car crash, and—increasingly—for any number of non-determinative data points that insurance companies use to assume higher risk.

It’s a pricing model that most people find distasteful, but it’s also a pricing model that could become the norm if companies across the world begin implementing something called “surveillance pricing.”

Surveillance pricing is the term used to describe companies charging people different prices for the exact same goods. That 50-inch TV could be $800 for one person and $700 for someone else, even though the same model was bought from the same retail location on the exact same day. Or, airline tickets could be more expensive because they were purchased from a more expensive device—like a Mac laptop—and the company selling the airline ticket has decided that people with pricier computers can afford pricier tickets.

Surveillance pricing is only possible because companies can collect enormous arrays of data about their consumers and then use that data to charge individual prices. A test prep company was once caught charging customers more if they lived in a neighborhood with a higher concentration of Asians, and a retail company was caught charging customers more if they were looking at prices on the company’s app while physically located in a store’s parking lot.

This matter of data privacy isn’t some invisible invasion online, and it isn’t some esoteric framework of ad targeting, this is you paying the most that a company believes you will, for everything you buy.

And it’s happening right now.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Consumer Watchdog Tech Privacy Advocate Justin Kloczko about where surveillance pricing is happening, what data is being used to determine prices, and why the practice is so nefarious.  

“It’s not like we’re all walking into a Starbucks and we’re seeing 12 different prices for a venti mocha latte,” said Kloczko, who recently authored a report on the same subject. “If that were the case, it’d be mayhem. There’d be a revolution.”

Instead, Kloczko said:

> “Because we’re all buried in our own devices—and this is really happening on e-commerce websites and online, on your iPad, on your phone—you’re kind of siloed in your own world and companies can get away with this.”

Tune in today for the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Surveillance pricing is &#8220;evil and sinister,&#8221; explains Justin Kloczko (Lock and Code S06E04) 

A list of topics we covered in the week of February 17 to February 23 of 2025

February 21, 2025 - Healthcare security is failing patients time and again. This week DM Clinical Research and Helath Net Federal Services take the spotlight

February 20, 2025 - Beware before downloading Google Chrome from a Google search, you might get more than you expected.

February 20, 2025 - An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack.

February 20, 2025 - South Korea says it's uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok.

February 19, 2025 - Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

 A week in security (February 17 &#8211; February 23) 

Healthcare security is failing patients time and again. This week DM Clinical Research and Helath Net Federal Services take the spotlight

Healthcare is one of the sectors that has the most sensitive information about us. At the same time it’s one of the worst at keeping them secret.

Because of its access and storage of our personal health information (PHI) and other personally identifiable information (PII), the healthcare sector should be one of the most secure ones, but due to lack of funding and other resources, it is not.

One of the most impactful data breaches last year was of Change HealthCare, which impacted an estimated 190 million people.

In recent news, security researcher Jeremiah Fowler, who specializes in finding unprotected databases, uncovered a non-password-protected database that contained over 1.6 million records belonging to DM Clinical Research.

DM Clinical Research is a Texas-based clinical trial network that conducts studies in 30 research centers across the US. The company connects patients with physicians to conduct studies for new or alternative medicines, providing clinical trials as a treatment option to patients.

Although the records belonged to DM Clinical Research, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before Fowler discovered it or if anyone else gained access to it.

The unprotected database contained 1,674,218 records which included names, dates of birth, phone numbers, email addresses, vaccination statuses (including specific vaccines received), current medications, and other health conditions that the survey recipients may have.

Insurance companies have shown that their interest in buying specific medical information, like prescriptions that identify medical conditions—such as HIV, cancer, or psychiatric disorders. And data brokers that can get a hold of that type of information will gladly sell it to them.

Cybercriminals can use PHI against affected individuals to phish or extort them. But a breach can also have dire financial consequences for the healthcare organization in question.

As Health Net Federal Services (HNFS) and its parent company, Centene Corporation found out. HNFS allegedly failed to implement the required cybersecurity measures while administering health benefits for American military service members and their families. To make things worse, the Defense Health Agency of the US Department of Defense accused HNFS of falsely attesting compliance on at least three occasions.

HNFS denies all the allegations and maintains that no data breaches or loss of servicemember information occurred, but they still agreed to pay $11,253,400 to settle the allegations.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Healthcare security lapses keep piling up 

Beware before downloading Google Chrome from a Google search, you might get more than you expected.

Criminals are once again abusing Google Ads to trick users into downloading malware. Ironically, this time the bait is a malicious ad for Google Chrome, the world’s most popular browser.

Victims who click the ad land on a fraudulent Google Sites page designed as a intermediary portal, similar to what we saw earlier this year with the massive Google accounts phishing campaign.

The final redirect eventually downloads a large executable disguised as Google Chrome which does install the aforementioned but also surreptitiously drops a malware payload known as SecTopRAT.

We have reported this incident to Google, but at the time of writing the fake Google Sites page is still up and running.

We identified a suspicious ad when searching for “_download google chrome_“. If you look at the URL embedded in the sponsored result, you will notice it shows “_https://sites.google.com_“, which is Google’s free website builder.

While most pages hosted on there are legitimate, it’s good to remember that they are user generated and that abuse is a part of any open platform. It’s also a way for criminals to cleverly appear as legitimate when building fake ads.

**Malware payload**

Once a user double clicks on _GoogleChrome.exe_ the fake Chrome installer connects to _hxxps\[://\]launchapps\[.\]site/getCode\[.\]php_ and retrieves the necessary instructions. Below, we can see how it requests to run as administrator in order to perform certain actions that require this access level.

A PowerShell command adds an exclusion path to the %appdata%\\Roaming directory so that Windows Defender does not trigger when the malware payload is extracted.

An encrypted data stream is downloaded from _hxxps\[://\]launchapps\[.\]site/3\[.\]php?uuid={}\_uuid_ and then decrypted:

The executable named _decrypted.exe_ (PDB path: _D:\\a\\wix4\\wix4\\build\\burn\\Release\\x64\\burn.pdb_) is then dropped to %\\AppData%\\Roaming\\BackupWin\\ and unpacks the final payload, _waterfox.exe_. Side note: it has the same name and icon as the Waterfox browser (an open-source fork of the Firefox web browser).

The malicious code is then injected into the legitimate _MSBuild.exe_ process which communicates with the attackers’ command and control infrastructure at the following IP: 45.141.84\[.\]208. From this, we identify the malware payload as SecTopRAT, a remote access Trojan with stealer capabilities.

Lastly, to make sure victims are completely fooled, it finishes by downloading and installing the legitimate Chrome browser. From the installation script, we see other campaigns the same threat actors are running in parallel for fake Notion and Grammarly installers.

**Conclusion**

Downloading and installing software provides an opportunity for threat actors as long as they are able to compromise the delivery chain. Search ads provide that entry point by leveraging the trust users have in their search engine. It is somewhat ironic but also damning when malicious ads impersonate the same platform that allows them in the first place.

The fake Chrome installer we reviewed in this blog post cleverly retrieved its malicious payload dynamically from a remote site and only decrypted it after making sure Windows Defender would not be able to scan it. The ruse was complete when the actual legitimate Google Chrome installer was downloaded and installed.

Malwarebytes users were already protected from this attack, with Browser Guard blocking the malicious ad and Premium Security Antivirus detecting the dropped payload.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Google Sites

sites\[.\]google\[.\]com/view/gfbtechd/

Fake Chrome download

chrome\[.\]browser\[.\]com\[.\]de  
chrome\[.\]browser\[.\]com\[.\]de/GoogleChrome.exe  
48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55

Payload host

launchapps\[.\]site

decrypted.exe

f0977c293f94492921452921181d79e8790f34939429924063e77e120ebd23d7

waterfox.exe

0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54

C2

45.141.84\[.\]208

 SecTopRAT bundled in Chrome installer distributed via Google Ads 

An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack.

An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack, according to researchers.

ACRStealer is often distributed via the tried and tested method of download as cracks and keygens, which are used in software piracy. The infostealer has been around since mid-2024 (as a beta test), but it’s only really taken off in 2025. ACRStealer is capable of:

*   Identifying which antivirus solution is on a device
*   Stealing crypto wallets and login credentials
*   Stealing browser information
*   Harvesting File Transfer Protocol (FTP) credentials
*   Reading all text files

With that kind of information, cybercriminals can go after your cryptocurrency and other funds. With the capture of usernames and passwords from web browsers, attackers can access your accounts, including email, social media, and financial services.

They may even gather enough personal data to be used for identity theft or sold on the dark web.

What stands out in the recently-found ACRStealer variants is the way they communicate with the command and control (C2) server—a computer which is used to send commands to systems compromised by malware and receive stolen data from a target network. Rather than hard-coding the IP address in the malware, they chose to use a method called Dead Drop Resolver (DDR), where the malware contacts a legitimate platform like Google Docs or Steam to read what the C2 domain is.

This is good for the cybercriminals as it means they can easily change the domain if one gets discontinued, seized, or blocked. All they need to do is update the Google Doc.

And outgoing calls to docs.google.com will not easily trigger an alarm, so it helps in staying under the radar.

**Stay safe from the ACRStealer**

Like many other information stealers, ARCStealer is operated under the Malware-as-a-Service (MaaS) model, where criminals rent out the malware and the infrastructure to other criminals. That makes it hard to know exactly how to defend yourself.

However, there are some things you can do:

*   Stay away from websites offering cracks and keygens
*   Download software from the official publisher wherever possible
*   Don’t click on links in unsolicited communications (email, texts, DMs, etc)
*   Don’t open unverified attachments
*   Use multi-factor authentication (MFA) wherever you can, so even if cybercriminals steal your login details they won’t be able to get into your account
*   Use an active and up-to-date anti-malware solution.

Malwarebytes recognizes new variants of ACRStealer by behavior, which will result in the detection name of Malware.AI.{ID-number}.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Google Docs used by infostealer ACRStealer as part of attack 

South Korea says it's uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok.

A couple of weeks ago we reported on the concerns surrounding data collection and security at DeepSeek, the Chinese AI company which recently made headlines for shaking up the industry after seemingly appearing from nowhere to become top of the app download charts.

Now South Korea’s Personal Information Protection Commission (PIPC) says it has uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok.

PIPC said that DeepSeek—an app with over one million downloads at the time of writin—automatically transmitted information to ByteDance servers every time users accessed the app, doing so without disclosure or explicit consent. PIPC told South Korea’s Yonhap News Agency that it was “yet to confirm what data was transferred and to what extent.”

In response to the investigation, South Korea has removed DeepSeek from app stores, advised users against sharing personal information through the app, and is considering strengthening regulations on foreign companies in the country.

TikTok and parent company ByteDance have faced significant controversy themselves in the past; coming under ongoing scrutiny for mishandling customer data, being labelled an “unacceptable security risk” by the FCC, and being reprimanded for misusing children’s data. These ongoing data protection issues prompted the US to initially instigate a ban on TikTok from January 18 before a presidential executive order issued by the new administration restored service and delayed the enforcement of the ban for an additional 75 days.

Although perhaps unsurprisingly, this controversy again raises serious questions and concerns about the crossover between the data-harvesting and sharing practices employed by emerging AI technologies and data protection, an especially critical issue as the use of AI accelerates and begins to play an ever more prominent and constant role in our everyday experiences of technology and media.

It also further illustrates the necessity for proper inquiry into these practices and may indicate an urgent need for transparent and comprehensive international regulations on data privacy, with some nations like Italy and Australia already leading the way in taking action against AI applications like DeepSeek over these issues.

**What can you do?**

*   **Avoid sharing personal information:** Never input sensitive or personal data into generative AI apps.
*   **Select AI apps carefully:** Choose generative AI apps with caution, prioritizing reputable ones that value user privacy and security.
*   **Disable chat saving:** Turn off chat history to minimize the storage of your conversations.
*   **Manage app permissions:** Review the app’s requested permissions carefully. Only grant them permission to access things they absolutely need.
*   **Review privacy policies:** Understand how your data will be used and stored by the app.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 DeepSeek found to be sharing user data with TikTok parent company ByteDance 

There is no excerpt because this is a protected post.

February 19, 2025 - Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

February 19, 2025 - Google is allowing its advertizing customers to fingerprint website visitors. Can you stop it?

February 19, 2025 - Info stealers are thriving on Mac, with one specific variant accounting for 70% of all info stealer detections at the end of 2024.

February 18, 2025 - A flea market buyer found medical information about hundreds of patients on second hand decommissioned hard drives.

February 17, 2025 - A list of topics we covered in the week of February 10 to February 16 of 2025

 Protected: zQA Content Editing Styles 

Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

For the last four years, Malwarebytes has been protecting ARM-based machines running on Apple’s M-series processors. Now, we’ve expanded our protection range to include ARM-based Windows machines such as Copilot+ PCs, including Microsoft Surface Pro, Lenovo Yoga Slim and ThinkPad, and Dell Inspiron, among others. 

ARM-based chips offer advantages such as improved performance, longer battery life, lower costs, and advanced features like on-device AI processing. 

And with ARM processors gaining popularity in the PC market—projections suggest that they could have 25% market share by 2027—there is no doubt that malware creators will expand their reach into this area. 

Malwarebytes helps you get ahead of these threats. With active protection layers that defend against system vulnerabilities, malicious links, and more, Malwarebytes has you covered across your devices. 

**Where can I get it?** 

Go to the Malwarebytes website and hit the Free Download button to try it yourself, or click the button below. Our installer will automatically detect if you have an ARM device.

We recommend Windows 11 or higher for this installation, because Windows 11 has been optimized to run on ARM processors.

Source

Malwarebytes