CEOs and business owners received personal, customized ransomware threats in a series of letters sent in the mail through USPS.

Business owners and CEOs across the United States received customized ransomware threats this month from the most unusual of places—letters in the mail.

The letters, which were first reported by multiple cybersecurity researchers, claim to come from a ransomware group called BianLian. But since Malwarebytes first started tracking BianLian nearly one year ago, our intelligence analysts have never seen the cybercriminal gang resort to sending physical letters to make their ransom demands, suggesting that the latest snail mail campaign could be the work of copycats.

The threat, however, is still quite real, especially for small business owners who rely either on themselves or contracted IT services to investigate any technical problems.

According to multiple examples discovered by researchers, the letters in this likely hollow threat were sent through the US Postal Service. The envelopes containing the letters are stamped with the words “TIME SENSITIVE READ IMMEDIATELY” and have the following return address listed:

> BianLian Group  
> 24 Federal St, Suite 100  
> Boston, MA, 02110

The letters themselves lobby a variety of urgent threats to their recipients: Their corporate network has been compromised, sensitive customer and employee data has been stolen, and there is immediately a 10-day deadline to pay a cryptocurrency ransom before the cybercriminals leak the stolen data online.

These threats are standard for ransomware groups today, especially those that have pivoted to not only encrypting a company’s data, but stealing it in the process of an attack to use as further leverage to extort a ransom payment. In fact last year, Malwarebytes wrote about BianLian abusing a common Microsoft tool to avoid cybersecurity detection while storing massive quantities of stolen data from victims.

But the similarities between the threats included in the letter and the recorded actions of BianLian end there. The letter senders claim that they “no longer negotiate with victims,” which is a rarity from ransomware gangs. In fact, the practice is so normalized that a cottage industry of ransomware “negotiators” has popped up to help victims caught in an attack. The letters themselves, researchers said, also include few grammatical errors and better sentence structure than a typical BianLian ransomware note.

One of the letters, in full, begins:

> Dear \[REDACTED\]
> 
> I regret to inform you that we have gained access to \[REDACTED\] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.

Interestingly, researchers noticed that some of the letters were customized based on their recipient. If a letter was sent to a healthcare CEO, for instance, the letter warned about the theft of patient data; if the letter was sent to a CEO of a product maker, the letter warned about breached customer orders and employee data.

The amounts demanded by the letters varied reportedly from $250,000 to $350,000.

While a “physical” cyberthreat may sound silly, these letters could cause significant harm to small and growing businesses.

These personalized letters convincingly threaten network compromise, password abuse, employee exploitation, and data theft, which can be difficult to verify for any lean organization. Think about it this way: If an everyday person would struggle to check whether their home router had been compromised, many small business owners would struggle to do the same regarding their corporate infrastructure, and that’s through no fault of their own.

If you receive one of these letters in the mail, notify your IT or security team immediately. They can provide the investigation necessary to verify the security of your business.

Whether you have dedicated IT staff or not, you can protect your small business with Malwarebytes Teams, which prevents malware attacks and notifies you about suspicious activity on your network.

 Ransomware threat mailed in letters to business owners 

Removing 24 malicious apps from the Google Play store and silencing some servers has almost halved the BadBox botnet.

Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox.

The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs.

The German BSI (Federal Office for Information Security) started the disruption campaign in December by blocking the malware on 30,000 devices. BadBox is referred to as a botnet, because one of its capabilities is to set up the affected device to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic.

This traffic can for example serve in DDoS attacks or as a platform to spread fake news and disinformation. But BadBox can also steal two-factor authentication (2FA) codes, install further malware, and perform ad fraud.

Unfortunately, the 30,000 devices cut off by the BSI were only the tip of the iceberg. Estimates say there may be as many as one million affected devices. These devices have not necessarily been infected by installing malicious apps. It’s been suggested that Chinese manufacturers hide firmware backdoors in their devices, BadBox being one of them.

The BSI said it found:

> “The BadBox malware was already installed on the respective devices when they were purchased.”

According to Satori Threat Intelligence researchers:

> “Devices connected to the BADBOX 2.0 operation included lower-price-point, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more. The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”

Off brand devices are devices which do not carry any specific brand name that you might recognize. They are often cheap and made by small manufacturers.

Following the botnet’s development after the German disruption, the researchers found new Command and Control (C2) servers which hosted a list of APKs targeting Android Open Source Project devices similar to those impacted by BadBox.

As part of the disruptions, the servers that were controlling the botnet have been sinkholed, which basically means that the traffic between those servers and the botnet clients gets redirected so it will no longer arrive at the intended destination.

**How to stay safe**

This disruption will likely not be the end of the story. The botnet operators will adapt again and rebuild their infrastructure. Given their supply chain of compromised devices the botnet will resurface soon enough.

So here are a few things you can do:

*   Check you don’t have the apps ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator’, which had over 50,000 downloads each. You can recognize the malicious apps from the publisher name Seekiny Studio. If you find them on your device, remove them immediately.
*   Protect your Android devices with an active security solution that can remove malicious apps and block malicious traffic.
*   Google Play Protect automatically warns users and blocks apps known to exhibit BadBox 2.0-associated behavior at install time on Play Protect certified Android devices with Google Play Services. If a device isn’t Play Protect certified, carefully study its origin before purchasing it.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android botnet BadBox largely disrupted 

Task scams are increasing in volume. We followed up on an invitation by a task scammer to get a first hand look on how they work.

Tasks scam are surging, with a year over year increase of 400%. So I guess it should have been no surprise when I was contacted by a task scammer on X recently.

Task scammers prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually gamified—organized in sets of 40 tasks that will take the victim to a “next level” once they are completed. Sometimes the victim will be given a so-called double task that earns a bigger commission.

The scammers make the victim think they are earning money to raise trust in the system. But, at some point, the scammers will tell the victims they have to make a deposit to get the next set of tasks or get their earnings out of the app. Victims are likely to make that deposit, or all their work will have been for nothing.

So when the task scammer contacted me on X to offer me a nice freelance job, I was keen to see where it would take me.

Beginning the message with emojis, Birdie started the chat…

Group invitation on X

> “\[emoji intro\] Hello, I am a third-party agency from the UK, specializing in providing ranking and likes services for Booking+Airbnb hotel applications. The company is now recruiting freelancers worldwide. You only need a mobile phone to easily get it done, and the time and location are flexible. The daily salary is 100-300€, and the monthly salary of formal employees is 3000-10000€. Note (this article is not suitable for students under 22 years old, and African and Indian employees cannot be hired due to remittance issues) For more details please see the WhatsaPP link: \[shortened bit.ly URL\]”

In this case, I was asked to contact the scammer on WhatsApp, but I’ve also seen the same campaign asking the victims to reach out on Telegram.

Invitation to a Telegram conversation

The Telegram invitation was a bit more limited (European and American female users only) but extended to a larger group of 150 accounts on X. What the ones that reached out to me had in common was that they all found my profile on X. Mind you, my profile is not some honeytrap, it clearly says I blog for Malwarebytes.

So, last week I was up for some distraction and decided to follow up on the WhatsApp invitation which was still live. I reset an old phone to factory settings and bought a burner SIM card. With that phone in hand, I set up a Gmail account and installed WhatsApp. I added Birdie Steuber to my contacts with the phone number I found by following the URL. Then I reached out asking if they still had openings.

The bait was taken within minutes: hook, line, and sinker.

introductions

So, Birdie is actually Tina from Sheffield in the UK. The job is available and does not require any special skills or experience. Tina tells me all you need is internet access and you can start working for booking.com.

Next is a long-winded explanation of what the job entails with another mention of the fortune you can make. I suspect the explanation is meant to be slightly confusing, knowing the general population would be embarrassed to ask for a better explanation and just will go ahead and carry out the tasks.

explanation?

More explanations about the job are followed by a quick query whether I will be able to buy USDT, the “hottest cryptocurrency in the world” as Tina described it. (It isn’t.)

USDT required

Tina then asks me to create an account on a fake booking.com website.

create an account on a fake booking(dot)com site

Here’s that site.

the fake booking site

Once I’d set that up, Tina set me up with a training account to learn the tasks. The actual tasks consist of clicking two buttons labelled “Start task” and “Submit” which gets mind-numbing really quick. But, hey, I was wasting a scammers’ time, so it was worth it.

That training account had a balance of over 1,000 USDT, probably to make the victim even more interested.

balance training account

What happened next is likely a demonstration of another tactic the scammers will use to get people to deposit more USDT: A lucky order!

lucky order

I was shown a prompt that I had run into “a 4% lucky order”, which Tina called a merge task that rendered a 4% commission.

Next followed an elaborate explanation on how Tina had to top up the balance to make up for the negative “Pending Amount” and asked me to contact customer support for instructions.

negative pending amount needs to be topped up

But to my surprise this was not what I was asked to do the next day when we continued our conversation. However, Tina quickly revealed how they were expecting to get 100 USDT from me.

> “I forgot to tell you, it takes 100usdt to complete a new round of 40/40 orders to reset 40 new orders. Because 100usdt is to optimize the hotel 100usd reservation fee. Once you complete the 40/40 order task you can withdraw all funds. This is to help the hotel increase the number of real bookings and exposure to earn commission income. The commission income per order is 0.5 per cent. 100usdt will probably get 40-60usdt after completing the 40/40 order task.”

After I completed my first 40 tasks, I was shown this notification letting me know I had reached the maximum number of tasks for the day, at which point I was expected to top op my account at my own expense.

Please contact customer service to recharge and refresh the task

Once I convinced Tina we had purchased 100 USDT, I was told to contact customer support for instructions.

The instructions were similar to the ones I received a day earlier. But at this point I had to terminate because I didn’t want to give the scammers any actual money.

Checking the balance on the account numbers they provided me with during our conversation showed there are likely others who are handing over money. And they very well may have many more accounts.

balance in the USDT accounts belonging to the scammers

These scams are likely designed to be confusing. The actual tasks were nowhere near as difficult as the explanation of what the job entailed.

In the end I revealed to Tina that I was the one that wrote an article about task scams, but Tina did not give up that easily. She kept trying to convince me there was money to be made.

If you’d like to read the whole conversation I had with Tina you can find it here.

****How to avoid task scams****

As I pointed out, all the task scam invitations I received came to me in the form of Message requests on X. So, that’s a good place to be very cautious. Once you know the red flags, it is easier to avoid falling for task scams.

*   Do not respond to unsolicited job offers via text messages or messaging apps
*   Never pay to get paid
*   Verify the legitimacy of the employer through official channels
*   Don’t trust anyone who offers to pay you for something illegal such as rating or liking things online

It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is.

If you run into a task scam, please report them to the FTC at ReportFraud.ftc.gov. 

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 I spoke to a task scammer. Here&#8217;s how it went 

Android's March 2025 security update includes two zero-days which are under active exploitation in targeted attacks.

Google has issued updates to fix 43 vulnerabilities in Android, including two zero-days that are being actively exploited in targeted attacks.

The updates are available for Android 12, 12L, 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-03-05 or later then you can consider the issues as fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs assigned to the two zero-days are:

CVE-2024-43093: A possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege (EoP) with no additional execution privileges needed. Exploitation of this vulnerability requires user interaction. Google confirms that CVE-2024-43093 has been under limited, targeted exploitation.

A file path filter is supposed to prevent access to sensitive directories on a device. In this case the ‘shouldHideDocument’ function. However, due to incorrect Unicode normalization, an attacker might be able to bypass this filter. Unicode normalization refers to the process of standardizing Unicode characters to ensure that equivalent characters are treated as the same. Flaws in this process can lead to security issues, such as bypassing the filter, allowing an attacker access to normally off-limits files, such as system configuration files or sensitive data.

The specific nature of the required user interaction is not detailed in the available information. Typically, user interaction might involve opening a malicious app or file, clicking on a link, or performing another action that triggers the exploit.

CVE-2024-50302: An issue in the Linux Kernel which allowed unauthorized access to kernel memory reportedly exploited in Serbia by law enforcement using Cellebrite forensic tools to unlock a student activist’s device and attempt spyware installation.

This flaw lies in the Linux kernel’s driver used by Android for Human Interface Devices and allows an attacker to unlock devices that they have physical access to. The flaw was used in a chain of vulnerabilities which Amnesty International’s Security Lab found on a device unlocked by Serbian authorities.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android zero-day vulnerabilities actively abused. Update as soon as you can 

Phishers are once again using the Docusign API to send out fake documents, this time looking as if they come from PayPal.

PayPal scammers are using an old Docusign trick to enhance the trustworthiness of their phishing emails.

We’ve received several reports of this recently, so we dug into how the scam works.

The Docusign Application Programming Interface (API) allows “customers” to send emails that come from genuine Docusign accounts, and they can use templates to impersonate reputable companies.

To pull this off, the phishers set up a Docusign account and then use the templates provided by Docusign to send out legitimate looking invoices from PayPal.

Because the emails come from Docusign they can bypass many security filters.

This is an example of how these emails reach the targets.

> We’ve identified an unauthorized transaction made from your PayPal account to Coinbase:
> 
> Amount: $755.38  
> Transaction ID: PP-5284440
> 
> To safeguard your account and process an immediate refund, you must contact our Fraud Prevention Team at:  
> +1 (866) 379-5160
> 
> Our representatives are available 24/7 to assist you in resolving this issue and preventing any additional unauthorized activity.
> 
> Your account’s security is our top priority, and we’re fully committed to helping you address this matter swiftly. We appreciate your immediate attention to this alert.

If you know this is a scam, you’ll likely see some red flags. The “From” address is a Gmail address which seems unlikely to be something that the genuine PayPal Customer Care department would use. Also, it seems weird that Docusign has been used to send a document that doesn’t require a signature.

Looking deeper, there are some more red flags. The “To” address does not belong to the receiver. It doesn’t even exist.

We tried to contact the scammer through WhatsApp, the Gmail address, and by phone, but didn’t get any replies.

I’ve you’ve received an email like this and want to verify if it’s genuine, go directly to Docusign.com, click ‘Access Documents’ (upper right-hand corner), and enter the security code displayed in the email. If you get an error message, that means the document was removed or never even existed. That’s a huge red flag.

**What can I do?**

If you see an unauthorized PayPal payment linked to a Docusign activity, and you suspect it’s fraudulent, you should immediately report it to both PayPal and Docusign. Contact their customer service departments and using their respective reporting features, as these platforms can be used by scammers to make unauthorized charges under the guise of a legitimate document signing process.

If you think you are the victim of this type of phishing:

*   Check your PayPal account: Log in to your PayPal account and review your recent transactions to search for and identify the suspicious payment.
*   Report the incident to PayPal: To confirm an unauthorized payment, go to the PayPal Resolution Center and report the transaction as fraudulent.
*   If you believe your PayPal account has been compromised, contact any bank for which an account is linked to your PayPal account to check for and report potential fraudulent activity.
*   Check your Docusign account: Review if there has been any recent activity to see if there are any suspicious documents or signatures you don’t recognize.
*   Report to Docusign: You can report suspicious activity through its “Report Abuse” feature or by contacting its security team directly.

Docusign says its team investigates and closes suspicious accounts within 24 hours of the activity being detected or reported. When suspicious accounts are reported, the vast majority of those accounts have already been detected by Docusign’s systems and are either under investigation or have already been closed. Once an account is closed, all envelopes sent from the account are no longer accessible by the recipient or sender.

Key points to remember:

*   Never click on suspicious links in unsolicited emails.
*   Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
*   Go directly to the DocuSign site (not following links in the email or sponsored search results) to check if the document actually exists.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 PayPal scam abuses Docusign API to spread phishy emails 

The UK's ICO has started an investgation into how TikTok and other platforms assess age information and compliance with the children’s code for online privacy.

TikTok is the subject of yet another major investigation, reports BBC News. This time around, the UK’s Information Commissioner’s Office (ICO) is going to look at how the data of 13 to 17-year-olds feeds the algorithm that decides what further content to show.

The ICO introduced a children’s code for online privacy in 2021, which requires companies to take steps to protect children’s personal information online. Social media platforms use complex algorithms to decide which content will keep users engaged. This method tends to deliver content that increases in intensity and could end up delivering content that is considered harmful for children.

TikTok has defended itself, saying its recommender systems operate under “strict and comprehensive measures that protect the privacy and safety of teens”. TikTok also said the platform has “robust restrictions on the content allowed in teens’ feeds”.

The ICO said it expects to find that there will be many benign and positive uses of children’s data in TikTok’s algorithm but is concerned about whether these are “sufficiently robust to prevent children being exposed to harm, either from addictive practices on the device or the platform, or from content that they see, or from other unhealthy practices.”

This isn’t TikTok’s first run in with the ICO. In 2023, the ICO fined TikTok to the tune of $15.6M (£12.7M) for failing to protect 1.4 million UK children under the age of 13 from accessing its platform in 2020. The ICO imposed the fine after finding the company used children’s data without parental consent.

Tik Tok has been under scrutiny for many reasons in many countries. In the US, the ownership by the Chinese company ByteDance has been a main factor. Many governments have banned TikTok from government devices for that reason.

But the EU has also fined TikTok in the past for violating children’s privacy.

Last year, the Federal Trade Commission (FTC) announced it had referred a complaint against TikTok and parent company ByteDance to the Department of Justice. One of the main issues in that case was TikTok’s failure to get parental consent before collecting personal information from children under 13.

TikTok is not the only platform under investigation by the ICO, it’s also looking at the forum site Reddit and the image-sharing site Imgur. For the last two, the ICO investigation will focus on the companies’ use of age assurance measures, such as how they estimate or verify a child’s age.

The ICO stated:

> “If we find there is sufficient evidence that any of these companies have broken the law, we will put this to them and obtain their representations before reaching a final conclusion.”

**Advice for parents**

For parents whose children spend a lot of time on social media platforms like TikTok, here are some useful guidelines:

*   Establish rules and limits for social media use. This will be particular to your family and what you feel comfortable with.
*   Make use of built-in parental controls. TikTok for example offers Family Pairing which allows you to manage privacy settings, screen time, and set content restrictions.
*   Have regular, open conversations about your child’s online experiences. Show an interest in what they are sharing.
*   Teach your child about the importance of privacy settings and what you think is appropriate online behavior.
*   Teach you child to question sources, consider different perspectives, and be aware of potential biases in what they encounter online.
*   Talk to your child about what makes a good online citizen, including how they treat other people online.
*   Set a good example, so be mindful of your own screen time and online behavior.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 TikTok: Major investigation launched into platform&#8217;s use of children’s data 

A list of topics we covered in the week of February 24 to March 2 of 2025

March 3, 2025 - The UK's ICO has started an investgation into how TikTok and other platforms assess age information and compliance with the children’s code for online privacy.

February 27, 2025 - Malicious Google ads are redirecting PayPal users looking for assistance to fraudulent pay links embedding scammers' phone numbers.

February 27, 2025 - While countries and companies are fighting over access to encrypted files and chats, our data privacy may get crushed.

February 26, 2025 - Roblox and Discord are charged with the facilitation of child predators, and misleading parents into believing the platforms are safe to use for their children.

February 26, 2025 - The Android app SafetyCore was silently installed and looks at incoming and outgoing pictures to check their decency.

 A week in security (February 24 &#8211; March 2) 

Three more stalkerware apps have been found to leak data of both victims and customers alike: Spyzie, Cocospy, and Spyic

There are many reasons not to use stalkerware,  but the risk of getting exposed yourself seems to be a recurring deterrent, according to a new investigaton.

As we have reported many times before, stalkerware-type apps are coded so badly that it’s possible to gain access to the back-end databases and retrieve data about everyone that has the app on their device—and those are not just the victims.

By definition, stalkerware is a term used to describe the tools—software programs and mobile apps—that enable someone to secretly spy on another person’s private life via their mobile device. Many stalkerware-type applications market themselves as parental monitoring tools, but they can be and often are used to stalk and spy on a person. A commonly recorded use of stalkerware is in situations of domestic abuse, in which abusers will load these programs onto their partner’s computer or mobile device without their knowledge.

Stalkerware apps are notoriously badly coded and secured. In the past we have written about similar problems with:

*   mSpy, a mobile monitoring app which suffered multiple data breaches.
*   pcTattleTale, another stalkerware app that faced significant security issues. Among others, it was found to upload victim screenshots to an unsecured AWS server.
*   TheTruthSpy, exposed photographs of children the app took on the internet because of poor cybersecurity practices by the app vendor.

As reported by TechCrunch, researchers found a vulnerability in three very similar stalkerware apps called Spyzie, Cocospy, and Spyic. The bug not only exposes the data from the victim’s device like messages, photos, and location data, but also allowed the researcher to collect 518,643 unique email addresses of Spyzie customers, 1.81 million email addresses of Cocospy customers, and 880,167 email addresses of Spyic customers.

Apparently, the bug is so easy to exploit that TechCrunch and the researcher found it not advisable to reveal any details, since anyone would have been able to exploit it.

**Our advice, don’t use stalkerware**

If you are thinking about installing such an app, and you are reading this:

1.  Don’t!
2.  It definitely is illegal in almost every country, unless it’s done with government consent or to monitor your children (and even here, the rules can be murky).
3.  We have never heard of anyone who was able to solve a problem by using stalkerware. Usually resorting to stalkerware only makes the problems worse.
4.  Consider the consequences of someone finding out what you did and remember that is a very distinct possibility.
5.  Listen to this podcast.

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware from your device. It is good to keep in mind however that by removing any stalkerware-type app, you will alert the person spying on you that you know the app is there. If you are facing domestic abuse, we recommend that you first develop a safety plan with an organization like National Network to End Domestic Violence before removing any stalkerware-type app from your device.

Stalkerware apps are usually hidden or camouflaged as other apps, so to find them on your phone, we recommend scanning with an anti-malware app that is able to identify stalkerware.

Malwarebytes also provides a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Millions of stalkerware users exposed again 

Malicious Google ads are redirecting PayPal users looking for assistance to fraudulent pay links embedding scammers' phone numbers.

We recently identified a new scam targeting PayPal customers with very convincing ads and pages. Crooks are abusing both Google and PayPal’s infrastructure in order to trick victims calling for assistance to speak with fraudsters instead.

Combining official-looking Google search ads with specially-crafted PayPal pay links, makes this scheme particularly dangerous on mobile devices due to their screen size limitation and likelihood of not having security software.

**Overview**

Scammers are creating ads impersonating PayPal from various advertiser accounts that may have been hacked. The ad displays the official website for PayPal, yet is completely fraudulent.

A weakness within Google’s policies for landing pages (also known as final URLs), allows anyone to impersonate popular websites so long as the landing page and display URL (the webpage shown in an ad) share the same domain.

The page victims are directed to has the following format:

paypal.com/ncp/payment/\[unique ID\]

This is PayPal’s “no-code checkout”, a feature for merchants to have a simple and yet secure option to take payments:

> Small businesses that want to accept payments online or in person can set up pay links, buttons, and QR codes to accept payments on the website. You don’t need a developer, coding knowledge, or a website to accept payments

Essentially, crooks are abusing this feature to create a bogus pay link. They can customize the page by creating various fields with text designed to trick users, such as promoting a fraudulent phone number as “PayPal Assistance”.

**Mobile experience**

Phones are the best medium for this type of scams due to the device’s constraints, but more than anything because that’s how victims will get in touch with bogus tech support agents.

In the screenshot below taken on an iPhone, we can see the top sponsored result from a Google search is impersonating PayPal. During our investigation, we often encountered more than one malicious ad, although they redirected to different kinds of pages, not abusing the same scheme.

Due to the reduced screen size, it would require scrolling past the ads and the AI Overview to see organic search results. This is not a coincidence of course, and is why search advertising is worth billions of dollars.

Screen size plays a factor again when users click on the ad and look at the browser’s address bar correctly identifying that the site is “**paypal.com**“. As we saw above, pay links are on the same domain as _paypal.com_, from which they inherit trust.

We did not follow-up with the provided phone number; however we believe it likely ends with victims handing over their personal information to scammers and getting fleeced.

**Conclusion**

Tech support scammers are like vultures circling above the most popular Google search terms, especially when it comes to any kind of online assistance or customer service.

We saw how easy it is to get an ad that mimics an official brand as long as the destination URL is on the same domain as the ad URL. The rest is just a matter of creativity on the part of scammers to forcefully inject their lure as spam, search queries, shopping lists, and more…

Whenever looking up an official phone number or website, it is safer to scroll past the ads and choose a more trusted organic link. There are also security solutions that can block ads and malicious links, such as Malwarebytes for mobile devices.

We have reported this campaign to Google and PayPal, but urge caution as new ads using the same trick are still appearing.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**Indicators of Compromise**

Archived example:

https://urlscan.io/result/3ea0654e-b446-4947-b926-b549624aa8b0

Malicious pay links:

hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/8X7JHDGLK9Z46  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/7QUEXNXR84X3L  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/BHR4AMJAPWNZW  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/FTJBPVUQFEJM6  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/2X92RZVSG8MUJ  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/D8X74WYAM3NJJ

Scammers’ phone numbers:

1-802\[-\]309-1950  
1-855\[-\]659-2102  
1-844\[-\]439-5160  
1-800\[-\]782-3849

 PayPal&#8217;s &#8220;no-code checkout&#8221; abused by scammers 

While countries and companies are fighting over access to encrypted files and chats, our data privacy may get crushed.

Data privacy issues are a hot topic in a world where we apparently don’t know who to trust anymore.

A few weeks ago, we reported how the UK had secretly ordered Apple to provide blanket access to protected cloud backups around the world. This week, Apple decided to pull the plug on Advanced Data Protection (ADP) for UK users.

ADP is an opt-in data security tool designed to provide Apple users a more secure way to protect data stored in their iCloud accounts. Enabling ADP would ensure that even Apple could not access the data, which would mean that Apple was unable to hand over any information to law enforcement.

Something similar happened when Sweden’s law enforcement and security agencies started to push legislation which would force Signal and WhatsApp to create technical backdoors, allowing them to access communications sent over the encrypted messaging apps. The proposed bill prescribes that companies like Signal and WhatsApp need to store all messages sent using the apps.

President of the Signal Foundation, Meredith Whittaker, told Swedish SVT News that the company will leave Sweden if the bill becomes a reality.

So basically, by seeking to obtain encryption backdoors, which are not likely to remain exclusive, these governments are undermining the data privacy options of their citizens. A backdoor can and will eventually be found by those that we absolutely didn’t want to snoop around in our backups and chat logs.

It doesn’t just affect the countries at the heart of the request. The US director of national intelligence is reportedly going to investigate whether the UK broke a bilateral agreement by issuing the order that would allow the British to access backups of data in the company’s encrypted cloud storage systems,

The bilateral agreement in question is the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) Agreement, which—among other things—bars the UK from issuing demands for the data of US citizens and vice versa. The CLOUD Act primarily allows federal law enforcement to compel US-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data is stored in the US or on foreign soil. Provisions in the act state that the United Kingdom may not issue demands for data of US citizens, nationals, or lawful permanent residents, nor is it authorized to demand the data of persons located inside the US.

Globally, governments and law enforcement agencies continue to seek more control over data through new legislations and rules. States regulate data to protect national security and provide domestic firms access to user (and anonymous) data to boost competitiveness, ease law enforcement’s qualms when accessing data, and ward off foreign surveillance.

But at the end of the day, the criminals that law enforcement agencies are after, will end up using expensive private phone networks, and the general population will be left with tools that have been broken on purpose. Backdoors that have been created will be waiting for cybercriminals to find the cracks and access our “encrypted” data.

Meanwhile, privacy is recognized as a universal human right while data protection is not. And it should be. Even if we think we “have nothing to hide” cybercriminals will find a way to use that data against us, if only to make their phishing attempts more credible. Let alone, trade and economic secrets that could fall into the hands of competitors or “unfriendly” nations.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.