Facebook is reportedly switching out click identifiers for encryption, making it harder (if not impossible) to strip tracking from the URL.
The post Facebook gets round tracking privacy measure by encrypting links appeared first on Malwarebytes Labs.

A form of individual tracking specific to your web browser is at the heart of a currently contested privacy battle, and one which Facebook has just got the upper hand to.

This type of tracking involves adding additional parameters to the URLs that you click on a daily basis. When you click one of these parameter-laden links, the organisation which added the parameter to the URL knows that you’ve clicked it.

Sites make use of the added parameters in order to track your clicks across a range of sites or services, an activity which can be monetised for marketing or analytics. A company may also be able to know where you visit away from their own website. The marketing possibilities are endless, and so too are the privacy implications.

**Browsers tackle the problem of tracking parameters**

Major browsers have been looking at this issue for a while, and some now strip the tracking from urls.

At the end of June, Firefox rolled out something called “Query parameter stripping“. Now, when you click a link or copy and paste it, Firefox removes all forms of tracking appended to the URL you wish to visit. When you click the link and arrive at the other end, it’s as though the tracking aspect added to the URL was never there in the first place. It’s worth noting that this feature is disabled by default unless you’re using private browsing, and needs to be enabled in the Privacy & Security section of the browser options for it to work.

Firefox isn’t alone in this fight. Other browsers, like Brave, have been addressing this issue for some time already.

As Brave explains, removing and blocking other aspects of a site for security or privacy purposes can prevent the site from working correctly. For example, disabling JavaScript may reduce the risk of attacks in your browser, but it may _also_ break the websites that you visit. Blocking cookies may steer you away from invasive tracking, but it could _also_ prevent you from logging in.

However, unlike the two examples above, stripping tracking parameters from a link doesn’t generate usability issues. If you take one of them out, the site carries on working as intended.

So far, so good.

Unfortunately for those with a fondness for removing tracking parameters, this may not be the case for much longer. Some organisations which make use of added parameters are presenting browsers and surfers with a stark choice.

Keep the tracking…or break the site.

**Facebook: A knock-out blow?**

Up until now, Facebook was using “Fbclid” in its URLs for parameter tracking. You may well have seen this appear in your URL bar as part of the addresses you’ve been clicking on. Web browsers keep track of all the additional parameters added to URLs, and strip them out as they appear. If a site changes the text of their additional parameter, the browser would have to update its own lists to be able to continue stripping them out.

Instead of playing a never-ending game of changing their parameter additions, Facebook is trying something very different, which is sure to cause the browser developers some headaches on the parameter stripping front.

Facebook has now switched to encryption for its parameter tracking needs. What this means is that the encrypted part of the URL is essentially _part_ of the whole URL. If you remove it, you won’t be directed to the specific page you’re looking for. As per the example given on this Ghacks article: You’ll arrive on the main landing page for a site, but not the _article_ you’re looking for.

The only real workaround for this at present is to try and avoid as much as Facebook’s tracking as possible. This isn’t always something you’re easily able to do. At the bare minimum, you’d want to consider signing out of Facebook and blocking all Facebook-centric domains. This doesn’t solve the issue of encrypted URLs though, and it’s likely that anyone already happy to strip URLs may have been doing this in the first place.

Browser developers: your move.

Facebook gets round tracking privacy measure by encrypting links

Amazon's Ring is in hot water after revealing in a letter to Senator Ed Markey that it shared data without permission 11 times this year.
The post Ring shares data with police without consent (but it’s in good faith), says Amazon appeared first on Malwarebytes Labs.

Ring, the Amazon-owned company behind the popular smart doorbells, has admitted to giving doorbell data to law enforcement willy-nilly. All they have to do is fill out a form called the Amazon Law Enforcement Request Tracker—no need to ask for the data owner’s consent, give a warrant or court order. The company revealed this in response to a letter Senator Edward Markey (D-Mass.) sent Amazon in June 2022.

Senator Markey’s letter contains a request for updates regarding the steps Ring has taken “to remove private policing agencies from its Neighbors Public Safety Service (NPSS), reduce the potential for its products to be misused in harmful ways, and protect individuals’ right to privacy.” The NPSS is a means for public safety agencies, which include law enforcement, to connect with their local communities that can publicly share posts or video recordings to the Neighbors App feed.

Amazon responded in writing to Senator Markey’s letter, but the response was only revealed to the public recently. Below are some takeaway points from the response:

*   Ring refuses to change the default setting of automatically recording audio when recording videos via its doorbell camera.
*   Ring currently doesn’t have a voice recognition feature. But that doesn’t mean it won’t in the future.
*   There are currently 2,161 law enforcement agencies and 455 fire departments on the NPSS platform.
*   Ring generally doesn’t allow private security companies on NPSS, and it will only onboard such companies “if they are peace officers under state law and subject to constitutional restrictions.”
*   Ring affirms its right to respond immediately to law enforcement requests under emergency circumstances involving imminent danger of death or serious bodily harm. At times like these, it says, it will share details without asking for consent. And it has done so in 11 incidents this year.

Brendan Daley, Ring’s spokesperson, told Politico that although Ring doesn’t need user consent when handing footage to law enforcement with warrants, it does notify the owners of the video footages.

Speaking with Ars Technica, Policy Analyst for Electronic Frontier Foundation (EFF) Matthew Guariglia said, “There are always going to be situations in which it might be expedient for public safety to be able to get around some of the usual infrastructure and be able to get footage very quickly.”

> But the problem is that the people who are deciding what constitutes exigent circumstances and what constitutes the type of emergency, all of these very important safeguards, are Ring and the police, both of whom, as far as I know, don’t have a great reputation when it comes to deciding when it’s appropriate to acquire a person’s data.
> 
> ~ Matthew Guariglia, EFF

The Policing Project at New York University (NYU) School of Law recently concluded its two year audit of Ring to improve its products and services, focusing on NPSS. Ring admitted to making more than 100 changes to its products, policies, and legal practices. This includes the introduction of Requests for Assistance, which ensures transparency on the part of public safety agencies when asking for assistance from communities in the form of information or video as part of ongoing investigations. The company deliberately created Requests for Assistance to keep control of owners’ hands, not the requesting agencies.

When it comes to sharing private data, both the NYU and Guariglia have landed on the same conclusion: Policymakers need to lay more ground rules on how much private surveillance data police can rely on.

Ring shares data with police without consent (but it’s in good faith), says Amazon

The FBI has warned about fraudulent cryptocurrency investment apps that are defrauding victims.
The post Fraudulent cryptocurrency investment apps are duping investors appeared first on Malwarebytes Labs.

Together with the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), the FBI has released a warning about cybercriminals creating fraudulent cryptocurrency investment apps in order to defraud cryptocurrency investors.

The threat actors convince investors to download fraudulent mobile apps with the promise of huge opportunities and even larger gains.

And this new type of fraud turns out to be very profitable indeed, for the criminals at least—the FBI has identified 244 victims and estimates the approximate loss associated with this activity to be $42.7 million.

**Mobile apps**

It’s common for financial institutions to have a mobile app. These apps enhance the user experience and increase legitimate investment. Needless to say, threat actors sniffed out this opportunity to take advantage of the increased interest in mobile banking and cryptocurrency investing.

The FBI has observed threat actors using the names, logos, and other identifying information of legitimate financials in apps and websites.

**Examples**

While the basics are the same, there are some variants of this type of fraud which the FBI demonstrates with a few examples.

In the first one, victims were duped into downloading an app that used the name and logo of an actual US financial institution. Then the threat actors encouraged the victims to deposit cryptocurrency into wallets associated with their accounts on the app. But the app did not originate from the company the victims thought, and when they tried to withdraw funds from the app, they received an email stating they had to pay taxes on their investments before making withdrawals. After paying the supposed tax, the victims remained unable to withdraw funds.

Separately, threat actors operating under the name of a legitimate cryptocurrency exchange that closed in 2018 used the same method of having the victims pay taxes after which there was still no way to get a refund.

Then, threat actors using a name very similar to that of a currency exchange provider in Australia defrauded a victim by telling them that they had enrolled in a program requiring a minimum balance of $900,000. When the victim tried to cancel the subscription, they received instructions to deposit the requested funds or have all assets frozen.

**Mitigation**

To stay out of the claws of these imposters there are a few precautions you can take.

*   Be wary of unsolicited requests to download investment applications, especially from unexpected sources.
*   Verify the legitimacy of the app by checking out whether the company is legitimate and operates the app, and ensure that any financial disclosures or documents are tailored to the app’s purpose and the proposed financial activity.
*   Treat applications with limited and/or broken functionality with skepticism.

Financial institutions should warn their customers about fake websites and apps using their logos to dupe investors.

Defrauded financial institutions and their customers are encouraged to contact the FBI via the Internet Crime Complaint Center or their local FBI field office.

Stay safe, everyone!

Fraudulent cryptocurrency investment apps are duping investors

Scammers have created a PayPal phishing campaign that extensively asks for sensitive information, including government IDs and headshot photos.
The post PayPal phishing campaign goes after more than just your login credentials appeared first on Malwarebytes Labs.

A new phishing campaign targeting PayPal users aims to get extensive data from potential victims. The data it’s after includes government documents like passport, as well as selfie photos. In a nutshell, it’s an extensive form of information theft, the likes of which could result in someone’s identity being fully stolen and their financial and other online accounts being taken over.

PayPal phishing sites are a dime a dozen due to the number of people and companies using it as another form of payment method. However, what’s notable about this campaign is that all the phishing pages are hosted on legitimate WordPress sites.

Hundreds—if not thousands—of WordPress sites remain vulnerable and easily exploited by scammers because of their poor security and the use of weak passwords. This was evident after Akamai found an attacker had planted a phishing kit on its WordPress honeypot.

After successfully brute-forcing their way into the WordPress site using a list of common credentials, the attackers then installed a file manager plugin that let them upload the phishing kit to the compromised site.

To avoid detection, the phishing kit cross-referenced IP addresses to domains belonging to companies it wants to avoid. Naturally, some of these domains include those belonging to cybersecurity organizations.

**Blending into the background**

Akamai researchers also noticed how the scammers made an effort to make their phishing page as indistinguishable as possible from the legitimate one. For one thing, the actors used _.htaccess_ (short for hypertext access), a file that allows an admin to modify how a URL destination appears on the address bar.

In this case, the scammers wanted their phishing URL to make it look like it wasn’t a PHP file, so they edited out the “.php” bit of the URL. This makes sense because PayPal’s sign-in page doesn’t have an extension.

Oddly enough, the phish starts off asking users to type in the alphanumeric string they see on the “Security Challenge” page, under the guise of a means to verify that the user isn’t a bot.

This fake PayPal page asks you to enter what you see into a text box.  
(Source: Akamai)

The next page then asks for the user’s PayPal credentials. Normally, phishing kits would stop here, and the scammers would leave content with the PayPal credentials they can then misuse and abuse.

But not here. In this case they want more. This is just the start of a sophisticated work-up to get users to provide such sensitive information without them realizing it.

After users provide their PayPal credentials, they are then presented with a notice of “unusual activity” in the next screen.

(Source: Akamai)

Once users click the “Secure My Account” button, they are then directed to a page telling them to confirm all their card details. Here, Akamai noted that a ZIP code and CVV are normally sufficient.

(Source: Akamai)

Next, the scammers then ask users for yet more information, specifically their ATM PIN, social security number (SSN), and their mother’s maiden name—a bit of detail that could bypass an additional security layer for an account.

(Source: Akamai)

The PayPal phishing site then encourages users to link an email address to their PayPal account, giving the attackers a token, and therefore access, to that email account. It also encourages victims to upload official government documents, such as a passport, driver’s license, or national ID, to secure the account.

> Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes. 
> 
> ~ Akamai Security Research, Akamai

For a verification process for an account showing unusual activity, the amount of information being asked from users is ridiculous and overkill. However, Akamai researchers believe that socially engineering PayPal users to let them keep giving away their data is what makes this phishing kit successful.

“People judge brands and companies on their security measures these days,” said Akamai in the report. “Not only is it commonplace to verify your identity in a multitude of ways, but it’s also an expectation when logging in to sites with ultrasensitive information, such as financial or healthcare companies.”

Phishing, in general, has come a long way. Attackers have been learning from their mistakes thanks to our growing understanding of their tactics and social engineering techniques.

As users of online services, we, too, have an obligation over our own online security and privacy. And the only way one can tell apart two seemingly identical websites is to look at your browser’s address bar.

To rephrase a line: to err is human, to scrutinize URLs is divine.

Stay safe!

PayPal phishing campaign goes after more than just your login credentials

We take a look at a WordPress plugin, abandoned and open to JavaScript related exploitation. Uninstall it now!
The post Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately! appeared first on Malwarebytes Labs.

WordPress admins are being warned to remove a buggy plugin or risk a total site takeover.

This particular threat relates to a plugin which is no longer in use: Modern WPBakery page builder addons. The vulnerability in the plugin, known as CVE-2021-24284, allows “unauthenticated arbitrary file upload via the ‘uploadFontIcon’ AJAX action”. This means that attackers could upload rogue PHP files to the WordPress site, leading to remote code execution and a complete site takeover.

There’s been a sudden increase in attacks related to this abandoned WordPress relic. In 2021, researchers discovered “several vulnerable endpoints” which could lead to injection of malicious JavaScript or even deletion of arbitrary files in Modern WPBakery. This time around, the aim of the game is to once again upload rogue PHP files then inject malicious JavaScript into the site.

Roughly 1.6 million sites have been scanned to check for the plugin’s presence by bad actors, and current estimates suggest somewhere in the region of 4,000 to 8,000 websites are still playing host to the plugin.

**Check and remove ASAP**

The current advice is to check for the plugin, and then remove it as soon as you possibly can. It’s been completely abandoned, and no security-related fixes will be forthcoming.

If you have it installed, you’re on your own, and it’s likely only a matter of time before the exploiters make their way to your Modern WPBakery hosting website and start getting up to mischief.

Do yourself and your site visitors a favour: Remove this outdated invitation to site-wide compromise as soon as you possibly can.

Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately!

We take a look at reports that internal Roblox employee documents have been leaked by an as-yet unknown attacker.
The post Roblox breached: Internal documents posted online by unknown attackers appeared first on Malwarebytes Labs.

A data compromise situation has impacted Roblox Corporation, the developers of the massive smash-hit video game Roblox. An as-yet unknown attacker has breached an employee account, and is in the process of exposing the data they’ve collected.

Nobody knows if they’ve exhausted their newly-plundered treasure trove, or if more leaks will follow.

**Hacks and compromise: from myth to reality**

The Roblox player base is young, and naturally enough worried about risks from cheats and account compromise. As a result, Roblox spends a fair amount of time debunking hacking myths. The most well known of these debunks probably relates to its John Doe and Jane Doe developer managed accounts.

Sadly for Roblox, this time around it appears that the compromise is very real with one key difference. It’s the developers under attack, rather than the players. For the time being, at least, they remain unaffected.

**Internal employee information: leaked**

A Roblox forum post has been playing host to around 4GB of stolen data. This data includes identification documents, spreadsheets related to Roblox creators, and various email addresses. At time of writing, there’s no specifics with regard to the “identification documents”. This could mean driving licence, passport, employee ID scan…we simply don’t know at the moment.

Roblox informed Motherboard that the documents were “illegally obtained as part of an extortion scheme that we refused to cooperate with”.

While there isn’t much information available yet, extortion tactics could suggest a double extortion attempt. The first thing to spring to mind here would be a ransomware attack. If the victim refuses to pay the ransom, the malware authors threaten to leak files. This can be incredibly damaging for all concerned, especially as files are often published even when the ransom is paid.

Of course, the extortion could spring from another source. Motherboard mentions the cache being stolen from an employee. The employee may have been phished. In this scenario, there is no ransomware involvement. Whatever the reason for the attack origin, players will naturally enough be very concerned.

**What can you do to keep your Roblox account safe?**

We don’t know if data has been grabbed outside of what’s already been leaked. There’s no indication from Roblox that user data has been accessed, which may only be known for certain as the investigation into the attack wraps up.

This is how you can help to keep your own account safe from harm in the meantime:

**Watch out for phishing**. Phishing attacks often follow on from breaches, although it may take days, or even weeks for an attempt to land in your mailbox. Be wary of mails asking you to login, or claiming that there has been a problem with your account. We suggest navigating to the official Roblox site directly instead of clicking links sent to your email address.

**Set up two-step verification**. This will help keep your account secure even if you were to hand over your login to a bogus website. Visit your account settings page, and then from the security tab select the type of two-step verification that you’d prefer. Roblox allows for a variety of different authenticator apps for use with your account.

**Logout of public and shared devices**. Roblox is great to play on the go. However, leaving your account logged in at on a public computer could result in item or account theft. Make sure you’ve fully logged out of any device which doesn’t belong to you. Public device compromise is still a very easy way to lose account access, and one which younger gamers could easily forget about as a potential threat.

Roblox breached: Internal documents posted online by unknown attackers

The FTC will keep an eye on companies that mishandle and misuse data to protect reproductive healthcare data in post-Roe America.
The post The FTC will go after companies misusing location, health, and other sensitive data appeared first on Malwarebytes Labs.

After the overturning of _Roe V Wade_, many feared that using, having access to, and sharing reproductive and sexual health data—once done freely—would be outlawed with the practice of abortion in many states. To protect such data from falling into the wrong hands,  Congresswoman Sara Jacobs (D-CA) sponsored the “My Body, My Data Act of 2022” bill.

Four days after the bill entered the House of Representatives and the Senate, US President Joe Biden signed an Executive Order Protecting Access to Reproductive Health Care Services, an order aimed at safeguarding healthcare services and protecting patient privacy and access to accurate information, among others.

Following this, the FTC (Federal Trade Commission) has warned tech companies and data brokers about potentially misusing the health data the US government seeks to protect.

The interconnectedness of devices has made life easier for most of us, but it remains a major nightmare for privacy-conscious consumers and organizations.

And while location data (among others) is generated by apps, consumers regularly generate their own sensitive data, too, in the form of apps aiding them in testing their blood sugar, recording their sleep patterns, or capturing their biometric features to access devices. In matters related to personal reproductive health, this could be in the form of apps for tracking periods, monitoring fertility, or managing contraceptive use.

The FTC asserts that a combination of these generated data “creates a new frontier of potential harms to consumers”.

“The misuse of mobile location and health information—including reproductive health data—exposes consumers to significant harm,” said the FTC in a post. “Criminals can use location or health data to facilitate phishing scams or commit identity theft. Stalkers and other criminals can use location or health data to inflict physical and emotional injury.”

> The exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms.

The FTC renewed its vow to go after companies that use American digital data unfairly or deceptively.

“The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy. We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”

The regulator will closely scrutinize corporate claims that data is “anonymized”, as research has shown that it can be trivial to de-anonymize such data, even when they’re part of a seemingly homogenous data set. The FTC would also be after companies that gather more than what they ask users to consent for or those that retain data indefinitely.

The FTC will go after companies misusing location, health, and other sensitive data

This week on Lock and Code, we discuss how law enforcement can now use your data, ever since the Supreme Court overturned Roe v. Wade.
The post Roe v. Wade: How the cops can use your data: Lock and Code S03E15 appeared first on Malwarebytes Labs.

On the evening of June 23, in the United States, millions of women went to bed with a Constitutional right to choose to have an abortion, and they went to bed with the many assurances that are tied to that right—to speak about getting an abortion, to organize and provide support to those seeking abortions, to search for abortion services safely online, to digitally track their menstrual cycles, to record their reproductive plans, all without too much concern about who would be interested in that information.

But on June 24, that Constitutional right was removed by the Supreme Court.

Immediately, this legal story has become one of data privacy, as countless individuals ask themselves: What surrounding activity is now allowed?

Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that is now promising to technologically protect their data from legal requests? Should they clamp down on all their data? What should they do?

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts on this intersection of data privacy and legal turmoiil—Electronic Frontier Foundation staff attorney Saira Hussain and senior staff technologist Cooper Quintin.

As Quintin explains in the podcast, while much of the focus has recently been on the use of period-tracking apps, there are so many other forms of data out there that people should protect: 

> “Period-tracking apps aren’t the only apps that are problematic. The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches.”

By spotlighting how benign data points—including shopping habits and locations—have already been used to reveal pregnancies and miscarriages and to potentially identify abortion-seekers, our guests explain what data could now be of interest to law enforcement, and how people at home can keep their decisions private and secure.

Tune in to hear all this and more on the most recent episode of Lock and Code.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “SCP-x5x (Outer Thoughts)” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Roe v. Wade: How the cops can use your data: Lock and Code S03E15

We take a look at reports of organised review bombing, leading to extortion threats to get the negative ratings removed.
The post Extortionists target restaurants, demand money to take down bad reviews appeared first on Malwarebytes Labs.

Restaurants and other eating establishments are being targeted by extortionists who post fake reviews online and then offer to remove them in exchange for a gift card.

The possibility has always existed to leave poor reviews on Google Maps and elsewhere. However, seeing fraudsters get organised and issue extortion threats alongside the review is a new development.

According to the New York Times, businesses are being “deluged” with the poor reviews. Extortion threats are then mailed to the business owners, apologising for the actions but insisting that $75 Google Play gift cards be purchased in order to have the poor reviews erased.

Card codes are mailed to a ProtonMail account, where the scammers pick up their bounty. The codes are likely sold on at this point to turn a tidy profit. We don’t know if anyone actually sent a card code to the relevant mail address, nor if any reviews were removed by the fraudsters in cases where a payment was made.

The group claims to be based in India, and is currently targeting businesses in San Francisco, New York, and Chicago.

**The bad review bombing technique**

Review bombing is something you’ve probably heard about in relation to gaming. When fans of certain titles become annoyed with changes in a game, or something is released which they object to, some turn to leaving bad reviews.

These reviews tend to be organised by groups, and plaster a product’s page with poor ratings. This has a negative impact on the title, and comes with a variety of side effects. It might even make the product less visible to other shoppers due to the product review score tanking.

Platforms selling games have had to take significant action against these tactics in recent years, developing new ways to spot inauthentic reviews and hiding them away from the public.

**Defending your business from bad review practices**

Google offers several guides for both reviewers and business owners where reviews are concerned.

Firstly, there’s detailed information about adding a review on Maps. While this is useful to know as a business owner, the really important information is on the How to remove reviews guide. Review removal requests are initiated via the Manage Reviews page. Before you submit, you need to check through the Prohibited and Restricted content section and see which category extortion attempts would fall under.

We suspect **Civil Discourse > Harassment**, or **Deceptive Content > Misrepresentation** would be good places to start.

*   We don’t allow users to post content to harass other people or businesses, or encourage others to participate in harassment.

*   Misleading information can impact the quality of information on Google Maps. For this reason, we don’t allow individuals to use Google Maps to mislead or deceive others, or make misrepresentations.

This includes:

*   False or misleading accounts of the description or quality of a good or service. 

No matter which rules you feel that your extortion-laced missives fall under, here’s how to report in both Maps and Search:

**Flag a review in Google Maps**

1.  On your computer, open Google Maps.
2.  Find your Business Profile.
3.  Find the review you’d like to report.
4.  Click **More >** **Flag as inappropriate**.

**Flag a review in Google Search**

1.  On your computer, go to Google.
2.  Find your Business Profile.
3.  Click **Google** **Reviews**.
4.  Find the review you’d like to report.
5.  Click **More >** **Report review**. Select the type of violation you want to report.

Extortionists target restaurants, demand money to take down bad reviews

The most important and interesting computer security stories from the last week.
The post A week in security (July 11 – July 17) appeared first on Malwarebytes Labs.

*   Partner Success Story
*   Marek Drummond
    
    Managing Director at Optimus Systems
    
    "Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected."
    
*   See full story