Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that it said has been exploited in the wild as part of attacks targeting organizations in Russia. 
The vulnerability, tracked as CVE-2025-2783, has been described as a case of "incorrect handle provided in unspecified circumstances in Mojo on Windows." Mojo refers to a

Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks

Cybercriminals exploit AbyssWorker driver to disable EDR systems, deploying MEDUSA ransomware with revoked certificates for stealthy attacks.

Cybercriminals are exploiting custom and compromised drivers to disable endpoint detection and response (EDR) systems, facilitating undetected malicious activity. Elastic Security Labs (ESL) has identified a financially motivated campaign deploying MEDUSA ransomware, utilizing a loader paired with a revoked certificate-signed driver named AbyssWorker. This driver, originating from a Chinese vendor, is designed to neutralize EDR solutions.

As per ESL’s investigation, shared with Hackread.com, this tactic blinds security tools and allows malicious actors to operate freely, increasing the success rate of their attacks.

The AbyssWorker driver, originating from a Chinese vendor, is a key component in a campaign that installs itself on victim machines and systematically targets and silences various EDR solutions.

“This EDR-killer driver was recently reported by ConnectWise in another campaign, using a different certificate and IO control codes, at which time some of its capabilities were discussed. In 2022, Google Cloud Mandiant disclosed a malicious driver called POORTRY, which we believe is the earliest mention of this driver,” researchers noted in the blog post.

The actual filename of the malicious driver is identified as smuol.sys (a 64-bit Windows PE driver). It cleverly mimics a legitimate CrowdStrike Falcon driver, probably to blend into legitimate system processes. ESL identified multiple samples on VirusTotal dating from August 2024 to February 2025, all signed with revoked certificates from various Chinese companies, including Foshan Gaoming Kedeyu Insulation Materials Co., Ltd and FEI XIAO, among others. These certificates, while widely used across various malware campaigns, are not specific to AbyssWorker.

Upon initialization, AbyssWorker establishes a device and symbolic link, registering callbacks for major functions. A critical defence evasion mechanism involves stripping existing handles to its client process from other processes, preventing external manipulation. It also registers callbacks to deny access to handles of protected processes and threads.

The driver’s core functionality resides in its DeviceIoControl handlers, which execute a range of operations based on I/O control codes. These operations include file manipulation, process and driver termination, and API loading. A password is required to enable the driver’s malicious capabilities. For file operations, AbyssWorker uses I/O Request Packets (IRPs), bypassing standard APIs.

AbyssWorker can remove notification callbacks, replace driver major functions, detach mini-filter devices, terminate processes and threads, and restore hooked NTFS and PNP driver functions. Notably, it can trigger a system reboot using the undocumented HalReturnToFirmware function. These capabilities directly support MEDUSA ransomware’s ability to operate without security interference.

A key obfuscation technique AbyssWorker employs is calling “constant-returning functions” throughout the binary to complicate static analysis. However, Elastic deemed it inefficient, as they are easy to identify and declared it “an inefficient obfuscation scheme.”

Nevertheless, AbyssWorker represents a significant threat, demonstrating the increasing sophistication of kernel-level malware designed to disable security infrastructure. ESL has provided a client implementation example, offering researchers a means to further explore and experiment with this malware. To further aid in detection, Elastic Security has released YARA rules, available on their GitHub repository, enabling security professionals to identify instances of AbyssWorker within their environments.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development, stating,

_“_The Medusa malware is living up to its name, finding new ways to infect hosts even after one method has been blocked. Using a batch file to disable system services is a short-term ploy as it can be detected and blocked. Security teams should be on alert for any systems that have a time change and review end-user permissions to prevent the user from stopping the time service._“_

Top/Featured Image by WaveGenerics from Pixabay

Medusa Ransomware Disables Anti-Malware Tools with Stolen Certificates

Google has admitted it accidentally deleted some Maps Timeline user data after what it calls a "technical issue".

Google has admitted it accidentally deleted some users’ Google Maps Timeline data after a “technical issue”.

As reported by Forbes on March 11, users started noticing that their Google Maps Timelines had completely disappeared. At the time, we didn’t know anything about the cause of this issue.

However, now we do, after some of the impacted users received a email from Google on March 21. Not with an apology, mind you, but with an explanation.

Google wrote that it had:

> “Briefly experienced a technical issue that caused the deletion of Timeline data for some people. If you have encrypted backups enabled, you may be able to restore your data.”

If you’re among those affected and you did have backups enabled, here’s how you can attempt to restore your data:

*   Make sure you have the latest version of the Google Maps app installed on your device.
*   Open Google Maps, tap on your profile picture in the top right corner, and select **Your Timeline**.
*   Look for a cloud icon at the top of the Timeline screen and tap it. Choose a backup to import your data.

This doesn’t seem to work for everyone though, with some users commenting that this method didn’t work for them.

If you didn’t have backups enabled, it might not be possible to recover your lost Timeline data.

**Planned deletion**

For those interested in keeping their Timeline, bear in mind that if you don’t take action soon, your visits and routes might be erased, and your Timeline settings disabled. Earlier this month, Google announced that it will begin deleting the last three months of Timeline data unless you take action to back it up, as part of a roll out of significant changes to Maps Timeline.

After you receive the notification from Google, you have about six months to save or transfer your Timeline data before deletion takes place. The sender of the email is “Google Location History,” with the subject line: “Keep your Timeline? Decide by \[date\].”

When you get the prompt, follow the instructions on how to adjust your settings on your device. If you don’t, your visits and routes will be erased, and your Timeline settings will be disabled.

**How to back up your Google Maps Timeline data**

Here’s how back up your Timeline data to prevent any future losses, and help preserve your data during the planned deletion:

*   Open the Google Maps app.
*   Tap your profile picture, then **Your Timeline**.
*   At the top right, tap the cloud icon.
*   If auto-delete is turned on, turn it off.
*   On the Backup screen, turn on **Backup**.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Oops! Google accidentally deletes some users&#8217; Maps Timeline data 

Crossing into the United States has become increasingly dangerous for digital privacy. Here are a few steps you can take to minimize the risk of Customs and Border Protection accessing your data.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

When Ryan Lackey has traveled to countries like Russia or China, he has taken certain precautions: Instead of his usual gear, the Seattle-based security researcher and chief security officer of a cryptocurrency insurance firm brings a locked-down Chromebook and an iPhone that's set up to sync with a separate, nonsensitive Apple account. He wipes both before every trip and loads only the minimum data he'll need. Lackey has gone so far as to keep separate travel sets for each country, so that he can forensically analyze the devices when he gets home to check for signs of each country's tampering.

Now, Lackey says, the countries that warrant that paranoid approach to travel might include not just Russia and China but also the United States—if not for Americans like him, then for anyone with a foreign passport who might come under the increasingly draconian and unpredictable scrutiny of US Customs and Border Protection (CBP). "All of this applies to America more than it has in the past," says Lackey. "If I thought I were likely to be a targeted person, I would go through this same level of protection."

Since the start of the second Trump administration, there appears to be an uptick in foreign visitors to the US being denied entry, resulting in people being sent back to their original destinations or being held in detention. Citizens from Germany, the UK, and France have all reported being detained, in some cases for weeks, or denied entry when attempting to enter the US—including several individuals who say they are legal residents with Green Cards. France’s education minister said one French scientist was denied entry after immigration officials searched his phone and found conversations where “he expressed a personal opinion on the Trump administration’s research policy.” The stricter enforcement of visa and travel permit regulations has led to officials in Germany and Britain to change their travel guidance, with Britain warning that rules are enforced “strictly.”

That de facto border crackdown is set to become far more explicit if the Trump administration follows through on a plan to enact a new “travel ban” on more than 40 countries, which would reportedly bar entry entirely from at least 10 nations and subject visitors from another five to new scrutiny and automatic interviews at the border. Another 26 countries would fall into a third category where their status will be decided in the 60 days after the policy goes into effect.

All of these changes suggest that US borders are about to become far less friendly places to foreigners and even to Americans returning from abroad. And these new border enforcement measures will no doubt be accompanied by aggressive attempts at surveillance extending to travellers’ electronic devices—a threat to digital privacy and free expression that extends to foreigners and US residents alike.

“We’re seeing extraordinarily disturbing examples of retaliatory action based on people's speech and political opinions,” says Nathan Wessler, the deputy director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project. “When that’s combined with really sweeping authority to mine the contents of our phones and laptops, looking at things we've written, things people have sent us, it should be a particular cause for concern for people across the political spectrum—and people with all kinds of citizenship and immigration statuses.”

In fact, Customs and Border Protection has long considered US borders and airports a kind of loophole in the US Constitution's Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, the agency has used that opportunity to hold border-crossers on the slightest suspicion and demand access to their computers and phones, with little formal cause or oversight.

Citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents.

As those intrusions become more common and aggressive in the second Trump era, WIRED has assembled the following advice from legal and security experts to help preserve your digital privacy while crossing American borders. But take all of these strategies with caution: Given CBP’s unpredictable—and in many areas undocumented—practices, none of the experts WIRED spoke to claimed to have a privacy panacea for the American border.

_This article was first published in February 2017 and updated in March 2025 to reflect changes in technology and the second Trump administration. WIRED’s guide to protecting yourself against government surveillance includes more security and privacy advice._

**Phone Home**

First, if you have any reason to think you could be detained or questioned at the border, alert a lawyer or a loved one who can contact a lawyer _before_ going through customs, and contact them again when you get out. If you are detained, you may not be able to access your devices or otherwise have the opportunity to reach the outside world. And in the worst-case scenario of a lengthy detention, you'll want someone advocating for your release and legal representation.

**Lock Down Devices**

If customs officials do take your devices, don't make their intrusion easy. Encrypt your hard drive with tools like BitLocker, Veracrypt, or Apple's Filevault, and choose a strong passphrase. On your phone, set a strong PIN. Using hard-to-crack alphanumeric code to unlock your phone rather than a four digit PIN or biometrics is the strongest approach to securing the device. On an iPhone, disable Siri from the lock screen by switching off **Allow Siri When Locked** under the **Siri men**u in **Settings**.

Remember also to turn your devices off before entering customs: Hard-drive encryption tools offer full protection only when a computer is fully powered down. If you use FaceID, your iPhone is safest when it's turned off, too, since it requires a PIN rather than a face scan when first booted, resolving any ambiguity about whether border officials can compel you to unlock the device with your biometrics.

In recent years, Apple and Google have made it possible to separate sensitive apps from being shown with others on your phone—placing them in a separate folder from other apps and protecting them with another layer of authentication. Android’s Private Spaces can be turned on in the Security and privacy settings menu, while long pressing an app on iOS will bring up the option to place it in a hidden folder.

Finally, Wessler recommends that travelers be sure to update their operating systems on both laptops and phones before crossing the border. That’s because CBP could, in some cases, use tools like Cellebrite or GrayKey to exploit unpatched vulnerabilities in those devices, accessing them without the user unlocking them. “It may be that if your operating system is six months out of date, your device is vulnerable,” Wessler says. “The newest version may not be.”

**Keep Passwords Secret**

This is the tricky part. American citizens can't be deported for refusing to give up passwords for social media accounts or encrypted devices, says the ACLU's Wessler. That means if you stand your ground and don't reveal passwords or PINs, you may be detained and your devices confiscated—even sent off to a forensic facility—but you'll eventually get through with your privacy far more intact than if you divulge secrets. "They can seize your device, even for months while they try to break into it," says Wessler. "But you’re going to get home." (Despite the Trump administration’s shocking treatment in some cases of foreign permanent residents, this protection applies to green card holders too, Wessler says.)

Be warned, however, that denying customs officials access can at the very least lead to hours of uncertain detention in a bleak, windowless CBP office. At some US airports and in various states, court rulings have put limitations and restrictions on what CBP officials can do to access your devices, but there’s little guarantee those restrictions will be followed in practice if border agents have your computer or phone in their custody without oversight.

Broadly, the CBP outlines two types of device searches: basic, where an officer “manually” reviews a device’s content; and an advanced search where a device is connected to external equipment and its contents can be reviewed, copied, or analyzed. The latter search requires a “reasonable suspicion” of a crime, CBP says. The agency’s official guidance avoids explicitly saying people are required to hand over passwords, skirting around the issue by saying devices should be presented “in a condition that allows for the examination.”

“If the electronic device cannot be inspected because it is protected by a passcode or encryption or other security mechanism, that device may be subject to exclusion, detention, or other appropriate action or disposition,” the agency says online.

For non-Americans coming to the US on a visa or from a visa-waiver country, Wessler warns that they face a far starker dilemma: Refuse to give up a passcode or PIN and you may be denied entry. “There’s a very practical assessment people have to make about what's most important to them,” he says. “Getting into the country but sacrificing privacy or protecting your privacy—but risking that you may be turned around at the border.”

**Minimize the Data You Carry**

For the most vulnerable travelers, there’s one clear solution to that dilemma: The best way to keep customs away from your data is simply not to travel with it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don't link those "dirty" devices to your personal accounts, and when you do have to create a linked account—as with an Apple ID for iOS devices—create fresh ones with unique usernames and passwords. "If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information," says Lackey.

(Social media accounts, admittedly, can't be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for noncitizens, even denial of entry.)

If you can’t create a separate travel device, the Electronic Frontier Foundation also suggests logging out of apps and cloud services—such as Google Drive, or MicrosoftOne Drive—so that border agents can’t access documents or data you are storing remotely. Backing up data, such as photos or files, to the cloud services before you travel can help to remove data from the phone.

“The only sure way to protect yourself is to not carry information with you or to carry as little as possible,” says the ACLU’s Wessler. “As long as you have a device and there's stuff on it, that's potentially vulnerable to search.”

That vulnerability to search comes in part from the fact that privacy rights for digital devices at the border remains troublingly unsettled in US law, says UC Davis law professor Elizabeth Joh. While the Supreme Court decision in _Riley v. California_ in 2014 declared warrantless searches of devices at the time of arrest unconstitutional, no case has set such a precedent for the American border—much less for non-Americans seeking those same privacy rights.

Since 2014, several federal appeals courts have come to conflicting opinions about when it’s constitutional for customs and border agents to search electronic devices, but the Supreme Court has yet to weigh in. Until it does, the border zone will remain in a kind of legal limbo.

The government, after all, has the power to open bags crossing into its territory or even dismantle cars to search for contraband, Joh points out. "What does that mean in an age when people bring their digital devices across borders? The Supreme Court hasn’t spoken to that issue," Joh says. "The real problem here is there's still no good set of protections for a portal into your private life."

How to Enter the US With Your Digital Privacy Intact

Microsoft on Monday announced a new feature called inline data protection for its enterprise-focused Edge for Business web browser.
The native data security control is designed to prevent employees from sharing sensitive company-related data into consumer generative artificial intelligence (GenAI) apps like OpenAI ChatGPT, Google Gemini, and DeepSeek. The list will be expanded over time to

Microsoft Adds Inline Data Protection to Edge for Business to Block GenAI Data Leaks

A list of topics we covered in the week of March 17 to March 23 of 2025

March 21, 2025 - The release of the JFK assassination records also resulted in the leak of hundreds of Social Security Numbers

March 20, 2025 - The phishing campaign for valuable Google accounts continues with a new twist, going after the customers of a SasS platform.

March 20, 2025 - Experts are warning about the proliferating market for targeted spyware and espionage. Why should we be concerned?

March 19, 2025 - With financial stress at an all-time high, people are desperately seeking relief. Sadly, scammers know this all too well.

March 19, 2025 - Sperm donor giant California Cryobank has announced it has suffered a data breach that exposed customers' personal information.

 A week in security (March 17 &#8211; March 23) 

Companies in the EU are starting to look for ways to ditch Amazon, Google, and Microsoft cloud services amid fears of rising security risks from the US. But cutting ties won’t be easy.

The global backlash against the second Donald Trump administration keeps on growing. Canadians have boycotted US-made products, anti–Elon Musk posters have appeared across London amid widespread Tesla protests, and European officials have drastically increased military spending as US support for Ukraine falters. Dominant US tech services may be the next focus.

There are early signs that some European companies and governments are souring on their use of American cloud services provided by the three so-called hyperscalers. Between them, Google Cloud, Microsoft Azure, and Amazon Web Services (AWS) host vast swathes of the internet and keep thousands of businesses running. However, some organizations appear to be reconsidering their use of these companies’ cloud services—including servers, storage, and databases—citing uncertainties around privacy and data access fears under the Trump administration.

“There’s a huge appetite in Europe to de-risk or decouple the over-dependence on US tech companies, because there is a concern that they could be weaponized against European interests,” says Marietje Schaake, a nonresident fellow at Stanford’s Cyber Policy Center and a former, decade-long member of the European Parliament.

The moves may already be underway. On March 18, politicians in the Netherlands House of Representatives passed eight motions asking the government to reduce reliance on US tech companies and move to European alternatives. Days before, more than 100 organizations signed an open letter to European officials calling for the continent to become “more technologically independent” and saying the status quo creates “security and reliability risks.”

Two European-based cloud service companies, Exoscale and Elastx, tell WIRED they have seen an uptick in potential customers looking to abandon US cloud providers over the last two weeks—with some already starting to make the jump. Multiple technology advisers say they are having widespread discussions about what it would take to uproot services, data, and systems.

“We have more demand from across Europe,” says Mathias Nöbauer, the CEO of Swiss-based hosting provider Exoscale, adding there has been an increase in new customers seeking to move away from cloud giants. “Some customers were very explicit,” Nöbauer says. “Especially customers from Denmark being very explicit that they want to move away from US hyperscalers because of the US administration and what they said about Greenland.”

“It's a big worry about the uncertainty around everything. And from the Europeans’ perspective—that the US is maybe not on the same team as us any longer,” says Joakim Öhman, the CEO of Swedish cloud provider Elastx. “Those are the drivers that bring people or organizations to look at alternatives.”

Concerns have been raised about the current data-sharing agreement between the EU and US, which is designed to allow information to move between the two continents while protecting people’s rights. Multiple previous versions of the agreement have been struck down by European courts. At the end of January, Trump fired three Democrats from the Privacy and Civil Liberties Oversight Board (PCLOB), which helps manage the current agreement. The move could undermine or increase uncertainty around the agreement. In addition, Öhman says, he has heard concerns from firms about the CLOUD Act, which can allow US law enforcement to subpoena user data from tech companies, potentially including data that is stored in systems outside of the US.

Dave Cottlehuber, the founder of SkunkWerks, a small tech infrastructure firm in Austria, says he has been moving the company’s few servers and databases away from US providers to European services since the start of the year. “First and foremost, it’s about values,” Cottlehuber says. “For me, privacy is a right not a privilege.” Cottlehuber says the decision to move is easier for a small business such as his, but he argues it removes some taxes that are paid to the Trump administration. “The best thing I can do is to remove that small contribution of mine, and also at the same time, make sure that my customers’ privacy is respected and preserved,” Cottlehuber says.

Steffen Schmidt, the CEO of Medicusdata, a company that provides text-to-speech services to doctors and hospitals in Europe, says that having data in Europe has always “been a must,” but his customers have been asking for more in recent weeks. “Since the beginning of 2025, in addition to data residency guarantees, customers have actively asked us to use cloud providers that are natively European companies,” Schmidt says, adding that some of his services have been moved to Nöbauer’s Exoscale.

Harry Staight, a spokesperson for AWS, says it is “not accurate” that customers are moving from AWS to EU alternatives. “Our customers have control over where they store their data and how it is encrypted, and we make the AWS Cloud sovereign-by-design,” Straight says. “AWS services support encryption with customer managed keys that are inaccessible to AWS, which means customers have complete control of who accesses their data.” Staight says the membership of the PCLOB “does not impact” the agreements around EU-US data sharing and that the CLOUD Act has “additional safeguards for cloud content.” Google and Microsoft declined to comment.

The potential shift away from US tech firms is not just linked to cloud providers. Since January 15, visitors to the European Alternatives website increased more than 1,200 percent. The site lists everything from music streaming services to DDoS protection tools, says Marko Saric, a cofounder of European cloud analytics service Plausible. “We can certainly feel that something is going on,” Saric says, claiming that during the first 18 days of March the company has “beaten” the net recurring revenue growth it saw in January and February. “This is organic growth which cannot be explained by any seasonality or our activities,” he says.

While there are signs of movement, the impact is likely to be small—at least for now. Around the world, governments and businesses use multiple cloud services—such as authentication measures, hosting, data storage, and increasingly data centers providing AI processing—from the big three cloud and tech service providers. Cottlehuber says that, for large businesses, it may take many months, if not longer, to consider what needs to be moved, the risks involved, plus actually changing systems. “What happens if you have a hundred petabytes of storage, it's going to take years to move over the internet,” he says.

For years, European companies have struggled to compete with the likes of Google, Microsoft, and Amazon’s cloud services and technical infrastructure, which make billions every year. It may also be difficult to find similar services on the scale of those provided by alternative European cloud firms.

“If you are deep into the hyperscaler cloud ecosystem, you’ll struggle to find equivalent services elsewhere,” says Bert Hubert, an entrepreneur and former government regulator, who says he has heard of multiple new cloud migrations to US firms being put on hold or reconsidered. Hubert has argued that it is no longer “safe” for European governments to be moved to US clouds and that European alternatives can’t properly compete. “We sell a lot of fine wood here in Europe. But not that much furniture,” he says. However, that too could change.

Schaake, the former member of the European Parliament, says a combination of new investments, a different approach to buying public services, and a Europe-first approach or investing in a European technology stack could help to stimulate any wider moves on the continent. “The dramatic shift of the Trump administration is very tangible,” Schaake says. “The idea that anything could happen and that Europe should fend for itself is clear. Now we need to see the same kind of pace and leadership that we see with defense to actually turn this into meaningful action.”

Trump’s Aggression Sours Europe on US Cloud Giants

This week on the Lock and Code podcast, we speak with Carey Parker about what Google Chrome knows about you.

_This week on the Lock and Code podcast…_

Google Chrome is, by far, the most popular web browser in the world.

According to several metrics, Chrome accounts for anywhere between 52% and 66% of the current global market share for web browser use. At that higher estimate, that means that, if the 5.5 billion internet users around the world were to open up a web browser right now, 3.6 billion of them would open up Google Chrome.

And because the browser is the most common portal to our daily universe of online activity—searching for answers to questions, looking up recipes, applying for jobs, posting on forums, accessing cloud applications, reading the news, comparing prices, recording Lock and Code, buying concert tickets, signing up for newsletters—then the company that controls that browser likely knows a lot about its users.

In the case of Google Chrome, that’s entirely true.

Google Chrome knows the websites you visit, the searches you make (through Google), the links you click, and the device model you use, along with the version of Chrome you run. That may sound benign, but when collected over long periods of time, and when coupled with the mountains of data that other Google products collect about you, this wealth of data can paint a deeply intimate portrait of your life.

Today, on the Lock and Code podcast with host David Ruiz, we speak with author, podcast host, and privacy advocate Carey Parker about what Google Chrome knows about you, why that data is sensitive, what “Incognito mode” really does, and what you can do in response.

We also explain exactly why Google would want this money, and that’s to help it run as an ad company.

> “That’s what \[Google is\]. Full stop. Google is an ad company who just happens to make a web browser, and a search engine, and an email app, and a whole lot more than that.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 What Google Chrome knows about you, with Carey Parker (Lock and Code S06E06) 

New phishing scam targets Instagram business accounts using fake chatbots and support emails, tricking users into handing over login credentials.

A new phishing campaign has been tricking users into giving out access to their **Meta Business accounts** especially Instagram. The scam, detected by the Cofense Phishing Defense Center, uses fake chat support, detailed instructions, and attempts to add itself as a secure login method to hijack business accounts.

The phishing campaign starts with a fake Instagram alert email stating that the user’s ads are suspended due to a violation of advertising laws. The email, which appears to be from Instagram’s support team, asks the user to click on a “Check more Details” button to resolve the issue. However, the email is actually sent from a Salesforce address ([email protected]), not Instagram’s official support email.

The Instagram phishing email received by victims (Via Cofense)

This scam is a lot like the one that hit Facebook users back in February 2025, where scammers used automated Salesforce emails to trick people into giving up their login credentials by pretending to be **Facebook Copyright Notices**.

****Fake Chat Support via Chatbot, Phishing and 2FA – All in One Scam****

In the latest scam, when the user clicks on the link for more details, they are redirected to a fake page (businesshelp-managercom) that looks similar to a legitimate Meta Business page. The page informs the user that their account is at risk of suspension and termination and asks them to input their name and business email to proceed to a chat support agent.

The attacker then uses two methods to hijack the business account: a fake tech support chatbot or a supposed “setup guide” with step-by-step instructions. The chatbot asks the user for screenshots of their business account and personal information, while the setup guide provides instructions on how to add **Two-Factor Authentication (2FA)** to the user’s business account.

If the chatbot phishing attempt is unsuccessful, the attacker provides an instructional guide for adding Two-Factor Authentication (2FA) to the user’s business account. This guide mimics a do-it-yourself way to “fix” the user’s account. Users are directed to click on a “View Account Status” button, which reveals detailed instructions on how to start a “System Check” and fix the problem themselves. However, following these steps gives the attacker another way to log in to the Business Meta account via the hacker’s Authenticator app named “SYSTEM CHECK.”

Screenshot of the initial chat with the fake support chatbot (Via Cofense)

According to Cofence’s **blog post** shared with Hackread.com, the attackers have put a lot of effort into making the scam look legitimate. The emails and landing pages closely resemble official Meta communications, and the inclusion of live agent support adds a layer of deception. The attackers even provide video instructions detailing how to trick the user into adding them as a 2FA method.

****What Users Should Do****

This phishing campaign stands out from the usual scams and highlights why everyone who uses social media should be aware of common **social engineering tricks** that scammers use these days. Always double-check the sender and take a close look at the URL before clicking on anything. Using apps like Google Authenticator and Microsoft Authenticator can help block login attempts from suspicious places and unknown devices.

New Phishing Scam Uses Fake Instagram Chatbot to Hijack Accounts

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Image: WLVT-8.

Authorities in Knoxville, Tennessee last week said they arrested 11 Chinese nationals accused of buying tens of thousands of dollars worth of gift cards at local retailers with mobile wallets created through online phishing scams. The Knox County Sheriff’s office said the arrests are considered the first in the nation for a new type of tap-to-pay fraud.

Responding to questions about what makes this scheme so remarkable, Knox County said that while it appears the fraudsters are simply buying gift cards, in fact they are using multiple transactions to purchase various gift cards and are plying their scam from state to state.

“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” Knox County Chief Deputy **Bernie Lyon** wrote. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”

Asked for specifics about the mobile devices seized from the suspects, Lyon said “tap-to-pay fraud involves a group _utilizing Android phones to conduct Apple Pay transactions_ utilizing stolen or compromised credit/debit card information,” \[emphasis added\].

Lyon declined to offer additional specifics about the mechanics of the scam, citing an ongoing investigation.

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company. Merrill said there aren’t many valid use cases for Android phones to transmit Apple Pay transactions. That is, he said, unless they are running a custom Android app that KrebsOnSecurity wrote about last month as a part of a deep dive into the sprawling operations of China-based phishing cartels that are breathing new life into the payment card fraud industry (a.k.a. “carding”).

How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones? It all starts with phishing.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the **U.S. Postal Service** to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “**smishing**” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the **Apple iMessage** service and through RCS, the functionally equivalent technology on **Google** phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control. These phones are then loaded with multiple stolen wallets (often between 5-10 per device) and sold in bulk to scammers on Telegram.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 5-7 digital wallets from different financial institutions.

Merrill found that at least one of the Chinese phishing groups sells an Android app called “**Z-NFC**” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.

Merrill said the Z-NFC software can work from anywhere in the world, and that one phishing gang offers the software for $500 a month.

“It can relay both NFC enabled tap-to-pay as well as any digital wallet,” Merrill said. “They even have 24-hour support.”

On March 16, the ABC affiliate in Sacramento (**ABC10**), Calif. aired a segment about two Chinese nationals who were arrested after using an app to run stolen credit cards at a local Target store. The news story quoted investigators saying the men were trying to buy gift cards using a mobile app that cycled through more than 80 stolen payment cards.

ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards. After their arrests, both men reportedly admitted that they were being paid $250 a day to conduct the fraudulent transactions.

Merrill said it’s not unusual for fraud groups to advertise this kind of work on social media networks, including TikTok.

A **CBS News** story on the Sacramento arrests said one of the suspects tried to use 42 separate bank cards, but that 32 were declined. Even so, the man still was reportedly able to spend $855 in the transactions.

Likewise, the suspect’s alleged accomplice tried 48 transactions on separate cards, finding success 11 times and spending $633, CBS reported.

“It’s interesting that so many of the cards were declined,” Merrill said. “One reason this might be is that banks are getting better at detecting this type of fraud. The other could be that the cards were already used and so they were already flagged for fraud even before these guys had a chance to use them. So there could be some element of just sending these guys out to stores to see if it works, and if not they’re on their own.”

Merrill’s investigation into the Telegram sales channels for these China-based phishing gangs shows their phishing sites are actively manned by fraudsters who sit in front of giant racks of Apple and Google phones that are used to send the spam and respond to replies in real time.

In other words, the phishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

For more on how these China-based mobile phishing groups operate, check out How Phished Data Turns Into Apple and Google Wallets.

The ashtray says: You’ve been phishing all night.

Tag

#google