2025-05-14 Post a Comment

Cyber attacks: What to do if you fear your personal information has been stolen

Story byÂ Athena Stavrou

In recent weeks, some of the UKâ€™s best-known brands and retailers haveÂ suffered cyber attacks.

Marks & Spencer, the Co-op and and luxury department store Harrods have all be affected byÂ hacks or attempted hacks, leaving customers concerned about their personal data.

On Tuesday, M&S admitted thatÂ customer personal data had been takenÂ by hackers after the retail giant was hit by a damaging cyber attack last month.

Chief executive Stuart Machin said the data had been accessed due to the â€œsophisticated nature of the incidentâ€ but stressed that this does not include payment or card details, or account passwords.

M&S has struggled to grapple with the fallout of the hack and retail experts have said it is likely to lead to a significant profit hit.

Hereâ€™s what to do if you are worried youâ€™re worried about the recent cyber-attacks:

(PA)

What should you do if you are concerned your information has been accessed?

Thereâ€™s no evidence stolen information from the recent cyber attacks as been shared, but consumer group Which? advises that it is wise to be cautious with any unsolicited emails or phone calls in the coming weeks.

It says if you suspect an email might be a scammer, to avoid clicking on links or downloading any attachments.

People are also warned to be cautious if your bank contacts you out of the blue, and to remember a bank will never ask for your pin, entire security number or password.

It also urges people to never reveal your full password, login details or account numbers and to instead hang up and call the company from their official phone number.

Though no passwords were lost in the cyber-attacks, M&S has advised customers to reset their passwords for â€œextra peace of mindâ€.

How to stay safe against cyber attacks

Co-op and M&S both suffered ransomware attacks, which is a type of virus that encrypts files on your computer or locks up its system. Hackers will then demand a ransom to give you access back.

According to a report, hackers who targetedÂ Marks & SpencerÂ andÂ the Co-opÂ tricked IT workers to gain access into their companies systems.

To protect yourself, donâ€™t download attachments you havenâ€™t been expecting or click links asking for personal details. Always keep your computer software updated and only download things from trusted sources.

Which? also advises people to set up a restore point on your device incase it is compromised so it can be restored from safe mode.

You should be able to do this by searching â€˜â€create a restore pointâ€ on your device.

It is also advised to get a quality antivirus software for the best protection.

Co-op shops were affected by a major cyber attack (Co-op)

What data was accessed in the M&S and Co-op attack?

Marks & Spencer has revealed that customer personal data has been taken by hackers in a recent cyber attacks.

Chief executive Stuart Machin said the data had been accessed but stressed that this does not include payment or card details, or account passwords.

The high street chain did not say how many customers had been affected.

The Co-op has also apologised to customers after hackers accessed and extracted members’ personal data, such as names and contact details, while it too has suffered availability problems as a result of the attack.

Customers’ passwords and useable card details were not taken from either retailer.

alt=Close-up of a Social Security card beside a paycheck showing earnings, federal and Medicare with check numbers visible.

Cyber security

2025-05-06 Post a Comment

Fake Social Security Statement emails trick users into installing remote tool

byÂ Pieter Arntz:

Fake emails pretending to come from the US Social Security Administration (SSA) try to get targets to install ScreenConnect, a remote access tool.

This campaign was flagged and investigated by the Malwarebytes Customer Support and Research teams.

ScreenConnect, formerly known as ConnectWise Control, is a remote support and remote access platform widely used by businesses to facilitate IT support and troubleshooting. It allows technicians to remotely connect to usersâ€™ computers to perform tasks such as software installation, system configuration, and to resolve issues.

Because ScreenConnect provides full remote control capabilities, an unauthorized user with access can operate your computer as if they were physically present. This includes running scripts, executing commands, transferring files, and even installing malwareâ€”all potentially without you realizing.

This makes ScreenConnect a dangerous tool in the hands of cybercriminals. AÂ phishingÂ group dubbed Molatoriâ€”because of the domains they use to host the ScreenConnect clientâ€”has been found to lure their targets into installing the ScreenConnect clients by sending emails pretending to come from the Social Security Administration (SSA):

â€œYour Social Security Statement is now available
Thank you for choosing to receive your statements electronically.
Your document is now ready for download:
Please download the attachment and follow the provided instructions.
NOTE: Statements & Documents are only compatible with PC/Windows systems.â€

There are some variations to this mail in circulation but the example above shows how legitimate these emails look.

The link in the email leads to the ScreenConnect support.Client.exe, but was found under several misleading names likeÂ ReceiptApirl2025Pdfc.exe, andÂ SSAstatment11April.exe.

After cybercriminals install the client on the targetâ€™s computer, they remotely connect to it and immediately begin their malicious activities. They access and exfiltrate sensitive information such as banking details, personal identification numbers, and confidential files. This stolen data can then be used to commit identity theft, financial fraud, and other harmful acts.Â Experts have identifiedÂ financial fraud as the primary objective of the Molatori group.

There are several circumstances that make this campaign hard to detect:

The cybercriminals send phishing emails from compromised WordPress sites, so the domains themselves appear legitimate and not malicious.
They often embed the email content as an image, which prevents email filters from effectively scanning and blocking the message.
ScreenConnect is a legitimate application which happens to be abused because of its capabilities.

What we can do

When receiving unsolicited emails there are a few necessary precautions you can take to avoid falling for phishing:

Verify the source of the email through independent sources.
Donâ€™t click on links until you are sure they are non-malicous.
Donâ€™t open downloaded files or attachments until you are sure they are safe.
Use an up-to-date and activeÂ anti-malware solution.
If you suspect an email isnâ€™t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.

Malwarebytes users are protected

Malwarebytes will detect suspicious instances of the ScreenConnect client as RiskWare.ConnectWise.CST.

Malwarebytes blocks RiskWare.ConnectWise.CST

And blocks connections to these associated domains:

atmolatori[.]icu
gomolatori[.]cyou
molatoriby[.]cyou
molatorier[.]cyou
molatorier[.]icu
molatoriist[.]cyou
molatorila[.]cyou
molatoriora[.]cyou
molatoriora[.]icu
molatoripro[.]cyou
molatoripro[.]icu
molatorisy[.]cyou
molatorisy[.]icu
onmolatori[.]icu
promolatori[.]icu
samolatori[.]cyou
samolatori[.]icu
umolatori[.]icu

We donâ€™t just report on data privacyâ€”we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. WithÂ Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

alt=Google Chrome, the world's most popular web browser, displayed on a computer screen with vibrant colors and a user-friendly interface.

Cyber security

2024-12-30 Post a Comment

16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft

Ravie Lakshmanan

Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.

The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens.

The first company to be known to have been exposed was cybersecurity firm Cyberhaven.

On December 27, CyberhavenÂ disclosedÂ that a threat actor compromised its browser extension and injected malicious code to communicate with an external Command and Control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data.

“Browser extensions are the soft underbelly of web security,” says Or Eshed, CEO ofÂ LayerX Security, which specializes in browser extension security. “Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.

“Many organizations don’t even know what extensions they have installed on their endpoints, and aren’t aware of the extent of their exposure,” says Eshed.

Once news of the Cyberhaven breach broke, additional extensions that were also compromised and communicating with the same C&C server were quickly identified.

Jamie Blasco, CTO of SaaS security company Nudge Security,Â identified additional domains resolvingÂ to the same IP address of the C&C server used for the Cyberhaven breach.

Additional browser extensions currently suspected of having been compromised include:

AI Assistant – ChatGPT and Gemini for Chrome
Bard AI Chat Extension
GPT 4 Summary with OpenAI
Search Copilot AI Assistant for Chrome
TinaMInd AI Assistant
Wayin AI
VPNCity
Internxt VPN
Vindoz Flex Video Recorder
VidHelper Video Downloader
Bookmark Favicon Changer
Castorus
Uvoice
Reader Mode
Parrot Talks
Primus

These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wide-scale attack campaign targeting legitimate browser extensions.

Analysis of compromised Cyberhaven indicates that the malicious code targeted identity data and access tokens of Facebook accounts, and specifically Facebook business accounts:

User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)

Cyberhaven says that the malicious version of the browser extension was removed about 24 hours after it went live. Some of the other exposed extensions have also already been updated or removed from the Chrome Web Store.

However, the fact the extension was removed from the Chrome store doesn’t mean that the exposure is over, says Or Eshed. “As long as the compromised version of the extension is still live on the endpoint, hackers can still access it and exfiltrate data,” he says.

Security researchers are continuing to look for additional exposed extensions, but the sophistication and scope of this attack campaign have upped the ante for many organizations of securing their browser extensions.