Malwarebytes

3 easy-to-miss cybersecurity risks for small businesses

May 3, 2026, 07:33

There’s a lot to security that isn’t necessarily “cyber.” It’s not all hackers or complex network attacks.

Alongside traditional cyberattacks that deploy malware or exploit known software vulnerabilities, there are also less technical—yet equally devastating—forms of theft.

This doesn’t mean that well-known cybersecurity best practices don’t apply. Every small business owner should still use unique passwords for every account, turn on multi-factor authentication, keep their software and operating systems updated, and run always-on cybersecurity software.

But for the everyday small business owner juggling dozens of accounts, networks, devices, and the reams of data being created, stored, and shared across text messages, emails, and online portals, this advice is for you.

For National Small Business Week in the US, here are three ways to protect your business that require little technical prowess.

Don’t use your Social Security Number as your tax ID

In the US, the Internal Revenue Service (IRS) allows small business owners to use their personal Social Security Number (SSN) as the Federal Tax ID. It’s a small grace meant to simplify annual record-keeping for sole proprietors and owner-employees, but for cybercriminals, it’s a basic oversight they’d like every small business to make.

Using your Social Security Number as your Federal Tax ID means putting your Social Security Number in an ever-increasing number of hands. That’s because small business taxes are different from taxes for everyday salaried employees.

Whenever a small business takes on a new client or a contractor who pays for services costing at least $600, that small business has to share and receive what is called a W-9 form. This exact form isn’t filed with the IRS, but it is used to track payments for later filings.

What’s more important, though, is that this form asks for an owner’s name, address, and tax ID number.

This means that as a small business grows, its vulnerability to identity theft increases in tandem. Every W-9 filed that uses an owner’s SSN as their tax ID number is another opportunity for that SSN to be stolen. After just one year of operation, a small business owner’s SSN could end up in the inboxes, filing cabinets, and cloud drives of a dozen different people and companies.

This is exactly what cybercriminals want.

Equipped with a W-9 form about your business, a cybercriminal could impersonate you or your business. They could open a business credit line, file fraudulent returns that claim your small business income, or scam your clients.

How to stay safe:

Apply for a free Employer Identification Number (EIN) at IRS.gov. It’s quick to do and it separates your business tax identity from your personal tax identity. After that, put the EIN on W-9s, 1099s, and all other business paperwork instead of your SSN.

Keep your personal cloud storage personal

The most popular cloud storage for most small business owners is the cloud storage they already have—their personal Google Drive or iCloud.

Built to make memory archival as easy as possible, these tools can automatically back up and secure nearly every single moment that happens through your device, from the vacation photos you snapped last summer, to your kid’s first steps recorded on video, to the texts you sent, the notes you made, and the calendar appointments you managed.

But this type of automatic archival poses a threat to any non-personal information that you view, send, markup, or sign when using your personal smartphone. Suddenly, and often without thinking about it, your cloud storage has backups of signed contracts, tax returns, client intake forms, invoices, business financial statements, and photos of physical paperwork.

Above, we warned about using your SSN as your tax ID because it creates a risk if anyone in your business network is breached. But storing client information in your personal cloud storage creates a different problem: it puts that risk directly on you.

Compounding the threat here is the fact that many personal cloud storage accounts are shared with family members. More people accessing the same account means more exposure and more chances for mistakes, even if everyone has good intentions.

How to stay safe:

Go through the cloud backup settings on both your phone and your computer and manage what data is being synced. Move sensitive business files to a dedicated business storage account with proper access controls, sharing permissions, and audit logs—something that can tell you who opened a file and when.

If anything business-related has to live in a personal cloud account, give that account a strong, unique password, turn on multi-factor authentication, and don’t share access with anyone who isn’t you.

Protect device and account access in the home

Devices have a funny way of moving around. Your smartphone goes into your spouse’s hands as they override your music choices in the car. Your tablet ends most nights in your kid’s bedroom as they watch TV. And your laptop gets tugged around from couch to counter to kitchen table—each time fully opened and logged in, a portal to the web.

You trust everyone in your home to act safely online, but the path to online safety is full of mistakes.

A single errant click on a fake ad, a malicious search result, or a disguised download is all it takes to compromise your device today, along with all your small business records.

Aside from the threat of malware, someone using your device could make purchases, accidentally delete files, and overwrite important documents.

Remember, an “insider threat” doesn’t need to be malicious to cause damage—they just need to be inside your network (which, in this case, is your home).

How to stay safe:

Treat your devices that you use for work as work devices. That means requiring a passcode or password for device entry, along with multi-factor authentication for important business accounts.

Also, to ensure that any wrong click doesn’t lead to a malicious PDF download or a wayward malware installation, use always-on antimalware protection software, like Malwarebytes for Teams.

Secure your success

It’s easy to get overwhelmed with modern cybersecurity advice. Every week there are new vulnerabilities to patch, emerging scams to avoid, and novel viruses and pieces of malware that can seemingly take over your device, your data, and your business.

Thankfully, there are important steps you can take today that don’t require you to fiddle with internal settings or take a class on network engineering. Some of the most effective protections are simple: Limit how widely you share sensitive information, keep business and personal data separate, and control who can access your devices.

For everything else, try Malwarebytes for Teams to receive 24/7, always-on antimalware protection to shut out viruses, block malware attacks, and keep hackers out of your business.

Malwarebytes

Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do

April 30, 2026, 12:48

More than 610,000 Roblox accounts were reportedly stolen. Was yours or your child’s among them?

Ukrainian police arrested three individuals in Lviv who allegedly orchestrated one of the largest Roblox account theft operations to date. Between October 2025 and January 2026, the hacking group is said to have compromised over 610,000 Roblox accounts, including at least 357 high-value “elite” accounts, making around $225,000 from selling access to them.

The hackers distributed infostealing malware disguised as game-enhancement tools, harvested login credentials from infected devices, and sold accounts through a Russian website and closed online communities based on their value.

This operation targeted Roblox accounts because they hold significant monetary value for many users. Accounts can contain high Robux balances, limited-edition items that can no longer be obtained, years of gaming progress with achievements and unlocks, and paid access to premium content. 

Roblox account recovery

If you recently downloaded any suspicious game enhancements or other Roblox-related software, your first priority is to run a full system anti-malware scan.

Then check for unknown or untrusted browser extensions. Keep only those that came from verified, trusted sources.

If the scans led to any removals, clear your browser history and cookies completely. Note that this will log you out of most websites.

If you still have access to your Roblox account, change your password and turn on two-step verification if you haven’t already.

If the hackers changed your password and you’re unable to log in, use the password recovery option on the Roblox login page by clicking “Forgot Password or Username?”. Enter the email address associated with your account and check your inbox (including spam folders) for the reset link.

After recovering access, immediately terminate all active sessions to prevent hackers from maintaining access through stolen cookies. Go to Settings > Security and click Log out of all other sessions at the bottom of the page. This ensures that anyone who had unauthorized access can no longer use your account.

If you’ve been completely locked out—because hackers have changed both your password and recovery details—contact Roblox Support immediately. Visit the Roblox support page and provide as much detail as possible. They may ask for:

  • Your account username (this is crucial for identification).
  • The original email address used to create the account.
  • Payment information or purchase receipts showing Robux transactions.
  • The approximate date and time of the compromise.
  • Screenshots showing account details before the compromise, including creation date.
  • Your previous account settings or any other details that prove ownership.

Roblox explicitly states that, unless required by law, it is under no obligation to restore compromised accounts. It does not guarantee that accounts will be returned to their previous state or that lost virtual items and currency can be recovered. Only in very limited circumstances may Roblox offer the ability to recover lost inventory or its approximate value. It’s important to note that you must contact Roblox within 30 days of the compromise if you want assistance recovering lost items or currency. The support process typically takes 2–5 days.




How to protect your Roblox account

There are a few steps that make it harder for someone to steal your Roblox account:

  • Verified email address. Ensure your account has a verified email address that you actively monitor. This helps you spot unauthorized password or email changes quickly.
  • Use unique passwords. Never reuse passwords across different accounts. If one is exposed elsewhere, attackers will try it on other platforms, including Roblox. Your Roblox password should be completely unique and stored securely. A password manager can help you with both.
  • Don’t share access. Never share your password with anyone, even with people claiming to be friends. Your account credentials should belong only to you (and your parents if you’re a minor). Roblox staff will never ask for your password.
  • Be wary of game enhancements, hacks, cracks and keys. The hackers in this case specifically distributed malware disguised as game-enhancement tools. Be extremely cautious about downloading any third-party programs, cheats, exploits, or tools that claim to improve your Roblox experience. These are often vehicles for credential theft and account compromise.
  • Keep software updated. Keep all the software on your device up-to-date, so you’re protected against the latest known exploits.
  • Use anti-malware. Run up-to-date, real-time anti-malware software to protect your device against information stealers and other malware.

Malwarebytes

Apple patches WebKit bug that could let sites access your data

March 18, 2026, 08:19

Apple has released a Background Security Improvement to patch a flaw that could allow malicious websites to bypass browser protections and access data from other sites.

What is it?

The patched WebKit vulnerability is described as:

“A cross-origin issue in the Navigation API was addressed with improved input validation.”

WebKit vulnerabilities refer to security flaws in Apple’s web rendering engine, which powers Safari, Mail, and the App Store on iOS and macOS.

What this means is that the CVE-2026-20643 vulnerability makes it possible for a malicious website to pretend to be another site, maybe one you trust, and then read or steal information that should be kept separate. Normally, browsers enforce a rule called the “same‑origin policy,” which is like a strict fence that stops one site from peeking into another site’s data. This bug could help cybercriminals cut through that fence.

In practical terms, an attacker would first have to lure you to a specially crafted web page. If you visited it, that page could try to bypass the normal isolation between sites and access things it should not see, such as data from another tab or embedded content from a different service.

Attackers do not currently appear to exploit this flaw in the wild, but they like to chain issues like this with other bugs to steal accounts or sensitive data, which likely prompted Apple to ship it as a Background Security Improvement. Apple’s fix tightens how WebKit checks and handles cross‑site navigation.

What to do

This patch for a WebKit vulnerability, tracked as CVE-2026-20643, installs on top of versions 26.3.1/26.3.2 and not as a separate full OS version. Background Security Improvements are only available on the latest OS branch (26.x) and apply silently in the background if you’re on the latest version.

For iOS and iPadOS users, you can check if you’re using the latest software version by going to Settings > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

For macOS Tahoe users, you can find out if you’re on the latest 26.3 version from the Apple menu. In the upper-left corner of your screen, choose About This Mac. The information shown there includes the macOS name and version number. If you need to know the build number as well, click the version number to see it.

This Background Security Improvement is only available for Mac users running Tahoe 26.3.1 and MacBook Neo users running 26.3.2.

All users have to do is to check if they have the Background Security Improvements option set to enabled.

For iPhone and iPad users, this setting can be found under Privacy & Security, where you can scroll down and look for the Background Security Improvements toggle.

Automatically install security improvements

On a Mac (macOS Tahoe 26.3.+ only), you can check by following these instructions:

  1. Click the Apple menu > System Settings.
  2. In the sidebar, click Privacy & Security.
  3. Scroll down on the right and click Background Security Improvements.
  4. Make sure Automatically Install is turned on. If it’s off, the Mac won’t get Background Security Improvements until the fixes are rolled into a later full update.

The Install option in my screenshot means that you can speed up the process by clicking it. But it’s fine to wait until it happens automatically.

After the update, your OS version should show 26.3.1 (a), except for MacBook Neos which should be at 26.3.2 (a).


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Malwarebytes

Delete doesn’t mean gone. Here’s how File Shredder fixes that

March 16, 2026, 11:22

You have done it a thousand times. Right-click. Delete. Empty Trash. Done.

Except it’s not done. That file, your tax return, your private photos, that EmbezzlementPlan.doc… it’s all still sitting on your drive. Invisible to you, but not to anyone with a $30 recovery tool downloaded from the internet.

The problem: Your deleted files aren’t actually gone

Most users assume that deleting a file removes it permanently. In reality, standard deletion only removes the file’s reference from the file system. The underlying data often remains intact on disk until it is overwritten by other files. Think of it like tearing the table of contents out of a book while leaving all the pages intact. The operating system forgets where the file is listed, but the data itself is still there.

The space the file used gets marked as available for new data. Until something else writes over it, the original file may remain fully readable on the disk. Depending on how you use your computer, that could take days, weeks, or even months.

Recovery software exploits this. It scans your drive for data that still exists but is no longer listed in the file system. If you’re trying to recover a file you accidentally deleted, this is a lifesaver. But if you’re trying to permanently dispose of sensitive information, it’s a serious problem.

The answer: Overwrite, don’t just delete

To address this privacy gap, we’ve introduced File Shredder for Windows. It permanently destroys the files and folders you’re trying to delete so they can’t be recovered.

When you overwrite a file, you replace every single byte of its contents with new data. The original information is physically altered on the disk surface. Once overwritten, the original data no longer exists. There is nothing left to recover.

But one overwrite is not always enough. Advanced recovery techniques can sometimes detect traces of previous data, especially on older hard drives where magnetic patterns leave subtle residue. That’s why File Shredder doesn’t just overwrite once. Depending on your chosen security level, it overwrites multiple times, using different patterns each pass.

How it works

File Shredder uses DoD 5220.22-M, a data sanitization standard developed by the US Department of Defense for securely destroying classified data stored on computers. 

The standard overwrites data using specific patterns: 

  • Zero-fill passes (every byte set to 0x00) 
  • One-fill passes (every byte set to 0xFF) 
  • Cryptographically random data passes 
  • Verification to confirm the overwrite was successful 

Why these specific patterns? Zeros and ones represent binary data. Random data adds unpredictability. By cycling through these patterns multiple times, the original magnetic or electronic state of the storage medium is thoroughly disrupted, making forensic recovery impractical. 

When File Shredder finishes, that file isn’t just deleted. It’s gone. 

Three levels of shredding

File Shredder overwrites a file before deleting it, helping prevent recovery after it is removed. This is most meaningful on traditional hard drives, where overwrite passes are more direct and predictable. On SSDs, storage works differently, so multiple passes do not provide the same level of assurance. File Shredder offers a few levels so you can choose the right balance of speed and confidence for your device and use case.

Not every file on your computer will need military-grade destruction. Shredding takes time because each pass means reading and writing the entire file contents. File Shredder gives you three options, so you can balance security against speed.  

Basic (1 Pass) 

The entire file is overwritten with zeros. This is the fastest option and is effective for everyday file deletion where you want to prevent casual recovery. If someone ran a recovery tool after a Basic shred, they would find nothing but empty data where your file used to be. 

Best for: Temporary files, downloads you no longer need, general cleanup where speed matters. 

Thorough (4 Passes, DoD 5220.22-M) 

The file is overwritten with zeros, then ones, then random data, then zeros again. After these passes complete, File Shredder performs a verification step, reading the file back to confirm the overwrite patterns were successfully written. This catches any disk errors or write failures that might have left original data intact. 

Pattern: Zeros (0x00) > Ones (0xFF) > Random > Zeros (0x00) 

Best for: Financial documents, tax records, personal identification documents, medical records, anything you would not want exposed in a data breach or if your computer were stolen. 

Paranoid (8 Passes, Extended DoD 5220.22-M) 

This runs the full zeros-ones-random-zeros sequence twice, with verification after completion. The additional passes provide extra assurance against advanced forensic recovery techniques. 

Pattern: Zeros > Ones > Random > Zeros > Zeros > Ones > Random > Zeros 

Best for: Highly confidential business data, legal documents, intellectual property, anything subject to regulatory compliance, or situations where you need absolute certainty. 

File Shredder from Malwarebytes has three levels of shredding.

A note on SSDs

Solid-state drives (SSDs) behave differently from traditional hard drives because wear leveling and flash translation layers may redirect writes to different physical blocks. This means overwriting a file once or multiple times does not guarantee the original data was overwritten. Multi-pass shredding methods were designed for HDDs and are less predictable on SSDs. 

How to get started 

File Shredder lives in the Tools section of your Malwarebytes desktop software, alongside other system utilities. We designed it to be straightforward while ensuring you understand the permanence of what you are about to do. 

Go to Tools in Malwarebytes, then File Shredder

Select 

Choose individual files, entire folders, or multiple items at once. File Shredder automatically protects critical system files, so you cannot accidentally shred something that would damage Windows or your Malwarebytes installation. Before anything happens, you’ll see a complete list of every file that will be shredded, with full visibility into file names, locations, and sizes. 

Confirm 

Clear warning dialogs explain that destruction is permanent. You must explicitly acknowledge before anything is destroyed. Once a file is shredded, it cannot be recovered.

Shred 

Choose your level (Basic, Thorough, or Paranoid) and confirm. During shredding, you’ll see real-time progress showing:

  • which file is being shredded
  • how far along the process is
  • estimated time remaining

You can pause or cancel the job. However, once File Shredder starts working on a file, it finishes shredding that file before stopping. This prevents files from being left in a partially overwritten state, which could leave them corrupted or difficult to delete properly.

Done 

When shredding completes, File Shredder shows a report listing every file that was successfully destroyed. You’ll also receive a notification confirming the job is finished.

How File Shredder handles large files safely

Shredding large files or deeply nested directories can use a lot of CPU and resources on your machine. To balance security with performance, the implementation includes:

  • Buffered write operations for efficient disk access
  • Chunked overwrite processing to handle large files without excessive memory use
  • Recursive folder shredding that processes entire directory trees
  • Cancellation handling where feasible, without leaving partial data behind
  • Error reporting so you know if any file could not be shredded (for example, if it’s open in another application)
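An added example (not Malwarebytes' code) of the pass sequences from the three shredding levels and the chunked, verified overwrite listed above. The function names, the 1 MiB chunk size, and checking only the final zero pass during verification are assumptions made for this example.

```python
import os
import secrets
import tempfile

CHUNK_SIZE = 1024 * 1024  # assumed chunk size (1 MiB); the page does not give one

# Pass sequences as listed on the page for each level.
DOD_SEQUENCE = ["zeros", "ones", "random", "zeros"]
LEVELS = {
    "basic": ["zeros"],
    "thorough": DOD_SEQUENCE,
    "paranoid": DOD_SEQUENCE * 2,
}


def pattern_bytes(pattern, length):
    """Return `length` bytes of the named overwrite pattern."""
    if pattern == "zeros":
        return bytes(length)
    if pattern == "ones":
        return b"\xff" * length
    if pattern == "random":
        return secrets.token_bytes(length)  # drawn from the OS CSPRNG
    raise ValueError(f"unknown pattern: {pattern}")


def overwrite_pass(fh, size, pattern, chunk_size=CHUNK_SIZE):
    """Overwrite the first `size` bytes of fh in chunks, then force to disk."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(chunk_size, remaining)
        fh.write(pattern_bytes(pattern, n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # without this the pass may only reach the OS cache


def verify_fill(fh, size, byte_value, chunk_size=CHUNK_SIZE):
    """Read the file back and confirm every byte equals byte_value."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(chunk_size, remaining)
        if fh.read(n) != bytes([byte_value]) * n:
            return False
        remaining -= n
    return True


def shred(path, level="thorough", chunk_size=CHUNK_SIZE, remove=True):
    """Overwrite a regular file with the level's passes, verify, then delete."""
    passes = LEVELS[level]
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"not a regular file: {path}")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:  # r+b: overwrite in place, never truncate
        for pattern in passes:
            overwrite_pass(fh, size, pattern, chunk_size)
        # Every level ends on a zero pass, so the final state is checkable.
        verified = verify_fill(fh, size, 0x00, chunk_size)
    if not verified:
        raise OSError(f"verification failed, file left in place: {path}")
    if remove:
        os.remove(path)
    return {"level": level, "passes": len(passes), "bytes": size, "verified": verified}


def demo():
    """Shred a constructed sample file and return the report."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed sample: account 000-00-0000\n" * 1000)
    report = shred(path, level="paranoid", chunk_size=4096)
    report["still_exists"] = os.path.exists(path)
    return report


if __name__ == "__main__":
    print(demo())
```

As the SSD note above says, in-place overwrites like this carry the stated assurance only on traditional hard drives.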

Preventing accidental shredding

Building a feature that claims to permanently destroy data is a serious responsibility. We did not just write the code and assume it worked. We tested aggressively.

Because shredding is irreversible, the UI incorporates multiple safeguards before execution:

  • Explicit file or folder selection
  • Clear warnings about permanent deletion
  • Confirmation prompts before shredding begins
  • Shredding prevention on protected system paths or Malwarebytes files

When you’re done with a file, it should really be done

For too long, “delete” has mostly meant out of sight, not out of existence. File Shredder changes that. By securely overwriting files before removing them, it helps ensure your sensitive data stays private even after you delete it.



Malwarebytes

How to see your Google Search history (and delete it)

March 10, 2026, 14:40

Your Google Search history provides one of the most detailed windows into your private life, and I know this because when I looked at my own search history last year, I was overwhelmed by the information buried within.

Across just 18 months, Google tracked the 8,079 searches I made and the 3,050 websites I visited because of those searches. That included my late-night perusal of WebMD because of medical symptoms I’d looked up just seconds before, my tour of Goodwill donation sites as I searched for where to drop off clothes ahead of an upcoming move, and my ironically tracked visit to a Reddit thread titled “How do I delete most, if not all, of my info off of the Internet?” (One answer I learned: Don’t use Google Search.)

Google tracked my every question, concern, and flight of fancy—almost literally. On just one day in August 2025, Google recorded the seven flight searches I made on Google Flights and the six hotel searches I made on Google Travel.

Google also recorded the many questions and requests I made when researching topics for the Lock and Code podcast, which I host. And while all of that Google data made for an interesting investigation into what Google knows about me (which you can listen to below), it also made it clear that more people should know how to access this same information.

For most Google users, if Web & App Activity is turned on, Google is saving what they look up, what time they looked it up, and what websites they clicked on as a result. There are ways to turn that data tracking off, but the first step is to know where to look.

Here’s how to do that.

How to find your Google Search history

You can start by opening your web browser and signing into Google’s centralized hub for your data online at myactivity.google.com.

The My Google Activity home page

Once logged in, you’ll see the above welcome screen with quick settings that you can change, if you want to. Those settings are different for some users, but may include:

  • Web & App Activity
  • Timeline
  • Play History
  • YouTube History

Further down on the page, you can browse through your Google Search history. (Our screenshot gallery below can help walk you through the steps.)

  • First, look for the search bar in the welcome screen that says Search your activity.
  • Right below, you will find the words Filter by date & product. These words are clickable. Click them.
  • Once you’ve clicked Filter by date & product, you’ll see a pop-up menu where you can look through your Google activity by date or product. Instead of focusing on the date, scroll down through the list of Google products and check the box for Google Search.
  • Press Apply.

After you press Apply, you’ll be taken to a webpage that lists your Google Search history in reverse chronological order, showing you your most recent activity first. As you scroll down, you can find older activity. You can also use the search bar at the top of the page to look for individual pieces of activity, like a search or series of searches that you previously made.

From here, you can also delete individual Google Search entries so that Google no longer stores that data. This will only apply to the individual search you made.

  • You can delete individual searches by clicking the “X” button in the top right corner of each search record
  • Confirm your deletion by pressing “Delete”
  • Your search is now no longer tied to your overall Google activity

If you want to better protect your privacy, making targeted deletions from your Google Search history is a difficult, lengthy, and imperfect method. Instead, you can simply tell Google to stop recording any of your searches from now on.

How to turn off Google Search history

There’s a simple way to instruct Google to stop saving your online searches to your Google Account, and it takes just a few clicks. Follow the instructions below, along with the image gallery, for guidance.

  • Go to your My Google Activity homepage (this is the same page you saw when first signing into myactivity.google.com)
  • Click on that quick control button we saw earlier: Web & App Activity
  • From here, you will see a new screen with the title Activity Controls
  • Find the button that says Turn off and click it
  • Choose between Turn off and Turn off and delete activity

If you selected Turn off, you’re done. Google will no longer save your Google Searches as part of your overall Google profile activity. This option means that Google still has your prior searches recorded, though. So, if you want, you can choose the second option, Turn off and delete activity.

When you select that option, Google will walk you through additional steps to choose what types of data you want erased, such as past activity tied to Google Search, Maps, Ads, Image Search, Google Play Store, Help and other services. All of these options reveal just how many products and pipelines Google has built to vacuum up your data.

Don’t be overwhelmed, though. Go through the list at your own pace and start making decisions about your data that are right for you.


We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.


Signal and WhatsApp accounts targeted in phishing campaign

March 10, 2026, 08:19

Dutch intelligence services AIVD and MIVD warn that Russian state‑backed hackers are running a large‑scale campaign to break into Signal and WhatsApp accounts of high‑value targets.

The targets are said to be senior officials, military personnel, civil servants, and journalists. The attackers are not breaking end‑to‑end encryption or exploiting a vulnerability in the apps themselves. Instead, they rely on proven phishing and social engineering methods to trick users into handing over verification codes and PINs, or to add a malicious “linked device” to their account.

Last year we reported on GhostPairing, a method that tricks the target into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device to the account.

In the cases reported by the Dutch intelligence services, the attackers contacted victims on Signal or WhatsApp while posing as “Signal Security Support Chatbot”, “Signal Support” or a similar official‑sounding account.

The message typically warns about suspicious activity or a possible detected data leak and instructs the user to complete a verification step to avoid losing data or having their account blocked.

Victims are then asked to send back the SMS verification code they just received and/or their Signal PIN.

If the victim complies, the attacker can register the account on a device they control and effectively take it over, receiving new messages and sending messages as the victim.

In a second variant, attackers abuse the “linked devices” feature (Signal’s and WhatsApp’s desktop or other secondary device function). Targets are pushed to click a link or scan a QR code that silently links the attacker’s device to the victim’s account. The victim keeps access as normal, but the attacker can now read along in real time without obvious signs of compromise.

These attacks are not new, but deserve a renewed warning because they rely entirely on human behavior, and understanding how they work makes them easier to stop. The methods used are not technically sophisticated and they can easily be copied by non‑state actors or ordinary cybercriminals.

Because of the current Russian campaigns, AIVD and MIVD say that chat apps such as Signal and WhatsApp are unsuitable for sharing classified, confidential, or otherwise sensitive government information, even though they technically support end‑to‑end encryption.

How to keep your conversations confidential

One specific warning for the targeted users is to use designated apps for sensitive information. Despite dedicated secure systems being available to many of them, some resorted to apps they already knew—Signal and WhatsApp. And to be fair, these apps are safe if you follow a few basic rules:

How to prevent and detect compromised accounts

  • Never share verification codes or PIN numbers. Your SMS verification code and PIN are only needed when you install or re‑register the app on a device. They are never legitimately requested in a chat. Any in‑app message, direct message (DM), email, or SMS asking you to send these codes back is a phishing attempt.
  • Do not trust “support” accounts in chat. Signal explicitly states that Support will never contact you via in‑app messages, SMS, or social media to ask for your verification code or PIN. Treat any “Signal Support Bot”, “Security Chatbot” or similar as malicious, block and report it and then delete the conversation.
  • Be cautious with links and QR codes in chat. Only scan QR codes or click device‑linking links when you yourself are in the app’s device‑linking menu and you initiated the process. If a message pushes you to “verify your device” or “secure your data” via a link or QR, assume it is part of this campaign.
  • Regularly review linked devices and group memberships. In Signal and WhatsApp, check the list of linked devices and remove anything you do not recognize. Also keep an eye out for strange group participants or duplicate contacts (for example “deleted account” or a contact that appears twice), which Dutch intelligence services mention as possible signs of account compromise.
  • Use built‑in hardening features. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.

Use disappearing messages

Both Signal and WhatsApp support disappearing messages, and using them can meaningfully limit the impact of account compromise or device access (though they don’t prevent it completely).

Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.

Signal lets you set a per‑chat timer so that all new messages in that conversation auto‑delete from all devices after the chosen period. You can enable it for 1:1 or group chats and choose from various durations (seconds to weeks), and either party can see it is enabled and change the timer.

WhatsApp also supports disappearing messages with timers per chat (and a default option for new chats). Messages can auto-delete after periods such as 24 hours, 7 days, or 90 days, and newer builds include shorter options like 1 or 12 hours.

You turn it on in the chat info under “Disappearing messages,” then pick the desired timer; only messages sent after enabling it are affected.

For particularly sensitive media or voice messages, WhatsApp also offers “view once” photos, voice messages, and videos that can only be opened a single time before disappearing from the chat.

Enable multi-factor authentication

We’ve written a complete guide on setting up two-step verification on WhatsApp.

To set up two-factor authentication (2FA) on Signal, enable the Registration Lock feature, which requires your set PIN to log in on a new device. Open Signal, go to Settings > Privacy > Registration Lock and turn it on. This ensures that even if someone steals your SIM, they cannot access your account without your personal PIN.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.


Quiz sites trick users into enabling unwanted browser notifications

March 9, 2026, 09:53

Our support team flagged a number of customers who suspected their device might be infected with malware, but Malwarebytes scans came up empty.

When the customers provided screenshots, our Malware Removal Support team quickly recognized the format as web push notifications.

The reason the scans came up clean is that these notifications aren’t malware on the device. They’re browser notifications from websites that trick users into clicking “Allow.”

We helped the customers disable the push notifications (see below for instructions). But since most of them didn’t know how they got them in the first place, we went down the rabbit hole to find out where they were coming from.

Examples of web push notifications

We started with one of the most prevalent domains called unsphiperidion[.]co.in, but all we found was a misleading advertisement that promised the Adguard browser extension and instead led to Poperblocker.

Screenshot showing fake "update the Adguard browser extension" prompt
Fake Adguard browser extension update prompt

But another clue, also mentioned by the Malware Removal Support team—a domain called triviabox[.]co[.]in—practically brought us straight to the source.

We found a site that challenged our intelligence by prompting us to take a quiz.

Screenshot showing "Only people who lived through the 80s can score 15/20 on this quiz"
Quiz website example

Later we found these quizzes come in different flavors. Some are about geography, vocabulary, and history, while others are specifically targeted at Canada, Germany, France, Japan, and the US.

But the main goal of these sites is to get you to click the “Start the quiz” button, so the site can send notifications later and make money from ads, affiliate schemes, scams, or unwanted downloads.

Screenshot showing "Ready to test your knowledge? Start the quiz"
Ready to test your knowledge? Start the quiz

What that button does before it starts the quiz is show the visitor a prompt with a misleading background.

Screenshot showing "Click Allow to continue" and a show notifications prompt.
Click Allow to continue triggers the browser’s “show notifications” prompt

The show notifications text in the actual prompt tells the real story. You’ll be giving the website permission to show you notifications even when you’re not on the website, which makes it hard for users to determine the origin.

The Click “Allow” to continue text with the red arrow on the website itself is nothing more than a well-placed lure to get you to click that Allow button and open the flood gates. To avoid raising suspicion, the visitor is then presented with the quiz, so later on they will have no reason to suspect what started the ordeal.

Web push notifications (also called browser push notifications) are not always simple advertisements. Some can be misleading messages about the safety of your computer. The gear icon in the notifications themselves can be very helpful. On Chromium-based browsers, clicking it will lead you to the Notifications settings menu where you can block them.

Unfortunately, we often find them used by “affiliates” to promote security software. If you’re looking for an anti-malware solution that doesn’t make use of such affiliates, you know where to find us.

How to remove and block web push notifications

For every browser, the notifications look slightly different and the methods to disable them are slightly different as well. To make them easier to find, I have split them up by browser.

Chrome

To completely turn off notifications, even from an extension:

  • Click the three dots button in the upper right-hand corner of the Chrome menu to enter the Settings menu.
  • In the Settings menu, click on Privacy and Security.
  • Click on Site settings.
  • In that menu, select Notifications.
  • By default, the slider is set to Sites can ask to send notifications, but feel free to move it to Don’t allow sites to send notifications if you wish to block notifications completely.

For more granular control, you can use the Customized behaviors menu to manipulate the individual items.

Customized behaviors section of the Chromium notifications menu

Note that sometimes you may see items with a jigsaw puzzle piece icon in the place of the three stacked dots. These are enforced by an extension, so you would have to figure out which extension is responsible first and then remove it. But for the ones with the three dots behind them, you can click on the dots to open this context menu:

Selecting Block will move the item to the block list. Selecting Remove will delete the item from the list. It will ask permission to show notifications again if you visit their site (unless you have set the slider to Block).

Shortcut: another way to get into the Notifications menu shown earlier is to click on the gear icon in the notifications themselves. This will take you directly to the itemized list.
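For support staff triaging several machines, the per-site list behind the Customized behaviors menu can also be read from the browser profile. The following is an added example, not code from the article: it assumes the Chromium `Preferences` JSON layout `profile.content_settings.exceptions.notifications` with setting 1 = allow and 2 = block and timestamps in microseconds since 1601, and the sample data and `.example` domains are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ALLOW, BLOCK = 1, 2  # assumed Chromium content-setting values

# Constructed sample of the relevant part of a profile's Preferences file.
SAMPLE_PREFERENCES = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://news.example:443,*":           {"last_modified": "13390000000000000", "setting": 1},
  "https://push.quiz-site.example:443,*": {"last_modified": "13416796800000000", "setting": 1},
  "https://ads.example:443,*":            {"last_modified": "13400000000000000", "setting": 2}
}}}}}
""")

# Constructed blocklist, written defanged like the domains quoted in the article.
BLOCKLIST = ["quiz-site[.]example"]


def refang(domain):
    """Turn a defanged indicator (quiz-site[.]example) into a comparable hostname."""
    return domain.replace("[.]", ".").strip().lower()


def webkit_time(value):
    """Convert microseconds since 1601-01-01 UTC into an aware datetime."""
    if not value:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))


def notification_entries(prefs):
    """Yield (host, setting, last_modified) for every stored notification decision."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    for pattern, entry in exceptions.items():
        primary = pattern.split(",", 1)[0]           # "https://host:443,*" -> "https://host:443"
        host = urlsplit(primary).hostname or primary  # fall back to the raw pattern
        yield host.lower(), entry.get("setting"), webkit_time(entry.get("last_modified"))


def audit(prefs, blocklist):
    """List sites allowed to push notifications, blocklisted ones first."""
    listed = {refang(d) for d in blocklist}
    findings = []
    for host, setting, changed in notification_entries(prefs):
        if setting != ALLOW:
            continue  # already blocked, or still set to ask
        hit = any(host == d or host.endswith("." + d) for d in listed)
        findings.append({
            "host": host,
            "on_blocklist": hit,
            # The date helps trace which browsing session led to the "Allow" click.
            "granted": changed.date().isoformat() if changed else None,
        })
    return sorted(findings, key=lambda f: (not f["on_blocklist"], f["host"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_PREFERENCES, BLOCKLIST):
        print(("REVOKE " if f["on_blocklist"] else "review ") + f["host"], f["granted"])
```

Every origin it reports can then be blocked or removed through the Notifications menu described above.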

Firefox

To completely turn off notifications in Firefox:

  • Click the three horizontal bars in the upper right-hand corner of the menu bar and select Options in the settings menu.
  • On the left-hand side, select Privacy & Security.
  • Scroll down to the Permissions section and click on Notifications.
  • In the resulting menu, put a checkmark in the Block new requests asking to allow notifications box at the bottom.

In the same menu, you can apply a more granular control by setting listed items to Block or Allow by using the drop-down menu behind each item.

Click on Save Changes when you’re done.

Opera

Where push notifications are concerned, you can see how closely related Opera and Chrome are.

  • Open the menu by clicking the O in the upper left-hand corner.
  • Click on Settings (on Windows)/Preferences (on Mac).
  • Click on Advanced and select Privacy & security.
  • Under Content settings (desktop)/Site settings (Android), select Notifications.

Opera notifications menu

On Android, you can remove all the items at once or one by one. On desktops, it works exactly the same as it does in Chrome. The same is true for accessing the menu from the notifications themselves. Click the gear icon in the notification, and you will be taken to the Notifications menu.

Edge

In Edge, go to Settings and more in the upper right corner of your browser window, then

  • Select Settings > Privacy, search, and services > Site permissions > All sites.
  • Select the website for which you want to block notifications, find the Notifications setting, and choose Block from the dropdown menu.

To manage notifications from your browser address bar: 

To check or manage notifications while visiting a website you’ve already subscribed to, follow the steps below:   

  • Select View site information to the left of your address bar.
  • Under Permissions for this site, go to Notifications and choose Block from the drop-down menu.

Safari on Mac

On your Mac, open the Apple menu, then

  • Choose System Settings, then click Notifications in the sidebar. (You may need to scroll down.)
  • Go to Application Notifications, click the website, then turn off Allow Notifications.

The website remains in the list in Notifications settings. To remove it from the list, deny the website permission to send notifications in Safari settings. See Change websites settings.

To stop seeing requests for permission to send you notifications in Safari:

  • Go to the Safari app on your Mac.
  • Choose Safari > Settings.
  • Click Websites, then click Notifications.
  • Deselect Allow websites to ask for permission to send notifications.

From now on, when you visit a website that wants to send you notifications, you aren’t asked.

Are these notifications useful at all?

While we could conceive of some cases where push notifications might be found useful, we would certainly not hold it against you if you decided to disable them altogether.

Web push notifications are not just there to disturb Windows users. Android, Chromebook, macOS, even Linux users may see them if they use one of the participating browsers: Chrome, Firefox, Opera, Edge, and Safari. In some cases, the browser does not even have to be opened, and it can still display push notifications.

Be careful out there and think twice before you click “Allow.”

Indicators of Compromise (IOCs)

During the course of the investigation we found—and blocked—these domains related to the campaign:


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Samsung TVs stop spying on viewers in Texas. Here’s how to disable ACR anywhere

March 2, 2026, 12:01

Samsung has settled a lawsuit with the Texas Attorney General over how its smart TVs collect and monetize viewing data using Automated Content Recognition (ACR). As part of the settlement, Samsung agreed to stop collecting ACR data from Texans without explicit, informed consent and to rewrite its on‑screen privacy prompts and dialogs.

Texas Attorney General (AG) Paxton stated:

“I commend Samsung for being one of the first smart TV companies in the world to make these important changes.”

The Texas AG sued Samsung and other TV makers (Hisense, Sony, LG, TCL) over ACR-based “mass surveillance programs” monitoring what people watch and building profiles used for advertising and monetization.

ACR works by:

  • Taking tiny samples of the sound or picture from what’s on your screen (a few seconds at a time).
  • Turning those samples into a kind of fingerprint (a compact pattern that uniquely represents that content).
  • Comparing that fingerprint to a giant database of known shows, movies, channels, and ads to find a match.

If it finds a match, the system knows “this TV user is watching Episode X of Show Y at time Z” or “this ad just played on this device.”
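The three steps above as an added toy example, not from the article and not any TV vendor's algorithm: constructed synthetic audio stands in for programmes, each 50 ms frame is reduced to a 6-bit code, and a quieter, noisy one-second capture is matched against the reference database. All titles, names and parameters are assumptions, and the capture is frame-aligned to keep the sketch short.

```python
import math
import random

RATE = 8000    # samples per second
FRAME = 400    # samples per frame (50 ms)
BANDS = [300, 500, 800, 1200, 1800, 2600, 3400]  # Hz, all multiples of RATE / FRAME

# Reference sine/cosine tables, one pair per band, reused for every frame.
SIN = [[math.sin(2 * math.pi * f * n / RATE) for n in range(FRAME)] for f in BANDS]
COS = [[math.cos(2 * math.pi * f * n / RATE) for n in range(FRAME)] for f in BANDS]


def synth(seed, seconds):
    """Constructed stand-in for programme audio: a new random chord every frame."""
    rng = random.Random(seed)
    out = []
    for _ in range(seconds * RATE // FRAME):
        amps = [rng.uniform(0.2, 1.0) for _ in BANDS]
        for n in range(FRAME):
            out.append(sum(a * SIN[b][n] for b, a in enumerate(amps)))
    return out


def band_power(frame, b):
    """Energy of one frame at band b (a single DFT bin)."""
    s = sum(x * y for x, y in zip(frame, SIN[b]))
    c = sum(x * y for x, y in zip(frame, COS[b]))
    return s * s + c * c


def fingerprint(samples):
    """Step 2: one 6-bit code per frame; bit b is set when band b is louder than band b+1."""
    codes = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        p = [band_power(frame, b) for b in range(len(BANDS))]
        codes.append(sum(1 << b for b in range(len(p) - 1) if p[b] > p[b + 1]))
    return codes


def hamming(a, b):
    """Number of differing bits between two equally long code sequences."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def identify(sample_fp, database, max_fraction=0.2):
    """Step 3: slide the sample over each reference; return (title, offset_seconds) or None."""
    bits = len(sample_fp) * (len(BANDS) - 1)
    best = None
    for title, ref in database.items():
        for off in range(len(ref) - len(sample_fp) + 1):
            d = hamming(sample_fp, ref[off:off + len(sample_fp)])
            if best is None or d < best[0]:
                best = (d, title, off * FRAME / RATE)
    if best is not None and best[0] <= max_fraction * bits:
        return best[1], best[2]
    return None


def capture(samples, start_s, length_s, volume=0.5, noise=0.05, seed=99):
    """Step 1: what the TV samples, here a short excerpt at lower volume with added noise."""
    rng = random.Random(seed)
    a, b = int(start_s * RATE), int((start_s + length_s) * RATE)
    return [volume * x + rng.gauss(0, noise) for x in samples[a:b]]


def demo():
    shows = {"Show A ep. 1": synth(1, 4), "Show B ep. 7": synth(2, 4), "Ad C": synth(3, 4)}
    database = {title: fingerprint(audio) for title, audio in shows.items()}
    seen = identify(fingerprint(capture(shows["Show B ep. 7"], 2.0, 1.0)), database)
    unseen = identify(fingerprint(capture(synth(42, 3), 1.0, 1.0)), database)
    return seen, unseen


if __name__ == "__main__":
    print(demo())
```

Because only the ordering of band energies is kept, the match does not depend on volume or on which input the audio arrived through, and the 20 small codes sent per second are enough to name the title and the position within it.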

Paxton argues that customers did not meaningfully consent to this data collection, which he calls “watchware,” framing it as deliberate monitoring, rather than an accident.

Samsung also faces a federal class action in New York. Plaintiffs claim Samsung TVs track, store, and sell viewing data to companies such as Google and X (Twitter) without informed consent, in violation of the federal Video Privacy Protection Act and various state privacy laws.

The New York complaint further alleges that Samsung’s ACR records image and audio every 500 ms regardless of source (broadcast, streaming apps, or PC monitor use), and that Samsung’s privacy notice downplays the scope of that data collection by referring to “processing” viewing history.

How to disable ACR

If you’d prefer to limit or disable ACR-style monitoring of your watching behavior, here’s where to look. Menu names may vary slightly depending on the model and year.

Samsung

Samsung has agreed to modify its consent and disclosure practices for Texas residents as part of the settlement. Users elsewhere can manually adjust these settings:

  • Press Home on the remote.
  • Go to Settings → Support → Terms & Privacy → Privacy Choices (or Settings → All Settings → General & Privacy → Terms & Privacy / Privacy Choices).
  • Turn Viewing Information Services off (this is Samsung’s ACR).
  • Optional hardening: In the same menu area, disable Interest-Based Advertising and any Voice Recognition Services if you don’t want voice data sent off‑box.

LG TVs (webOS)

  • Press Settings (gear icon).
  • Go to All Settings → General → System → Additional Settings.
  • Set Live Plus to off (this is LG’s ACR layer).
  • In the same or nearby menu, enable Limit Ad Tracking (or similar option) to reduce ad profiling.

Vizio TVs

  • Press Menu on the remote.
  • Go to System → Reset & Admin.
  • Turn Viewing Data off (this disables Vizio’s ACR and viewing logs).

Sony TVs (Google TV / Android TV)

Many Sony TVs use Samba Interactive TV as the ACR component.

  • Press Home.
  • For newer Google TV models:
    • Go to Settings → All Settings → Privacy; toggle Samba Interactive TV off.
  • For models using usage‑diagnostics style controls:
    • Go to Settings → Device Preferences → Usage & Diagnostics and turn all reporting off.

This disables the Samba ACR integration and general telemetry used for ad/experience tuning.

Roku TVs (TCL, Hisense, etc. running Roku OS)

  • From the Roku home screen, go to Settings → Privacy.
  • Under Advertising:
    • Uncheck / toggle off Personalize ads (this stops use of your advertising ID for interest‑based ads).
    • Optionally select Reset advertising ID to rotate the ID.
  • Under Smart TV Experience (if present):
    • Turn off Use info from TV inputs to stop ACR on HDMI and other external sources.



How to understand and avoid Advanced Persistent Threats

February 26, 2026, 15:52

By definition, an advanced persistent threat (APT) is a prolonged, targeted attack on a specific victim with the intention to compromise their system and gain information from or about that target.

About a decade ago, the term was mostly used for state-sponsored threat actors. I used threat actors here, because in the state where they operated from and for, they are not seen as cybercriminals. That perception changes, of course, when you’re on the receiving end of such an attack.

When these threats were first identified, their targets were governments and military organizations. Nowadays, the target can be any person, organization or business. We commonly see attacks on healthcare, telecoms, finance, MSPs, SaaS platforms, and supply chain providers.

“APT” is often used as a dramatic label for any serious breach, even if it was short‑lived or opportunistic. So, let’s break down the name to see what really qualifies as an APT.

Advanced

Advanced does not necessarily mean Hollywood‑level hacking, but it does mean the attackers are deliberate and well prepared. They often combine several techniques: buying or discovering new, unknown software flaws (so‑called zero‑day vulnerabilities), abusing old but unpatched bugs, and crafting very convincing phishing emails that look like genuine messages from colleagues or partners. They may also use legitimate admin tools already present in the network, so-called LOLbins (Living Off the Land Binaries), which makes their activity harder to spot because it looks like normal IT work.

In practice, “advanced” is less about using the fanciest tool and more about choosing the right mix of tools and tactics for a specific victim. An APT group might spend weeks studying a target’s people, systems, and suppliers and then analyze that data with the help of AI. That way, when they finally make a move, it has the highest chance of working on the first try.

Persistent

Persistence is what makes APTs so dangerous. These attackers don’t care about a quick hit‑and‑run raid. They want to break in, stay inside, and keep coming back for as long as access is useful to them. If defenders discover their activity and kick them out of one system, they may use another back door they prepared earlier, or will simply regroup and look for a new way in.

Being persistent also means they move slowly and quietly. Attackers may spend months exploring the network, creating multiple hidden entry points, and regularly checking back in to see what new data has appeared that is worth stealing. From the defender’s point of view, this turns the incident from a single event into an ongoing campaign. You have to assume the attackers will try again, even after you think you have removed them.

Threat

The word threat doesn’t imply that only one kind of malware is involved. An APT usually includes several types of attacks. It refers to the whole operation: the people, their tools, and their infrastructure, not just one piece of malware.

An APT may involve phishing, exploiting vulnerabilities, installing remote access tools, and stealing or abusing passwords. Together, these activities form the threat to the organization’s systems and data.

Behind the threat is a team with a goal (for example, stealing sensitive designs, spying on communications, or preparing for future disruption), and with the patience and resources to keep pushing until they reach that goal.

How to stay safe

To avoid falling victim to an APT, assume you could be up against a formidable opponent.

  • Be cautious with unexpected emails, messages and attachments, not just at work.
  • Use passkeys where possible and strong, unique passwords where not, and a password manager.
  • Turn on multi‑factor authentication (MFA) wherever possible.
  • Keep your software and hardware updated, especially public-facing network equipment.
  • Use an up-to-date, real-time anti-malware solution, preferably with a web protection component.
  • Take note of any out‑of‑the‑ordinary activity and report it, as even small details can turn out to be important later.



OpenClaw: What is it and can you use it safely?

February 23, 2026, 18:10

An AI tool with a funny name has caused quite a commotion as of late—including some allegations of machine consciousness—so here is a breakdown on OpenClaw.

Launched in November 2025, OpenClaw is an open-source, autonomous artificial intelligence (AI) agent that was made to run locally on your own computer, allowing it to manage tasks, interact with applications, and read and write files directly. It acts as a personal digital assistant, integrating with chat apps like WhatsApp and Discord to automate emails, scan calendars, and browse the internet for information. 

OpenClaw was formerly known as ClawdBot, but the project brushed up against the large AI developer Anthropic, because of its own tool named “Claude.” In response, OpenClaw’s developer quickly renamed the project to “Moltbot,” which brought impersonation campaigns from cybercriminals. The trademark trouble and the abuse that followed put a dent in OpenClaw’s reputation.

Another dent followed when Hudson Rock published an article about the first observed case of an infostealer grabbing a complete OpenClaw configuration from an infected system, effectively looting the “identity” of a personal AI agent rather than just browser passwords.

The case underlines an impending danger—and not just for OpenClaw, but for other AI agents as well. Infostealers are starting to harvest not just credentials but entire AI personas plus their cryptographic “skeleton keys,” turning one compromised agent into a pivot point for full‑blown account takeover and long‑term profiling.

As I stated before in a broader context, adversaries are starting to target AI systems at the supply‑chain level, quietly poisoning training data and inserting backdoors that only surface under specific conditions. OpenClaw sits squarely in this emerging risk zone: open source, moving fast, and increasingly wired into mailboxes, cloud drives, and business workflows while its security model is still being improvised.

At this stage of its development, treating OpenClaw as a hardened productivity tool is wishful thinking, since it behaves more like an over‑eager intern with an adventurous nature, a long memory, and no real understanding of what should stay private.

Researchers and regulators have already documented prompt injection risks, log poisoning, and exposed instances that hand attackers plaintext credentials or tokens via poisoned emails, websites, or logs that the agent dutifully processes.

How to use OpenClaw safely

For anyone thinking about using OpenClaw in production, the bigger picture is even less comforting. OpenClaw runs locally but is designed to be adventurous: it can browse, run shell commands, read and write files, and chain “skills” together without a human checking every step. Misconfigured permissions, over‑privileged skills, and a culture of “just give it access so it can help” mean the agent often sits at the center of your accounts, tokens, and documents, with very few guardrails.

In fact, an employee at Meta who works in AI safety and alignment recently shared on the social media platform X that she was unable to prevent ClawBot from deleting a major portion of her email inbox.

Further, the Dutch data protection authority (Autoriteit Persoonsgegevens) warned organizations not to deploy experimental agents like OpenClaw on systems that handle sensitive or regulated data at all, flagging the combination of privileged local access, immature security engineering, and a rapidly growing ecosystem of dubious third‑party plugins as a kind of Trojan horse on the endpoint.

Microsoft provided a list of recommendations in this field that make a lot of sense. They are not specifically aimed at OpenClaw, but provide a conservative baseline for self‑hosted, Internet‑connected agents with durable credentials. (If these recommendations feel overly technical, it’s because safely using an AI agent with broad access is still an experimental and technical process.)

  • Run OpenClaw (or similar agents) in a sandboxed VM or container on isolated hosts, with default‑deny egress and tightly scoped allow‑lists.
  • Give the runtime its own non‑human service identities, least privilege, short token lifetimes, and no direct access to production secrets or sensitive data.
  • Treat skill/extension installation as introducing new code into a privileged environment: restrict registries, validate provenance, and monitor for rare or newly seen skills.
  • Log and periodically review agent memory/state and behavior for durable instruction changes, especially after ingesting untrusted content or shared feeds.
  • Understand and provide for the event where you may need to nuke‑and‑pave: keep non‑sensitive state snapshots handy, document a rebuild and credential‑rotation playbook, and rehearse it.
  • Run an up-to-date real-time anti-malware solution that can detect information stealers and other malware.


How to find and remove credential-stealing Chrome extensions

13 February 2026, 10:27

Researchers have found yet another family of malicious extensions in the Chrome Web Store. This time, 30 different Chrome extensions were found stealing credentials from more than 260,000 users.

The extensions rendered a full-screen iframe pointing to a remote domain. This iframe overlaid the current webpage and visually appeared as the extension’s interface. Because this functionality was hosted remotely, it was not included in the review that allowed the extensions into the Web Store.

In other recent findings, we reported on extensions spying on ChatGPT chats, sleeper extensions that monitored browser activity, and a fake extension that deliberately caused a browser crash.

To spread the risk of detections and take-downs, the attackers used a technique known as “extension spraying.” This means they used different names and unique identifiers for basically the same extension.

What often happens is that researchers provide a list of extension names and IDs, and it’s up to users to figure out whether they have one of these extensions installed.

Searching by name is easy when you open your “Manage extensions” tab, but unfortunately extension names are not unique. You could, for example, have the legitimate extension installed that a criminal tried to impersonate.

Searching by unique identifier

For Chrome and Edge, a browser extension ID is a unique 32‑character string of lowercase letters that stays the same even if the extension is renamed or reshipped.

When we’re looking at the extensions from a removal angle, there are two kinds: those installed by the user, and those force‑installed by other means (network admin, malware, Group Policy Object (GPO), etc.).

We will only look at the first type in this guide—the ones users installed themselves from the Web Store. The guide below is aimed at Chrome, but it’s almost the same for Edge.

How to find installed extensions

You can review the installed Chrome extensions like this:

  • In the address bar type chrome://extensions/.
  • This will open the Extensions tab and show you the installed extensions by name.
  • Now toggle Developer mode to on and you will also see their unique ID.
Extensions tab showing Malwarebytes Browser Guard
Don’t remove this one. It’s one of the good ones.

Removal method in the browser

Use the Remove button to get rid of any unwanted entries.

If it disappears and stays gone after restart, you’re done. If there is no Remove button or Chrome says it’s “Installed by your administrator,” or the extension reappears after a restart, there’s a policy, registry entry, or malware forcing it.

Alternative

Alternatively, you can also search the Extensions folder. On Windows systems this folder lives here: C:\Users\<your‑username>\AppData\Local\Google\Chrome\User Data\Default\Extensions.

Please note that the AppData folder is hidden by default. To unhide files and folders in Windows, open Explorer, click the View tab (or menu), and check the Hidden items box. For more advanced options, choose Options > Change folder and search options > View tab, then select Show hidden files, folders, and drives.

Chrome extensions folder

You can organize the list alphabetically by clicking on the Name column header once or twice. This makes it easier to find extensions if you have a lot of them installed.

Deleting the extension folder here has one downside. It leaves an orphaned entry in your browser. When you start Chrome again after doing this, the extension will no longer load because its files are gone. But it will still show up in the Extensions tab, only without the appropriate icon.

So, our advice is to remove extensions in the browser when possible.
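To check the Extensions folder against a published ID list without comparing 32-character strings by eye, the sketch below does the matching and prints each extension's name from its manifest so you know what to remove in the browser. It is an added example, not code from the article or the researchers; the IDs and names in `demo()` are constructed, and the `<id>/<version>/manifest.json` layout and `__MSG_…__` name placeholders are assumptions about how Chrome stores installed extensions.

```python
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Chrome/Edge extension IDs are 32 lowercase letters (Chrome only uses a to p).
ID_RE = re.compile(r"[a-p]{32}")

def load_blocklist(text):
    """Collect IDs from lines that start with one ("ID", "ID name", "IDname")."""
    starts = (line.strip()[:32] for line in text.splitlines())
    return {s for s in starts if ID_RE.fullmatch(s)}

def read_json(path):
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):  # missing, unreadable or malformed file
        return {}
    return data if isinstance(data, dict) else {}

def display_name(version_dir):
    """Name from manifest.json; resolves __MSG_key__ via the default locale."""
    manifest = read_json(version_dir / "manifest.json")
    name = str(manifest.get("name", "(no readable manifest)"))
    placeholder = re.fullmatch(r"__MSG_(\w+)__", name)
    if not placeholder:
        return name
    locale = str(manifest.get("default_locale", "en"))
    messages = read_json(version_dir / "_locales" / locale / "messages.json")
    for key, entry in messages.items():
        if key.lower() == placeholder.group(1).lower() and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name

def scan(extensions_dir, blocklist):
    """Return (id, name, flagged) for each <id>/<version>/ folder found."""
    results = []
    for ext_dir in sorted(Path(extensions_dir).iterdir()):
        if not ext_dir.is_dir() or not ID_RE.fullmatch(ext_dir.name):
            continue  # not an extension folder
        versions = sorted(p for p in ext_dir.iterdir() if p.is_dir())
        name = display_name(versions[-1]) if versions else "(no version folder)"
        results.append((ext_dir.name, name, ext_dir.name in blocklist))
    return results

def demo():
    """Scan a throwaway folder holding two constructed extensions."""
    bad, good = "aaaabbbbccccddddeeeeffffgggghhhh", "ppppoooonnnnmmmmllllkkkkjjjjiiii"
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in ((bad, {"name": "__MSG_appName__", "default_locale": "en"}),
                                 (good, {"name": "Constructed Good Extension"})):
            vdir = Path(root, ext_id, "1.0_0")
            vdir.mkdir(parents=True)
            (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        loc = Path(root, bad, "1.0_0", "_locales", "en")
        loc.mkdir(parents=True)
        (loc / "messages.json").write_text(
            json.dumps({"appName": {"message": "Constructed AI Sidebar"}}), encoding="utf-8")
        Path(root, "Temp").mkdir()  # non-ID folder, must be skipped
        return scan(root, load_blocklist(bad + "Constructed AI Sidebar\n"))

if __name__ == "__main__":  # usage: check_extensions.py [blocklist.txt [extensions_dir]]
    if len(sys.argv) < 2:
        rows = demo()  # no blocklist given: run on constructed data
    else:
        default = Path(os.environ.get("LOCALAPPDATA", ""), "Google/Chrome/User Data/Default/Extensions")
        wanted = load_blocklist(Path(sys.argv[1]).read_text(encoding="utf-8"))
        rows = scan(sys.argv[2] if len(sys.argv) > 2 else default, wanted)
    for ext_id, name, flagged in rows:
        print("REMOVE" if flagged else "ok    ", ext_id, name)
```

The script only reads the folder; anything it marks REMOVE should still be removed through chrome://extensions/ so no orphaned entry is left behind.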

Malicious extensions

Below is the list of credential-stealing extensions using the iframe method, as provided by the researchers.



Matrix Push C2 abuses browser notifications to deliver phishing and malware

24 November 2025, 12:43

Cybercriminals are using browser push notifications to deliver malware and phishing attacks.

Researchers at BlackFog described how a new command-and-control platform, called Matrix Push C2, uses browser push notifications to reach potential victims.

When we warned back in 2019 that browser push notifications were a feature just waiting to be abused, we noted that the Notifications API allows a website or app to send notifications that are displayed outside the page at the system level. This means it lets web apps send information to a user even when they’re idle or running in the background.

Here’s a common example of a browser push notification:

Browser notification with Block and Allow

This makes it harder for users to know where the notifications come from. In this case, the responsible app is the browser and users are tricked into allowing them by the usual “notification permission prompt” that you see on almost every other website.

But malicious prompts aren’t always as straightforward as legitimate ones. As we explained in our earlier post, attackers use deceptive designs, like fake video players that claim you must click “Allow” to continue watching.

Click allow to play video?

In reality, clicking “Allow” gives the site permission to send notifications, and often redirects you to more scam pages.

Granting browser push notifications on the wrong website gives attackers the ability to push out fake error messages or security alerts that look frighteningly real. They can make them look as if they came from the operating system (OS) or a trusted software application, including the titles, layout, and icons. There are pre-formatted notifications available for MetaMask, Netflix, Cloudflare, PayPal, TikTok, and more.

Criminals can adjust settings that make their messages appear trustworthy or cause panic. The Command and Control (C2) panel provides the attacker with granular control over how these push notifications appear.

Matrix C2 panel
Image courtesy of BlackFog

But that’s not all. According to the researchers, this panel provides the attacker with a high level of monitoring:

“One of the most prominent features of Matrix Push C2 is its active clients panel, which gives the attacker detailed information on each victim in real time. As soon as a browser is enlisted (by accepting the push notification subscription), it reports data back to the C2.”

It allows attackers to see which notifications have been shown and which ones victims have interacted with. Overall, this allows them to see which campaigns work best on which users.

Matrix Push C2 also includes shortcut-link management, with a built-in URL shortening service that attackers can use to create custom links for their campaign, leaving users clueless about the true destination. Until they click.

Ultimately, the end goal is often data theft or monetizing access, for example, by draining cryptocurrency wallets, or stealing personal information.

How to find and remove unwanted notification permissions

A general tip that works across most browsers: If a push notification has a gear icon, clicking it will take you to the browser’s notification settings, where you can block the site that sent it. If that doesn’t work or you need more control, check the browser-specific instructions below.

Chrome

To completely turn off notifications, even from extensions:

  • Click the three dots button in the upper right-hand corner of the Chrome menu to enter the Settings menu.
  • Select Privacy and Security.
  • Click Site settings.
  • Select Notifications.
  • By default, the option is set to Sites can ask to send notifications. Change to Don’t allow sites to send notifications if you want to block everything.
Chrome notifications settings

For more granular control, use Customized behaviors.

  • Selecting Remove will delete the item from the list. It will ask permission to show notifications again if you visit their site.
  • Selecting Block prevents permission prompts entirely, moving the site to the block list.
Firefox Notifications settings
  • You can also check Block new requests asking to allow notifications at the bottom.
Web Site notifications settings

In the same menu, you can also set listed items to Block or Allow by using the drop-down menu behind each item.
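For Chrome, the same allow and block list can be reviewed outside the settings page, which helps when checking several profiles or machines. The sketch below is an added example, not part of the original article. It assumes the list is stored in the profile's Preferences file (JSON, in the Default profile folder) under `profile.content_settings.exceptions.notifications`, with `setting` 1 meaning allow and 2 meaning block; the sample origins are constructed.

```python
import json
import sys
from pathlib import Path

# Assumed Chromium content-setting values: 1 = allow, 2 = block.
SETTING_NAMES = {1: "allow", 2: "block"}
KEY_PATH = ("profile", "content_settings", "exceptions", "notifications")


def notification_permissions(preferences_text):
    """Return sorted (origin, decision) pairs from a Preferences JSON document."""
    node = json.loads(preferences_text)
    for key in KEY_PATH:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    rows = []
    for pattern, entry in (node.items() if isinstance(node, dict) else []):
        # Keys look like "https://site.example:443,*"; keep the requesting origin.
        origin = pattern.split(",", 1)[0]
        setting = entry.get("setting") if isinstance(entry, dict) else None
        rows.append((origin, SETTING_NAMES.get(setting, f"other({setting})")))
    return sorted(rows)


def allowed_origins(preferences_text):
    """Origins that may currently send push notifications."""
    return [o for o, decision in notification_permissions(preferences_text)
            if decision == "allow"]


# Constructed sample, not taken from a real profile.
SAMPLE = json.dumps({"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://video-player.example:443,*": {"setting": 1},
    "https://news.example:443,*": {"setting": 2},
    "https://mail.example:443,*": {"setting": 1},
}}}}})

if __name__ == "__main__":  # usage: notif_audit.py [path-to-Preferences]
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    for origin, decision in notification_permissions(text):
        print(f"{decision:6} {origin}")
```

Any origin in the allow list that you do not recognise is a candidate for Remove or Block in the settings page described above.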

Opera

Opera’s settings are very similar to Chrome’s:

  • Open the menu by clicking the O in the upper left-hand corner.
  • Go to Settings (on Windows)/Preferences (on Mac).
  • Click Advanced, then Privacy & security.
  • Under Content settings (desktop)/Site settings (Android) select Notifications.
website specific notifications Opera

On desktop, Opera behaves the same as Chrome. On Android, you can remove items individually or in bulk.

Edge

Edge is basically the same as Chrome as well:

  • Open Edge and click the three dots (…) in the top-right corner, then select Settings.
  • In the left-hand menu, click on Privacy, search, and services.
  • Under Sites permissions > All permissions, click on Notifications.
  • Turn on Quiet notifications requests to block all new notification requests. 
  • Use Customized behaviors for more granular control.

Safari

To disable web push notifications in Safari, go to Safari > Settings > Websites > Notifications in the menu bar, select the website from the list, and change its setting to Deny. To stop all future requests, uncheck the box that says Allow websites to ask for permission to send notifications in the same window. 

For Mac users

  1. Go to Safari > Settings > Websites > Notifications.
  2. Select a site and change its setting to Deny or Remove.
  3. To stop all future prompts, uncheck Allow websites to ask for permission to send notifications.

For iPhone/iPad users

  1. Open Settings.
  2. Tap Notifications.
  3. Scroll to Application Notifications and select Safari.
  4. You’ll see a list of sites with permission.
  5. Toggle any site to off to block its notifications.


Fake calendar invites are spreading. Here’s how to remove them and prevent more

21 November 2025, 12:28

We’re seeing a surge in phishing calendar invites that users can’t delete, or that keep coming back because they sync across devices. The good news is you can remove them and block future spam by changing a few settings.

Most of these unwanted calendar entries are there for phishing purposes. Most of them warn you about an “impending payment,” but they differ in the subject and in the action they want the target to take.

Sometimes they want you to call a number:

"Call this number" scams

And sometimes they invite you to an actual meeting:

fake Geek Squad billing update meeting

We haven’t followed up on these scams, but when attackers want you to call them or join a meeting, the end goal is almost always financial. They might use a tech support scam approach and ask you to install a Remote Monitoring and Management tool, sell you an overpriced product, or simply ask for your banking details.

The sources are usually distributed as email attachments or as download links in messaging apps.

How to remove fake entries from your calendar

This blog focuses on how to remove these unwanted entries. One of the obstacles is that calendars often sync across devices.

Outlook Calendar

If you use Outlook:

  • Delete without interacting: Avoid clicking any links or opening attachments in the invite. If available, use the “Do not send a response” option when deleting to prevent confirming that your email is active.
  • Block the sender: Right-click the event and select the option to report the sender as junk or spam to help prevent future invites from that email address.
  • Adjust calendar settings: Access your Outlook settings and disable the option to automatically add events from email. This setting matters because even if the invite lands in your spam folder, auto-adding invites will still put the event on your calendar.
    Outlook accept settings
  • Report the invite: Report the spam invitation to Microsoft as phishing or junk.
  • Verify billing issues through official channels: If you have concerns about your account, go directly to the company’s official website or support, not the information in the invite.

Gmail Calendar

To disable automatic calendar additions:

  • Open Google Calendar.
  • Click the gear icon and select Settings in the upper right part of the screen.
    Gmail calendar settings
  • Under Event settings, change Add invitations to my calendar to either Only if the sender is known or When I respond to the invitation email. (The default setting is From everyone, which will add any invite to your calendar.)
  • Uncheck Show events automatically created by Gmail if you want to stop Gmail from adding to your calendar on its own.

Android Calendar

To prevent unknown senders from adding invites:

  • Open the Calendar app.
  • Tap Menu > Settings.
  • Tap General > Adding invitations > Add invitations to my calendar.
  • Select Only if the sender is known.

For help reviewing which apps have access to your Android Calendar, refer to the support page.

Mac Calendars

To control how events get added to your Calendar on a Mac:

  • Go to Apple menu > System Settings > Privacy & Security.
  • Click Calendars.
  • Turn calendar access on or off for each app in the list.
  • If you allow access, click Options to choose whether the app has full access or can only add events.

iPhone and iPad Calendar

The controls are similar to macOS, but you may also want to remove additional calendars:

  • Open Settings.
  • Tap Calendar > Accounts > Subscribed Calendars.
  • Select any unwanted calendars and tap the Delete Account option.

Additional calendars

Which brings me to my next point. Check both the Outlook Calendar and the mobile Calendar app for Additional Calendars or subscribed URLs and Delete/Unsubscribe. This will stop the attacker from being able to add even more events to your Calendar. And looking in both places will be helpful in case of synchronization issues.

Several victims reported that after removing an event, it just came back. This is almost always due to synchronization. Make sure you remove the unwanted calendar or event everywhere it exists.

Tracking down the source can be tricky, but it may help prevent the next wave of calendar spam.

How to prevent calendar spam

We’ve covered some of this already, but the main precautions are:

  • Turn off auto‑add or auto‑processing so invites stay as emails until you accept them.
  • Restrict calendar permissions so only trusted people and apps can add events.
  • In shared or resource calendars, remove public or anonymous access and limit who can create or edit items.
  • Use an up-to-date real-time anti-malware solution with a web protection component to block known malicious domains.
  • Don’t engage with unsolicited events. Don’t click links, open attachments, or reply to suspicious calendar events such as “investment,” “invoice,” “bonus payout,” “urgent meeting”—just delete the event.
  • Enable multi-factor authentication (MFA) on your accounts so attackers who compromise credentials can’t abuse the account itself to send or auto‑accept invitations.

Pro tip: If you’re not sure whether an event is a scam, you can feed the message to Malwarebytes Scam Guard. It’ll help you decide what to do next.
