#techSupportScam

How you actually should respond to that “183 million credentials leak”

There’s a new Forbes article floating around about the trove of 183 million credentials that were recently leaked to Have I Been Pwned. The article makes a big deal about the fact that there were “Gmail passwords confirmed” in the leak. Let’s break down why it’s a bad article and what you should have been told instead.

The article makes a big deal of the fact that “Gmail passwords” were included in the leak without saying a single word about the fact that your Gmail password is also your Google password. Google Photos, Google Docs, Google Drive, any site you’ve used “log in with Google” on… all these are compromised if your “Gmail password” is. It’s kind of laughable that this article goes to some effort to fearmonger about compromised “Gmail passwords” when the problem it’s trying to scare people about is actually worse than it says it is.

While the article understates the damage from the leak in that way, it overstates it in another. This article, and others that have reported about this leak, fails to provide the important context that if you practice decent device hygiene and your devices have not been compromised by infostealers, then none of your account passwords are in this leak. Furthermore, because we all have many accounts and infostealers vacuum up credentials from all of them, my guess is that you would have to divide that number by at least 3 or 4 to arrive at a reasonable estimate of the number of impacted people, which is far more relevant than the number of impacted accounts. Given that there are billions of people in the world who log into websites, and we’re talking maybe 20 million people affected by this leak, it’s actually pretty unlikely that you are.

Once the article is finished both understating and overstating the problem it’s reporting on, it gets around to telling you what it thinks you should do about it, and it gets that wrong too.

  • When discussing how your password manager can help protect you against compromised passwords, it focuses entirely on the Chrome password manager; there isn’t a single word about how other password managers offer similar features and protections. Maybe the author should have done some real research and reporting here rather than just paraphrasing the press release Google sent him.
  • It focuses on people enabling 2-step verification on their Google accounts—again, just quoting from Google—rather than making it clear that they should be using strong two-factor authentication or passkeys for all of their accounts, wherever it is offered.
  • It makes a brief nod to the fact that you should not be reusing passwords on multiple websites without making explicit that the best way to do that is to use a password manager, which everyone should be doing; “if you are a user of the Chrome password manager” is not the same as “you should be using a password manager!”
  • It doesn’t say a single word about the fact that if your data is in this leak, then one of your devices was compromised, and you need to clean your devices and practice better device security practices in the future. Yes, how to do all this is beyond the scope of an article like this, but the article should at least mention it and link to some outside sources for more information.
  • While it does hint (under the misleading heading “What We Know About The 183 Million Passwords Data Leak”) that everyone should register with Have I Been Pwned to get notified automatically about breaches or leaks that impact them (well, aside from the ones HIBP is legally prohibited from warning you about), it is far less explicit about this than it should be.

Here’s the TLDR

  • This isn’t just a Gmail problem.
  • Register at Have I Been Pwned if you haven’t already.
  • Practice good device security hygiene. Most importantly:
    • keep your OS and apps up-to-date;
    • keep your device security software enabled (macOS, Windows, iOS, and Android all have it built in; you probably don’t need to pay for a third-party antivirus tool);
    • keep the malware protections in your web browser enabled; and
    • if you keep important data locally on your device, back it up following the 3-2-1 rule.
  • Change your passwords for any of the sites HIBP says have been compromised, if you haven’t already. While you’re doing that, enable strong 2FA (not email or SMS) or set up a passkey.
  • Use strong 2FA or passkeys everywhere else.
  • Use a password manager for all of your passwords, and use long, random, unique passwords generated by the password manager.
  • Don’t invite hackers onto your device by falling for tech-support or ClickFix scams or enabling browser notifications from shady websites.

*sigh* OK, that last point isn’t as obvious as the previous ones. I can’t with a straight face explain them in a section entitled “Here’s the TLDR”, so I suppose this article needs to be a bit longer…

What are tech-support scams and how to avoid them

If anyone you don’t know tells you they’re helping you fix a problem with your computer and they need you to give them remote access or run some commands they send you, they are almost certainly scammers and you absolutely should not do what they’re asking.

If you suddenly see a pop-up on your computer telling you it’s compromised or broken and giving you a phone number you should call or website you should visit for help getting it fixed, this is almost certainly a scam and you should ignore it. If they’ve managed to make the message fill up the whole screen and you can’t figure out how to get rid of it, then this is even more true. The flashier and louder the warning is, the more likely it is that it’s a scam.

Do not ask the bad guys how to make the message go away. They will manipulate you into compromising your computer. Ask someone you know in person for help. If you don’t have anyone to ask, call Geek Squad and ask them to come out and help you and show you how to get rid of the messages yourself next time. Believe me, paying Geek Squad a couple hundred dollars is preferable to giving hackers the run of your computer.

Also don’t fall for it if someone calls you randomly on the phone and tells you they’re from “tech support” or Microsoft or Apple or Google or whatever and they’ve detected a problem with your computer and they’re calling you to help you fix it. No one calling you on the phone to tell you they’ve detected a problem with your computer is legitimate.

What are ClickFix scams and how to avoid them

If a message pops up on your computer saying you need to copy and paste a command into a command prompt, the Windows run prompt (Command-R), your browser’s developer console, etc. to fix something, or to get through an “are you human?” check, it is a scam and you shouldn’t do it. The website you’re visiting is compromised, and the people who compromised the website are now trying to compromise your device as well.

These attacks often show you an innocent-looking command they’re telling you to copy and paste and say “Click here to copy this command,” but in fact when you “click here” it copies a malicious command that’s different from what they showed you. If you find that a bit difficult to grasp, think about the fact that this link doesn’t point to a website called “this link”.

Stop enabling crappy browser push notifications, just stop

There are a lot of shady websites out there trying to trick you into visiting them instead of the legitimate website you actually intended to visit. And for many of these shady websites, the very first thing they will do when you visit their homepage is pop up a message asking you to let them send you notifications. The pop-up often doesn’t even use the word “notifications”, it uses exciting, useful-sounding language, e.g., “Click here to keep getting important news updates!”

If you’re the kind of person who tends to end up on these shady websites and say yes when asked to allow notifications, then you probably already know it, because you’re probably already getting notifications from them constantly.

Stop letting them do that to you.

These constant notifications are literally unhealthy, but aside from that, they’re also a security risk, because they are often used as a vector for tech-support and ClickFix scams.

You don’t need the notifications. You don’t need the constant dopamine hits. They are not healthy or safe.

Every browser is a little different, but you can search for, e.g., “Edge disable push notifications” or “Chrome disable push notifications” to find out how to turn off these notifications for the browser you use.

If you are absolutely certain there is a completely legitimate website you want to allow push notifications from, you can enable notifications manually for that specific website. This is usually accomplished by clicking a button or something to the left of the website URL at the top of the browser window to view and update the browser settings for this particular website.

#2fa #breach #ClickFixScam #Forbes #Gmail #Google #HaveIBeenPwned #HIBP #passkeys #pushNotifications #techSupportScam

Jonathan Kamens jik@federate.social
2025-10-28

How you actually should respond to that "183 million credentials leak"

What a recent Forbes article got wrong and what it should have told you instead.

blog.kamens.us/2025/10/28/how-
#Forbes #infosec #ClickFix #techSupportScam #HaveIBeenPwned #HIBP #Gmail #Google

2025-10-16

🚨 A new tech support scam is using #Microsoft’s logo and fake browser locks to trick victims into calling bogus support. Don’t fall for it.

Read: hackread.com/tech-support-scam

#TechSupportScam #Phishing #CyberSecurity #Infosec #ScamAlert

2025-09-05

Wanna play a game?
Reboot now… or in five minutes?

Help TDS - a notorious traffic distribution system - has a fresh new illusion — a fake system alert that sets the stage before the tech support scam begins.

It’s not just a pop-up; it’s full-screen psychological priming, blurred just enough to slip past security tools. You’re given a “choice”, but either way, the curtain rises.

Click either button and the show begins: a spoofed full-screen Microsoft virus alert, and a phone number that offers an immediate fix.

The real trick? Victims are already convinced it’s real before the scam even loads.

#Infoblox #dns #phishing #tds #scam #scareware #helptds #threatintel #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #TechSupportScam #ScamAlert #DontDialTheNumber

screenshot from tech support scam showing the need to reboot in order to continue. either way, the victim is shown a tech support scam.
Bryan King (W8DBK) bdking71
2025-06-24

Don’t fall for tech support scams! Learn how to spot the tricks and protect your digital life from scammers. Stay safe online 🔒💻

bdking71.wordpress.com/2025/06

Stuart Longland (VK4MSL) stuartl@longlandclan.id.au
2025-01-15

Arrived by email… thankfully I don't get any of these anymore (they can't figure out the IVR menu prompt on the home telephone) but I have to give the woman a mark for originality…

-----

A phone conversation with a very nice young chap from Pakistan. This is how it went:

"Hello, how are you today?"

"I'm very well thank you for asking, how are you and more to the point, WHO are you?"

"Madam, my name is Sanjit, and I'm calling you from Microsoft."

"Microsoft, is that a city in Pakistan?"

"No Madam, MICROSOFT, the computer company. I'm calling to tell you that we have found a problem with your computer."

"REALLY, that's quite concerning."

"Yes Madam, it can become very serious indeed but thankfully I will be able to fix it for you."

"No, I meant it's very concerning because I don't HAVE a computer."

"You don't?"

"No."

"Ahh, it must be a problem on your laptop Madam."

"Don't have one."

"Ipad?"

"Nope."

"Tablet?"

"I have none of those things. As a matter of fact, I don't even have a telephone."

After a few seconds of silence he said "Madam, you are lying to me now!"

I said "Well, you started it!!" and put the phone down.

-----

#Humour #TechSupportScam #Microsoft

sigh, frustrating to watch folks google for major names instead of tacking on the .com to simply go to the site. Instead they get subjected to #malvertising that no user will be able to differentiate from legit.

For the chain I saw searching amazon, these seem worth blocking.

lunavattuone[.]com
urchin-app-2-p3hvj.ondigitalocean[.]app

#TechSupportScam #TSS

Google search malvertisement for Amazon
Tech Support Scam page (TSS)
mitmproxy session showing requests to Google and the malicious sites involved in the malvertisement to TSS

TIL that TSSs are equal opportunity. This is the first I'd seen a macOS TSS.

BTW, you might want to block this TDS.

tarapau[.]world

At present it points to here, but I'm sure it'll change by the time anybody blocks it.

datahubcenter11.z13.web.core.windows[.]net

#TechSupportScam

Tech support scam for macOS
Tech support scam for Windows
Code that decides which TSS to present
decio decio@infosec.exchange
2024-05-03

On the subject: Malwarebytes' analysis of this scam exploiting Google sponsored search results
👇
malwarebytes.com/blog/news/202

These same tools let malicious actors target campaigns and adapt them geographically. Indeed, the advanced targeting options available in advertising campaigns make it possible to aim at a specific population, exploiting language and regional settings to tailor the content of the fake alert message to the audience.

This targeting technique is the origin of what the Office Fédéral de la Sécurité Cyber (OFSC) defines as the "French-speaking Switzerland variant"
👇
ncsc.admin.ch/ncsc/fr/home/akt

#CyberVeille #techsupportscam

This campaign consists of at least four active apex domains.

99read[.]net
hintguides[.]com
movieanddrama[.]com
myfastupdate[.]com

Each of the subdomains within them leads to the TSS campaign with this format.

hXXps://{random}.{random}.web.core.windows[.]net/?bcda={phonenumber}

Conveniently they occasionally use subdomains with the date. For example the domain 29apr.99read[.]net came on line April 29th, 2024.

The domain 4dec1.myfastupdate[.]com was indeed observed on December 4th 2023. Interestingly the TSS was hosted on the domain itself. So the switch to Azure was a change made since then.

urlscan.io/result/4f249136-281

#ThreatIntel #malvertising #TechSupportScam

Linux bash prompt showing a script being run to probe a set of tech support scam traffic distribution servers.
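As an added defender-side example, not part of the post above, here is a small Python checker that flags proxy-log URLs matching the landing-page format (`{random}.{random}.web.core.windows.net/?bcda={phonenumber}`) and the date-style subdomains on the four apex domains the post names. The log format, hostnames and phone number in the sample are constructed for the demo.

```python
import re
from urllib.parse import urlparse, parse_qs

# Landing-page format given in the post:
#   hXXps://{random}.{random}.web.core.windows[.]net/?bcda={phonenumber}
AZURE_STATIC_HOST = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.web\.core\.windows\.net$")
# Date-style labels observed on the campaign's apex domains (29apr, 4dec1)
DATE_LABEL = re.compile(
    r"^\d{1,2}(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]?\d*$")
# The four apex domains named in the post
CAMPAIGN_APEX = {"99read.net", "hintguides.com", "movieanddrama.com", "myfastupdate.com"}

def refang(url):
    """Turn the post's defanged notation ([.] and hXXps) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hXXp", "http")

def classify(url):
    """Return the reasons a URL matches the campaign; an empty list means no match."""
    p = urlparse(refang(url))
    host = (p.hostname or "").lower()
    reasons = []
    if AZURE_STATIC_HOST.match(host):
        # The number the victim is told to call travels in the bcda= query parameter
        if any(v.isdigit() for v in parse_qs(p.query).get("bcda", [])):
            reasons.append("azure static host with numeric bcda= parameter")
    labels = host.split(".")
    apex = ".".join(labels[-2:])
    if apex in CAMPAIGN_APEX:
        reasons.append("known campaign apex " + apex)
        if len(labels) > 2 and DATE_LABEL.match(labels[0]):
            reasons.append("date-style subdomain " + labels[0])
    return reasons

def scan_proxy_log(lines):
    """Each line is '<timestamp> <client> <url>'; return (url, reasons) for matching lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        reasons = classify(fields[-1])
        if reasons:
            hits.append((fields[-1], reasons))
    return hits

# Constructed sample log lines (hostnames and phone number are made up for the demo)
SAMPLE_LOG = [
    "2024-04-29T10:02:11Z 10.0.0.5 https://www.example.com/index.html",
    "2024-04-29T10:02:15Z 10.0.0.5 https://29apr.99read.net/",
    "2024-04-29T10:02:16Z 10.0.0.5 https://a1b2c3.d4e5f6.web.core.windows.net/?bcda=18005550100",
]

if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```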

There's a Facebook #malvertising campaign that uses *.hintguides[.]com for its dynamic redirector to their current #TechSupportScam (TSS) on Azure. They don't seem to rotate them as quickly as other TSS TDSs I've seen, but they did change from yesterday to today.

Here are three currently active ajax.php URLs that return JavaScript that contains the current TSS URL.

22aprl.hintguides[.]com/ajax.php
bestnew.hintguides[.]com/ajax.php
latestupdate.hintguides[.]com/ajax.php

urlscan.io/result/bcc95c86-df1

JavaScript returned from a malicious web server that shows the tech support scam URL the user would be redirected to.
Example tech support scam page
Linux command line showing a script to display the current TSS URL at three different ajax.php URLs

There seems to be a new tech support scam (TSS) TDS being run on this address:

162.0.209[.]251

These are the active domains I see for it.

gist.github.com/rmceoin/8605db

All of them respond on the path /click/ with a 301 redirect to a current TSS hosted on CloudFront.

Don't think I've noticed this before, but the TSS page starts with a section at the top for "Leave site?" that gives the impression that it's rendered and controlled by the browser. That is not true. It's part of the page and invokes the full screen takeover.

I found this compliments of a Google search malvertisement for amazon prime.

#malvertising #TechSupportScam

Linux command line showing curl being used to probe a TSS TDS host for the current TSS URL.
Screenshot of a web browser at a tech support scam site.
2023-09-29

Three men found guilty of laundering $2.5 million in Target gift card tech support scam.

Read more in my article on the Bitdefender blog: bitdefender.com/blog/hotforsec

#cybersecurity #scam #techsupportscam #moneylaundering #giftcard

Target gift card
Kevin Karhan kkarhan@mstdn.social
2023-06-13

@spinach @gameplayer sadly one can't scam the bank employees into fixing the account... #sarcasm #TechSupportScam

2023-04-20

FTC accuses payments firm of knowingly assisting tech support scammers.

Read more in my article on the Tripwire blog:

tripwire.com/state-of-security

#cybersecurity #scam #techsupportscam #microsoft

Beetles crawling over Windows laptop
