Cybercriminals are distributing spoofed data-breach notifications that are used to scam unsuspecting recipients and infect their devices with malware.
Fraudsters are using malicious SEO methods, Google sites and spam pages to deceive and scam users, according to a report by Bleeping Computer (opens in new tab).
- Antivirus: stay protected when online with the best software
- Best VPN: pick the ideal provider for watertight privacy
- Just in: Millions of wireless security cameras are at risk of being hacked
The crooks have been sending fake data-breach messages from companies like Chegg, EA, Canva, Dropbox, Hulu (opens in new tab), Ceridian, Shein, PayPal, Target, Hautelook, Mojang, InterContinental Hotels Group and Houzz.
To spread the fake notifications, the crooks published new web pages and compromised existing sites with terms like “data breach”. These were then picked up by Google Alerts, a service that allows users to track any keyword.
The notifications used subjects like “Target data breach”, “Dropbox data breach” and “Paypal security breach 2020” to get the attention of users. By clicking on any of these links, users would be directed to web pages containing fake giveaways, advertisements for browser extensions and other scams.
In some cases, the notifications weren’t easily identifiable as scams because they displayed “page not found” warnings and text describing fake data breaches.
To avoid falling victims to these scams, don't install any browser extensions, plugins or software that these alerts may suggest. In many case, you'll just be asked to fill out a survey to see the "notification," which is harmless as long as you don't have to give up any personal information.
Thousands of topics
In its investigation, Bleeping Computer also discovered a directory of 2,000 text files that used particular keywords and phrases to appear in Google Alerts. Most of these were created in this past week, but the oldest can be traced back to July 31, 2018.
All of this information has been taken from public sources and is based on questions people have, with topics including software products, DIY, vaping, breeding dogs and hardware.
Another fake message urged people to update their Adobe Flash browser plugins, appeared in Google Chrome and Mozilla Firefox and sent users to a fake iPhone 11 competition.
Jake Moore, a security specialist at ESET (opens in new tab), told Tom’s Guide: “Bad actors are increasingly getting better at obfuscating their illicit means. Attackers continue to evolve their tactics into lending a false sense of security on their prey and they are extremely good at this.
"They use well known brands to create a sense of misplaced security manipulating the victims into clicking on malware unbeknownst to them. The answer remains in constant vigilance and not to be so quick to click around on a site even if it is thought to be trusted."
- Read more: Stay protected online for less with the best cheap VPN