Microsoft on Monday announced a new feature called inline data protection for its enterprise-focused Edge for Business web browser.
The native data security control is designed to prevent employees from sharing sensitive company-related data into consumer generative artificial intelligence (GenAI) apps like OpenAI ChatGPT, Google Gemini, and DeepSeek. The list will be expanded over time to

Microsoft Adds Inline Data Protection to Edge for Business to Block GenAI Data Leaks

A list of topics we covered in the week of March 17 to March 23 of 2025

March 21, 2025 - The release of the JFK assassination records also resulted in the leak of hundreds of Social Security Numbers

March 20, 2025 - The phishing campaign for valuable Google accounts continues with a new twist, going after the customers of a SasS platform.

March 20, 2025 - Experts are warning about the proliferating market for targeted spyware and espionage. Why should we be concerned?

March 19, 2025 - With financial stress at an all-time high, people are desperately seeking relief. Sadly, scammers know this all too well.

March 19, 2025 - Sperm donor giant California Cryobank has announced it has suffered a data breach that exposed customers' personal information.

 A week in security (March 17 &#8211; March 23) 

Companies in the EU are starting to look for ways to ditch Amazon, Google, and Microsoft cloud services amid fears of rising security risks from the US. But cutting ties won’t be easy.

The global backlash against the second Donald Trump administration keeps on growing. Canadians have boycotted US-made products, anti–Elon Musk posters have appeared across London amid widespread Tesla protests, and European officials have drastically increased military spending as US support for Ukraine falters. Dominant US tech services may be the next focus.

There are early signs that some European companies and governments are souring on their use of American cloud services provided by the three so-called hyperscalers. Between them, Google Cloud, Microsoft Azure, and Amazon Web Services (AWS) host vast swathes of the internet and keep thousands of businesses running. However, some organizations appear to be reconsidering their use of these companies’ cloud services—including servers, storage, and databases—citing uncertainties around privacy and data access fears under the Trump administration.

“There’s a huge appetite in Europe to de-risk or decouple the over-dependence on US tech companies, because there is a concern that they could be weaponized against European interests,” says Marietje Schaake, a nonresident fellow at Stanford’s Cyber Policy Center and a former, decade-long member of the European Parliament.

The moves may already be underway. On March 18, politicians in the Netherlands House of Representatives passed eight motions asking the government to reduce reliance on US tech companies and move to European alternatives. Days before, more than 100 organizations signed an open letter to European officials calling for the continent to become “more technologically independent” and saying the status quo creates “security and reliability risks.”

Two European-based cloud service companies, Exoscale and Elastx, tell WIRED they have seen an uptick in potential customers looking to abandon US cloud providers over the last two weeks—with some already starting to make the jump. Multiple technology advisers say they are having widespread discussions about what it would take to uproot services, data, and systems.

“We have more demand from across Europe,” says Mathias Nöbauer, the CEO of Swiss-based hosting provider Exoscale, adding there has been an increase in new customers seeking to move away from cloud giants. “Some customers were very explicit,” Nöbauer says. “Especially customers from Denmark being very explicit that they want to move away from US hyperscalers because of the US administration and what they said about Greenland.”

“It's a big worry about the uncertainty around everything. And from the Europeans’ perspective—that the US is maybe not on the same team as us any longer,” says Joakim Öhman, the CEO of Swedish cloud provider Elastx. “Those are the drivers that bring people or organizations to look at alternatives.”

Concerns have been raised about the current data-sharing agreement between the EU and US, which is designed to allow information to move between the two continents while protecting people’s rights. Multiple previous versions of the agreement have been struck down by European courts. At the end of January, Trump fired three Democrats from the Privacy and Civil Liberties Oversight Board (PCLOB), which helps manage the current agreement. The move could undermine or increase uncertainty around the agreement. In addition, Öhman says, he has heard concerns from firms about the CLOUD Act, which can allow US law enforcement to subpoena user data from tech companies, potentially including data that is stored in systems outside of the US.

Dave Cottlehuber, the founder of SkunkWerks, a small tech infrastructure firm in Austria, says he has been moving the company’s few servers and databases away from US providers to European services since the start of the year. “First and foremost, it’s about values,” Cottlehuber says. “For me, privacy is a right not a privilege.” Cottlehuber says the decision to move is easier for a small business such as his, but he argues it removes some taxes that are paid to the Trump administration. “The best thing I can do is to remove that small contribution of mine, and also at the same time, make sure that my customers’ privacy is respected and preserved,” Cottlehuber says.

Steffen Schmidt, the CEO of Medicusdata, a company that provides text-to-speech services to doctors and hospitals in Europe, says that having data in Europe has always “been a must,” but his customers have been asking for more in recent weeks. “Since the beginning of 2025, in addition to data residency guarantees, customers have actively asked us to use cloud providers that are natively European companies,” Schmidt says, adding that some of his services have been moved to Nöbauer’s Exoscale.

Harry Staight, a spokesperson for AWS, says it is “not accurate” that customers are moving from AWS to EU alternatives. “Our customers have control over where they store their data and how it is encrypted, and we make the AWS Cloud sovereign-by-design,” Straight says. “AWS services support encryption with customer managed keys that are inaccessible to AWS, which means customers have complete control of who accesses their data.” Staight says the membership of the PCLOB “does not impact” the agreements around EU-US data sharing and that the CLOUD Act has “additional safeguards for cloud content.” Google and Microsoft declined to comment.

The potential shift away from US tech firms is not just linked to cloud providers. Since January 15, visitors to the European Alternatives website increased more than 1,200 percent. The site lists everything from music streaming services to DDoS protection tools, says Marko Saric, a cofounder of European cloud analytics service Plausible. “We can certainly feel that something is going on,” Saric says, claiming that during the first 18 days of March the company has “beaten” the net recurring revenue growth it saw in January and February. “This is organic growth which cannot be explained by any seasonality or our activities,” he says.

While there are signs of movement, the impact is likely to be small—at least for now. Around the world, governments and businesses use multiple cloud services—such as authentication measures, hosting, data storage, and increasingly data centers providing AI processing—from the big three cloud and tech service providers. Cottlehuber says that, for large businesses, it may take many months, if not longer, to consider what needs to be moved, the risks involved, plus actually changing systems. “What happens if you have a hundred petabytes of storage, it's going to take years to move over the internet,” he says.

For years, European companies have struggled to compete with the likes of Google, Microsoft, and Amazon’s cloud services and technical infrastructure, which make billions every year. It may also be difficult to find similar services on the scale of those provided by alternative European cloud firms.

“If you are deep into the hyperscaler cloud ecosystem, you’ll struggle to find equivalent services elsewhere,” says Bert Hubert, an entrepreneur and former government regulator, who says he has heard of multiple new cloud migrations to US firms being put on hold or reconsidered. Hubert has argued that it is no longer “safe” for European governments to be moved to US clouds and that European alternatives can’t properly compete. “We sell a lot of fine wood here in Europe. But not that much furniture,” he says. However, that too could change.

Schaake, the former member of the European Parliament, says a combination of new investments, a different approach to buying public services, and a Europe-first approach or investing in a European technology stack could help to stimulate any wider moves on the continent. “The dramatic shift of the Trump administration is very tangible,” Schaake says. “The idea that anything could happen and that Europe should fend for itself is clear. Now we need to see the same kind of pace and leadership that we see with defense to actually turn this into meaningful action.”

Trump’s Aggression Sours Europe on US Cloud Giants

This week on the Lock and Code podcast, we speak with Carey Parker about what Google Chrome knows about you.

_This week on the Lock and Code podcast…_

Google Chrome is, by far, the most popular web browser in the world.

According to several metrics, Chrome accounts for anywhere between 52% and 66% of the current global market share for web browser use. At that higher estimate, that means that, if the 5.5 billion internet users around the world were to open up a web browser right now, 3.6 billion of them would open up Google Chrome.

And because the browser is the most common portal to our daily universe of online activity—searching for answers to questions, looking up recipes, applying for jobs, posting on forums, accessing cloud applications, reading the news, comparing prices, recording Lock and Code, buying concert tickets, signing up for newsletters—then the company that controls that browser likely knows a lot about its users.

In the case of Google Chrome, that’s entirely true.

Google Chrome knows the websites you visit, the searches you make (through Google), the links you click, and the device model you use, along with the version of Chrome you run. That may sound benign, but when collected over long periods of time, and when coupled with the mountains of data that other Google products collect about you, this wealth of data can paint a deeply intimate portrait of your life.

Today, on the Lock and Code podcast with host David Ruiz, we speak with author, podcast host, and privacy advocate Carey Parker about what Google Chrome knows about you, why that data is sensitive, what “Incognito mode” really does, and what you can do in response.

We also explain exactly why Google would want this money, and that’s to help it run as an ad company.

> “That’s what \[Google is\]. Full stop. Google is an ad company who just happens to make a web browser, and a search engine, and an email app, and a whole lot more than that.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 What Google Chrome knows about you, with Carey Parker (Lock and Code S06E06) 

New phishing scam targets Instagram business accounts using fake chatbots and support emails, tricking users into handing over login credentials.

A new phishing campaign has been tricking users into giving out access to their **Meta Business accounts** especially Instagram. The scam, detected by the Cofense Phishing Defense Center, uses fake chat support, detailed instructions, and attempts to add itself as a secure login method to hijack business accounts.

The phishing campaign starts with a fake Instagram alert email stating that the user’s ads are suspended due to a violation of advertising laws. The email, which appears to be from Instagram’s support team, asks the user to click on a “Check more Details” button to resolve the issue. However, the email is actually sent from a Salesforce address ([email protected]), not Instagram’s official support email.

The Instagram phishing email received by victims (Via Cofense)

This scam is a lot like the one that hit Facebook users back in February 2025, where scammers used automated Salesforce emails to trick people into giving up their login credentials by pretending to be **Facebook Copyright Notices**.

****Fake Chat Support via Chatbot, Phishing and 2FA – All in One Scam****

In the latest scam, when the user clicks on the link for more details, they are redirected to a fake page (businesshelp-managercom) that looks similar to a legitimate Meta Business page. The page informs the user that their account is at risk of suspension and termination and asks them to input their name and business email to proceed to a chat support agent.

The attacker then uses two methods to hijack the business account: a fake tech support chatbot or a supposed “setup guide” with step-by-step instructions. The chatbot asks the user for screenshots of their business account and personal information, while the setup guide provides instructions on how to add **Two-Factor Authentication (2FA)** to the user’s business account.

If the chatbot phishing attempt is unsuccessful, the attacker provides an instructional guide for adding Two-Factor Authentication (2FA) to the user’s business account. This guide mimics a do-it-yourself way to “fix” the user’s account. Users are directed to click on a “View Account Status” button, which reveals detailed instructions on how to start a “System Check” and fix the problem themselves. However, following these steps gives the attacker another way to log in to the Business Meta account via the hacker’s Authenticator app named “SYSTEM CHECK.”

Screenshot of the initial chat with the fake support chatbot (Via Cofense)

According to Cofence’s **blog post** shared with Hackread.com, the attackers have put a lot of effort into making the scam look legitimate. The emails and landing pages closely resemble official Meta communications, and the inclusion of live agent support adds a layer of deception. The attackers even provide video instructions detailing how to trick the user into adding them as a 2FA method.

****What Users Should Do****

This phishing campaign stands out from the usual scams and highlights why everyone who uses social media should be aware of common **social engineering tricks** that scammers use these days. Always double-check the sender and take a close look at the URL before clicking on anything. Using apps like Google Authenticator and Microsoft Authenticator can help block login attempts from suspicious places and unknown devices.

New Phishing Scam Uses Fake Instagram Chatbot to Hijack Accounts

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Image: WLVT-8.

Authorities in Knoxville, Tennessee last week said they arrested 11 Chinese nationals accused of buying tens of thousands of dollars worth of gift cards at local retailers with mobile wallets created through online phishing scams. The Knox County Sheriff’s office said the arrests are considered the first in the nation for a new type of tap-to-pay fraud.

Responding to questions about what makes this scheme so remarkable, Knox County said that while it appears the fraudsters are simply buying gift cards, in fact they are using multiple transactions to purchase various gift cards and are plying their scam from state to state.

“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” Knox County Chief Deputy **Bernie Lyon** wrote. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”

Asked for specifics about the mobile devices seized from the suspects, Lyon said “tap-to-pay fraud involves a group _utilizing Android phones to conduct Apple Pay transactions_ utilizing stolen or compromised credit/debit card information,” \[emphasis added\].

Lyon declined to offer additional specifics about the mechanics of the scam, citing an ongoing investigation.

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company. Merrill said there aren’t many valid use cases for Android phones to transmit Apple Pay transactions. That is, he said, unless they are running a custom Android app that KrebsOnSecurity wrote about last month as a part of a deep dive into the sprawling operations of China-based phishing cartels that are breathing new life into the payment card fraud industry (a.k.a. “carding”).

How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones? It all starts with phishing.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the **U.S. Postal Service** to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “**smishing**” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the **Apple iMessage** service and through RCS, the functionally equivalent technology on **Google** phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control. These phones are then loaded with multiple stolen wallets (often between 5-10 per device) and sold in bulk to scammers on Telegram.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 5-7 digital wallets from different financial institutions.

Merrill found that at least one of the Chinese phishing groups sells an Android app called “**Z-NFC**” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.

Merrill said the Z-NFC software can work from anywhere in the world, and that one phishing gang offers the software for $500 a month.

“It can relay both NFC enabled tap-to-pay as well as any digital wallet,” Merrill said. “They even have 24-hour support.”

On March 16, the ABC affiliate in Sacramento (**ABC10**), Calif. aired a segment about two Chinese nationals who were arrested after using an app to run stolen credit cards at a local Target store. The news story quoted investigators saying the men were trying to buy gift cards using a mobile app that cycled through more than 80 stolen payment cards.

ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards. After their arrests, both men reportedly admitted that they were being paid $250 a day to conduct the fraudulent transactions.

Merrill said it’s not unusual for fraud groups to advertise this kind of work on social media networks, including TikTok.

A **CBS News** story on the Sacramento arrests said one of the suspects tried to use 42 separate bank cards, but that 32 were declined. Even so, the man still was reportedly able to spend $855 in the transactions.

Likewise, the suspect’s alleged accomplice tried 48 transactions on separate cards, finding success 11 times and spending $633, CBS reported.

“It’s interesting that so many of the cards were declined,” Merrill said. “One reason this might be is that banks are getting better at detecting this type of fraud. The other could be that the cards were already used and so they were already flagged for fraud even before these guys had a chance to use them. So there could be some element of just sending these guys out to stores to see if it works, and if not they’re on their own.”

Merrill’s investigation into the Telegram sales channels for these China-based phishing gangs shows their phishing sites are actively manned by fraudsters who sit in front of giant racks of Apple and Google phones that are used to send the spam and respond to replies in real time.

In other words, the phishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

For more on how these China-based mobile phishing groups operate, check out How Phished Data Turns Into Apple and Google Wallets.

The ashtray says: You’ve been phishing all night.

Arrests in Tap-to-Pay Scheme Powered by Phishing

Amid growing concerns over Big Tech firms aligning with Trump administration policies, people are starting to move their digital lives to services based overseas. Here's what you need to know.

Law enforcement requests for user data from Apple, Google, and Meta mean that these companies can decide whether government authorities have access to your personal information, including location data. This means the companies with the most insight into our lives, movements, and communications are frontline arbiters of our constitutional rights and the rights of non-US citizens—a fact some are likely feeling more acutely now than ever.

Collaboration between Big Tech and the Trump administration began before Donald Trump’s swearing-in on January 20. Amazon, Meta, Google, Microsoft, and Uber each gave $1 million to Trump’s inauguration. Separately, in personal donations, so did Meta CEO Mark Zuckerberg and Apple’s Tim Cook.

Americans concerned about the Trump administration and Silicon Valley’s embrace of it, may consider becoming a “digital expat”—moving your digital life off of US-based systems. Meanwhile, Europeans are starting to see US data services as “no longer safe” for businesses, governments, and societies.

Here’s a brief rundown of the privacy, security, and civil liberties issues related to the use of US-based digital services that suddenly feel more urgent—and what to do about it.

**Cozying Up**

In anticipation of Trump’s inauguration, Meta-owned Facebook, Instagram, and Threads made drastic policy changes citing alignment with Trump administration values, to permit hate speech and abuse “on topics like immigration and gender.” Meta also signaled its allegiance by ditching its fact-checkers—a frequent target of MAGA world ire. Two days after the inauguration, Meta quietly rolled out pro-life moderation actions through post suppression and account suspensions. Zuckerberg explained the company’s new direction to staff, saying: “We now have an opportunity to have a productive partnership with the United States government.”

Meta did not immediately respond to our request for comment regarding its partnership, data sharing, or policy changes.

Google followed suit. The company changed its Maps and Search results to rename part of the world—the Gulf of Mexico—following a Trump executive order renaming it the Gulf of America, despite the the US claiming control of less than 50 percent of the Gulf. Apple and Microsoft also followed Trump’s order.

Google’s consumer products also received a swath of updates in line with the new administration, including further changes to Maps, Calendar, and Search. Next, Google removed the new administration’s “banned” terms from its Google Health product. Then it did an about-face on its public promise not to build weaponized AI tools, such as Project Dragonfly, which was discovered in 2018 to be tailoring Google’s entire platform to enable China’s aggressive crackdown on its citizens. When reached for comment, Google did not immediately respond.

Big Tech aligning with the Trump administration matters because its business models rely on surveillance and amassing our personal data. Meta, Google, Apple and other large tech firms are among the gatekeepers standing between privacy and government requests for user data. Even when tech firms must comply by law, they’re often still free to decide how much information they collect about people and how long they store the data.

**Government Hand-Outs**

Current US laws around tech, privacy, and government requests have been guided by bulwarks like the Fourth and Fifth Amendments, US court rulings, and tech companies’ willingness to question the federal government’s opinion that it is entitled to access our personal information and location data. Apple, Google, and Meta each have language about law enforcement data requests that make it seem like they have our backs when it comes to overreach. Now, with companies shaping certain policies, tools, and practices in pursuit of “partnership” with the Trump administration, these companies’ powers over our data takes on new focus.

Generally, law enforcement can compel US companies to hand over user data using a subpoena, court order, search warrant—or, in rarer cases, a National Security Letter (NSL). As Google explains, an NSL is “one of the authorities granted under the Foreign Intelligence Surveillance Act (FISA).” Google adds, “FISA orders and authorizations can be used to compel electronic surveillance and the disclosure of stored data, including content from services like Gmail, Drive, and Photos.” How companies respond to these demands can vary in consequential ways.

A nearly decade-old battle over encrypted communication provides a clear example of the push and pull over user data between tech companies and federal law enforcement. In 2016, the FBI tried to compel Apple to backdoor an iPhone so law enforcement could access its encrypted contents. Apple refused to break its iOS security to do so. Then-candidate Trump said the company should be made to comply or be punished. “We should force them to do it,” he stated. Backdoors for law enforcement data access became a pet project in Trump’s first term; his DOJ appointee Rod Rosenstein launched a 2017 campaign to rebrand encrypted communications (and locked phones) as “law-free zones.” By 2019, Trump officials were brainstorming laws and bans against “unbreakable” consumer security measures, like end-to-end encryption.

The second Trump administration’s stance on encryption is less clear. Prior to Trump’s new term, in December 2024, FBI officials urged Americans to use encrypted messaging apps in the wake of cyberattacks on telecom companies attributed to the Salt Typhoon hacking campaign. (Since then, Trump’s team disbanded the DHS board investigating Salt Typhoon.) When reached for comment regarding the administration's current stance on companies using forms of encryption law enforcement can't break, a While House official told WIRED via email: “The White House looks forward to working with industry leaders to unlock the Golden Age of digital literacy.”

Apple did not immediately respond to WIRED”s request for comment.

Big Tech’s MAGA pivot is pointedly problematic for countries that rely on services like Meta platforms for government communications, official emergency response coordination, social tools like Marketplace, news, public health messaging, and small business services. Officials in one New Zealand district are exploring Facebook and Instagram exit strategies "until such time as we can be assured of the safety of our whole community and the integrity of democracy on these platforms."

It's a global concern. This week, an annual report on the global state of democracy, the Varieties of Democracy project (V-Dem), told reporters, "the United States will not score as a democracy when we release \[next year's\] data." V-Dem’s principal investigator, Staffan Lindberg, added: "If it continues like this, democracy \[in the US\] will not last another six months." With an expected downgrade to the status of electoral autocracy, the US will share its label with Turkey, Hungary, Iraq, India, and Russia.

This makes Big Tech's data collection, storage, control over, or any use of that data an even more urgent issue around the world. This is particularly true for countries the US government has in its sights for territorial expansion, extracting resources, or MAGA grievance politics.

Of course, saying, “just quit Facebook” is one thing—it’s not that simple. Ditching Messenger and WhatsApp for Signal is pretty straightforward, though. Trading X for Bluesky is easier. Keep in mind that both are currently based in the US and that these are merely _safer_ alternatives. In other words, editing your digital footprint is an act of risk and harm reduction, where you identify threats and take the appropriate steps for your situation to reduce potential harms to yourself and those you care about.

**Cutting Ties**

If you’re thinking it might be handy to know about secure non-US options for your digital footprint, good news: There are a variety of well-established services worth checking out—ones that are increasing in popularity as fears of a DOGE\-Facebook partnership seem less far-fetched by the day..

In the wake of deletions and alterations in the Trump administration’s war on science, accurate health information, inclusion, and equity, an archived copy of the CDC’s pre-Trump website is hosted in Europe due to concerns about US jurisdiction. Similarly, the Internet Archive has a full, live copy of itself preserved outside the US (Internet Archive Canada), also using decentralized Filecoin storage for the 2024/2025 EOT Web Archive “as an added layer of preservation.”

It’s no coincidence that a majority of jurisdictionally-aware US data preservation efforts are listing ProtonMail accounts as their contact info. Proton is a Swiss company offering services comparable to Gmail, Google Drive and Docs, as well as having an end-to-end encrypted platform, a password manager, backup storage, photos, and a VPN. Proton explains in a March 2023 blog post that Swiss law and encryption protects Proton’s users from abortion-related data requests, and details the difference between data requests they receive and those sent to Facebook and Google.

For people who prefer globally accurate maps free of Trump Sharpie defacements, and the Gulf of Mexico keeping its name, check out MagicEarth, TomTom AmiGO, HERE WeGo (all Netherlands-based) or OpenStreetMap (global contributors). Check out Vivaldi (Norway) for browsing, and Qwant (France) or Startpage (Netherlands) for a search engine. IONOS (Germany) is a Squarespace/Wix alternative, Pixelfed (Canada) can stand in for Instagram. StoryGraph (UK) for Goodreads. Affinity (UK/AU) or Canva (AU) can replace Adobe products, and Kobo (Canada/Japan) for an ebook reader.

Check out Plex or Jellyfin for music and video, Nextcloud for file storage and syncing, LibreOffice for an office suite, Affinity Suite to replace Adobe, SearXNG for search—all based outside the US. Codeberg (EU) is basically an open source, privacy-forward, community-run Github; one user has a handy Linux-Is-Best/Outside\_Us\_Jurisdiction listing for digital service providers. If you’re looking for a non-U.S. Starlink alternative, Eutelsat may have you covered.

To find other services that suit your needs, take a look through this sprawling, collectively curated Non-US Alternatives List of everything from email to antivirus programs, e-commerce and social media options, and more. European Alternatives also has a growing collection of categories listing services from web analytics and cloud platforms to password managers, web browsers, calendars, and even a few music streaming services.

Concerns prompting people to jettison US digital services isn’t new, but it’s only getting more popular as the lines between Trump’s White House and Big Tech grow less distinct by the day. There are over a quarter million members in the r/degoogle subreddit, where members share tips, tricks, and reviews on everything they’re using to replace Google products or ditch US products altogether.

“Cancelled all my US streamers and moved to a Crave/GEM combo,” one member explained. “Spent 2 weeks moving to Proton and deleted/cancelled everything US during that process. Bye PayPal, bye Amazon, goodbye American everything.”

How to Avoid US-Based Digital Services—and Why You Might Want To

The phishing campaign for valuable Google accounts continues with a new twist, going after the customers of a Sass platform.

_This blog post was co-authored with_ _Elie Berreby, Senior SEO Strategist_

Criminals are highly interested in online marketing and advertising tools that they can leverage as part of their ongoing malware campaigns.

In particular, we have previously detailed how Google advertiser accounts can be hijacked to create new malicious ads and perpetuate a vicious cycle leading to more compromised accounts.

As part of our investigations, we uncovered a new operation going after Semrush, a visibility management SaaS platform that offers SEO, advertising, and market research, amongst other things.

With 40% of Fortune 500 companies and 117,000 paying customers relying on Semrush, the platform presents a highly attractive target for online criminals.

In this blog post, we detail how fraudsters are taking an indirect approach to hacking Google advertisers and by the same token likely gaining access to Semrush accounts.

We have diligently reported the malicious ads to Google. We would like to stress that we are not referring to any vulnerability or data breach with Semrush or its platform in this post. They are simply being targeted because of their growing popularity.

****Google Ads crew pivots****

Back in January, we documented a large phishing campaign targeting Google accounts via Google Ads using a very specific technique that abused Google Sites.

We believe the criminals behind it likely regrouped and switched to a less direct approach, yet one that might deliver just as much.

We observed this transition with a malicious ad for “Google Ads” that oddly enough redirected to a fraudulent login page for Semrush. While the phishing page uses the Semrush brand, only the “Log in with Google” option is enabled, forcing victims to authenticate with their Google account username and password.

****Semrush phishing campaign****

Barely a day later, the campaign was starting to take shape with Google ads now fully moving away from the “Google Ads” brand to fully impersonating Semrush.

The infrastructure for this new wave was deployed recently and the domain names registered for it are all variations on the Semrush name.

Each ad uses a unique domain name which does a redirect to more static domains dedicated to the fake Semrush and Google account login pages.

Once again, the landing page here shows two different types of login but only the Google method is enabled. We believe this is because the threat actors are primarily interested in harvesting Google accounts.

This is confirmed by the malicious sign in page for Google which sends those credentials to the criminals. We should note that victims that arrive at this page are most likely Semrush users, given the path they took to get here.

****Google Analytics and Search Console Data Theft****

_Disclaimer: The following is not taken from a real compromise but rather is meant to illustrate the importance and extent of owning the credentials for a valuable Google account._

Google Analytics (GA) and Google Search Console (GSC) contain critical and confidential information for businesses, revealing detailed perspectives on website performance, user behavioral patterns, and strategic business focuses.

If a Google account is compromised, the malicious actors can access the raw data directly without having to log into Semrush.

E-commerce tracking in GA shows revenue, transaction volumes, average order values, and conversion rates by channel (organic search, paid ads).

Here’s a local shop selling products to a niche audience in a major U.S. city.

When malicious actors access the Google Analytics account, they can see a wealth of confidential information belonging to the publisher. For companies, this is a direct peek into financial performance.

The GSC account below is connected to Semrush. In GSC, the bad actors could see historical data for the past 16 months, including but not limited to search queries, pages, countries, devices, search appearance and dates.

**Semrush Fraud and spear-phishing**

_Disclaimer: Similarly, the following screenshots were not taken from an actual compromise, but highlight the interconnectivity between Google and Semrush accounts._

As mentioned earlier, Google Analytics and Google Search Console data is often integrated with tools like Semrush for enhanced analysis.

For new projects, the SaaS platform requests validation from a Google account to allow Semrush to see and download GA and GSC data.

Once this is done, we can export behavioral data and KPIs coming directly from Google Search Console (GSC) without direct access to the Google account.

There is additional information stored in a Semrush account (name, phone, business name, address, email and the last 4 digits of a Visa card) that a threat actor could leverage to impersonate an individual or business.

Posing as the business, a threat actor could deceive vendors or partners into sending payments to fraudulent accounts, exploiting the trust tied to the business’s identity.

The combination of billing information and card details could be used to mount a more comprehensive attack. Someone posing as Semrush support, referencing an upcoming payment or the billing update process, could trick the victim into providing full credit card details.

****Conclusion****

Brand impersonation continues to be a popular attack vector used by online criminals to get access to valuable account credentials.

As Google Search is a central part of the SEO and ad ecosystems, individuals and businesses who inadvertently click on a malicious ad are at a major risk of losing extremely sensitive data and feel the impact of fraud on many levels. 

This should be a wakeup call to take steps to prevent such exposure by enforcing guard rails to anyone who manages an account for themselves or a company.

If you are a Malwarebytes customer, you are already protected against the malicious ads and sites used in this campaign. All these incidents have also been reported directly to Google.

_We would like to thank the folks at Silent Push for giving us access to their platform, enabling us to uncover additional infrastructure._

****Malicious** Semrush domains**

adsense-word\[.\]com  
auth\[.\]semrush\[.\]help  
sem-russhh\[.\]com  
sem-rushhh\[.\]com  
sem-rushh\[.\]com  
semrush\[.\]click  
semrussh\[.\]sbs  
semrush\[.\]tech  
seemruush\[.\]com  
semrush-auth\[.\]com  
auth.seem-rush\[.\]com  
ads-semrush\[.\]com  
semrush-pro\[.\]co  
semrush-pro\[.\]click  
auth.sem-ruush\[.\]com  
semrush\[.\]works

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Semrush impersonation scam hits Google Ads 

Citizen Lab's investigation reveals sophisticated spyware attacks exploiting WhatsApp vulnerabilities, implicating Paragon Solutions. Learn how their research exposed these threats and the implications for digital privacy.

Cybersecurity researchers at the Citizen Lab at the University of Toronto have exposed the use of sophisticated spyware named **Graphite**, developed by the Israeli firm Paragon Solutions, to target high-profile individuals through WhatsApp.

Their **investigation** reveals that a previously unknown zero-day vulnerability in WhatsApp’s software allowed the spyware to be installed on devices through a zero-click exploit, allowing adversaries to gain unauthorized access to targeted phones.

For your information **zero-click exploits** mean that a device can be compromised without the user clicking a link, opening a file, or performing any other action.

Attack flow explained (Source: The Citizen Lab)

****Graphite Spyware Servers Worldwide****

Paragon Solutions, established in 2019 by figures including former Israeli Prime Minister Ehud Barak, claims to differentiate itself by adhering to ethical standards, unlike other spyware vendors like the **NSO Group**.

However, Citizen Lab’s researchers mapped out servers attributed to Graphite, and identified suspected deployments against journalists, human rights activists, and government critics across multiple countries. This includes:

*   Italy
*   Israel
*   Canada
*   Cyprus
*   Denmark
*   Australia
*   Singapore

WhatsApp’s parent company, Meta, has confirmed that approximately 90 users in 24 countries were targeted. However, since the researchers are based in Canada; a significant aspect of the investigation focused on a Canadian client, the Ontario Provincial Police (OPP). The analysis uncovered links between Paragon and the OPP, revealing a systematic use of spyware capabilities among Ontario-based police services.

The Italian connection proved to be a focal point of the investigation. Forensic analysis of Android devices belonging to individuals notified by WhatsApp, including journalist Francesco Cancellato and Mediterranea Saving Humans founders Luca Casarini and Dr. Giuseppe Caccia, revealed clear indications of Graphite spyware.

Researchers identified a unique Android forensic artifact, BIGPRETZEL, which confirmed the presence of Paragon’s spyware on these devices. The Italian government initially **denied** any involvement but later **acknowledged** having contracts with Paragon.

Furthermore, the investigation extended to an iPhone belonging to David Yambio, a close associate of the confirmed Paragon targets. Apple threat notifications received by Yambio, coupled with forensic analysis, revealed an attempted infection with novel spyware, subsequently patched by Apple in iOS 18.

In response to Citizen Lab’s findings, Meta, along with Apple and Google, collaborated to address the security vulnerability. WhatsApp implemented a server-side fix, eliminating the need for users to update their apps. Apple also released a patch for its iOS operating system to protect iPhone users.

WhatsApp subsequently **notified** the targeted users. “If we believe that your device has come under threat, we may notify you about it directly via a WhatsApp chat,” the notification read.

****WhatsApp Attacks Persist Despite NSO Group Lawsuit Win****

Hackread.com earlier **reported** that the infamous Israeli spyware company, NSO Group, was held legally liable for compromising hundreds of WhatsApp accounts. Court found NSO Group responsible for breaching WhatsApp’s terms of service and exploiting a vulnerability to install its powerful Pegasus spyware on at least 1,400 devices, targeting journalists, human rights activists, political dissidents, and government officials.

Interestingly, CyberScoop **reported** in November 2024 that NSO Group continued to develop new malware based on WhatsApp exploits, even after Meta filed a lawsuit against them and that when WhatsApp disabled the Eden exploit, NSO Group created the Erised vector to target users until May 2020.

Now, the Citizen Lab’s findings indicate that Israeli spyware firms are continually focusing on exploiting WhatsApp vulnerabilities for spyware deployment and aggressively using them against journalists and activists.  

These cases show the never-ending struggle between technology companies and malicious actors seeking to compromise user privacy and the critical need for continuous caution, stricter security measures, and legal accountability within the spyware industry to protect digital privacy and **human rights**.

Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit

A new Zimperium report reveals that rooted Android phones and jailbroken iOS devices face growing threats, with advanced toolkits making detection nearly impossible for cybersecurity researchers.

Despite tighter security from **Apple and Google**, hackers and cybercriminals continue to exploit rooted and jailbroken devices for their attacks. A new report from mobile security firm Zimperium shared with Hackread.com ahead of its publishing on Thursday, warns that compromised mobile phones remain a major risk for businesses, as these devices are far more likely to be targeted by malware and system takeovers.

****What Are Rooting and Jailbreaking?****

**Rooting** (on Android) and **jailbreaking** (on iOS) give users full control over their devices. This allows customization beyond what manufacturers allow and also removes key security protections. A rooted or jailbroken can’t enforce security protocols like Google’s Play Integrity or Apple’s security checks, but they can install apps from unverified sources, disable security features, and modify system files, making them prime targets for cybercriminals.

According to Zimperium’s **research**, rooted Android devices are:

*   **3.5 times more likely** to be attacked by malware

*   **250 times more likely** to suffer a system compromise

*   **3,000 times more likely** to experience a filesystem breach

Depending on who the targeted victim is, a compromised phone can be used as an entry point into corporate networks, allowing attackers to steal sensitive data, launch phishing campaigns, and bypass OTPs.

****A Well-Equipped Toolkit of Hackers****

The security industry has worked hard to detect and block rooted devices, but hackers have also been catching up. Tools like Magisk, APatch, KernelSU, Dopamine, and Checkra1n are in active development, with some even designed to hide their presence to avoid scans.

Magisk, for example, uses a “systemless” root method that avoids modifying core system files, making them harder to detect. APatch takes a different approach by modifying kernel memory on the fly, leaving no permanent traces. These updated toolkits make it increasingly difficult for cybersecurity researchers to spot compromised devices before damage is done.

Overview of current rooting tools (left) and the threat chain of a rooted device leading to a security breach (right) via Zimperium.

****Decline in Rooting and Jailbreaking but Still a Threat****

Rooting and jailbreaking were a big deal from 2011 to 2019. Now that the number of rooted and jailbroken devices has declined, they still pose a serious risk, especially in workplaces where employees use personal phones for work.

Worse, this threat is not limited to small businesses; even employees at cybersecurity giants like Kaspersky Labs have had **their iPhones infected** by malware. A single compromised phone can give attackers access to corporate data, email accounts, and internal applications.

**J. Stephen Kowski**, Field CTO at cybersecurity firm SlashNext, highlights the issue, “When employees root or jailbreak their devices, they’re removing crucial security guardrails. This creates significant attack vectors for threat actors. Businesses need advanced threat detection that can identify compromised devices and block attacks without disrupting workflows.”

Nevertheless, companies need to take mobile security seriously. Traditional security solutions often fail to detect modern rooting tools, so businesses should invest in advanced mobile threat detection that can identify cybersecurity threats in real time. Here’s how a company can start tackling this threat:

*   **Educating employees** on the risks of rooting and jailbreaking

*   **Using mobile security solutions** that detect hidden modifications

*   **Blocking rooted and jailbroken devices** from accessing corporate networks

*   **Implementing strict app policies** to prevent sideloading of unverified software.

Tag

#google