Security Friday | Week of 12/5/25

Hi Insiders, Cullen here. The holiday season is entering full swing. Happy holidays from all of us here at iPhone Life! I hope you make some great memories this year. If you’re like me, then you’re probably doing a bunch of online gift shopping, and that means keeping on the lookout for the season’s most prolific scams. There are a boatload of scams that prey on the urgency of gift-giving season: charity scams, lost package scams, and fake products. The National Consumer League made a nice list of all the top scams, and it’s worth a review before setting out for your holiday shopping. Of course, we’ve got more details in this very newsletter, so scroll down and read on to stay safe this season. As always, if you encounter any scams, hacks, or trouble that our readers ought to know about, don’t hesitate to let us know by emailing security@iphonelife.com. Stay safe out there!

Cullen Thomas, Senior Instructor at iPhone Life

In This Newsletter

- 🗒️✅ Your Security Checklist
- 🏆🎖️ Test Your Security Skills
- 📰 Your Weekly Security Update
- 🤨 This Should Be on Your Radar 📡
- 🙈 Security Fail of the Week 👎
- 🍎📱 Security Updates from Apple 🍎

🗒️✅ Your Security Checklist

🏆🎖️ Test Your Security Skills

What should you do in the following scenario? You receive an email from Amazon saying that your Amazon account is compromised and you need to verify it. 🤔

1. Put the email in your spam folder.
2. Without clicking any links in that email, visit Amazon.com and change your password.
3. Verify your account with the link in the email.

Scroll to the bottom to see how you did!

📰 Your Weekly Security Update

Unmasked: Teen Face of Infamous Cybercrime Ring

The gang goes by the name Scattered Lapsus$ Hunters, and their exploits include stealing huge amounts of data from US cloud services company Salesforce and attempting to blackmail that company’s customers, including Toyota, Disney, UPS, and others. While their spree of high-profile crimes has lasted much of this year, their real identities have remained hidden. Now, Brian Krebs, of Krebs on Security, who is particularly known for unmasking cybercriminals, has gumshoed his way to the identity of one of the group’s social engineers: a teenager named Saif Al-Din Khader, working from his family’s shared Windows PC in Amman, Jordan. Read more at Krebs on Security.

The Bottom Line: Most of the “hacking” that Saif and the rest of the Scattered Lapsus$ Hunters gang got up to is more in the domain of social engineering than technical hacking. The group’s scammers would convince help desk clerks that they were executives or other privileged individuals who had forgotten their passwords. That process is difficult to defend against, especially for clients of the companies whose help desks may be exploited this way. You can pick the companies you patronize with care, focusing on those companies with good reputations, such as Apple, but in the end, it’s best to just freeze your credit and limit how much info you give out to companies. You should also read that article from Brian Krebs, because it’s genuinely amazing investigative reporting, and a top-notch read for a window into the world of cybercriminals.

🤨 This Should Be on Your Radar 📡

India Orders All iPhones to Come With State-Run Security App. Apple Declines

The government of India has declared that all phones in India must come pre-loaded with a new government-built app called Sanchar Saathi, designed to allow the government to lock a lost or stolen iPhone, as well as to provide users with a way to report scams. However, privacy advocates warn that the app could be easily repurposed to snoop on citizens, and now Reuters reports that Apple does not plan to comply with the new rule and will make its concerns known to Indian regulators. In response to the criticisms, Indian regulators have announced that individuals may delete the app if they wish.

The Bottom Line: Government-designed and mandated apps have been deployed recently in Russia. Your trust in a government app is going to be proportionate to your trust in your government, but a government mandating an app be installed on every device is probably a bad sign. The opinions of concerned citizens may affect these kinds of policy decisions in some jurisdictions. You can’t remove government-mandated apps, but in general, we recommend keeping a minimum number of apps installed. You can check which apps you have installed by swiping right through your Home screens to your App Library, then tapping on the Search bar. To remove an app from your iPhone, long-press it and select Delete App.

These iPhone Games Hide Scams

Security firm DV has discovered a set of games sold on the iOS App Store that employ a sneaky trick to scam advertisers and users. We don’t usually think of it this way, but when you play a game on your iPhone, you’re actually just following the program’s prompts for where to tap on your screen. There’s presumably some element of strategy involved or it wouldn’t be a very fun game, but also, the game can make pretty good predictions for where you’re going to tap. The scam apps load a web browser, but don’t show it to you. Instead, they use the web browser to load invisible advertisements on top of your game, so when you tap on the game, the ads register a view and a click, and the app’s developers get paid. Read more at DoubleVerify.

The Bottom Line: This scam doesn’t affect the user directly, except by using up some of your battery. The victims of this scam are the advertisers paying for views on their ads and not receiving them. Still, if the developers are willing to do this, then they’re probably also willing to scam you, if they can figure out how. Unfortunately, there are no obvious clues to help you avoid these scam apps. You can view some screenshots of the web pages that are secretly loaded, which may give you a sense of the design aesthetic of this particular campaign, but in the end, this is only a small set of apps—most apps on the iOS App Store are safe.

Superbox Media Streaming Hardware Turns Your Home into a Network for Cybercrime

Superbox is a brand of media streaming devices, competitors to the Apple TV, Roku Streaming Stick, and the like, except that the devices advertise the ability to access subscription services for a single upfront fee. Sounds like a great deal, right? Alas, no. Brian Krebs, of Krebs On Security, has a new piece exposing the scam. The devices do stream subscription services without the subscription, likely in violation of copyright law, but they also share your “unused bandwidth” with a network designed to allow cybercriminals to obfuscate their activities. Read more at Krebs on Security.

The Bottom Line: Don’t buy a Superbox media streaming device. If you own one, consider replacing it.

Surveillance Pricing: How Retailers Use Your Personal Data to Set Prices

Many retailers' websites will show different costs for the same product, depending on your personal data, including your location. This practice is called surveillance pricing by the FCC. Now, New York has a new law to require retailers using surveillance pricing to say so on their website, though they are only required to say that they’re doing it, not which information is used, or how it is used to set a price. Learn more about surveillance pricing and New York's new law at Wired.

The Bottom Line: If you’re using a VPN and a privacy-preserving web browser while opting out of cookie collection, then it’s possible that the prices you see when shopping online will depend on the physical location of the VPN server you’re currently using. This is a relatively benign example of a way that a website might use data collected about you in ways you don’t anticipate and didn’t agree to. We recommend using a privacy-preserving web browser, a VPN, opting out of cookie collection, and opting out of ad-metric collection in order to reduce the personal data available to retailers.

Scammers Might Send Emails from Official Apple Email Addresses

Scammers looking to steal access to an Apple account have figured out a new trick. They noticed that Apple allows users to enter an arbitrary email address when they open a support ticket. When you open a support ticket, Apple emails you to let you know they're looking into the situation. Scammers exploit this by first identifying what email address you use for your Apple account, then opening a support ticket and entering your email address in the form. The result is you get an unexpected message from an official Apple account saying that they’re looking into the issue. Then the scammers will call you pretending to be Apple support, and walk you through resetting your password. Except they’ll direct you to a phishing website, and if you enter your credentials there, that will give the scammers access to your account. The trick is that the initial email will actually come from an Apple account. Read more at Fox News.

The Bottom Line: Apple techs will not call you unless you have initiated contact. Do not answer unsolicited phone calls claiming to be from Apple Support. There are very rare instances where Apple’s security team sends emails to iPhone users to warn them that their device is the target of an ongoing threat, but these emails are exceptionally rare. Should you receive such an email, you still should not answer unsolicited phone calls claiming to be from Apple Support. Instead, go to an Apple Store, or initiate your own call to an official Apple Support line.

Do Your Chrome and Edge Extensions Hide Malware?

Koi Security reports that they’ve identified over a hundred malicious extensions for Chrome and Edge web browsers. All were uploaded by the same hacking group, but engineered for different purposes. Some would inject affiliate codes whenever the user clicked an eBay link, so the developer would be credited as an affiliate for every purchase made on eBay. Others do pure search hijacking or inject extra ads. Read more at Security Week.

The Bottom Line: We recommend practicing extreme caution when installing extensions for your web browser. For a web browser extension to provide any meaningful functionality, it must have almost complete access to your web browsing, which allows any malicious extension to modify the pages you visit, serve extra ads, or harvest data as you enter it in webforms, such as passwords. Browser extensions are risky by their nature, and we recommend avoiding them except for your adblocker and your password manager.
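The point above is that a useful extension needs near-total access to your browsing, so the question to ask before installing one is how much it can see and change. As an added example that is not from the newsletter or from Koi Security, the following Python script reads extension manifests (Chrome's Manifest V3 layout, with the real keys permissions, host_permissions and content_scripts.matches) and rates how much of a user's browsing each one could read or rewrite. The three manifests are constructed for this example; on a real machine you would load the manifest.json files from your browser's extensions folder instead.

```python
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, paired with broad host access, let an extension read or
# rewrite pages, requests, cookies and form data (the capabilities the newsletter warns about).
SENSITIVE_PERMISSIONS = {
    "scripting", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "tabs", "webNavigation", "history", "clipboardRead",
}

# Constructed manifests for this example (not real extensions).
SAMPLE_MANIFESTS = [json.loads(s) for s in (
    '{"name": "Example Ad Blocker", "manifest_version": 3,'
    ' "permissions": ["declarativeNetRequest", "storage"], "host_permissions": ["<all_urls>"]}',
    '{"name": "Shopping Deals Helper", "manifest_version": 3,'
    ' "permissions": ["scripting", "cookies", "tabs"],'
    ' "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}',
    '{"name": "Notes for docs.example", "manifest_version": 3,'
    ' "permissions": ["storage"], "host_permissions": ["https://docs.example/*"]}',
)]


def host_patterns(manifest):
    """Collect every host pattern from host_permissions and content script matches."""
    patterns = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def is_broad(pattern):
    """True when the pattern covers all hosts of a scheme rather than a named site."""
    return pattern in BROAD_HOST_PATTERNS or pattern.startswith(("*://*/", "http://*/", "https://*/"))


def assess(manifest):
    """Rate how much of the user's browsing an extension could see or alter.
    The rating is about capability, not intent: a legitimate ad blocker rates high too."""
    broad = sorted(p for p in host_patterns(manifest) if is_broad(p))
    sensitive = sorted(set(manifest.get("permissions", [])) & SENSITIVE_PERMISSIONS)
    if broad and sensitive:
        level = "high"
    elif broad or sensitive:
        level = "medium"
    else:
        level = "low"
    return {"name": manifest.get("name", "?"), "level": level,
            "broad_hosts": broad, "sensitive": sensitive}


def audit_all(manifests=None):
    """Assess a list of manifests (the constructed samples by default)."""
    return [assess(m) for m in (SAMPLE_MANIFESTS if manifests is None else manifests)]


if __name__ == "__main__":
    for result in audit_all():
        print(f"{result['level']:6} {result['name']}: "
              f"hosts={result['broad_hosts']} perms={result['sensitive']}")
```

The ad blocker and the deals helper both rate "high" because both can touch every page; the difference between them is trust in the developer, not capability, which is exactly why the newsletter limits its recommendation to an adblocker and a password manager you already trust.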
🙈 Security Fails of the Week 👎

Apple Slashes Security Bounty Program

Like all large and reputable software and hardware companies, Apple will pay a bounty to security researchers who discover bugs in its security systems and report those bugs instead of exploiting them. 9to5Mac reports that Apple is cutting the dollar values of many of the bounties it posts for bugs in Mac security. This is happening at a time when malware designed for macOS is still on the rise. Read more at 9to5Mac.

The Bottom Line: Apple has plenty of budget to pay security researchers, and bounty programs like this are good for everyone. Apple should be increasing its bug bounties on macOS bugs, not slashing them.

🍎📱 Security Updates from Apple 🍎

Everything you need to know about Apple’s latest software updates.

- The most recent iOS and iPadOS is 26.1
- The most recent macOS is 26.1
- The most recent tvOS is 26.1
- The most recent watchOS is 26.1
- The most recent visionOS is 26.1

Read about the latest updates from Apple.

Security Skills Answer

Both 1: put the email in your spam folder, and 2: without clicking any links in the email, open a new tab and visit Amazon to reset your password, are valid answers depending on whether the email is actually from a valid Amazon customer support email address. There is no condition under which clicking the links in that email is a good idea.
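The answer turns on two checks: does the sender address really belong to Amazon, and where do the links really go? As an added example that is not part of the newsletter, the following Python script applies those two checks mechanically to a constructed sample message: it parses the From header, compares the sender's domain with the expected one, and lists every link whose actual destination is off-domain, including links whose visible text claims to be amazon.com. The sample email and the look-alike domain names in it are constructed for this example, and the "last two labels" domain check is a simplification that stands in for a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for this example (not a real email). The visible
# link text claims to be amazon.com, but the href points at a look-alike host.
SAMPLE_EMAIL = """\
From: Amazon Account Services <security@amazon-verify-center.example>
To: you@example.com
Subject: Action required: your account is compromised
Content-Type: text/html

<html><body>
<p>We detected unusual sign-in activity. Verify your account within 24 hours.</p>
<p><a href="http://amazon.com.account-verify.example/login">https://www.amazon.com/verify</a></p>
<p>Or visit <a href="https://www.amazon.com/gp/css/homepage.html">Your Account</a> directly.</p>
</body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    A real tool would consult the public suffix list; this keeps the example offline."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_email(raw, expected_domain="amazon.com"):
    """Return a list of findings explaining why the message should not be trusted.
    An empty list means no sender or link problem was found, not that the mail is safe."""
    msg = message_from_string(raw)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if registrable_domain(sender_domain) != expected_domain:
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain}")

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, inner in LINK_RE.findall(body):
        real_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if registrable_domain(real_host) != expected_domain:
            findings.append(f"link goes to {real_host!r} (shown as {shown!r}), not {expected_domain}")
        elif URL_LIKE_RE.fullmatch(shown):
            # Destination is on-domain; still check that visible URL text does not lie.
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable_domain(shown_host) != expected_domain:
                findings.append(f"link text {shown!r} does not match destination {real_host!r}")
    return findings


def verdict(raw, expected_domain="amazon.com"):
    """Translate the findings into the newsletter's advice."""
    if audit_email(raw, expected_domain):
        return "suspicious: do not click; open a new tab and go to the site yourself"
    return "no sender or link problems found; still navigate to the site yourself"


if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        print("-", finding)
    print(verdict(SAMPLE_EMAIL))
```

Note that the second branch of `verdict` still tells you to type the address yourself: a clean sender and clean links reduce suspicion, but the newsletter's rule that there is no condition under which clicking the email's links is a good idea still holds.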
Mission Statement

There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

Next Steps

Interested in Apple’s Password Manager? Check out:

Did we help with your security concerns? With your feedback, we can improve this security newsletter. Let us know how we did: