Beware of Coming Online Scam Season

Online Scams Are on the Rise

The beginning of September signals not only the start of term papers, research projects and theses for the academic community, but also the start of the online scam season. Action Fraud, the UK's national fraud and cyber crime reporting center, issues yearly warnings to the academic community about the increase in online scams targeting them.

Forms of Deception Are Diversifying

Online fraud aimed at students is nothing new. Several times a year students are exposed to various online scams; some fraudsters, for example, try to lure them with ads for non-existent accommodation.

The most recent scam technique deceives unwary users with fake alerts that appear to come from university finance departments. One recent example used fake emails informing recipients that their Student Loans Company (SLC) account had been suspended. A similar scam in 2011 resulted in an astounding 1.3 million dollars in losses.

Fraudsters aim to wheedle out additional sensitive information. The tactic resembles the one employed by Facebook scammers, who try to fool users with messages persuading them to "verify their account."

A similar strategy is also popular among ransomware developers. The Locky developers, who have now launched their latest version, Lukitus, targeted users with fake emails using details acquired from the 2016 US Office of Personnel Management breach. The infamous Cerber, Cezar and Arena crypto-malware campaigns included fake messages supposedly sent by tax institutions, carrying malicious invoice files.

Lately, US citizens, especially residents of California and Texas, have been bombarded with requests to donate to shady Hurricane Harvey fund-raising sites. Fraudsters, in short, do not stop surprising the online community with new techniques.

Ways to Avoid Online Fraud

The best advice for avoiding an online scam is to remain vigilant and cautious. Whether you are a student or an ordinary online user, you should:

  • verify the sender before opening any email attachment supposedly sent by official institutions
  • not install any updates promoted in random sites
  • not disclose any valuable information to emails supposedly sent by your internet provider or loan company

Arena ransomware attack

Arena ransomware goes on a worldwide rampage

Arena ransomware is closely associated with the CrySiS and Dharma malware families

The Arena ransomware virus first appeared as a variant of CrySiS/Dharma malware. A little later, however, the CryptoMix ransomware gang started using the same extension for its latest variant, which was first discovered by researcher Michael Gillespie.

If your files were encrypted and carry the .arena extension, you can identify the ransomware family quite easily. The main difference between CrySiS Arena and CryptoMix Arena is that the CryptoMix variant replaces the original filenames with hexadecimal strings; an example of such a filename is pN1K7230200106B6C29ECCG62801ZN43.arena.

A description of the newly discovered Arena ransomware variant and its comparison to CrySiS/Dharma is provided on the 2-Spyware website. The new version creates a _HELP_INSTRUCTION.TXT file with the ransom payment guidelines and the ms.heisenberg@aol.com email address through which the victim can contact the criminals. The Dharma variant instead lists the Macgregor@aolonline.top, chivas@aolonline.top or sindragosa@bigmir.net addresses in its FILES ENCRYPTED.txt ransom note.

Distribution of the malicious virus

The CrySiS and CryptoMix crypto-ransomware families are extremely active at present, releasing new variants every week or two. CryptoMix variants are known to be distributed via the EITest campaign using the RIG-V exploit kit. Put simply, you can get infected by visiting a compromised website that contains a malicious script probing your computer for software vulnerabilities.

However, neither ransomware family has abandoned traditional distribution methods such as malvertising, malicious spam and Trojan horses. Be careful and do not open shady-looking email attachments, even if they appear to come from a reliable company or person. When in doubt, scan them with an online file scanning service such as VirusTotal. Up-to-date anti-malware software can also prevent you from launching malicious files.

Decryption of .arena files

The most important question for affected users is whether .arena files can be decrypted for free. Unfortunately, at the moment files with this extension cannot be decrypted using any third-party tools. We suggest checking the 2-Spyware website for updates.

You should remove the Arena virus from the system before continuing to use your computer. Scan the system with a reputable anti-malware program in Safe Mode with Networking to eliminate all malware that may have sneaked onto your computer over time.

Facebook Message virus 2017

Facebook Message virus returns as summer 2017 draws to a close

The return of Facebook Message virus: stay away from shortened video links sent by your friends!

Summer is coming to an end, which means that malware developers are heading back to work. In fact, some of them did not even wait for the end of the warm season: recently, researchers from 2-Spyware analyzed a new Facebook Message virus variant that hijacks Facebook accounts to send messages to all of their friends.

The malicious messages contain a link to a video and the line "[name of the recipient] Video," suggesting that the victim watch a short clip. The concept is very similar to the Facebook Video virus, which also tries to trick people into opening a fake video link.

The virus infiltrates computers using a Trojan horse technique combined with social engineering

Clearly, the criminals rely on social engineering to make the victim curious about the link. Once the victim clicks what looks like a shortened URL (usually bit.ly) of a video, the virus redirects him or her to a Google Docs page.

The document contains an automatically generated image built from the target's Facebook photo, with a play button on top of it.

Once that is clicked, a chain of redirections occurs. Each of the websites the victim's browser connects to collects certain information about the victim, such as:

  • The computer's default language;
  • Geolocation of the device;
  • Browser information;
  • Installed add-ons and cookies;
  • Operating system type and version;
  • Browser type and version.

Based on the computer's operating system and browser, the malware redirects to a phishing website that suggests installing either a malicious Flash Player update or a Chrome or Firefox extension.

If the victim agrees to install the suggested software, his or her account gets compromised and may start automatically sending messages to all friends, spreading the malicious link further. Cyber security experts say that a technical analysis of the virus is required to determine the exact distribution method.

The purpose of the new Facebook Messenger virus

The newly discovered Facebook virus spreads rapidly; however, cyber security experts from Kaspersky say that the installed component belongs to the adware category and does not download any malicious programs to the system. The virus can, however, be updated at any time.

If you received a similar message via Messenger, do not click on it! Although this malware gets into the system only once the victim agrees to install it, other viruses are capable of infiltrating the system through security vulnerabilities.

Therefore, if you do not want to fall victim to a far more serious attack, keep your distance from suspicious links received via Facebook.

If you accidentally clicked on the malicious link, immediately scan your computer with anti-malware software to remove the Facebook Message virus from the system.

3 fake messaging apps were spreading SonicSpy malware via Google Play Store

SonicSpy – new malware that affected more than 1,000 Android apps

Android users should remain vigilant and be aware of a new Android malware variant that has affected over 1,000 apps. At least three of them were available on the Google Play Store, promoted as messaging apps. Fortunately, Google removed them. However, experts expect to see the malware again, pretending to be another app.

The first examples of the malware were noticed in February 2017. Google removed them from the Store; however, several more hazardous apps remained until now. Recently, mobile security company Lookout discovered three fake messaging apps on the Google Play Store that contained SonicSpy:

  • Soniac,
  • Hulk Messenger,
  • TroyChat.

Surprisingly, all of them did offer messaging services, but that was not their primary task. These programs were designed to collect sensitive data and transfer it to the cyber criminals.

Malware works as a spying tool

SonicSpy has 73 unique remote features that allow spying on users. It can record phone calls, capture audio or video clips, take pictures with the camera, access the contact list and Wi-Fi information and, most importantly, steal sensitive data.

When a user downloads one of the malicious apps, the malware hides itself and connects to its Command and Control (C&C) server to begin its malicious activities.

Analysis of the virus revealed that the malware might be related to another Android virus, SpyNote. That threat was detected last summer, in July 2016, spreading as a fake Netflix app.

It is believed that SonicSpy, like SpyNote, may have been created by an Iraq-based hacker; the developer account behind the malicious apps on the Google Play Store was even named "iraqiwebservice."

Tips to avoid Android spyware and malware

Although the apps spreading SonicSpy were removed from the official store, there is still a chance that some malicious apps have not been detected yet. What is more, the hacker can create a new developer account and publish new variants of the malicious apps.

Besides, numerous other Android ransomware or malware variants might be disguised under the names of other apps in official and unofficial stores. Therefore, you should be careful with the applications you install and always follow these mobile security tips:

  • Download apps only from official Google Play Store;
  • Check the information about developers and rely only on trusted companies;
  • Read user reviews outside the app store, because fake reviews can create a false image;
  • Read app permissions before installing apps. If the app wants full access to your device or requires irrelevant permissions, you should not install it;
  • Regularly update your device and apps;
  • Invest in your smartphone's security and obtain a professional antivirus.

Cerber and Locky viruses strike again

Hacking in summer time – Locky and Cerber developers start another distribution campaign

Cerber or Locky – ever-evolving and ever-lasting cyber issues

In case you were wondering whether the two notorious ransomware giants had finally been terminated, we are sorry to disappoint you. It seems that the developers of both threats spent the summer wisely: improved viruses are targeting netizens again. What's new, and what should you beware of?

Cerber now sniffs for personal data

In keeping with its namesake, the mythical creature Cerberus, the developers decided to add data-stealing features. The latest version of the virus, distributed as CRBR Encryptor, is now able to capture browser passwords and bitcoin wallet information. Besides looking for Chrome, Internet Explorer, Firefox and other browser passwords, the infection also attempts to steal Bitcoin Core, Multibit and Electrum wallet information.

IT specialists suspect that the source code enabling this function might have been borrowed from another project. Though the update certainly makes the malware more menacing, data-stealing ransomware is not a novelty: last year some CryptXXX variants were spotted engaging in data theft as well.

Locky strikes again in a new disguise

While the name "Locky ransomware" flickered regularly in media headlines last year, its authors have not abandoned the project. In fact, the intervals between versions imply that the crooks have been working on new, more destructive techniques. This summer they dropped the habit of naming their versions after Egyptian and Scandinavian deities and returned to European mythology.

IT specialists have caught its new version, Diablo6 ransomware, spreading via a new malicious spam campaign. Judging by the trend, however, the Locky developers have not mastered any extraordinary new technique; as before, they test targeted users' curiosity. The malicious email may arrive from an unknown sender with a brief message: "Files attached. Thanks"

Opening the E [date] (random_number).docx attachment executes a VBS downloader script, which then downloads the main payload of the virus. During encryption, the malware appends the ridiculously long [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].diablo6 extension. The current version is relatively modest: it asks for 0.49 bitcoin, amounting to about $1,600.

Unfortunately, neither ransomware threat is decryptable at the moment. While cyber security specialists continue working on countermeasures, the online community should arm itself with awareness and knowledge. Unlike Cerber, which keeps evolving at an alarming rate, the Locky developers seem to rely on the same spam campaigns. If you manage to bridle your curiosity and treat incoming spam emails with caution, you will lower the risk of encountering file-encrypting threats.

Petya aftermath: a month after the virus outbreak

The damage of Petya virus attacks is still being estimated

A month has passed since the new Petya virus version rolled through the cyber world in a wave of terror and confusion. Victims are still counting their losses, which presumably reach millions if not billions of dollars.

Major manufacturing, telecommunication and other service companies say that at the moment it is difficult to estimate the full extent of the damage. The victimized businesses anxiously await the end of the year, when the final calculations will be completed.

The recovery of older Petya versions leaves hope for NotPetya decryption

Luckily, cyber security experts do not intend to leave the Petya outbreak story on a bad note. Well-known antivirus researchers have already come up with working decryptors for the three initial Petya versions: Red Petya, Green Petya/Mischa and Goldeneye.

These decryption tools are not magical. They may freeze the computer or cause errors, with a risk of damaging data. That is why experts always advise making backup copies of the files in case recovery fails.

Nevertheless, in most cases the decryptors work fine, and if you still have data you cannot access, you should definitely give them a try.

Unfortunately, we have no good news for users infected with NotPetya or other hybrid Petya versions, at least at the moment. These ransomware variants were not developed by Janus Cybercrime, which means that the decryptors that work for the original versions are useless against NotPetya.

However, you should not lose hope. Numerous cases prove that ransomware decryption is possible, and it is only a matter of time before security experts find a way around the encryption and give your files back.

Protecting your data is important: backups are the key

Sad as it sounds, ransomware developers get more advanced as time goes by. Once security experts patch one vulnerability, the criminals find another, and the cycle continues. The best way to protect your data is to keep backups, preferably several copies of your documents in several different places. Depending on the importance of your data and your needs, you can invest in automatic backup software or manually create extra copies of your most essential files.

Protect your Android device from Xavier virus

The updated Xavier Android malware was noticed spreading in Google Play store

Today we would like to introduce a new Android virus called Xavier. The virus belongs to the AdDown family, first discovered in 2015. Xavier itself was spotted in September 2016; however, its authors have since updated it in order to spread it widely via the Google Play Store.

The majority of victims who downloaded one of the 800 infected applications were from Vietnam, the Philippines and Indonesia. Although the virus mostly causes problems in the Southeast Asian region, several cases were reported in the United States and Europe.

The purpose of malware – stealing personal information

Xavier is a malicious ad library that enters the system as a Trojan. The malware might affect not only Android smartphones and tablets but TVs and game consoles as well; however, the majority of infections were noticed on mobile devices.

The infected applications included photo editors, antivirus utilities, volume and speed boosters, and more. The applications seemed useful, and users downloaded them from Google Play millions of times without suspecting that their privacy might be at risk.

The malware's success rests on its ability to evade detection. This sophisticated virus can bypass a smartphone's regular security, so ordinary security software installed on mobiles may not detect it.

On an affected smartphone, Xavier might install APK files and enable remote code execution. Hackers could thus gain full access to the device and do whatever they want, such as cloning the phone or installing additional malware. The malware's behavior depends on the tasks it receives from the remote Command and Control (C&C) server.

Protecting your smartphone from Xavier and other Android viruses

The main security tip for avoiding Android malware used to be: do not download apps from third-party websites, and stick to Google Play. However, that tip is no longer sufficient on its own. Of course, you should still keep away from unknown app sites, but you also need to pay more attention to your smartphone's security.

  1. Check information about the publisher before installing a new app. Well-known developers are the ones you can trust.
  2. Read reviews of the app before installing it. Pay attention to users' complaints and do not install apps with negative feedback.
  3. Read what permissions the app requires. If an application wants access to lots of information, do not install it, to protect your privacy.
  4. Invest in professional mobile security software.
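The permission check in tip 3 above (and the same tip in the SonicSpy article) can be applied mechanically before installing: list what the app's AndroidManifest.xml requests, compare it with what the app's advertised purpose needs, and explain which spying capability each excess permission would enable. The following is an added example, not tooling from Lookout, Google or 2-Spyware; the permission names are standard Android ones, the "messaging app" baseline is an assumption to tune per app, and both manifests are constructed.

```python
"""Review the permissions an Android app requests against its advertised purpose.
Added example: permission names are standard Android ones, the baseline for a
'messaging app' is an assumption, and both manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a plain messaging app can justify (assumed baseline; adjust per app).
MESSAGING_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.VIBRATE",
}

# Permission -> spying capability it enables. The capabilities are the ones the
# SonicSpy article lists, plus APK installation as described for Xavier.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "record phone calls or ambient audio",
    "android.permission.CAMERA": "take pictures and video clips",
    "android.permission.ACCESS_WIFI_STATE": "read Wi-Fi information",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.ACCESS_FINE_LOCATION": "track device location",
    "android.permission.READ_PHONE_STATE": "read phone identity and call state",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APK files",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.READ_EXTERNAL_STORAGE": "read files stored on the device",
}


def requested_permissions(root):
    """Collect android:name values from every <uses-permission> element."""
    key = "{%s}name" % ANDROID_NS
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def review_manifest(manifest_xml, baseline=MESSAGING_BASELINE):
    """Return requested permissions, those the purpose does not explain, and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(root)
    excess = sorted(requested - baseline)
    findings = {p: SENSITIVE.get(p, "not needed for the advertised purpose")
                for p in excess}
    # The articles' rule: irrelevant or device-wide permissions mean do not install.
    spying = [p for p in excess if p in SENSITIVE]
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "findings": findings,
        "verdict": "do not install" if spying else "install",
    }


def manifest(package, permissions):
    """Build a minimal constructed AndroidManifest.xml for the examples below."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="%s" package="%s">%s<application/></manifest>'
            % (ANDROID_NS, package, uses))


# Constructed: a "messenger" requesting a SonicSpy-style capability set.
SUSPICIOUS_MANIFEST = manifest("com.example.constructed.messenger", [
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
])

# Constructed: a messenger that stays within the baseline.
BENIGN_MANIFEST = manifest("com.example.constructed.chat", [
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",
])

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = review_manifest(xml_text)
        print(report["package"], "->", report["verdict"])
        for perm, why in report["findings"].items():
            print("   ", perm, ":", why)
```

On a real APK, extract AndroidManifest.xml with a decoder such as apktool before passing it in, and widen the baseline for apps that legitimately need the camera or microphone.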

Facebook community – still an easy target for hackers

Nothing new: the same old deception techniques

Though the majority of Facebook users come from developed countries, they remain easy targets for scammers. Several scams in a row have recently shaken the Facebook community. Surprisingly, crooks are targeting users with the same old tricks: the Facebook video virus, the Facebook Message scam, free flight ticket giveaways, and so on. Why do users keep falling for them?

Observing the recent Facebook scams, it seemed unbelievable that fraudsters expected to fool users with the same tricks. Unfortunately, they did. One of the most recent deceptions revolved around the Facebook video virus.

You might recall that the same story happened last year. Users received a message with a video link that included their profile picture and name. Once they clicked on the supposed YouTube video, they were asked to install a shady browser extension to watch it. This year, the crooks employ alternative "material": a malicious file.

This version of the scam is currently spreading in North Wales, but considering that users have fallen for the same trick twice or even three times, the infection might soon spread to other regions.

Jayden K. Smith wants to be friends with you

Lately, some of your friends might have been posting warnings not to accept a friend request from the mysterious Jayden K. Smith. He is said to be a hacker able to hack your account the very moment you befriend him. The message might seem an ordinary warning, except that it is another scam.

If you have seen several of them, you will have noticed that the text does not differ, apart from the names. Other intimidating "hackers" are Anwar Jitou, Maggie from Sweden, Bobby Roberts, Simon Ashton, and many others.

Unfortunately, Facebook community members have quick reflexes when it comes to sharing things and clicking the "Like" button without giving it a thought. Though in this case the scam did not result in any financial losses, overall, scams amount to 50 million dollars.

Other recent scams were not so harmless. Fraudsters published fake posts supposedly from well-known airlines offering free tickets. The posts quickly went viral, which came as an unexpected surprise to the very companies involved. Worse, far more troublesome malware was disguised behind these posts.

Best advice? Think before sharing a post

As in everyday life, action should follow thought. No matter how powerful an antivirus you have, if you surf Facebook clicking here and there mindlessly, you may end up a scam victim as well.

Naturally, no one enjoys being the loser. So double-check the content you receive and confirm the authenticity of what you are about to share. That way, Facebook might become a safer place.

Decrypt Master file extension files

Master ransomware victims can now decrypt their files for free

The developer of Master ransomware leaks private keys before launching Aleta ransomware campaign

Master ransomware is a version of the BTCWare virus. The ransomware has compromised thousands of computers worldwide, taking the data stored on them hostage. This version used to create !#_RESTORE_FILES_#!.inf files as ransom notes and demand a ransom in Bitcoin. The Master virus always appended a particular extension consisting of the criminals' email address and the aforementioned extension, giving a final result of .[email].master.

The developer of the ransomware mysteriously emerged in online forums and on June 30th announced that Master's decryption keys would be published within 5 days. Although some did not believe the claim and thought the message was fake, the private keys were indeed leaked.

It is believed that the developer leaked the keys because he was planning to release an updated version, which turned out to be Aleta ransomware. The new virus drops a !#_READ_ME_#!.inf ransom note and demands 2 Bitcoins in exchange for a decryption tool. It also marks each file with the .[black.mirror@qq.com].aleta extension.
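The filename and ransom-note patterns quoted in this article and in the Arena and Locky Diablo6 articles above are enough to triage an encrypted share without running any decryptor. The helper below is an added example, not a tool from 2-Spyware or the Master Decryptor's author: the family patterns come from the text, the CryptoMix shape is generalised from the single sample filename given, and the directory listing and the decrypt-me@example.com address are constructed.

```python
"""Classify encrypted-file names and ransom notes against the patterns the
articles report for Arena, Locky Diablo6 and BTCWare Master/Aleta.
Added example: patterns are taken from the text; the listing is constructed."""
import re
from collections import Counter

HEX = "[0-9A-Fa-f]"

# Ransom-note filenames named in the articles, and the family that drops them.
RANSOM_NOTES = {
    "_HELP_INSTRUCTION.TXT": "CryptoMix Arena",
    "FILES ENCRYPTED.txt": "CrySiS/Dharma Arena",
    "!#_RESTORE_FILES_#!.inf": "BTCWare Master",
    "!#_READ_ME_#!.inf": "BTCWare Aleta",
}

# Extensions the updated Master Decryptor handled after the key leak.
MASTER_DECRYPTOR_EXTS = {"btcware", "onyon", "master", "theva",
                         "cryptobyte", "cryptowin", "xfile"}

# Locky Diablo6: hex groups of 8-4-4-4-12 characters, then .diablo6
DIABLO6_RE = re.compile(
    rf"^{HEX}{{8}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{12}}\.diablo6$")

# BTCWare Master/Aleta: original name, then .[contact email].<ext>
BTCWARE_RE = re.compile(
    r"^(?P<orig>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>master|aleta)$",
    re.IGNORECASE)

# CryptoMix Arena replaces the whole name. The article's sample,
# pN1K7230200106B6C29ECCG62801ZN43.arena, is 32 alphanumeric characters,
# so that is the shape checked here (assumed from that single sample).
CRYPTOMIX_ARENA_RE = re.compile(r"^[0-9A-Za-z]{32}\.arena$")


def classify_filename(name):
    """Return (family, details) for one filename; (None, {}) if nothing matches."""
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], {"ransom_note": True}
    if DIABLO6_RE.match(name):
        # The first three groups (16 hex characters) carry the victim id.
        return "Locky Diablo6", {"victim_id": name[:18].replace("-", "")}
    m = BTCWARE_RE.match(name)
    if m:
        ext = m.group("ext").lower()
        return "BTCWare " + ext.capitalize(), {
            "original_name": m.group("orig"),
            "contact_email": m.group("email"),
            # Master keys were leaked; Aleta is not in the decryptor's list.
            "free_decryptor_reported": ext in MASTER_DECRYPTOR_EXTS,
        }
    if CRYPTOMIX_ARENA_RE.match(name):
        return "CryptoMix Arena", {"original_name_lost": True}
    if name.lower().endswith(".arena"):
        # The CrySiS/Dharma variant, by contrast, keeps the original name.
        return "CrySiS/Dharma Arena", {"original_name": name[:-len(".arena")]}
    return None, {}


def triage_listing(names):
    """Summarise a directory listing: per-family counts, notes, contact e-mails."""
    summary = {"families": Counter(), "ransom_notes": [],
               "contact_emails": set(), "unclassified": []}
    for name in names:
        family, details = classify_filename(name)
        if family is None:
            summary["unclassified"].append(name)
            continue
        summary["families"][family] += 1
        if details.get("ransom_note"):
            summary["ransom_notes"].append(name)
        if "contact_email" in details:
            summary["contact_emails"].add(details["contact_email"])
    return summary


# Constructed listing (not from a real incident); example.com is a placeholder.
SAMPLE_LISTING = [
    "thesis.docx.[black.mirror@qq.com].aleta",
    "budget.xlsx.[decrypt-me@example.com].master",
    "!#_READ_ME_#!.inf",
    "pN1K7230200106B6C29ECCG62801ZN43.arena",
    "holiday.jpg.arena",
    "FILES ENCRYPTED.txt",
    "0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9.diablo6",
    "readme.txt",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    for family, count in result["families"].most_common():
        print(f"{count:3d}  {family}")
    print("ransom notes:", result["ransom_notes"])
    print("contact e-mails:", sorted(result["contact_emails"]))
```

Feed it `os.listdir()` output from the affected volume; the "free_decryptor_reported" flag reflects the state described in this article and should be re-checked against current decryptor releases.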

A free Master decryption software is available

Using the leaked keys, security researcher Michael Gillespie updated the Master Decryptor, making it capable of decrypting BTCWare versions that use these extensions on encrypted data:

  • .btcware;
  • .onyon;
  • .master;
  • .theva;
  • .cryptobyte;
  • .cryptowin;
  • .xfile.

However, the researcher points out that the ransomware contains a bug that prevents some files from being decrypted correctly: files smaller than 10MB will contain 16b of junk appended to their decrypted versions, whereas larger files are decrypted successfully. To remove the Master virus and decrypt your files, follow the instructions provided on the 2-Spyware site.

Reasons not to pay the ransom

If your computer was affected by Aleta or any other BTCWare version, we suggest staying patient. So far, many victims have managed to recover their files without paying, although they had to wait for free decryption tools. We believe the wait is worthwhile, especially when the cyber frauds ask for an enormous ransom of more than 5000 USD.

For data recovery solutions and virus removal guidelines, we suggest visiting the NoVirus web page, where you can find many useful cyber security tips.

AdsKeeper and Stack Player continue bombarding web browsers with ads

Researchers noticed an increased activity of adware programs

Recently, cyber security experts noticed increased activity in the distribution of AdsKeeper and Stack Player. These two ad-supported programs have been well known for a while and have already complicated web browsing for hundreds of thousands of computer users.

These programs are known for:

  • being capable of entering the system in software bundles;
  • altering browser’s settings;
  • using “virtual layer” to display third-party ads;
  • delivering an excessive amount of ads;
  • delivering misleading and malicious ads;
  • redirecting to high-risk websites;
  • tracking information about users.

All these negative features disturb web browsing and make the system vulnerable. As a result, infected computers become easily accessible to other cyber threats and malware.

We want to point out that you should be careful when installing freeware or shareware. These two adware programs spread widely with PDF converters, video players and other free programs. To avoid them, you should:

  • choose reliable sources for software installation;
  • use Advanced/Custom installation settings;
  • not rush to click the "Next" button;
  • unmark all third-party entries offered to download together with the primary program.

The major issues caused by AdsKeeper adware

Although AdsKeeper is a legitimate advertising program, it might pose a danger to computer users. Some of the ads delivered by this ad-supported application might redirect to potentially dangerous websites.

The problems begin when the adware enters the system silently. It might alter the targeted browser's settings in order to display third-party commercial content on various sites. The PUP might deliver ads even on well-known sites, so you can easily be tricked into thinking an offer is reliable and safe to click.

However, research has shown that some AdsKeeper ads have nothing in common with safety and credibility. Cybercriminals and scammers often take advantage of this advertising platform to spread malicious ads.

With one click, you might end up on a tech support scam or phishing website, where crooks might convince you to install bogus software or reveal personal information. Thus, this adware might be responsible for helping criminals reach innocent computer users.

It does not matter that this is not the intended purpose of the adware program. You should take care of your privacy and computer by performing AdsKeeper removal.

The main characteristics of Stack Player virus

Stack Player is advertised as a useful video streaming tool that allows browsing through a huge library of video content and watching it straight from the desktop. Indeed, this free application might seem interesting for those who spend hours watching videos.

However, it is hard to talk about this program's functionality because it is impossible to keep it on the computer for long. After installation, it instantly starts tracking information about users and delivers suspicious ads on every visited website.

One of the main problems is that Stack Player ads redirect to high-risk websites or promote bogus antivirus, PC optimization software or suspicious browser extensions. Misleading security alerts and offers to install crucial updates might hide malware as well.

Thus, we want to remind you to stay away from this program and be careful when installing freeware or shareware, as this program might enter the system bundled with them. If you have already made the mistake of letting this program settle on your PC, we recommend following the Stack Player removal instructions and getting rid of the adware immediately.