Cybercrime trends Fall 2017: what cyber threats can you meet online?

Be aware of ransomware: your files are still in danger

Recently, Europol announced that ransomware is the most powerful cyber threat of all. Thus, this autumn users should be prepared for data-encrypting virus attacks. One of these threats is a new version of Locky, and we are not talking about the Lukitus and Ykcol variants.

In October 2017, researchers discovered Asasin – a new example of Locky that spreads via corrupted email attachments. If it finds its way into the computer, there’s no way to get back your files.

The BTCWare family also continues to grow. At the beginning of October, the BTCWare PayDay ransomware version was noticed spreading and asking victims to pay the ransom. Thus, it’s time to back up your files to avoid possible damage.

Facebook scammers lure victims with free iPhone X

Virtual life on the biggest social network is not simple and calm. A new wave of the Facebook virus spreads a scam aimed at Apple fans and those who desperately want to get the latest iPhone model for free.

Numerous fake pages were created on Facebook and Instagram to attract users to participate in an iPhone giveaway. Undoubtedly, no one is going to give away free Apple phones. The purpose of this scam is to collect a bunch of sensitive information about users. In order to participate in such a contest, people are asked to verify their Facebook accounts and enter their full name or contact details.

Scam posts might also redirect to suspicious pages and show numerous ads. As a result, naive users can end up on a malicious website and, eventually, on a phishing site. Thus, this autumn you should not forget that too-good-to-be-true offers are always created by criminals.

Malvertising attacks become bigger and more sophisticated

It seems that malvertising has become a new sweet spot for cyber criminals. This autumn crooks launched two massive campaigns to spread malware-laden ads. At the beginning of October, the legitimate Taboola advertising platform was hacked.

Malicious Taboola ads were noticed on website. They redirected to a tech support scam website that warned about a “harmful virus” and asked visitors to call a toll-free phone number to reach Microsoft technicians. Indeed, there’s nothing unique about this scam example.

Later, the KovCoreG group showed that they are capable of hacking other legitimate ad services. This hacker team aimed at one of the most popular and most visited websites – Pornhub. However, this time the criminals used a sophisticated attack which targeted users by their location and the browser they used.

People from the US, Canada, the UK and Australia who visited this porn site using Chrome or Firefox were asked to install a critical update. Meanwhile, Microsoft Edge and Internet Explorer users were tricked by a fake Adobe Flash Player update. In this way, cyber criminals tricked millions of users into installing the Kovter click-fraud adware. Thus, being careful with ads this fall is more than important.

Yahoo Data Breach 2013: Every Account Was Hacked

New details discovered about Yahoo data breach

If you had or still have a Yahoo email account, it is high time you changed your password. When it comes to bad luck, Yahoo certainly knows what it feels like. Beginning in 2013, it has been continuously terrorized by cyber criminals. Unfortunately, they managed to succeed in their misdeeds.

The scale of the data breach turns out to be massive

In August 2013, after the security of Yahoo email accounts was breached, the company stated that 1 billion accounts were hacked. An “unauthorized third-party” was the culprit behind the leaked data, which comprised the following:

  • Contacts;
  • Full name;
  • Birthday date;
  • Hashed passwords (using MD5);
  • Phone number;
  • Security passwords and answers.

The company gave assurances that no credit card information was leaked. Users were urged to change their passwords. The incident also revealed a bad habit among users of relying on “password123” security phrases.

Data breach every year

After more than a year had passed, cyber criminals struck again. On September 22, 2014, 500 million accounts were violated. This time, the specialists claimed that it was a state-sponsored attack.

The data was said to help the felons penetrate Gmail and iTunes accounts. The FBI investigation concluded that the culprits were Russian FSB officers, Dmitry Dokuchaev and Igor Sushchin, cooperating with a few Canadian hackers.

Later on, another incident in 2016 followed these data breaches. A cyber villain going by the pseudonym “Peace of Mind” had been selling leaked account data on the darknet since late 2015. Further disclosed details led to the assumption that the data had been obtained prior to the 2013 data breach incident. Unfortunately, Yahoo security experts’ late discovery of the incidents only made matters worse.

However, just when it seemed that things could not get worse, further investigation proved otherwise. The company experts revealed that the 2013 data leak was much bigger in scale than expected. The analysis disclosed that all 3 billion Yahoo accounts, active in 2013, were violated.
Unfortunately, these findings only harm the dubious reputation of Yahoo even more.

If you still have a Yahoo email account, you should change your passwords again. However, the fact that more details are still being unraveled about data breaches dating back three years suggests that your account might still be at risk even if you alter the passwords.

On a final note, even if you have a Gmail account, you should be vigilant as well. Connecting different accounts might not be a good idea, since if perpetrators hack into one, they might breach another. In addition, recent analysis by IT experts reveals that hackers developed a new campaign called “Free Milk.” By compromising a user’s email account, they break into ongoing email conversations and slip in a malicious attachment.
All in all, when it comes to cyber security you can never be too cautious:

  • double-checking the identity of a sender and enabling two-step verification are still viable prevention tips
  • ensure the security of your email and PC with a couple of different cyber security tools

Malicious Monero Miners on the rise

Slow and sluggish computer? It might be infected with a cryptocurrency miner

Miners might replace ransomware in the future

Have you been experiencing system slowdowns lately? If so, you might want to check your computer for cryptocurrency mining malware. Months have passed since the worldwide Petya and WannaCry ransomware attacks, and currently, there are no massive malware outbreaks to discuss.

Eventually, cybercriminals discovered a new way of exploiting unprotected computers – infecting them with cryptocurrency mining software that silently generates profits for them. Usage of such miners can even replace the need to demand ransoms.

A malicious miner can silently operate for months or years until the victim or a computer technician discovers it, so this method is much more likely to earn big profits for malware developers than extortion software. Besides, users are not so willing to pay the ransom nowadays (finally!).

However, we must say that it is too early to underestimate ransomware, especially when Locky, Cerber and CryptoMix operators keep releasing new versions again and again.

Cryptocurrency mining innovation becomes computer users’ nightmare

Recently, Coinhive introduced a crypto miner for websites – a new technology that eliminates the need to display ads in web pages to monetize content. Coinhive Miner is simply a JavaScript library that can be added to web pages with their owners’ approval.

The miner uses visitors’ CPU power to mine XMR. Sounds like a great plan to say goodbye to online ads in the future? Sadly, there is a bad side to the new technology – cybercriminals started leveraging the new miner and creating malicious Monero miners right away. One of the first examples to mention is the SafeBrowse extension, which mines XMR using infected computers’ CPU power.

Protect yourself as illegal miners spread rapidly

Recent research by Kaspersky shows that there were over 1.65 million attempts to infect computers with cryptocurrency miners in the first eight months of 2017. Also, recent research by ESET shows that criminals have recently used Monero mining software in an attack against unpatched Windows servers. According to the security firm, malicious actors managed to earn approximately $63,000 in only three months.

Unfortunately, when infected with a crypto miner, the victim can notice only one sign – the computer becomes sluggish. Since there are thousands of reasons why the computer can perform poorly, it is evident that victims wouldn’t suspect a miner to be the reason. However, a full system scan using up-to-date anti-malware can help to identify the problem easily.

To avoid installing malicious miners, watch what websites you visit and never open questionable files or links sent to you via email. To increase your computer’s overall security, install security software with a good reputation. You can read useful software reviews on the 2-Spyware website.

Ominous update: Locky now encrypts data as Ykcol virus

Locky remains a major issue in cyberspace

Perhaps Locky developers ran out of crafty ideas as they ceased making up intriguing names for their malware. After Diablo6 and Lukitus versions were released, the crooks launched a supposedly new version with a brand new name – Ykcol – which is Locky backward.

Any new features?

The latest version does not manifest any exceptional prowess. Besides the alterations in the name, the source code does not seem to have been changed drastically. Nonetheless, there are slight amendments in the distribution campaign.

The menace continues relying on the Necurs botnet, which delivers thousands of spam emails worldwide. Since the introduction of the Diablo6 and Lukitus extensions, a change in the archive type used was spotted as well.

Earlier versions of the ransomware tended to hide in a .rar archive, but the latest editions, including Ykcol, are placed in a .7z archive. It contains a VBS script which activates the execution of the file-encrypting threat.

Locky developers retained the habit of disguising the malware in invoice emails. Previous editions were delivered along with a brief message “Files attached. Thanks”. Ykcol tends to fish for gullible users with “Could you please let me know the status of the attached invoice? I appreciate your help!” messages. An alternative sample of the menace tries to persuade potential victims to launch the virus by posing as Herbalife Nutrition, a nutrition and weight management company located in the US.

From invoices to fake verification emails

While the attention is concentrated on Ykcol ransomware, Lukitus and Diablo6 crypto-viruses should not be ignored as well. Recent analysis reveals that the racketeers disguise the malware under fake Dropbox account verification emails.

In addition, company employees should be especially vigilant about Locky. Versions have been detected that include counterfeit scanned .png images, presented as scanned printer images.

The problem is that Locky targets company servers. Consequently, it can easily foist such a message. Unsuspecting users, thinking that the email was sent by a colleague, might open the corrupted version only to find out Ykcol or Lukitus encrypting their files afterward.

However, though the developers of this menace seem to use conservative techniques, Locky still remains undecryptable.

As for prevention, attentiveness and cyber security are the key factors in warding off Locky:

  • install system updates once they are published
  • update security tools
  • use a couple of different types of anti-malware apps
  • double-check the sender of a received suspicious email

ReviewedByPro site

ReviewedByPro is here to help you to choose the right security software

Meet – our new page about cyber security

If you are worried about the latest security threats infecting your computer, fear no more – our new website will help you not to get lost in the labyrinth of safety and privacy.

The new page is fully dedicated to helping you choose the best anti-malware and privacy tools on the basis of your needs. The page contains reviews, tutorials, and comparison tables of anti-malware and privacy software.

Additionally, there is a question section on the page where you can ask anything about cyber security and privacy. You will get an answer from one of the site’s professionals.

A reputable security tool is mandatory nowadays

Each day presents more and more new malware that you must avoid at all costs. It is essential to purchase a security program that you could fully trust – with all of this zero-day malware you are in constant danger of losing your private information.

A high-quality tool has to be constantly updated in order to detect and delete even the newest threats.

The latest ransomware has shown the world how fragile our systems are – attacks like Petya or WannaCry caused a lot of damage to many domains, including the health and transportation industries.

The experts at have one goal – to make the world as safe as possible. By writing thorough reviews on security tools, they want to make sure that their readers choose the products of the highest quality.

That is why you will see tables of pros and cons, test results, and opinions about various aspects of the applications. Simply open the Security section and see the list of reviews.

Read everything about VPNs

On you can also discover a lot of VPN (Virtual Private Network) reviews. If you are not sure whether you need a VPN, you can find a lot of information on the page about the functions and usage of this service.

A VPN is an exceptionally great tool when it comes to your privacy. You can access the sites blocked in your country, browse safely when using public WiFi, and be protected when using P2P services.

You can read VPN reviews and choose the one most suitable for you regarding price and functionality. If you want a quick comparison, you can simply go to the Privacy section and skim through the table which compares VPN services.

So, do not hesitate – visit and give it a shot. It might just be the website that you’ve always needed.

Beware of Coming Online Scam Season

Online Scams Are on the Rise

The beginning of September does not only signal the beginning of term papers, research projects, and theses for the academic community, but the beginning of the online scam period as well. Action Fraud, the UK national fraud and cyber crime reporting center, issued yearly warnings for the academic community about the increase of online scams targeting them.

Deception Forms are Diversifying

Online crime of this kind aimed at users is not a novelty. Several times a year students are subjected to diverse online deception. Some racketeers attempt to scam users with non-existent accommodation ads.

The most recent scam technique involves deceiving gullible users with fake alerts supposedly issued by university finance departments. For instance, one such recent scam beguiles users with fake email messages about a suspended Student Loans Company (SLC) account. A similar scam occurred in 2011, which resulted in an astounding 1.3 million dollars of financial loss.

Fraudsters aim to wheedle out additional sensitive information. This tactic resembles the one employed by Facebook scammers who try to fool users with messages and attempt to persuade them into “verifying their account.”

A similar strategy is also popular among ransomware developers. Locky developers, who have now launched the latest version, Lukitus, assaulted users with fake emails using details acquired from the US Office of Personnel Management breach in 2016. The infamous Cerber, Cezar, and Arena crypto-malware campaigns included fake messages supposedly sent by tax institutions containing menacing corrupted invoice files.

Lately, US citizens, especially residents of California and Texas, are likely to be bombarded with requests to donate to shady Hurricane Harvey fund-raising sites. Fraudsters thus never cease to astonish the virtual community with new hacking techniques.

Ways to Escape Online Felony

The best advice to avoid becoming a victim of an online scam is to remain vigilant and cautious. Whether you are a student or just an ordinary online user, you should:

  • verify the sender before opening any email attachment supposedly sent by official institutions
  • not install any updates promoted in random sites
  • not disclose any valuable information to emails supposedly sent by your internet provider or loan company

Arena ransomware attack

Arena ransomware goes on a worldwide rampage

Arena ransomware is a virus closely associated with CrySiS and Dharma malware families

The Arena ransomware virus first appeared as a variant of CrySiS/Dharma malware. However, a little later, the CryptoMix ransomware gang started using the same extension for its latest variant, which was first discovered by researcher Michael Gillespie.

If your files were encrypted and you can find .arena file extensions in their filenames, you can identify the ransomware family quite easily. The main difference between CrySiS Arena and CryptoMix Arena is that the CryptoMix variant replaces original filenames with hexadecimal strings. An example of the new filename is pN1K7230200106B6C29ECCG62801ZN43.arena.

The newly discovered Arena ransomware variant and its comparison to CrySiS/Dharma is provided on the 2-Spyware website. The new version creates a _HELP_INSTRUCTION.TXT file to provide the ransom payment guidelines and email address so that the victim could contact the criminals. The Dharma variant provides, or email addresses in FILES ENCRYPTED.txt ransom note.

Distribution of the malicious virus

CrySiS and CryptoMix crypto-ransomware families are extremely active nowadays as they release new variants every week or two. CryptoMix ransomware variants are known to be distributed via the EITest campaign using the RIG-V exploit kit. To put it simply, you can get infected with the ransomware by visiting a compromised website that contains a malicious script testing your computer for software vulnerabilities.

However, both ransomware families do not forget traditional malware distribution measures such as malvertising, malicious spam, and Trojan horses. Be careful and do not open shady-looking email attachments, even if they look like they were sent by a reliable company or a person. When in doubt, scan them via online file scanning services such as VirusTotal. However, having up-to-date anti-malware software can prevent you from launching malicious files as well.

Decryption of .arena files

The most important question that bothers computer users is whether it is possible to decrypt .arena files for free. Unfortunately, at the moment files with these file extensions cannot be decrypted using any third-party tools. We suggest looking for updates on the 2-Spyware website.

You should remove Arena virus from the system to continue using your computer safely. Scan the system with a good anti-malware program while in Safe Mode with Networking to eliminate all malware that might have sneaked into your computer over time.

Facebook Message virus 2017

Facebook Message virus returns as summer 2017 draws to a close

The return of Facebook Message virus: stay away from shortened video links sent by your friends!

Summer is coming to an end, which means that malware developers are heading back to work. In fact, some of them do not even wait for the end of the warm season – recently, researchers from 2-Spyware analyzed a new Facebook Message virus variant that infects Facebook accounts to send messages to all of their friends.

The malicious messages contain a link to a video and a line “[name of the recipient] Video,” inviting the victim to watch a short clip. The concept of the virus is very similar to the Facebook Video virus, which also attempts to trick people into opening a fake video link.

Virus infiltrates computers using Trojan horse technique combined with social engineering

Clearly, criminals use social engineering techniques to make the victim curious about the link. Once the victim clicks on something that looks like a shortened URL (usually of a video), the virus redirects him/her to a Google Doc page.

The document contains an automatically generated image using the target’s photo from Facebook and a play button on it.

Once clicked, a chain of redirections occurs. Each of the websites that the victim’s browser connects to collects certain information about the victim, such as:

  • Default computer’s language;
  • Geolocation of the device;
  • Browser information;
  • Installed add-ons and cookies;
  • Operating system type and version;
  • Browser type and version.

Based on the computer’s operating system and the browser type used, the malware triggers a redirect to a phishing website that suggests installing either a malicious Flash Player update or a Chrome or Firefox extension.

If the victim agrees to install the suggested software, his/her account gets compromised. Consequently, it might start automatically sending messages to all friends, spreading the malicious link further. Cyber security experts say that technical analysis of the virus is required to determine the exact method used for distribution of this virus.

The purpose of the new Facebook Messenger virus

The newly discovered Facebook virus spreads rapidly; however, cyber security experts from Kaspersky claim that the installed virus belongs to the adware category and doesn’t download any malicious programs to the system. However, this virus can be updated at any time.

If you received a similar message via Messenger, do not click on it! Although this malware gets into the system only once the victim agrees to install it, there are viruses that are capable of infiltrating the system using security vulnerabilities.

Therefore, if you do not want to become a victim of a much more critical virus attack, keep your distance from suspicious links you receive via Facebook.

If you accidentally clicked on the malicious link, immediately scan your computer with anti-malware to remove the Facebook Message virus from the system.

3 fake messaging apps were spreading SonicSpy malware via Google Play Store

SonicSpy – new malware that affected more than 1,000 Android apps

Android users should remain vigilant and be aware of a new variant of Android virus that has affected over 1,000 apps. At least three of them were available on Google Play Store and were promoted as messaging apps. Fortunately, Google removed them. However, experts expect to see the malware again pretending to be another app.

A few examples of the malware were noticed in February 2017. Google removed them from the Store; however, several more hazardous apps were still left until this day. Recently, mobile security company Lookout discovered three fake messaging apps on Google Play Store that contained SonicSpy:

  • Soniac;
  • Hulk Messenger;
  • TroyChat.

Surprisingly, all of them offered messaging services. But that was not their primary task. These programs were designed to collect and transfer sensitive data to the cyber criminals.

Malware works as a spying tool

SonicSpy has 73 unique remote features that allow spying on users. It can record phone calls, capture audio or video clips, take pictures with the camera, access the contact list and Wi-Fi information and, most importantly, steal sensitive data.

When a user downloads one of the malicious apps, the malware hides itself and connects to its Command and Control (C&C) server to start malicious activities.

The analysis of the virus revealed that the malware might be related to another Android virus – SpyNote. This cyber threat was detected last summer, in July 2016, spreading as a fake Netflix app.

It is believed that SonicSpy, as well as SpyNote, might have been created by an Iraq-based hacker. Even the developer of the malicious apps on Google Play Store was called “iraqiwebservice.”

Tips to avoid Android spyware and malware

Although the apps that were spreading SonicSpy on the official app store were removed, there’s still a chance that some malicious apps have not been detected yet. What is more, the hacker can create a new developer account and publish new variants of malicious apps.

Besides, numerous other variants of Android ransomware or malware might be disguised under the names of other apps in the official and unofficial stores. Therefore, you should be careful with installed applications and always follow these mobile security tips:

  • Download apps only from official Google Play Store;
  • Check the information about developers and rely only on trusted companies;
  • Read user reviews outside the app store because fake reviews can create a false image;
  • Read app permissions before installing apps. If the app wants full access to your device or requires irrelevant permissions, you should not install it;
  • Regularly update your device and apps;
  • Invest in smartphone’s security and obtain a professional antivirus.

Cerber and Locky viruses strike again

Hacking in summer time – Locky and Cerber developers start another distribution campaign

Cerber or Locky – ever-evolving and ever-lasting cyber issues

In case you started wondering whether, by any chance, the notorious two ransomware giants got finally terminated, we are sorry to disappoint you. It seems that the developers of these two threats have wisely spent the summer time: improved viruses target netizens again. What’s new and what should you beware of?

Cerber now sniffs for personal data

Corresponding to its original name – the mythical creature Cerber – the developers decided to add data-stealing features. Now the latest version of the virus, which is distributed as CRBR Encryptor, is able to capture browser passwords and bitcoin wallet-related information.
Besides looking for Chrome, Internet Explorer, Firefox and other browser passcodes, the infection also attempts to steal Bitcoin Core wallet, Multibit and Electrum wallet information.

IT specialists suspect that the source code enabling the mentioned function might belong to another project. Though this new update certainly makes the malware even more menacing, data-stealing ransomware is not a novelty. Last year some CryptXXX variants were spotted engaging in data-stealing activity as well.

Locky strikes again in a new disguise

While the title of “Locky ransomware” had been regularly flickering in the media headlines last year, its authors have not abandoned this project. In fact, the time periods between each version imply that the crooks have been working on new, more destructive techniques. Consequently, this summer they decided to drop the habit of naming their virus versions after the names of Egyptian and Scandinavian deities and return to European mythology.

IT specialists have caught its new version – Diablo6 ransomware – spreading via a new malicious spam campaign. However, observing the tendency, Locky developers have not mastered any extraordinary new technique. As in previous cases, they test targeted users’ curiosity. The compromised email might be sent from an unknown sender with a brief message content: “Files attached. Thanks”.

Opening the E [date] (random_number).docx file will execute a VBS downloader script which then downloads the main payload of the virus. During the encryption process, the malware will append a ridiculously long [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].diablo6 file extension. The current version is relatively modest—it only asks for .49 bitcoin amounting to $1.600.
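The file-name patterns described above (the Diablo6 layout here, and the .arena names and ransom-note files in the Arena article) can be used to triage a file listing after an incident. The following is an added example, not code from the original page or from any vendor; the sample paths are constructed, the function names are hypothetical, and the 32-character length of renamed .arena files is an assumption taken from the single sample name on this page.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Locky Diablo6 layout from the text: 8-4-4-4-12 hex groups + ".diablo6".
# Per the text, the first three groups (16 hex chars) come from the victim ID.
DIABLO6_RE = re.compile(
    r"(?P<id>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"-[0-9a-f]{4}-[0-9a-f]{12}\.diablo6$",
    re.IGNORECASE,
)

# CryptoMix Arena replaces the whole original name. Assumption: 32 characters,
# and letters outside a-f are accepted because the page's sample contains them.
ARENA_RENAMED_RE = re.compile(r"^[0-9a-z]{32}\.arena$", re.IGNORECASE)

# Ransom-note file names quoted in the Arena article (compared case-insensitively).
RANSOM_NOTES = {
    "_help_instruction.txt": "cryptomix-arena-note",
    "files encrypted.txt": "dharma-arena-note",
}


def classify(path):
    """Return (label, locky_victim_id_or_None) for a path, or None if clean."""
    name = PureWindowsPath(path).name  # accepts both \ and / separators
    lowered = name.lower()
    if lowered in RANSOM_NOTES:
        return RANSOM_NOTES[lowered], None
    match = DIABLO6_RE.search(name)
    if match:
        return "locky-diablo6", match.group("id").replace("-", "").upper()
    if ARENA_RENAMED_RE.match(name):
        return "cryptomix-arena", None
    if lowered.endswith(".arena"):
        # Original file name kept: consistent with the CrySiS/Dharma variant.
        return "crysis-arena", None
    return None


def triage(paths):
    """Summarise hits per family, per directory, and distinct Locky victim IDs."""
    counts, by_dir, locky_ids = Counter(), Counter(), set()
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        label, victim_id = hit
        counts[label] += 1
        by_dir[str(PureWindowsPath(path).parent)] += 1
        if victim_id:
            locky_ids.add(victim_id)
    return {"counts": dict(counts), "by_dir": dict(by_dir),
            "locky_ids": sorted(locky_ids)}


# Constructed sample listing (not real incident data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\A1B2C3D4-E5F6-0718-9ABC-DEF012345678.diablo6",
    r"C:\Users\alice\Documents\A1B2C3D4-E5F6-0718-0F0F-112233445566.diablo6",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"D:\share\finance\pN1K7230200106B6C29ECCG62801ZN43.arena",  # name from the page
    r"D:\share\finance\_HELP_INSTRUCTION.TXT",
    r"D:\share\hr\payroll.xlsx.arena",
    r"D:\share\hr\FILES ENCRYPTED.txt",
    r"C:\Users\bob\notes-diablo6.txt",  # mentions the name but is not a match
]

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    for key, value in report.items():
        print(key, value)
```

Grouping Diablo6 hits by the 16-character ID prefix shows whether shares were encrypted from one infected machine or several.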

Unfortunately, neither of the ransomware threats is decryptable at the moment. While cyber security specialists continue working on the countermeasures, the virtual community should arm itself with awareness and knowledge. Except for Cerber, which indeed keeps evolving at an alarming rate, Locky developers seem to rely on the same spam campaigns. If you manage to bridle your curiosity and treat incoming spam emails with caution, you will lower the risk of encountering file-encrypting threats.