New Windows Troubleshooting Scam Emerges

Just in time for the holidays, a new PC scam is making the rounds that tries to trick you into turning over your hard-earned cash.

“Windows Troubleshooting” is a nasty new scam that is distributed as a cracked software installer. It displays a fake BSOD (Blue Screen of Death) on the infected machine and then shows a “Troubleshooting Windows” pop-up that looks like the legitimate Windows Troubleshooter.

The Troubleshooting scam was first detected by Pieter Arntz, a security researcher from Malwarebytes, who said that tech support scammers use different techniques to distribute themselves. This particular one was offered as a cracked software installer.

Once installed, the scam claims that your Windows cannot be fixed, prevents you from using Windows, and encourages you to buy a program via PayPal to fix the “detected problems” and unlock the screen.

The “Buy Windows Defender Essentials” option opens a PayPal page that lets you purchase the app for $25. The funds are transferred to the PayPal address “lillysoft.it@gmail.com” using the following URL: “https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=DXKLEMZTGTTDY”

After a successful payment, victims are redirected to “hitechnovation.com/thankyou.txt”, which contains the word “thankuhitechnovation”. Seeing that word tells the program to open a new screen that pretends to fix the issues and lets the victim close the program.

How to remove it?

To remove this scam, you first need to bypass the lock screen. The malware uses an easily broken mechanism to verify whether a victim has paid, so you can simply work around it by following these steps:

– Open the fake PayPal purchase screen.
– Press Ctrl + O on the keyboard to launch the Open dialog box.
– Type http://hitechnovation.com/thankyou.txt into the Open box and press Enter.

That’s all. You should now be able to close the window and access Windows, because the program thinks the user has paid and shuts itself down.

Malware Hidden in Hacked Episodes

Cybersecurity company Proofpoint reports that it has observed a “targeted email campaign” that uses details of leaked Game of Thrones episodes to try to spread malware to unsuspecting users.

The company first came across an e-mail on August 10th with the subject line “Wanna see the Game of Thrones in advance?” The emails contained some general details of upcoming episodes, as well as a Microsoft Word attachment with malware hidden in it. Once downloaded, it would attempt to install a “9002” remote access Trojan (RAT). Proofpoint says that similar attacks in the past have been attributed to groups associated with the Chinese government, and that it’s possible that this attack could be coming from the same actors.

Image: Proofpoint

At the end of July, hackers stole 1.5 terabytes of data from HBO, including contact information for the show’s stars, unaired episodes and scripts, while an unrelated accident allowed a pair of episodes to leak to the internet earlier this month.

Proofpoint isn’t saying that HBO’s breaches and these attacks are connected. The hackers behind these phishing attempts are using the leaks as a way to get people to click on and accidentally install their software, relying on natural human curiosity to carry out their attack.

New Malware Threat Infects Through Microsoft’s PowerPoint

In another security hack that is making the rounds, Microsoft’s PowerPoint is the target.

“Spammers are testing a new way to trick victims into installing malware that downloads after the user hovers over a link in a PowerPoint slide show,” ZDNet reports. The new infection, which was discovered by BleepingComputer, “abuses a hover action in PowerPoint slide show mode to install malware.” When a user opens the PowerPoint file and puts their cursor over the malicious hyperlink, a PowerShell command runs quietly in the background “that connects to a malicious domain and downloads malware files.”

Like other Office malware that uses macros to infect victims, the latest malware is spread via email attachments. The attached files are the open-source version of Microsoft PowerPoint slide shows, which are for viewing only and can’t be edited like normal files. The malware proceeds to download a banking trojan.

The PowerPoint (PPSX) examples seen so far display the hyperlinked text “Loading… Please wait”. Hovering over it downloads the malware automatically unless Office Protected View is enabled. Fortunately, Protected View was enabled by default in Office 2010; in that case Office displays a security warning that blocks the download.

The PowerPoint file downloads a banking trojan known as Gootkit or Otlard. SentinelOne calls the malware Zusy.

Protecting Yourself

I have lost count of how many times I have stated this: “Do not open attachments, or click on hyperlinks in your email, unless you are 100% certain of their origin and that you have requested them.” Most security threats (malware such as trojan horses, ransomware, etc.) are spread through email. Always use caution before clicking!

Is Our Power Grid in Danger?

Was hacking our Presidential election just the first part of an even greater cyber-problem?

Researchers from the network security firm ESET have reported that a Russian hacker group may have developed a way to take down the power grids of entire countries.

The researchers described the malware, dubbed “Industroyer,” as the most dangerous hacking weapon since Stuxnet. First identified in 2010, Stuxnet is a malicious computer worm that targets industrial computer systems and was responsible for causing substantial damage to Iran’s nuclear program.

In fact, the ESET researchers said the malware was responsible for a 2016 blackout that affected Ukraine’s capital city of Kiev for an hour. The researchers also said the malware could be reconfigured to attack other key infrastructure components as well.

A Very Scary Threat Evolves

“Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas),” the company wrote in a blog post today.

Because Industroyer affects switches directly, the malware can inflict varying degrees of damage on a target country’s infrastructure, from simply triggering a temporary blackout, to causing cascading failures or serious damage to equipment.

The malware is able to attack infrastructure equipment so effectively because it uses the common industry protocols that were first designed decades ago, long before most systems were connected to the Internet. As a result, security had not been a major priority at the time they were implemented. In many cases, the hackers only need to learn how to program the malware to communicate with the protocols because there aren’t any security systems that they need to circumvent.

This is yet another example that our national security relies less on firearms and more on cyber-defense.

Qakbot Attacks

Another week, another cyber-threat threatens the security of individuals and businesses alike. This latest one, Qakbot, has a special emphasis on taking down business networks. It is just the latest cyber-threat, and you can be sure that there will be many more, even more destructive ones, to come. These threats will continue until our behavior changes with respect to how seriously we treat internet services. Security solutions are incredibly important; however, even the best security solution cannot be 100% effective in this ever-changing tech world. Cyber-criminals are continually changing their modes of attack, and security solutions are often playing catch-up. The way we interact with internet services is the key to protecting not only ourselves but each other. I touch on some of my recommendations for protecting yourself at the end of this article.

Introducing Qakbot

On Tuesday, researchers from Cylance said that Qakbot, an information-stealing Trojan and backdoor that targets the Microsoft Windows operating system and 64-bit browsers, with a focus on business/enterprise users, is on the loose.

Qakbot is a self-propagating kind of malware that has been circulating for several years now. The Trojan can spread not only through networks and external drives and devices but also focuses on stealing valuable credentials and taking control of the networks it has infected.

There has been a resurgence of the malware, according to Cylance, which has been made even more evasive and persistent with new polymorphic features. These let the malicious code squat in business networks for longer and “easily thwart legacy endpoint security solutions” by obfuscating its code and constantly changing its file makeup and signatures.

The Evil Tricks of Qakbot

Once a system has been infected with Qakbot through exploit kit use, phishing campaigns or malicious downloads, the malware does not lock a system in order to hold a business to ransom.

Instead, Qakbot is able to lock out Active Directory accounts and, once credentials have been stolen, use them to spam neighboring hosts and disrupt corporate activities. In turn, this may result in the compromise of additional hosts and further spread, or in the user accounts tied to the authentication attempts being locked out.

New samples of the malware suggest that Qakbot now also targets victims globally due to the inclusion of international character sets, and a recent surge in attacks means that companies should stay on their guard against suspicious downloads or activity and keep their systems up-to-date to prevent infection.

Protecting Yourself

I do not mean to sound like a broken record each time I report on the latest security attack, but I have no choice. Protecting yourself against most security intrusions is actually quite easy, and you will find these tips throughout this fine blog. In fact, what you see below is copied from my earlier post regarding the WannaCry ransomware threat on May 15, 2017.

It is incredibly important to do the following:

  • Always make sure that you install the latest updates & patches for your operating system, especially Microsoft Windows.
  • Make sure you have an up-to-date anti-virus program running on your computer.
  • Do not click on links or attachments in email unless you are 100% certain it is legitimate and that you have requested it. If you are not sure about a hyperlink or attachment, contact the sender directly to ask about it.
  • Do not visit questionable websites.
  • When you are browsing websites, be certain to read carefully any dialog box that pops up before clicking on it.

Last but not least, make sure that you back up your system files regularly. If your PC gets infected and your important files are encrypted, you can restore them later.

Thanks to ZDNet for staying on top of the Qakbot story, from which much of this information was obtained.

New MacOS Virus Emerges

I have stated this time and time again to my Apple friends. While MacOS is historically more secure than Microsoft’s Windows, it is NOT because Apple has a secret security sauce. Apple’s “lead” in the security arena can basically be found in the numbers.

Cyber-criminals want the biggest bang for their hard cyber-crime work. Writing malware, ransomware and trojan horses for Windows rather than MacOS simply hurts more people, because many more people use Windows than MacOS.

This latest story demonstrates that yes, Apple’s MacOS is indeed vulnerable, just like Windows, just not as often.

While Mac malware tends to be a rather rare occurrence, Ars Technica is now reporting that security researchers have discovered two separate, new MacOS viruses that rely on old Windows tricks to get into your laptop and steal your data.

One of the attacks, documented by software firm Objective-See, exploits an established Windows technique which hides and executes malicious code using Word document macros.

The hack tricks unsuspecting users into opening infected Word documents which subsequently run malicious macros once the file has been loaded. The good thing is that it’s fairly easy to identify infected files prior to opening them.

Anytime you open a Word file containing macros, your device will ask you for permission. Denying permission on its own is enough to prevent the malware from spreading.

But if you click ‘run’, all sorts of bad things could happen: A hacker could spy on you or pull your browsing history, or they could initiate a secondary infection by downloading additional malware.

More MacOS malware

While also inspired by older Windows exploits, the other recently found malware, uncovered by researchers from Iran Threats, appears to be slightly more advanced.

Unlike the previous example, which used an infected Microsoft Word document as its attack vector, this one is merely disguised as a legitimate application.

The virus essentially prompts users to download and install a fake software update. It then proceeds to harvest the user Keychain and phish for usernames, passwords as well as any other credentials, before eventually relaying the recovered data back to the attacker.

The best way to avoid this attack is to simply refrain from downloading software from third-party or untrusted websites. The safest route is to download updates straight from the App Store or simply from the official website of the app-maker in question.

While exploits for MacOS are still mostly a rarity, Apple has dealt with a litany of bugs and glitches for iOS in recent months.

Not too long ago, numerous iOS users reported their devices had frozen after a malicious three-second video spread on the internet. In another similar case, thousands of users reported experiencing unexpected shutdowns after trolls discovered a glitch in iOS that could crash any device by just sending a short text message.

The Evolution of the Trojan Threat

As the news about an old Trojan known as Betabot sadly demonstrates, the cyberthreat we all face from infected and malicious software seems to be evolving to another level.

What is Betabot?

Previously, Betabot was primarily a banking information stealing Trojan, a password stealing Trojan, and a botnet, but it appears that the old school malware is now looking to capitalize on the current ransomware trend.

The Evolution of a Trojan

Betabot has now become the first known case of a weaponized document carrying password-stealing malware that also calls ransomware as a second-stage attack.

In a new report on the threat, Patrick Belcher, Senior Director of Threat Research, Invincea, explains that the malware packs virtual machine awareness and can check for some sandboxes, which helps it evade detection and analysis. What’s more, the Betabot was observed last week being delivered by the Neutrino exploit kit, the researcher says.

As Always Be Very Cautious With Email Attachments

The infection campaign relies on weaponized documents delivered as email attachments, and on social engineering to trick users into enabling macros. The attachments claim to be resumes, but, once the malicious macros have been enabled, malware capable of scraping all passwords stored in local browsers is served. The email campaign attempted to infect thousands of victims, Belcher notes.

Although Betabot has no further use of the compromised machine once it manages to steal passwords, a second-stage attack was also observed. In this new stage the malware deploys the Cerber ransomware on the endpoint. By taking this approach, the malware’s operators are looking to increase their profits.

A single IP (93[.]174.91.49) is used for both Betabot and Cerber, and Belcher explains that the malware authors switched between the two sometime between August 11 and August 16. Weaponized documents called resume.doc were serving Cerber before Aug 11, but they started delivering Betabot (as bb.exe, bbcrypt.exe, and diablo.exe) on Aug. 16.

“This marks the first time that a weaponized document with password stealing malware has called ransomware as a second stage attack. This is an evolution in maximizing the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques,” Belcher concludes.

Avoiding Betabot and Other Dangerous Exploits

You can avoid these dangerous exploits by doing the following:

  • Keep good and up to date security software on your PC. I recommend Kaspersky Lab.
  • Use a password manager so that you can have strong, unique and encrypted passwords. I recommend LastPass.
  • Never open unsolicited attachments in your email. If you are not sure about an attachment, contact the sender and confirm its legitimacy before opening it.
  • Be wary of clicking on hyperlinks to websites you are not familiar with.

All of this will help protect you from security exploits like Betabot.

Microsoft’s New Critical Flaw Uses Printers as a Weapon

Microsoft has patched a security vulnerability found in every supported version of Windows, which if exploited could allow an attacker to take over a system.

Microsoft reported in a bulletin posted today, as part of its monthly release of security fixes, that a recently discovered “critical” flaw could let an attacker remotely install malware, which then could be used to modify or delete data, or create new accounts with full user rights.

The “critical”-rated flaw affects Windows Vista and later.

Those who are logged in as an administrator, such as some home accounts and server users, are at the greatest risk.

An attacker could exploit the flaw by conducting a man-in-the-middle attack on a system or print server and injecting malicious code. That’s possible because the print spooler service doesn’t properly validate print drivers when installing a printer.

The security flaw works like this.

Normally, User Account Control is in place to warn or prevent a user from installing a new driver. To make printing easier, an exception was created long ago to avoid this control. This printer exception creates a mechanism that allows executables (usually very bad ones) to be downloaded from a shared drive and then run without generating any warning on the user side. This is a dream come true for cyber-criminals.

The result of this printer exception for executables is that a printer can be turned into a “drive-by exploit kit”.

Finding & Killing HummingBad

Yesterday I reported that over 80 million Android devices could eventually be infected with the malware known as “HummingBad”. If you have an Android you are probably asking yourself, “How do I know if my phone is infected?”

HummingBad has reportedly infected an astounding 10 million devices already, with over 280,000 of those infections estimated to have taken place in the US. Unfortunately, chances are that even if you’ve been hit, you won’t know about it.

So how can you find out if your Android device has HummingBad?

Although the existence of mobile malware is frustrating, mobile app developers and security groups have had time to respond, which means that there are many apps on Google Play that can detect the bad software. As CNET suggests, if you haven’t installed anything yet, look to apps like Avast, Bitdefender, AVG and Zone Alarm to keep your phone safe from unwanted intruders. Of these options AVG is my favorite for Android devices.

If your chosen app happens to detect HummingBad on your phone, sadly there’s really only one way to deal with it: a factory reset. Yes, it’s a pain, but it’s almost certainly preferable to putting your data at risk.

Once you’ve removed the malware, it might be time to reexamine your downloading practices. If you’ve downloaded an app from an untrusted source in recent weeks, there’s a high probability that that’s where you installed HummingBad. In the future, try to limit your downloads to the Google Play store.

But whether or not you were unlucky enough to catch HummingBad, this issue is likely only going to get worse in the future. In Check Point’s report, they claim that a “dangerous trend will escalate as other groups learn from Yingmob [the creators] and find new ways to achieve the independence they need to launch larger and more sophisticated attack campaigns in the future.”

Over 80 Million Androids Affected With HummingBad

A malware program created by a Chinese hacking collective has gained control of 85 million Android devices, which the group is reportedly exploiting to the tune of $300,000 a month. The group, which researchers say is responsible for developing the HummingBad malware campaign, represents a dramatic increase in the organization and capabilities of hacking groups.

Dubbed Yingmob, the hacking group is also believed to be the brains behind the iOS malware campaign known as Yispecter, which I reported on back in October 2015. The group is highly organized and unbelievably works in tandem with a legitimate Chinese advertising analytics company.

Understanding Hummingbad

The malware consists of a persistent rootkit, which the hackers install on Android devices. The group then uses that rootkit to generate fraudulent ad revenue and install additional fraudulent apps. Yingmob has 25 employees organized into four different groups who are responsible for developing HummingBad’s malicious components, according to Check Point researchers.

Yingmob’s efforts have paid off. The group has been able to achieve self-sufficiency, proving that hacking groups can now generate enough income from their illegal activities to sustain themselves indefinitely. But financial gain is only the tip of the iceberg, according to the researchers.

The hackers try to root thousands of devices every day, and successfully get their malware installed on devices hundreds of times each day. Yingmob can then use those devices to create a botnet, enabling the group to launch more targeted attacks against businesses and government agencies, or even sell the access it has gained on the black market.

Avoiding Hummingbad & Other Nasty Infections

Mobile devices today are becoming more and more susceptible to malware and other security exploits. As mobile devices continue to become, for many, their primary way of communicating with the world, they are also going to gain in popularity as targets for cybercrime. The best way to avoid these very real security problems is to only install apps on your mobile devices from the official app store and to take a few minutes to read the reviews. If there are no reviews, or bad reviews, simply move on to another app.

Also, just like on your PC, do not visit questionable websites, and do not (never ever) click on hyperlinks or attachments in your email unless you are 100% certain that they are legitimate.
