Hey FixMeFans and StartMeStars! We’re back with the Sunday Scaries – our way of keeping you in the loop with the latest news on malware and scams that are hitting the internet.
As COVID-19 scams continue to fall, this will be the last installment of the Sunday Scaries for the time being. However, you can continue to check our Weekly Roundups, where we post everything you need to know to stay up to date on all things cybersecurity!
19 July 2020 Update
BlackRock Android Malware Steals Passwords and Card Data from Hundreds of Apps
BlackRock, a new strain of Android malware, has been popping up on the scene recently, but this time it’s targeting a lot more apps than its predecessors.
According to reports, BlackRock malware targets up to 337 Android applications in its goal of acquiring user passwords and card data. The virus is designed to sprout malicious pop-ups on its victims’ screens as they try to type in sensitive information – rather than entering their information into the legitimate app, victims unknowingly type it into the malware’s fake overlay, which captures it for the attackers.
This strain of Android malware is often geared towards phishing financial and social media/communication apps; however, it’s been reported to target various other sectors as well, such as dating, news, shopping, and lifestyle.
You can read more about the Android virus here.
Fake DNS Scam Targets WordPress Websites
In a recent report from Naked Security, it appears that a new scam targeting WordPress websites has been making its rounds.
The report indicates that individuals have been receiving emails concerning a security upgrade for their WordPress site, prompting users to follow a link that supposedly leads to the update. Once on the fake site, users are prompted to enter their credentials, after which they are sent to a 404 error page on a URL containing the victim’s domain name.
This scam is fairly dangerous, as the fake website looks very similar to typical WordPress sites, and even contains the correct details associated with each individual user.
You can read more about the scam here.
Phorpiex Botnet Spreads Malware through Email Campaign
Phorpiex, a botnet known for its association with notorious malware campaigns and sextortion scams, has been spotted increasingly over the past month – more now than ever before.
While previous reports found the botnet spreading phishing scams via email, recently Phorpiex has been linked to the Avaddon ransomware campaign, which prompts its victims to open malicious ZIP files contained within emails.
Though not opening ZIP attachments from unexpected emails might seem like common knowledge, cybercriminals keep using this method because it works. To make sure you’re on top of these viruses, here’s what you can do.
- For prevention, make sure you don’t download or open files from untrusted sources: Many viruses and scams are using current issues as a way of taking advantage of unsuspecting people – make sure that you don’t open any emails or files unless you know it’s from a legitimate source.
- If you suspect that you have it, run a virus scan: Make sure you’re using antivirus software, such as McAfee, and run a FixMeStick scan to be sure the virus is removed. FixMeTip: FixMeStick customers get an exclusive deal on McAfee Total Protection. If you’re not using antivirus software, you’re at risk! Check out this limited time offer HERE.
- Update your passwords: Many of these viruses are after your login information for various websites – so if you’ve been hacked, it’s best to update your passwords and make sure they’re safe and secure.
12 July 2020 Update
Conti Ransomware Could Become the Next Successor of Ryuk
According to recent reports, the Conti ransomware strain could be a possible successor to the Ryuk crypto-malware family.
It appears that Conti ransomware not only shares similar code with Ryuk, but also uses the same ransom note Ryuk used in earlier attacks. Along with that, reported attacks from Ryuk have been steadily decreasing, while reports of Conti have only been increasing.
Since mid-2019, Ryuk has been teaming up with Trickbot malware to discreetly infect victims’ networks with ransomware, targeting various organizations and demanding ransoms of hundreds of thousands of dollars.
If you believe you’ve been infected, here are some steps you can take:
- Disconnect your computer from other devices, external drives, and the internet: if you’re dealing with ransomware, you’ll want to contain the virus to one computer, making sure it doesn’t spread to other devices or files.
- Use a smartphone or tablet to take a picture of the ransomware screen for future reference: this will come in handy if you bring the computer to a technician or have to file a police report.
- Run a FixMeStick scan to make sure there are no lingering threats: If you’re adamant about not paying the ransom, you can access your computer through Safe Mode to run your FixMeStick. Though running a scan won’t decrypt your files, it will at least make sure that the virus doesn’t further infect your computer.
- Bring your computer to a technician: Decrypting your files is no easy task, so it’s in your best interest to bring your computer to a professional to see if there’s any way to save your files.
For more information on Conti ransomware, you can check here.
Cerberus Banking Trojan Hidden Within Play Store
Banking trojan Cerberus, which has been terrorizing Android users over the past year, has been rediscovered on the Google Play Store – this time masquerading as a legitimate currency app.
The banking trojan has been posing as “Calculadora de Moneda,” a legitimate Spanish currency conversion app, and has been downloaded over 10,000 times by unsuspecting users.
During the first few weeks after installation, the app performed its intended function; after lulling users into a false sense of security, it then triggered dormant code that launched the Cerberus trojan.
The trojan is typically dormant, and waits until users input their banking credentials – some reports indicate that it’s even able to read text messages to gain access to one-time passcodes (OTP) — as well as grab two-factor authentication (2FA) details.
You can read more about the Cerberus trojan here.
Once Again, Joker Malware Spreads Through Play Store
First discovered back in 2017, the Joker malware is considered to be one of the most prevalent kinds of Android viruses – known for billing fraud, initializing spyware, and stealing SMS messages, contact lists, and device information.
Similar to other forms of Android malware, Joker is typically hidden within malicious applications found on the Play Store.
While such malware is usually quickly removed by Play Store screening, it seems Joker was able to bypass those checks by effectively obscuring the malicious files contained within the application.
Though the Joker malware has since been taken down from the Play Store, experts warn that it will likely resurface again with new adaptations to bypass Play Store restrictions.
Curious? You can read about the Android malware here.
5 July 2020 Update
The New Ransomware That’s Been Targeting Mac Users
While many believe that Macs are more resistant to malware than their PC counterparts, this isn’t always the case. While more types of malware are geared to PCs, Macs get their fair share of viruses too, and the most recent ransomware has begun targeting Mac users.
The ransomware, dubbed ThiefQuest, is pretty nasty, as it can exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a keylogger to grab passwords, credit card numbers, or other financial information as a user types into the computer.
If that’s not enough, the malware lingers and acts as a backdoor on the infected computer, which can be used to launch a second attack on victims.
Though the virus does sound quite intimidating, at this stage it’s relatively difficult to come across unless you’re using torrents to download files, and even then you’re likely to receive a lot of warnings from Apple concerning the suspicious file.
Mac Trojan Found Within Google Search Results
Recent reports indicate that a new Mac trojan has been spreading itself through Google search results.
This trojan is specifically designed to bypass macOS’s security measures: it poses as a Flash Player installer, which users then install onto the computer. While Apple typically makes it quite difficult to install malware onto a device, this trojan sidesteps those steps by automatically launching a “getting started guide” that walks users through installing the virus themselves.
This virus is particularly dangerous because it can reach computers through Google search results. For example, if a user searches for a YouTube video, they may receive a pop-up indicating that they should download the latest version of Flash Player, which inevitably contains the hidden trojan.