New Malware forces you to change your Wifi's default password

Ifwatch, a custom-built vigilant malware software changed the Wi-Fi passwords of  nearly 10000 routers to make it more secure.

According to researchers at the cyber security firm Symantec, the software is actually used to defend the machine from the hackers and provides solution for the other malware infections.

“We have not seen any malicious activity whatsoever,” said Symantec threat intelligence officer Val Saengphaibul. “However, in the legal sense, this is illegal activity. It’s accessing computers on a network without the owner’s permission.”

Ifwatch software infect the routers with a mysterious piece of “malware” through Telnet ports, which are often protected by default security credentials that could be easily for accessed for malicious attack, and then prompts the users to change their Telnet passwords.

The software is spreading quickly around the world but found mostly in China and Brazil. It was first discovered by an independent researcher in 2014.

“We have no idea who is behind this — or what their full intention is,” Saengphaibul said.

Will 'Green Dispenser' Take of all your Money?

(pc- google images)
ATM malwares are no myth to the cyber world and this time is no different than the earlier. a team of security researchers from PointProof have unraveled the veil off a new malware, named GreenDispenser, that gives the capability to hackers to attack compromised ATMs and drain all of it's cash.

This malware acts on the basic principle of a primitive DDoS action in which the machine displays an 'out of service' message on the screen but in the meanwhile can crack open the bank vaults through correct pin number, looting a lot of money with no trace of robbery at all.

Such kind of activities were first reported in Mexico and similar abuses have been reported in other countries ever since. GreenDispenser, unlike its predecessors, Ploutus and Tyupkin; requires no physical access for the installation procedure and hence makes it easier for the hacker to break into the machine and subsequently; the server.

It is being doubted that cyber criminal bosses now have an mobile app that provides them with a two-step encryption and creates a firewall of authorisation for malwares such as GreenDispenser itself.

ProofPoint, in another post explained such encryption; an extract from which is given below:-
GreenDispenser employs authentication using a static hardcoded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN – a two-factor authentication of sorts.

Now, these malwares are evolving with the passage of time, making ATMs more vulnerable. ATMs being the primary target results as a threat to the financial institutions. Thus, security with credit and debit card credentials should be also enhanced accordingly. The question arises; How long to completely secure the parameters?

Once again a malicious application found on Google Play Store

Researchers at Check Point Threat Prevention have detected a malicious application and said to have affected some one million people, which was published twice in the Google Play Store. The malware was packaged within an Android game called “Brain Test”.

According to the researchers, the malware was reported to Google Play twice. Each instance had between 100,000 and 500,000 downloads as per the Google Play statistics. Check Point reached out to Google on September 10, 2015, and the app containing the malware was removed from Google Play on September 15, 2015.

“The malware was first detected on a Nexus 5 smartphone, and although the user attempted to remove the infected app, the malware reappeared on the same device shortly thereafter. Our analysis of the malware shows it uses multiple, advanced techniques to avoid Google Play malware detection and to maintain persistency on target devices, the researchers wrote in a blog post.

Although, the reported the malware to Google, and the company concerned removed the app from the Google Play Store, it manages to bypass malware detection through several sophisticated techniques. It also installs an application similar to itself and so these two monitor the removal of each other and actually protects each other from being removed.

The researchers suggested that in order to prevent yourself from the malware, you must have an up-to-date anti-malware software on your mobile device. It has already infected anyone’s phone, he/she has to re-flash it with an official ROM.

Security experts detects Odlanor malware that cheats at poker

Security experts from at ESET have discovered a malware that targets Pokerstars’ users and Full Tilt Poker and that lets competitors (crooks) cheat their way to winning games by leaking their information about their cards to their competitors.

It affects people who have accounts on PokerStars and Full Tilt Poker.

Researchers have said that the hackers have been using the malware dubbed Odlanor to sneak a look at a player's virtual poker hand on popular gambling sites. They are then signing into the same game and betting against their victim to up the stakes and steal their money.

It is said that the malware is a successor to the Zynga-targeting Pokeragent Facebook worm, which was discovered two years ago.

According to the researchers, once the Odlanor executed, it will be used to create screenshots of the window of the two targeted poker clients PokerStars or Full Tilt Poker, if the victim is running either of them. The screenshots are then sent to the attacker’s remote computer.

Then, the cheating attackers can retrieve the screenshots. They reveal not only the hands of the infected opponent but also the player ID. Both of the targeted poker sites allow searching for players by their player IDs, hence the attacker can easily connect to the tables on which they’re playing.

New Android Ransomware locks Victim's Phone Permanently

Security researchers at ESET have discovered the first malware that could allow an attacker to reset the PIN of anyone’s phone to permanently lock them out of their own device.

“This ransomware also uses a nasty trick to obtain and preserve Device Administrator privileges so as to prevent uninstallation. This is the first case in which we have observed this aggressive method in Android malware,” the researchers said in a blogpost.

The malware dubbed LockerPin, which spreads via an adult entertainment app called Porn Droid, could change the infected device's lock screen PIN code and leaves victims with a locked mobile screen, demanding a $500 ransom.

Researchers said that there was no effective way to regain access to infected devices without losing personal data. Rebooting the device in Safe Mode, uninstalling the offending application and using Android Debug Bridge (ADB) could not solve the problem.

In order to unlock the device to perform factory reset that wipes out all the personal data and apps stored on users device.

According to the researchers, as the lock screen PIN is reset randomly, paying the ransom amount won't give the users back their device access, because even the attackers don't know the randomly changed PIN code of their device. This is a novelty among ransomware, usually they do everything possible to unlock the device, up to and including live tech support.

If the ransomware gets installed on anyone’s smartphone, the app first tricks users into granting it device administrator rights. It does so by disguising itself as an "Update patch installation" window.
After gaining the control over phone, the malicious app goes on to change the user's lock screen PIN code, using a randomly generated number. Though the majority of infected devices are detected within the United States, the researchers have spotted the infections worldwide.

Researchers have suggested that in order to protect our smartphone from the ransomware, please do not install apps outside of the Google Play Store. Similarly, don't grant administrator privileges to apps unless you truly trust them.

CAPTCHA-bypassing malware found in Google Play

(PC-google images)
Bitdefender Security Researcher, Liviu Arsene has recently revealed that a malware, identified as Android.Trojan.MKero.A has found its way into the highly legitimate apps in Android powered Google Play Store by successfully evading the Google Bouncer's vetting algorithms. This can cause a lot of trouble for the vendors who provide paid premium services of their products as the malware can now make the services available for free.

To bypass CAPTCHA authentication systems, the trojan redirects the requests to an online image-to-text recognition service, Since the online service relies on actual individuals to recognize CAPTPCHA images, requests are sent back to the malware within seconds so that it can proceed with the covert subscription process.

After receiving the sent back request, the Trojan interacts with a command-and-control (C&C) infrastructure which loads the CAPTCHA code on the target link, parses an SMS code for an activation , and ultimately subscribe the user to the premium service.

Google Play has been notified of at least seven apps that exhibit this type of behavior, two of which have been downloaded between 100,000 and 500,000 times. Moreover, these seven malware-harboring Google Play applications have been analysed and a list of 29 randomly generated C&C servers names were recovered from a single sample which did not have any encrypted strings. Hence, if any one of these locations became unresponsive –due to a takedown or any other reason – the malware on any infected device will automatically reconnect to the next C&C server in the preconfigured list and proceed with the preset instructions.

The total financial losses have been estimated to amount to a staggering $250,000, which is just  from the minimum $0.50 charged for sending the subscription SMS messages.

iOS malware steals over 225,000 Apple accounts to create free App Utopia

Researcher from Palo Alto Networks, a computer security firm, have found out that hackers, who have targeting jail-broken iPhones, have raided more than 225,000 Apple accounts, using them for app buying sprees or to hold phones for ransom.

The jailbreak is a tool in iPhones to use additional iThing tweaks available through the alternative Cydia store, and for some to pirate software by installing ripped-off apps for free.

“In cooperation with WeipTech, we have identified 92 samples of a new iOS malware family in the wild. We have analyzed the samples to determine the author’s ultimate goal and have named this malware “KeyRaider”. We believe this to be the largest known Apple account theft caused by malware,” the researchers posted in a blog.

Claud Xiao, a researcher, said that the KeyRaider malware, hidden in jailbreaking utilities, is slurping login credentials and GUIDs from the user's iTunes data, and siphoning them off to remote servers.

"We believe this to be the largest known Apple account theft caused by malware," Xiao said. "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.”

He confirmed that the purpose of the attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying.

It is said that especially the people in China got affected but herald from 17 other countries including France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea from the attack.

Similarly, some people said that they were being locked out of phones and forced to pay ransoms.

According to the researchers, the attack was discovered by a Yangzhou University student known as i_82 who worked with Xiao alongside a group. They exploited an SQL injection vulnerability on the bad guy's server to learn about the attack. They siphoned about half of the stolen accounts before the VXer became savvy and punted the white hats. They have now set up a website for users to check if they are impacted. 

Researchers detect a new Android Trojan targeting users from china

Photo Courtesy: Dr. Web

Security researchers from Doctor Web, Russian anti-virus software developer, have detected another new Android Trojan, which is said to be distributed among users from china to spy on their victims.

Previously, the researchers had found an Android Trojan, which spreads as a security certificate that tricks users into thinking it must be installed onto users device. That Trojan had made two-Step authentication feature insecure when it got infected users' device  with a new malware which was capable of intercepting their messages and forwarding them to cybercriminals.

The Trojan dubbed Android.Backdoor.260.origin can intercept SMS messages, record phone calls, track GPS coordinates of the infected device, take screenshots, and even collect data entered by the user.

“Due to the fact that Android.Backdoor.260.origin is distributed as “AndroidUpdate”, potential victims are very likely to install it on their mobile devices,” the researchers posted in a blog.

According to the researchers, the Trojan has main malicious features that are implemented in special modules incorporated into the malware's software package. Once it gets activated, the Trojan extracts the following additional components: super, detect,,,, 1.dat,,, substrate_signed.apk and cInstall.

“Next, it tries to run the binary cInstall file (detected by Dr.Web as Android.BackDoor.41) with root privileges. If the attempt is successful, this malicious module plants a number of files extracted earlier into system folders and tries to stealthily install a utility called “Substrate”. This tool expands functionality of applications and is used by Android.Backdoor.260.origin to intercept entered data. If the Trojan does not succeed in acquiring root privileges, then, most likely, it will fail to install necessary components. As a result, the malware will not be able to perform the majority of its functions properly,” the researchers added.

Once all the modules get installed, the Trojan removes its entire shortcut created earlier and launches the malicious service called PowerDetectService which runs the malicious module with the name It also has been added to Dr.Web virus database under the name of Android.BackDoor.42, and Substrate.

“In fact, this tool is not actually malicious and can be easily downloaded from Google Play. However, cybercriminals have modified the original application and incorporated the new version into Android.Backdoor.260.origin. As a result, the tool became potentially dangerous for mobile devices' users,” the researchers explained.

The researchers have now warned the users not to install applications from unreliable sources. And it is important to protect their mobile device with reliable anti-virus software.

Researchers detect Malvertising in PlentyOfFish

Photo Courtesy: Malwarebytes

Researchers from Malwarebytes Unpacked, a security firm, have detected a malvertising, which derived from “malicious advertising" uses online advertising to spread malware and it involves malware-laden advertisements into legitimate online advertising websites, in the PlentyOfFish, a Vancouver-based online dating service which makes money from advertising.

The researcher have warned the users not to click on the adverts as they are automatically targeted by using an attack that detects if their computer can be infected (via outdated software), and launches directly that way.

Soon after the flaw detected, they have contacted the company concerned to make them aware of this issue.

According to the researchers, the attack chain uses the Google URL shortener as intermediary to load the Nuclear exploit kit.

“While we see this mechanism quite frequently within our telemetry, it is particularly difficult to reproduce it in a lab environment,” the researcher wrote in a blogpost. The ad network involved in the malvertising campaign ( was familiar and it turns out that we had observed it in a rare attack captured by our honeypots just one day prior.”

The sample was collected from the Tinba banking Trojan. Given that the time frame of both attacks and that the ad network involved is the same, chances are high that pof[dot]com dropped that Trojan as well.

According to a news report published in The Register, the attack against PlentyOfFish comes against the backdrop of the fallout from the data dump by hackers who breached cheaters’ hook-up website Ashley Madison, and the earlier attack against AdultFriendFinder.

 There’s nothing to link the three attacks directly, however it’s fair to say that dating and adult hook-up websites are very much in the firing line of hackers, so extra precautions ought to be applied.

Beware of “unbreakable” Cryptolocker virus

Photo Courtesy: ABC

Many people are becoming victims of an encryption virus dubbed Cryptolocker which hijacks computer files and demands a ransom, if anyone wants to restore them.

A report in ABC confirms that now, Australians are paying thousands of dollars to overseas hackers to rid their computers of Cryptolocker, which comes in a number of versions and the latest capitalizing on the release of Windows 10.

The deputy chairperson of the Australian Competition and Consumer Commission (ACCC), Delia Rickard, said over the past two months, the number of victim of the scam had been increasing. They have received 2,500 complaints this year and estimates about $400,000 has been paid to the hackers.

As per the report, the "ransomware" infects computers through programs and credible-looking emails, taking computer files and photographs hostage. It can arrive in an email disguised as an installer of the new operating system in a zip file.

Experts have found it more complicated than other viruses.

Josh Lindsay, IT technician, told ABC that he had been repairing computers for 15 years but the current form of the virus was "unbreakable".

It is said that the hackers have been offering computer owners a chance to retrieve data but only if they pay a ransom using the electronic currency Bitcoin.

Michael Bailey from Tasmanian Chamber of Commerce and Industry (TCCI) said when his organization was hit by the overseas hackers, his company paid a ransom equivalent to $US350.

Fake Android Virus alert says "Your Mobile compromised by Chinese Hackers"

Fake virus alert is the technique used by the Cyber criminals to trick users into thinking their system have a virus then tell them to install or buy fake applications, sometimes redirect them to spam websites.

A New fake virus alert spotted by Malware Bytes team says users that their device infected by a dangerous virus created by Chinese Hackers.

"whoever put this one together is watching all those APT news stories with glee and weaving them into their efforts below." Malware Bytes blog post reads.

Anyone passing through the page paulgrenwood[dot]com/US/smart/index[dot]html, receives the following message:

Warning! Your phone is attacked by severe virus that can steal your privacy which created by Chinese hackers on [date].
Please clear this virus immediately.

There is another fake warning message on the next page with “Android App on Google Play” button underneath the message and list of infections.

A rotator URL (clmbtrk(dot)com/?a=17990&c=81777&s1= )  is being used to send visitors to a variety of random adverts depending on geographical location.

Visiting the URL with a standard desktop setup would, more often than not, lead to a blank page. The bulk of the pages seen were dating sites with a lot of flesh on display, and even one hardcore pornography site

There’s no infection, so no need to panic.

Cyber Criminals abuse Yahoo's advertising network to spread malware

Cyber Criminals are targeting Yahoo’s advertising networks to deliver malware directly to the computers of users who is viewing the ads.

Security firm Malwarebytes, who discovered the attack on July 28, says that Yahoo is a victim of malvartising attacks in which exploit kits are used to redirect victims to the malware website.

The malvertising attack which does not require any user interaction, is believed to be one of the biggest in recent times due to the massive amount of traffic in Yahoo. 

In one of the campaigns, the attackers used the Angler Exploit Kit - This exploit kit usually infect victim's machine with annoying software and malware that forces victims to pay the money to unlock their system.

The security firm said that it had informed Yahoo about the attack the very same day. Yahoo said that the malware campaign has been stopped and that the company is investigating the matter.

Although it is not yet possible to determine exactly how many people have been affected by the hack, but it could be large as Yahoo gets 6.9 billion visits a month.

Attackers exploit the Privilege Escalation 0-day in Mac

Adam Thomas, a researcher from Malwarebytes, has discovered a new adware installer that exploits of a zero vulnerability in Apple's DYLD_PRINT_TO_FILE variable in the wild which helps to uses to install unwanted programs including VSearch, a variant of the Genieo package, and the MacKeeper junkware.

The vulnerability which is being exploited by this adware was first uncovered by a researcher Stefan Esser a month ago. However, this researcher did not first report about the flaw to the company concerned.

The adware was able to change the Sudoers file - s a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how.

 The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.

According to a post by MalwareBytes, if anyone installs VSearch, the installer will also install a variant of the Genieo adware and the MacKeeper junkware. As its final operation, it directs the user to the Download Shuttle app on the Mac App Store.

However, Apple has still not turned up to fix the problem. 

Russian APT attackers control the Hacked Machines using Twitter, Github

Russian APT attackers have used an advanced type of backdoor which tries to avoid detection by adding layers of obfuscation and mimicking the behavior of legitimate users. 

The attackers used popular legitimate websites such as Twitter, Github and other compromised web servers to send instructions and steal data from the compromised machines, according to a APT report published by the security firm FireEye.

The group is known as APT29, which creates an algorithm that generates daily Twitter handles and embedding pictures with commands. 

The attackers post instructions for their backdoors in a tweet, which contains a URL and a hashtag.  The malware will download contents hosted in the specific URL including all images in the page. 

They hide the data and other instructions within an Image file using a technology called Steganography. 

The Hashtag contains a number representing a location within the image file and a few characters that should be appended to the decryption key.  The key will be used for retrieving the data stored in the  image.

The instructions also contains where to upload the stolen data - It uploads to a specific account on a cloud storage service using the login credentials.

APT 29 is suspected to be in Russia since it is active during normal working hours in Moscow.

Researchers find out New Linux Backdoor

Security researchers from Doctor Web, a Russian Anti-malware company, have detected a new backdoor dubbed Linux.BackDoor.Dklkt.1 that targets Linux operating systems.

However, the signature of the backdoor has been added to Dr.Web virus databases. So, its Linux users are under reliable protection.

“It clear that creators of this malicious program planned to equip it with wide variety of powerful features, but bringing all their intentions to life proved rather problematic at the moment, not all of the program's components work as they should,” the researchers wrote in a blog.

The researchers have claimed that backdoor is supposedly of Chinese origin. They have said that the virus makers tried to create a multi-component malicious program encompassing a large number of functional properties.

“For example, they wanted to equip it with functions typical of file managers, DDoS Trojans, proxy servers, and so on,” they added. “However, not all of these plans were destined to see the light. Moreover, virus makers attempted to make a cross-platform program out of their creation; so that the executable file could be assembled both for Linux and Windows architectures. However, due to carelessness of cybercriminals, the disassembled code contains some strange constructions that have absolutely nothing to do with Linux.”

According to the researchers, the backdoor checks the folder from which it is run for the configuration file containing all operating settings. The file has three addresses of command and control servers. One of them is used by the backdoor, while the other two are stored for backup purposes. The configuration file is encrypted with Base64.

Once the backdoor gets activated, it tries to register itself in the system as a domain (system service). If the attempt fails, the backdoor terminates its work.

“Once the malicious program is successfully run, it sends the server information on the infected system; at that, the transmitted data is compressed with LZO and encrypted with the Blowfish algorithm. In addition to that, every packet contains a checksum, so that the recipient could verify data integrity,” the researchers explained.

Researchers have said that then Linux.BackDoor.Dklkt.1 waits for incoming commands that can include launching a DDoS attack, starting SOCKS proxy server, running a specified application, rebooting the computer or turning it off.

‘Android games on Google Play steal Facebook credentials,’ say researchers

This may come as a shock to many of the game lovers that Cowboy Adventure, a popular Android game on Google Play store, because researchers, from ESET, have revealed that the game has compromised the Facebook login credentials of over a million users who downloaded that Android game.

According to a post by the researcher on July 9, the Cowboy Adventure app on the Google Play store was able to steal personal information of the users.

With 500,000 – 1,000,000 installs, the developer of the Cowboy Adventure app also used it as a tool to harvest Facebook credentials.

However, the Google has taken down both of the apps from their app store and also warns against their installation on Android devices.

“It was one of two games spotted by ESET malware researchers that contained this malicious functionality, the other one being Jump Chess,” according to a report on Welivesecurity.

The report said that unlike some other Android malware, these apps did contain legitimate functionality (they actually were real games) in addition to the fraud. The problem lies in the fact that when the app is launched, a fake Facebook login window is displayed to the user. If victims fell for the scam, their Facebook credentials would be sent to the attackers’ server.

It is said that the latest version of the app at the time Google took it down from their official market last week was 1.3. This trojanized game had been available for download from Google Play since at least April 16, 2015, when the app was updated.

“We are not sure how many users had their Facebook credentials compromised,” the report read.

 “Our analysis of these malicious games has shown that the applications were written in C# using the Mono Framework. The phishing code is located inside TinkerAccountLibrary.dll. The app communicates with its C&C server through HTTPS and the address to which to send the harvested credentials (also known as the ‘drop zone’) is loaded from the server dynamically,” the report read.

The researchers have said always download apps from the official Google Play store than from alternative app stores or other unknown sources and always check the ratings and user comments.  

“Even though Google Play is not 100% malware free, they do have strong security mechanisms to keep trojans out,” the researchers added.

Researchers detect a threat that abuses Android accessibility feature to steal data

Researchers from LookOut, a San Francisco-based mobile security company that provides security to both private and business mobile devices, have detected a malware dubbed “AndroRATIntern” that abuses the accessibility service in Android to steal sensitive data from infected smartphones.

“After discovering this threat, Lookout notified both LINE and Google. None of LINE’s systems were breached. All Lookout users are protected against this threat,” the researchers wrote in the blog.

According to the researchers, AndroRATIntern is surveillanceware developed from the AndroRAT malware toolkit. It is sold commercially as “AndroidAnalyzer”.

“The threat is notably the first piece of malware we’ve ever seen abusing the Android accessibility service to steal data,” the blog read.

According to them, the malware targets the Japanese market. It can collect a broad amount of data from infected devices, including LINE’s, which allows users to make voice and video calls and send messages and most popular communications apps in Japan, messages, contact data, call logs, SMS, audio, video, photos, SD card changes, and GPS location.

The researchers said that the AndroRATIntern must be locally installed which requires a malicious actor to have physical, unmonitored access to the target device, making it a much more targeted threat that cannot be spread by drive-by-download campaigns.

It steals SMS messages, contact data, and other files are not uncommon. However, it is difficult to steal messages from LINE as the application runs in a sandbox.

The malware bypasses the security mechanism by abusing the text-to-speech accessibility feature in Android. This feature is designed to aid visually impaired users, but the malware developers are leveraging it to capture LINE messages when they are opened by the victim.

The researcher pointed out some tips which can keep people safe:

-         - Keep a pass-code on your device. it will be significantly harder for someone to download and install anything to your phone if it’s locked
-          -Download security software that can tell you if malicious software is running on your device

New Trojan that hides in PNG images affects healthcare organizatons

A new Trojan named the Stegoloader Trojan has been reported. The most victims claimed by this trojan are based in healthcare organizations in the US.

This new Trojan hides itself in PNG imaged to infiltrate personal computers of people and collect information. The malware hides in the pixels of the images.

The trojan hides in PNG images so it is able to circumvent security measures like network firewalls and personal antivirus software.

This malware was first spotted in 2013, but since then it has been reworked many times and multiple versions of Stegoloader now exist. Dell was the first company to report this malware.

Out of all the Stegoloader victims, 42 percent are in the healthcare industry.

Dangerous Android malware steals money from Your Bank

Researchers from Doctor web security have identified a banking trojan called Android.BankBot.65.origin which has been specially created for Android devices.

Cyber criminals are adding the malicious code with the legitimate online banking applications and planting them in various third-party android markets and other websites.

"Due to the fact that a compromised application looks and operates as a legitimate one, potential victims are very likely to install it on their mobile devices."  After that the Trojan starts accessing the system information and do nasty stuff.

After the installation of malicious software Android.BankBot.65.origin generates special kind of configuration file containing operating parameters for the Trojan. The trojan usually receive commands from host server and then exploit all the device vulnerability causing cyber criminals to steal money by intercepting and modifying SMS.

It may intercept incoming SMS messages and send texts to numbers listed by cyber criminals. It can add various texts to the list of incoming SMS messages. Using these methods, cyber criminals steal money from users' bank accounts by sending messages to transfer money from the victim's account to the account of cyber criminals or by intercepting messages containing verification codes or by implementing other fraudulent methods .

Messages like “pre-approved Credit card asking personal information” are example of fraudulent schemes which may lead user to fall into trap and they may share their banking credentials which leads to online banking stealing . And Thus its important to download mobile banking applications from authentic sources only .

Think twice before you open email attachments from unknown senders

Security researchers of Checkpoint have discovered a new ransom threat dubbed Troldesh, which is also known as Encoder.858 and Shade.

The Troldesh, which was created in Russia, has already affected numerous users across the world. The Troldesh ransomware typically encrypts the user’s personal files and extorts money for their decryption.

“Troldesh is based on so-called encryptors that encrypt all of the user’s personal data and extort money to decrypt the files. Troldesh encrypts a user’s files with an “.xtbl” extension. It is spread initially via e-mail spam,” Natalia Kolesova, anti-bot analyst at the Check Point, wrote in a blog.

She said that they found a distinctive characteristic in Troldesh besides the typical ransom features. 

The inventors of Troldesh directly communicate with the user by providing an email address, which is used to determine the payment method.

According to Kolesova, once a corrupted email is opened, the malicious threat is activated. Then, it will start encrypting the user’s files with the extension .xbtl.

Along with the files, users’ names are also encrypted. Once the encryption process is done, the affected user is displayed a ransom message and is being redirected to a ‘readme’ text for further information.

In a bid to stay safe, users are advised not to open anything suspicious by unknown senders.

“Many cases have been reported by the users paying the ransom without having their files decrypted. In order to avoid ransomware, it is important to back up important data previously on an external storage device or in a cloud,” she wrote.

The researcher said that the affected users have to download a powerful anti-malware tool to scan the system and remove the ransomware.

The researcher said she contacted the hackers via an email and asked for a discount.

“I was very interested to learn more about the ransom and tried to start a correspondence with the attackers. As required, I sent the specified code to the e-mail address provided, one that is registered on the most famous Russian domain,” the researcher wrote.

The crooks had demanded 250 euros to decrypt all of the files.

However, after the researcher asked to reduce the amount, the criminals agreed to lower the ransom to €118 / $131, payable via QIWI money transfer system.