Why free VPNs are not a risk worth taking

September 18, 2017

Here’s a question. If you’re not paying for your VPN service, where is the provider getting the money to run it? The answer might cause you to lose some sleep.

TANSTAAFL. If you’ve read your Heinlein, you know it’s an acronym for “There ain’t no such thing as a free lunch.”

Think about Facebook.
We use it for free, but in return for that attention, Facebook catalogs vast amounts of information about us, which it uses for targeted advertising.
Google became one of the world’s most profitable companies on the back of “giving away” free search (along with little ads on the side).
The result was almost total dominance of the digital advertising industry.

All of that brings us to VPN services.
Let’s do a two minute recap of what a VPN is, first.
VPN (or Virtual Private Network) is a term used for services that encrypt your internet traffic between your computer and a server run by the VPN service, from which it continues to its final destination.
This is particularly necessary when using something like a hotel’s open Wi-Fi service, so that other guests can’t watch all your traffic and steal juicy bits, like credit card numbers and passwords.

Here’s the thing: Running a VPN service is expensive.
You need either servers and data lines, or you’re paying a cloud vendor like Amazon for every bit received, sent, and stored.
Either way, it costs money.
So, think about this: If you’re running a free VPN service, how do you pay for all that expense?

You… In the back of the room, I see your hand up. “Ads,” you say. Yep, that’s a possibility.
Some free VPN services plaster ads on your browser display and sell those to whomever will pay.

I see another hand. “Stolen data.” That’s a possibility, too.
If you were a criminal organization or a terrorist ring, and you wanted to pick up a lot of credentials quickly, one easy way would be to open up a free VPN and wait for people to just hand you their secret information.
As P.T. Barnum is said to have said, “There’s a sucker born every minute.”

TASBEM. In other words, TANSTAAFL.

OK, one more. “Lead in for upgrade sales.” Yeah, that works, too.
Some vendors will offer a small amount of free access and when you eat up that bandwidth, they’ll ask you to upgrade.
Try before you buy is a proven method for selling services, it’s perfectly legitimate, and it’s often good for both the vendor and the customer.

You may also see some universities, activists, and other well-meaning groups offer free VPNs, but the problem is that they are resource constrained.
That means that you’re bound to see either slowdowns or stoppages because they can’t afford the resources needed to provide the service.
Some of those groups might also harvest information as you use their services, for use sometime in the future to further whatever their agendas might be.

The bottom line, though, is this: It’s just not worth risking your personal and financial data on a free VPN service.
The VPN services I rated range from about $6 to $12 per month, or about $40 to $120 per year.
It’s usually a better deal to pay for the whole year at once.

The cost of identity theft keeps going up, both in out-of-pocket expenses and in the time and hassle to clean up the mess.
When it comes to a service that’s designed to transfer your personal credentials and keep them safe, isn’t it worth spending just a few bucks to save potentially thousands of dollars, hundreds of hours, and an unmeasurable amount of stomach acid?



CCleaner Compromised to Gather and Transmit Information About Its Users

September 18, 2017

The app was compromised for almost a month

Piriform, the company that makes the popular CCleaner application, just announced that their application was hijacked and used to gather information about its users and send it to an unknown party.

Hackers usually prefer to penetrate insufficiently secured servers and take the data they want that way, but that usually means that the webmasters and programmers were not doing their job.
Compromising the code of an application before it is distributed, so that it gathers information about users’ devices, is on a different level.

Piriform hasn’t said anything about how their systems were penetrated or how the executable was modified before launch, but they did reveal everything that’s been going on, and it’s not a pretty sight.
In fact, if you read the short description of the event, it’s even more terrifying.

“An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems,” wrote Paul Yung, VP for Products at Piriform.

What was the application doing?

It turns out that the attack was supposed to take place in two stages, but the attackers never really reached the second stage.
Two versions of CCleaner were affected: 5.33.616 for the 32-bit desktop release, and 1.07.3191 for the Cloud variant.
That was probably intentional: leaving the 64-bit version alone would have avoided attracting too much attention.

As for the information collected by CCleaner and sent to an IP address, there’s not much we can do about that.
Paul Yung explained that the name of the computer, the list of installed software along with the Windows updates, the list of running processes, the MAC address of the first three adapters, and some other information regarding processes running as administrator were all collected, encrypted and sent away.

Avast Threat Labs helped with the investigation, but the legalities are still ongoing.
The authorities have been notified, and an update has been released for all users, no matter the platform.
It remains to be seen if anything more will surface in the coming days about the location of the attackers or their actual goal.


Back to school: Warning over phishing scam targeting students

September 6, 2017

Emails claiming to be from the Student Loan Company are trying to steal personal data and banking information from new and returning students

Students heading to university this month have been warned to watch out for a phishing email scam which looks to steal their personal information for the purposes of identity theft and fraud.

The UK’s fraud and cyber crime centre Action Fraud and The City of London police have urged universities to raise awareness about the scam to both new and returning students ahead of the new academic year.

Criminals looking to take advantage of a busy time for students are sending phishing emails purporting to be from the Student Loans Company, the government-owned body which provides student loans.

Addressed to ‘Student’, the email claims that most student loan accounts have been suspended due to inaccurate information and targets are urged to click on a provided link in order to update their information.

Of course, the link doesn’t lead to a legitimate website, but a fake version of the Student Loans Company website with the aim of stealing credentials – including email address, password and secret answer as well as bank account details.

All of this is information which can easily be exploited to carry out fraud or additional hacking-related crimes, or sold on underground forums.

The scam has been active for at least two weeks and is targeting both new and current university students. It’s also been spotted targeting people who never applied for student finance.

Like many phishing scams, this one attempts to panic the victim into giving up their personal data.
In this instance, it’s attempting to use the fear of not receiving the funds students require to pay for university in an effort to scare them into clicking the fake link and delivering their information into the hands of criminals.

However, taking a few seconds to examine the email quickly demonstrates that it’s a fake – for a start, it’s full of poor spelling and grammar, even in the opening line.

Due to incomplete student information update provided to the Student Loans Company (SLC).
Most Accounts have been suspended due to inaccuracy, and we strictly advice every student to update their information

The sentence is written in broken English, with erroneous use of capital letters – and ‘advice’ is incorrectly used instead of ‘advise’.

“This phishing email displays a number of tell-tale signs of a scam including spelling and grammar errors. As the new university year begins, we are urging people to be especially cautious of emails that request personal details.
Always contact your bank if you believe you have fallen victim to a scam,” said Detective Chief Inspector Andy Fyfe of the City of London Police.

The Student Loans Company has also reminded students that it will never ask for students’ personal or banking details over email and that anyone who sees the scam should report it.

“Anyone who receives a scam email about student finance should send it to us at in addition to reporting it to Action Fraud, as this allows us to close the site down and stop students from being caught out,” said Paul Mason, Executive Director of Repayments and Counter Fraud at the Student Loans Company.

“We want to remind students to stay vigilant with the details they provide online and to be mindful of the personal information about themselves they post online and on social media too,” he added.


Locky ransomware: Why this menace keeps coming back

September 4, 2017

It’s one of the most successful forms of ransomware.
Here’s why the Locky ransomware keeps disappearing – only to reappear again

It was arguably the incident which pushed the threat of ransomware into the view of the whole world, over a year before the WannaCry outbreak.

In February 2016, the Hollywood Presbyterian Medical Center in Los Angeles, California became infected with Locky ransomware.
The infection encrypted systems throughout the facility, locking staff out of computers and electronic records.

Eventually, the hospital paid a ransom of 40 Bitcoins – then equivalent to $17,000 – in order to acquire the decryption key to restore its data.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.
In the best interest of restoring normal operations, we did this,” Allen Stefanek, president of the Hollywood Presbyterian Medical Center, said at the time.

Locky went on to plague victims around the world during most of 2016 with many seeing no alternative beyond paying up.

This particular strain of ransomware was so prolific that by November it was one of the most common malware threats in its own right.

But then Locky disappeared in December 2016, prompting some cyber security researchers to suggest that those behind it simply went on a Christmas break.
It eventually re-emerged in January, but only in a tiny fraction of instances compared to when it was at its height and infections have been spiking and dropping ever since.

For example, after months of almost zero activity, the former king of ransomware suddenly returned in August, and in a big way, as millions of phishing emails carrying a Locky payload flooded inboxes.
Not only that, but potential victims are targeted with new strains of Locky – Diablo and Lukitus.

But why did this ransomware go so quiet in the first place?

Nobody knows who exactly is behind Locky, but the sophistication of the ransomware, and the strength of the underlying cryptography which researchers haven’t been able to crack, points to it being the work of a highly professional group.

Like a legitimate software developer, they’re constantly working to update their product, and unlike other forms of ransomware, Locky isn’t available ‘as-a-service’ for others to use, so it’s possible the campaigns go quiet while those behind it work on their code or experiment with new tactics.

“The respite we saw from Locky was likely just a planned pull-back on the attackers’ part.
Like any organisation, they need time to refine code and command-and-control infrastructure, plan new attack vectors, organise ransom payment collection methods and compile new lists of targets,” said Troy Gill, manager of security research at AppRiver.

Each time Locky has briefly re-emerged before seemingly disappearing during the course of this year, it’s been doing something a little different, suggesting that those behind it are experimenting.

For example, a Locky spike in April saw the ransomware flirt with a new delivery technique, distribution via infected PDFs instead of Office documents, a tactic associated with the Dridex malware botnet.
So it could be that the ransomware simply goes offline while those behind it examine malware trends and work out how to build them into Locky to make it more successful.

“The timing of these comebacks matches closely with the introduction of new attributes such as the most recent Diablo and Lukitus extensions for attached files and the use of new distribution techniques involving PDF documents or phishing links,” says Brendan Griffin, threat intelligence manager at PhishMe.

“These periods of Locky absence are used as a chance to build upon their successes and find new, smarter ways to deliver their ransomware.”

Locky is distributed via the Necurs botnet – a zombie army of over five million hacked devices – and the ransomware appears to go off the radar when the botnet is used for other activity. For example, Necurs re-emerged following a period of inactivity in March, with its power harnessed to distribute email stock scams.

The following months saw the continuation of malicious activity, with Necurs shifting to the distribution of Jaff ransomware.

While less sophisticated than Locky, researchers believe Jaff and Locky to be connected.
Not only do the Jaff and Locky decryptor websites look almost identical, but like Locky, the ransomware will delete itself from the infected machine if the local language is Russian.

Unlike the case of Locky, researchers have been able to construct a decryption tool for Jaff, distribution of which has declined since the tool was released in June.

Since then, the Necurs botnet has returned to distributing Locky, which might indicate that while they may experiment with other forms of cyber criminal activity, those behind Locky see it as a reliable tool to fall back on – because it works and generates revenue.

“Locky is an incredibly powerful and well developed piece of ransomware,” says Adam Kujawa, director of malware intelligence at Malwarebytes.
“At the end of the day, the bad guys want to make money and they will use whatever software they can get their hands on to make that happen.”

So while Locky is successful, those behind it are opportunistic and are constantly on the lookout for other means of making money – and if that means dropping Locky in favour of something else then so be it.

But for now, Locky remains successful – because if victims weren’t still paying ransoms, the attackers would swiftly move onto something else.
But 18 months on from the Hollywood Presbyterian Medical Center attack, it’s still here and it’s still successfully infiltrating networks.

Ransomware remains successful because it works, because enough people get infected after being duped by phishing emails and enough organisations will give in and pay the ransom fee in order to regain access to their systems – especially as there’s still no decryption tool available.

Simply put, Locky keeps returning because it is successful.
So the next time it appears to go silent, don’t make any assumptions about the ransomware being dead – it’s likely that it’s just gone offline while those behind it work to make it even more effective.


Locky ransomware is back from the dead again – with new ‘Diablo’ variant

August 16, 2017

One of the most successful families of file-encrypting malware is back — again — with a new spam campaign.

One of the most successful families of ransomware has returned once again, with a new email spam campaign designed to infect victims with the file-encrypting malware.

Locky was one of the first major forms of ransomware to become globally successful and at one point was one of the most common forms of malware in its own right.

However, attacks distributing Locky have declined this year, and while it was once the king of ransomware, its title has been usurped — Cerber now dominates the market.

But that doesn’t mean Locky no longer poses a threat.
After going dark for a few months — even to the point where it wasn’t being distributed at all — the ransomware is once again being spread through the Necurs botnet.

But this time it’s being distributed with a new file extension called Diablo6, according to Malwarebytes researchers who’ve observed the new campaign.
The new Diablo variant calls back to a different command and control server than previous Locky campaigns.

Like other ransomware families, Locky is distributed via the use of spam emails; this particular campaign sends them in the form of PDF attachments with embedded .DOCM files.

If the user downloads the attachment and enables macros as the payload requests, they’ll soon find that they’ve lost access to the files on their computer and are told that they need to pay a ransom in order to get the “private key” from the “secret server” of the attackers.

While Locky is far less prevalent than it has been, it remains a risk to organisations because of its strong cryptography and the fact that those behind it still update and alter the payload and the tactics used to deliver it.

“The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time,” said Marcelo Rivero, intelligence analyst at Malwarebytes.

It isn’t the first time Locky has reappeared after seemingly disappearing.
It appeared to cease activity over Christmas 2016, leading researchers to speculate that its developers had taken a break over the holiday season.
Sure enough, it re-emerged in January and infections have been spiking and dropping ever since.

The sudden reappearance of Locky could potentially be attributed to decryption tools for Jaff ransomware being made available for free in June.
Jaff appeared in May and was spread by the same Necurs botnet used to distribute Locky.

Cybercriminals deploy ransomware because it allows them to reap high rewards using little effort.
Therefore, it could be the case that once Jaff — which demanded a ransom of $4,000 and used a decryptor almost identical to that of Locky — was cracked by security professionals, the criminals behind it have simply gone back to using Locky.

While those behind Locky have yet to be identified, researchers have noted that the ransomware will delete itself from the infected machine if the local language is Russian, possibly pointing towards the geographic location of the developers.


Android app stores flooded with 1,000 spyware apps

August 10, 2017

Three fake messaging apps in the Google Play Store discovered to be distributing stealthy data-stealing SonicSpy malware – and that’s just a fraction of the activity by this group.

Hackers have flooded Android app stores – including the official Google Play store – with over one thousand spyware apps which have the capability to monitor almost every action on an infected device.

Dubbed SonicSpy, the malware can silently record calls and audio, take photos, make calls, send text messages to numbers specified by the attackers, monitor calls logs and contacts and monitor information about Wi-Fi access points.

In total, SonicSpy can be ordered to remotely perform 73 different commands, and it’s suspected to be the work of malware developers in Iraq.

Marketed as a messaging application, the malware performs the advertised messaging function so that users don’t become suspicious of the download, while all the while stealing their data and transferring it to a command and control server.

SonicSpy has been uncovered by researchers at Lookout after they discovered three versions of it live in the official Google Play app store, each advertised as a messaging service.

Google has since removed the malicious apps – called soniac, hulk messenger and troy chat – from its store, but many other versions remain available on third-party application markets and the malware could’ve been downloaded thousands of times.
At the time of removal from Google Play, soniac had been downloaded between 1,000 and 5,000 times.

When downloaded from Google Play, SonicSpy will hide itself from the victim and remove its launcher icon from the smartphone menu, before connecting to a command and control server and attempting to download and install a modified version of the Telegram app.

This custom app contains the malicious features which allow the attackers to gain significant control over the device.
It’s unclear if the attackers are targeting specific users, or if they’re trying to get hold of any information they can from anyone who downloads the malware.

Researchers analysed samples of SonicSpy and have found that it contains similarities to a spyware called Spynote, which was first uncovered in the middle of last year.

Both SonicSpy and Spynote share code, make use of dynamic DNS services and communicate over the non-standard port 2222, leading Lookout to suggest that the two families of malware have been built by the same hacking operation.

Tricking users into using a fully functioning application while it secretly exfiltrates data to the attackers is also noted as a tactic used by the same attack group.
The account behind the malicious apps is called ‘iraqwebservice’, leading researchers to suggest the campaign is of Iraqi origin.

Whoever is behind the malware, “Spoofing an encrypted communications app also shows the actor’s interest in gathering sensitive information,” said Michael Flossman, Security Research Services Tech Lead at Lookout.

And while SonicSpy has been removed from the Google Play Store for now, Flossman warns that it could potentially get into it again.

“The actors behind this family have shown that they’re capable of getting their spyware into the official app store and as it’s actively being developed, and its build process is automated, it’s likely that SonicSpy will surface again in the future,” he said.

Google keeps the vast majority of its 1.4 billion Android users safe from malware, but malicious apps still regularly get through to the official store.


LastPass has moved two previously free features to the paid plan and doubled the price

August 6, 2017

LastPass is one of the most popular password managers on the market, but it’s getting a price hike today.
It’s going to be twice as expensive going forward, but the good news is you’re getting some more features for the money.
The bad news is those features used to be free.
Users of the free account won’t be completely losing out, though.

Before today, LastPass was $12 per year, but now it’s $24.
The free version of LastPass will lose support for emergency access and unlimited sharing, which are heading to the more expensive premium version.
Emergency access lets you designate trusted contacts who can request access to your passwords in the event of an emergency.
Anyone on the free version already using this feature will still have access.
Sharing on the new free account will only be available in one-to-one format, but the premium account lets you share to as many people as you want.
Additionally, premium users retain the shared folder option.

The free account continues to have multi-device support, which was added just last year.
I assume that was one of the big drivers of premium sign ups, so that might have something to do with the price increase.
It would be hard to take that away, so LastPass is upping the price and fiddling with the other features.