Posted on

Google Scam Targets Australian Cat Owners

Australian Cats Google Scam Targets Cat Owners in Australia

Google Users Warned About Searching for This Specific Cat Breed in Australia

Cybersecurity experts are warning Google users to avoid searching for the phrase “Are Bengal cats legal in Australia” as it has become a conduit for phishing scams that could compromise personal data. Hackers are reportedly targeting users who search for this specific phrase, directing them to malicious websites that steal sensitive information. This is the latest example of “search engine poisoning,” a technique where cybercriminals manipulate search engine results to lure users into their traps.

How the Scam Works

When users type in “Are Bengal cats legal in Australia” on Google, they may encounter certain search results designed to look like legitimate resources. However, some of these results are “poisoned” — they are crafted by hackers who manipulate the SEO (Search Engine Optimization) of their malicious sites to appear higher in search results. Unsuspecting users who click on these malicious links are redirected to fraudulent sites that prompt them to enter sensitive details, potentially handing over valuable data to cybercriminals.

In this specific campaign, experts have identified a connection to the notorious Gootloader malware, which has been deployed in similar attacks globally. Once on these sites, users are either encouraged to download files under the pretense of accessing a “secure PDF” or enter personal details to continue reading. Downloading any files or submitting personal information on these pages may result in direct exposure to malware, which can compromise financial accounts, personal information, and even work-related credentials.

The Role of Search Engine Poisoning in Hacking Attacks

This tactic, known as search engine poisoning, is not new but has become more sophisticated. Cybercriminals understand the types of searches that generate curiosity and use these trends to create traps for potential victims. By flooding search engines with links to malicious sites related to popular questions — such as the legality of Bengal cats in Australia — they increase their chances of luring curious individuals. This type of hacking has proven successful, as users often assume that high-ranking results are safe.

Once on a malicious page, users’ computers and networks are at risk. Hackers may plant malware capable of logging keystrokes, capturing screenshots, and even gaining administrative control over a device, putting both personal and professional data in jeopardy.

The Cost of Falling Victim to a Phishing Scam

For internet users, especially those in professional fields, this attack is a strong reminder of the importance of online vigilance. According to IBM, the average cost of a data breach in 2024 rose to a record $4.88 million, reflecting the increasingly high stakes of cybersecurity threats. Cybercrime tactics continue to evolve, exploiting even the most innocent of online behaviors.

SUPERAntiSpyware advises users to verify any unfamiliar link, avoid downloading unverified files, and use anti-phishing tools to stay secure online. For the most comprehensive defense, why not try our Professional X Edition?

Posted on

How to remove Loki

Delivered through malicious spam campaigns, Loki focuses on stealing credentials off the victim computer and runs a keylogger, a common hacking method. Loki also communicates back to a Command and Control server (C&C) to report what it finds and to receive commands if needed.

How it works

Loki, named after the creator’s username Lokistov, is delivered to users through a variety of channels, but the most common is malicious emails that can come in a variety of types. The most common strategy is the familiar “invoice” style email that attempts to get the potential victim to open the attachment. Once opened, the “invoice” will try to run embedded macros or get the user to follow a link to a downloader. One example of such a “invoice” can be found below.

Invoice enable content picture

If the potential victim were to click “Enable Content,” Loki would be installed and start gathering data. This is a common attack vector[  and was used by, albeit in a more complex way, Emotet.

This is not the only way Loki can be delivered, however, as it can be purchased by a malicious user,  Loki will be delivered in the most cost effective way.

Loki focuses primarily on credential-stealing and boasts an impressive 80 programs it has the ability to steal from. The most notable being all major browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Microsoft Internet Explorer
  • Opera Software’s Opera browser

In addition to this already worrying list, Loki is able to go after many alternative versions of these browsers such as:

  • 8pecxstudio’s variant of Firefox, Cyberfox
  • Google’s open-source browser Chromium
  • Independently developed Firefox fork, WaterFox
  • Nichrome

In addition to browsers, Loki can go after FTP clients, Microsoft Outlook, and independently developed SuperPuTTY. This list will likely be expanded in future campaigns to include more commonly used programs if vulnerabilities are found.

After connecting and confirming the presence of its C&C server, Loki launches a keylogger in a separate thread. This keylogger records every button press of the keyboard during its operation and can be used to reveal other passwords and usernames that may not have been stored in a program it can access. This is then bundled with any other data it retrieved.

Once the data is gathered, it is compressed and sent to the C&C server hosted by the malicious actor. These normally are shut down quickly after a new campaign has been identified but can remain active for days or weeks at a time giving them plenty of time to store the gathered data somewhere else and sell it.

Who is affected?

Loki can be bought in the dark web for fairly cheap. Last know price at the time of this writing was $70. The consequence of this is that Loki can be used to target anyone. The benefit of the availability is it makes it much easier for Anti-Malware companies to stop it.

Indicators of Compromise

  1. C:\Users\admin\AppData\Local\Temp\saver.scr
  2. a.doko.moe
  3. MD5: 500F84B83BE685009C136A67690CA0C3

What you can do


If you or someone you know is infected with the Loki malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Loki from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech03 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How To Remove Loki

  1. Restart the infected computer in safe mode without networking.
  2. Search through the items in the Indicators of Infection section above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.
Posted on

How to remove ServHelper

ServHelper is a new backdoor with a downloader variant, which first appeared in November of 2018. Named by the Threat actor “Ta505,” ServHelper spreads through email campaigns using a quantity-over-quality approach that has proven to work, albeit less effectively than the Emotet strategies discussed here. ServHelper seems to be largely targeted toward businesses but could change to focus on individual’s in future campaigns.

How does ServHelper works

ServHelper is downloaded through Microsoft Word documents with macros. The documents often pretend to be invoices, though they may take other forms such as, but not limited to: greeting cards, complaints, or details from your bank. These documents attempt to convince the victim to enable macros in them by saying that the content cannot be viewed until macros are enabled. If the victim clicks the Enable Content button, the infected document runs code that downloads ServHelper to the computer. You can learn more about how to protect yourself here. An example is shown below:

Infected enable Content doc

Another method employed by ServHelper is to distribute PDF files that claim you must follow the link provided to update your PDF viewer. These links instead reach out to a download server that infects anyone who visits. The end result is the same regardless of whether the victim gets the infection from a Word document or a PDF.

Once installed, ServHelper does one of two things.

  1. Establishes a remote-control session that allows the malicious actor to control the infected computer from anywhere. To accomplish this, the malware talks to a Command and Control server (C&C) where it takes it commands from. Some of the notable commands include: the ability to kill itself and remove traces of itself from the computer, the ability to copy user’s browser profiles, and the ability to execute a command shell. This allows the attackers to gain access to your PII as well as any passwords, usernames, bank account information, using advanced hacking methods.
  2. Drops another piece of malware known as FlawedGrace. ServHelper recently removed some of its capabilities (in this version only) to instead focusing on dropping this malware. FlawedGrace acts as a remote-access Trojan providing similar functions to ServHelper.

Who is affected?

ServHelper largely targets businesses, so most of the emails are designed to look like emails you would see in your day-to-day business, such as invoices. Despite this active focus, it’s entirely possible for computers outside of a business to be infected and extorted, so protection is paramount.

Indicators of Compromise

ServHelper makes several changes that indicate whether a computer has been infected.

  1. The most noticeable one is the C:\Windows\ServHelper.dll that is dropped in the windows folder.
  2. Unusual scheduled startup tasks are always noteworthy and ServHelper uses them to start itself every time a victim’s computer is ran.
  3. C:\PROGRAM FILES\COMMON FILES\SYSTEM\WINRESET.EXE
  4. crl.verisign[.]com/pca3[.]crl
  5. hxxp://ocsp.verisign[.]com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCECcNdVyfWsO322H1CZgocHg%3D
  6. hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl[.]cab
  7. IP: 104.81.60.211
  8. IP: 104.81.60.51
  9. IP: 2.17.157.9

What you can do

If you or someone you know is infected with the ServHelper malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove ServHelper from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech02 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How to Remove ServHelper

  1. Restart the infected computer in safe mode without networking.
  2. Search through the Indicators of infection listed above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.
Posted on

Watch out for fake PayPal “unable to complete your recent transactions” phishing emails!

Phishing Emails Watch out for fake PayPal

We here at SUPERAntiSpyware have noticed a fairly recent clever email phishing campaign that claims to be PayPal. In the email the fake PayPal scam artists attempt to scare users into thinking that not only have their recent PayPal payments been declined, there is also unusual selling activities and they “will need some more information” about your recent sales in attempt to steal your information.

Example of the phishing email

Phishing Emails

We here at SUPERAntiSpyware recommend you simply delete this email, and do not click any links within the email, especially the fake blue “Check Your Accounts” button. If you have been scammed by this email, immediately change your PayPal account password and consider looking into changing your spam settings to avoid future spam emails such as these. Remember, if you do not recognize the sender address, do not open the email, and if you do open an email such as this always hover your mouse pointer over the emails links to see where they’re trying to take you, usually phishing emails links will point you to a website that has nothing to do with the company they’re posing as.

Posted on

Watch out for fake Office 365 phishing emails!

that claims to be Microsoft attempting to inform users their Office account email storage space is almost full and to prevent incoming/Outgoing mail from getting bounced back, to click the supplied link to add an additional 10 gigs of free and mandatory storage. This of course is an obvious scam to phish your password as the link takes you to a fake Office 365 login screen.

Example of the spam. Beyond the obvious sketchy character of the email, hovering over the links within the email with your mouse pointer clearly shows it takes you to a different website and not a Microsoft website.

We here at SUPERAntiSpyware recommend you simply delete this email, and do not click any links within the email. If you have been scammed by this email, immediately change your Office 365 account password and consider looking into changing your spam settings to avoid future spam emails such as these. Remember, if you do not recognize the sender address, do not open the email, and also if you do open an email always hover your mouse pointer over the emails links to see where they’re trying to take you.

Posted on

Watch out for fake “Microsoft account Verify your email address” spam!

Verify Your Email Address

We at SUPERAntiSpyware have noticed in uptick in spam that claims to be associated with verifying your email address to set up a Microsoft Account.

Fake Microsoft account verification email

We recommend you immediately delete this email, do not click the “Verify Your email address button” it will redirect you to a known phishing site to try to steal your account information. You can tell the button is fake by simply hovering your mouse over the button and taking a look at the URL, clearly non-Microsoft related.

Clicking this button does not verify your account, it brings you to a phishing website that will lure you into giving up your account information!

If you have been scammed by this email, immediately change your Microsoft account password and consider looking into changing your spam settings to avoid future spam emails such as these. Remember, if you do not recognize the sender address, do not open the email!

Posted on

Tax Season is here – Watch out for Identity Stealing Spyware!

Taxes The Season is Here !

Keep your personal information safe this tax season by doing a Free scan with SUPERAntiSpyware Free Edition

We want to remind everyone that tax season is the time of increased attacks in the forms of spyware, various methods of phishing , and scams. Spyware and Malware authors significantly increase their activity during the tax season in order to try to steal data and withdraw money from bank accounts, steal credit cards, passwords, and other malicious acts.

Watch out for Identity Stealing Spyware!

During this tax season its important to do a few things to help protect yourself online:

1) Make sure your Operating System and software applications such as web browsers and email clients are up to date.

2) Run a Complete Scan with SUPERAntiSpyware regularly with the latest updates, at least twice a week during this period of increased activity.

3) Be cautious before visiting strange websites, or opening strange email attachments. Think before you click!

4) Manually erase, or use privacy software, to delete sensitive data from you PC. Spyware cannot steal what isn’t there!

5) Lookout for spam phishing email impersonating government, bank, or tax company officials asking for sensitive information.

Do you have any security recommendations that help you stay safe during the tax season? Feel free to leave a comment below!

SUPERAntiSpyware Team

Posted on

How to deal with Tech Support Scams

How to deal with Tech Support Scams Now!

You get a pop-up message that says you’re infected and for you to call “Microsoft” Tech Support with the provided number, a voice may come from your speaker instructs you that your data is in harm’s way and you should not shut off your PC. In a panic, PC users call this number and long story short, end up paying hundreds of dollars to a scam artist that claimed to fix something that was never an issue to begin with. This story is common today if you read the news.

A tech support scam artist claims to be an employee (or work with) of a major software company offering technical support to the victim. This can range from someone claiming to be your ISP, your cable provider, or even a Apple or Microsoft. The scam artist will claim the “company” has received notifications of errors, viruses, or issues from the victim’s PC. Scam artists are also claiming to work on behalf of the government to fight computer viruses and threats from enemy nations, hackers and terrorist organizations.

How they get you

Tech Support scam artists have a few tricks to try to extort you or scare you into paying them:

Cold Call. You’ll get a random call from the scammer who claims your PC is infected or has a serious error.

Pop-Up or Rogue Website. This is the more popular tactic where the victim will accidentally stumble upon a rogue website or receive a pop-up claiming you have a Windows OS Blue Screen Error, a massive data error, or a serious infection. Sometimes, it will lock your screen up and freeze your internet browser, or play a sound or voice over the speaker in an attempt to scare the victim. The pop-up or rogue website will always include the scam phone number for the victim to call.

Once you are speaking to them and letting them in

They will attempt to scare you further and instruct you to allow them to remote access your PC or devices to “fix” them. One they are in, they will claim they found the “errors” or “viruses” and ask you to pay for them to be removed, this usually amounts to hundreds of dollars. The money is collected from the victim usually by debit/credit card, wire transfer, or even prepaid gift carts!

If the tech support scammers are remotely accessing your devices, they can use this as a way to hold your information hostage and ransom you. They can intentionally install malware onto your PC, or steal your sensitive data on your PC such as passwords, financial accounts, and other data. There have been reports of the scammers becoming so agitated they have threatened to destroy the computer and all its data unless the victim pays on spot.

What can you do to stop them?

We at SUPERAntiSpyware recommend a few different forms of defense and mitigation against the plague of tech support scams:

Do NOT give out credit card or bank information.

Recognizing what is occurring and ending the call immediately if you are speaking to a tech support scammer.

Do not allow unknown and unverified organizations remote access your devices such as your phone or PC.

Make sure you are using the latest version of SUPERAntiSpyware and it is up to date.

If you see a pop-up or you stumble upon a rogue website that is claiming you are infected, have an error, or a Blue Screen of Death go ahead and close your web browser, if needed force it down via the Process Manager. If you cannot do that, reboot your machine.

If you are a victim

File a fraud report with your Bank or Card issuer immediately and stop payment, or see if you can dispute the payment if it has already been made.

File a Complaint with the FBI Internet Crime Complaint Center

Change your passwords to the services the tech support scam artists may have uncovered when they remote accessed your PC.

Remove any remote access software the scam artist may have had you install on your PC.

Posted on

Prevention is Best!

Prevention is the best Safeguard

Prevention is the best way to ensure you are never infected with spyware and your data is never lost or stolen. It is possible to clean up an infected machine and remove spyware but sometimes the damage from certain spyware, such as ransomware, cannot be fixed as files become encrypted or otherwise corrupted.

While no single solution available is a silver bullet, the following list outlines some of the best practices in lessening the risks of losing data after an infection:

1) Backup your files and software! Having backup copies of your photos, documents, software, and other files can make sure you never lose them to a malware infection such as ransomware encryption. Many people choose to use external drives or the cloud for their backups, but keep in mind that if you use external drives, the data can still be at risk if you leave your backup drives connected to your machine at all times.

We at SUPERAntiSpyware offer an Online Backup Solution as an optional service when purchasing SUPERAntiSpyware at $6.95 a month. This subscription allows you to back up and protect your important files and documents onto a cloud-like server so you always have copies of your important files.  You can read more about our backup services here: https://www.backup.support.com

2) Keep SUPERAntiSpyware up to date and run regular scans. We update our definition list twice a day to make sure our users catch the latest threats, as well as periodically release software updates. It is imperative users keep up to date so their software continues finding the latest threats. In order to make sure that nothing creeps in between scans, we recommend regular scanning at least once a week, if not every day.

3) Update your Windows Operating System and Software you use. Make sure you always are using the latest version of Windows with the latest updates and security fixes. Most Windows updates are patches for existing and/or potential vulnerabilities, so keeping these holes filled is crucial in stopping the spread of malware. Additionally, using unsupported operating systems (anything older than Windows 7 as of right now) can leave you just as unprotected. If you are using web browsers such as Firefox, Chrome, or others, always make sure you are using the latest versions, and don’t forget to update any add-ons, plugins, or extensions you use to the latest editions.

4) Double Check Emails before opening them. Check the sender of every email you receive. If you do not know them, or the email looks suspicious, do not open it! Delete it! Do the suspicious emails include links to click or strange attachments? Do not click the links or open the attachments no matter how innocent they sound. If it claims to be from an official organization, call them and ask if the email is legit. Better safe than sorry!

5) Use strong passwords and/or multi-factor authentication. Good passwords are long. Good passwords also contain capital and lower case letters, numbers, and special characters. Do not use an easily accessable password that contains personal information like your birthday or the name of your pet, and do not use the same password for every website! This makes it harder for hackers to gain access to your personal information, especially when you use different passwords for every site. It might be a bit more to remember, but it diminishes the risk and the headache of sorting everything out after your information is stolen.

Many sites, such as banks, often will have multi-factor authentication available. With these systems, you not only need a password, but you also will need a special code that is often randomized on a dongle or smart phone app. These types of systems are more secure than just a typical password, as the extra step is incredibly difficult to hack into.

6) Use an Ad blocking Extension. Software such as Adblock Plus and uBlock Origin for your internet browsers are free, cross-platform browser extensions that filter unwanted content such as ads, pop-ups, rogue scripts, and even IP leaks. Using an ad blocking extension on your web browser will greatly lessen the impact of “Malvertising”, website ads that drop rogue programs onto your PC without your knowledge. While these programs might not block every ad you encounter, the chances of you running into something particularly malicious will be reduced dramatically.

7) Remove unsupported software. Many software programs, such as Flash or QuickTime, are no longer supported by their publishers, or are no longer supported by modern web browsers. This means that existing versions can have massive security flaws, despite their being many users who still have the software installed on their computers. It is recommended that users uninstall software that has been abandoned by their creators, especially if it is something that deals with content on the web.

At the same time, many newer pieces of software cannot run on older operating systems such as Windows 98, Windows ME, and even Windows XP. Keep your operating system up to date! When Microsoft stops supporting an old operating system, they stop all updates, which can lead to vulnerabilities being exploited.

8) Don’t talk to tech support scammers. If you’re on the internet and suddenly get a pop-up or email claiming your PC is infected with a virus, and that you need to call a listed number immediately, do not do it! A real security company wouldn’t sell their services from sketchy pop-ups or emails. These companies typically list a 1-800 number for you to call so they can try to lure you into spending potentially hundreds of dollars and giving them remote access to your PC.  More likely than not, they will try to infect you or steal personal information during their remote access “work”.

9) Make sure you are on secure connection when purchasing products online or entering in personal information. You can tell you are on a secure website when the URL reads “https” and not just “http.” This is also referred to as HTTP over SSL which is encrypted. This protects against eavesdropping and tampering. Often, the address bar will change color or display a lock icon next to the URL you are visiting if you are connected through a secure HTTPS connection.

10) Use a firewall. Since Windows XP, every Microsoft operating system has come with a firewall. It is recommended you make sure this is always enabled. If you use a third-party firewall, it is also recommended you always keep it up and running. Firewalls use rules and examine network traffic as it passes in and out of your PC. If a connection does not follow the firewalls rules, it will be blocked. This also allows you to monitor activity on your network from intrusion attempts or if rogue software on your PC is trying to reach out to a hacker.

Remember to Stay Safe

Even the most cautious of people can get infected; however, by following these tips your risk of getting infected or being unable to recover from an infection will go down dramatically. Remember to stay safe, exercise caution, scan regularly, keep everything up to date, and backup your data often.

Posted on

Typosquatting: Another front of malware attacks

Typosquatting is a type of internet scam that relies on end users making mistakes, such as spelling errors or entering the wrong domain name when entering a websites URL. It is also commonly known as URL Hijacking. There are many motivations for a hijacker to take the Typosquatting approach to deceiving unsuspecting victims:

1) To redirect web traffic to their own or a competitor’s product.

2) Installing malware to infect the user’s machine, typically with ad-hosting pieces of malware.

3) Freeze the web browser for a fake Tech Support scam, scaring the user into calling a fake tech support number claiming the user has a virus infection. These scams potentially cost the users hundreds of dollars.

4) To steal user information by running a phishing scheme to mimic legitimate website.

5) Making revenue from the user clicking on advertisements (either in plain site or disguised as legitimate search links) on the Typosquat website.

6) To blackmail or strong-arm payment from the company they’re Typosquatting in order to force a purchase of the website from the Typosquatter.

A scammer who runs a Typosquat scam typically registers a website address with spelling close to the legitimate websites address. This is typically something simple like omitting a letter, adding a letter, or using a different Top Level Domain. For example if a user wants to go to our website, they may end up typing superaantispyware[dot]com with double a’s. This will end up showing a user a Typosquatting website such as this:

Another type of Typosquat scam would be due to the person improperly typing out the full URL, typing something like google [dot] om , rather than typing google [dot] com. In this instance, the person typing the .om domain would actually be viewing a page hosted on Oman’s Top Level Domain, rather than the basic .com domain. In some instances, large corporations will buy up as many associated domains as they can in order to prevent this type of mistake (Google, for example, has variants of their site containing multiple o’s and different Top Level Domains); however, not all companies have the foresight and/or money to do this.

It is easy to avoid falling prey to a Typosquatting scam. Here are a few easy things you can do to prevent this.

1) Never open links in emails from unexpected senders, and exercise caution when visiting sites you’re not familiar with.

2) Bookmark your favorite websites so you can easily access them.

3) Use a search engine like Google, Bing, or Yahoo when looking for a specific website if you are unsure about the spelling or if the business’ website is the same as their name. Some car dealerships, for example, use dealer names or slogans as their website.

4) Double check the URL you are typing before loading the page

5) Make sure Real-Time Protection is turned on in SUPERAntiSpyware Professional

6) If you are starting a web-based business, consider buying multiple domains that are similar to your primary site to preemptively stop Typosquatters. Most domain registrars will offer bulk rates when you purchase more than one domain at a time.

While this type of attack is somewhat uncommon by today’s standards, it still happens every once in a while. By practicing safe browsing habits, keeping your web browsers up-to-date, and running regular scans of your machine, you should not be impacted by most of these types of attacks.