
Yahoo Announced a Second Breach; 1 Billion Users Affected

December 16, 2016 by Jerry Stainthorpe

Yahoo reported a breach that occurred in August of 2013 and affected 500,000 members.

Yahoo is now reporting a second breach that has affected an estimated 1 billion users. The breach included birth dates, names, hashed passwords, email addresses, telephone numbers and, at least in some cases, security questions and answers, some of which were encrypted.

“This is absolutely shocking that Yahoo has again just been informed by external parties via law enforcement that they have been the victim of the largest data breach in history,” Joseph Carson, Head of Global Strategic Alliances at Thycotic, said. “More than one billion user accounts have been disclosed and impacted by this breach, meaning that almost one in three people using the internet have been impacted by this single breach alone.”

This second breach “brings the total number of stolen credentials and passwords this year to more than 3 billion which almost equals the number of people actually using the internet,” said Carson. “That is astonishing.”

“It appears thus far from the publicly disclosed information that this is resulting from privileged unauthorized third party access. This has been a common source of many of the data breaches this year,” Carson said.

Yahoo is in the process of notifying affected users. “Yahoo has stated that they are notifying account holders impacted by this breach which means they are informing, get this, nearly one out of every seven people on this planet,” said Carson, who expects the breach to “likely impact the proposed agreement between the two companies.”

“The value will likely decrease to cover the potential costs of this breach which could be the biggest financial impact from any cyber breach to date,” he said. “This breach is one to surely watch and will likely cause many issues for Yahoo in the EU with the European Commission and the Data protections regulations who will be looking for answers from Yahoo for both of the major breaches this year.”

Source: SCMagazine

Filed Under: E-mail


FedEx Delivery Notices Dropping Zeus and Fareit Trojans

December 16, 2016 by Jerry Stainthorpe

Not all FedEx deliveries contain packages that users expect.

Security researchers at AppRiver have observed an uptick in spam messages that appear to be shipping notifications from FedEx, but in fact contain Fareit malware, an information stealer that targets email passwords and browser-stored passwords, as well as FTP credentials.

During AppRiver’s analysis, the malware also downloaded a copy of the ever-popular Zeus Trojan onto the infected machine.

According to Troy Gill, manager of security research, the messages appear to contain a shipping receipt for a package that the courier was unable to deliver. The attached file, while it does have .PDF in the name, is actually a file archive utilizing the open source file archiver 7zip. Inside the compressed archive, you will find an executable file (.exe) that contains the Fareit malware.
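A mail filter can catch this kind of disguise by comparing what the file name suggests with the file's leading bytes. The following is an added example, not code from AppRiver or the original article; the file names and sample header bytes are constructed for illustration.

```python
# Leading "magic" bytes of the formats relevant to the post.
SIGNATURES = [
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"MZ", "exe"),
]
CONTAINERS = {"7z", "zip", "rar", "exe"}
DOCUMENT_HINTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def sniff_type(data):
    """Identify content by its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename, data):
    """Return findings where the name and the real content disagree."""
    findings = []
    actual = sniff_type(data)
    parts = filename.lower().split(".")[1:]  # every dot-separated suffix
    final_ext = parts[-1] if parts else ""

    # Case from the post: ".PDF" appears in the name, content is an archive.
    hinted = sorted(DOCUMENT_HINTS.intersection(parts))
    if hinted and actual in CONTAINERS:
        findings.append(f"name hints at {hinted[0]} but content is {actual}")

    # Final extension claims one known type while the bytes say another.
    known = {kind for _, kind in SIGNATURES}
    if final_ext in known and actual != "unknown" and final_ext != actual:
        findings.append(f"extension .{final_ext} does not match content {actual}")
    return findings


# Constructed samples: only the header bytes matter to the check.
SEVENZIP_HEADER = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26
PDF_HEADER = b"%PDF-1.4\n"

if __name__ == "__main__":
    for name, blob in [
        ("FedEx_Receipt.PDF.7z", SEVENZIP_HEADER),  # constructed file name
        ("FedEx_Receipt.pdf", SEVENZIP_HEADER),     # constructed file name
        ("invoice.pdf", PDF_HEADER),                # benign control
    ]:
        print(name, "->", check_attachment(name, blob) or "ok")
```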

Read More From Source.

http://www.infosecurity-magazine.com/news/fedex-delivery-notices-dropping/?utm_source=twitterfeed&utm_medium=twitter

Filed Under: Scam


JavaScript-toting spam emails: What should you know and how to avoid them?

December 16, 2016 by Jerry Stainthorpe

Source: https://blogs.technet.microsoft.com/mmpc/2016/04/18/javascript-toting-spam-emails-what-should-you-know-and-how-to-avoid-them/

We have recently observed that spam campaigns are now using JavaScript attachments aside from Office files. The purpose of the code is straightforward. It downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

  • TrojanDownloader:JS/Swabfex
  • TrojanDownloader:JS/Nemucod
  • TrojanDownloader:JS/Locky

The same JavaScript downloaders are also responsible for spreading the following ransomware:

  • Ransom:Win32/Tescrypt
  • Ransom:Win32/Locky

The spam email contains a .zip or .rar file attachment which carries a malicious JavaScript. The JavaScript attachment mostly has the following icon, depending on the system’s script software. The file names are either related to the spam campaign, or completely random:


Figure 1: Examples of JavaScript attachments from spam email campaigns

Filed Under: Uncategorized


US FBI PSA – Tech Support Scam

December 16, 2016 by Jerry Stainthorpe

http://www.ic3.gov/media/2016/160602.aspx

Tech Support Scam

The Internet Crime Complaint Center (IC3) is receiving an increase in complaints related to technical support scams, where the subject claims to be an employee (or an affiliate) of a major computer software or security company offering technical support to the victim. Recent complaints indicate some subjects are claiming to be support for cable and Internet companies to offer assistance with digital cable boxes and connections, modems, and routers. The subject claims the company has received notifications of errors, viruses, or security issues from the victim’s internet connection. Subjects are also claiming to work on behalf of government agencies to resolve computer viruses and threats from possible foreign countries or terrorist organizations. From January 1, 2016, through April 30, 2016, the IC3 received 3,668 complaints with adjusted losses of $2,268,982.

Technical Details

Initial contact with the victims occurs by different methods. Any electronic device with Internet capabilities can be affected.

  1. Telephone: This is the traditional contact method. Victims receive a “cold” call from a person who claims the victim’s computer is sending error messages and numerous viruses were detected. Victims report the subjects have strong foreign accents.
  2. Pop-up message: The victim receives an on-screen pop-up message claiming viruses are attacking the device. The message includes a phone number to call to receive assistance.
  3. Locked screen on a device (Blue Screen of Death – BSOD): Victims report receiving a frozen, locked screen with a phone number and instructions to contact a (phony) tech support company. Some victims report being redirected to alternate websites before the BSOD occurs. This has been particularly noticed when the victim was accessing social media and financial websites.
  4. Pop-up messages and locked screens are sometimes accompanied by a recorded, verbal message to contact a phone number for assistance.

Once the phony tech support company/representative makes verbal contact with the victim, the subject tries to convince the victim to provide remote access to their device.

If the device is mobile (a tablet, smart phone, etc.), the subject often instructs the victim to connect the device to a computer to be fixed. Once the subject is remotely connected to the device, they claim to have found multiple viruses, malware, and/or scareware that can be removed for a fee. Fees are collected via a personal debit or credit card, electronic check, wire transfer, or prepaid card. A few instances have occurred in which the victim paid by personal check.

Variations and Trends

An increasingly reported variation of the scam occurs when the subject contacts the victim offering a refund for tech support services previously rendered because the company has closed.

The victim is convinced to allow the subject access to their device and to log onto their online bank account to process the refund. The subject then has control of the victim’s device and bank account. With this access, the subject appears to have “mistakenly” refunded too much money to the victim’s account, and requests the victim wire the difference back to the subject company. In reality, the subject transferred funds among the victim’s own accounts (checking, savings, retirement, etc.) to make it appear as though funds were deposited. The victim wires their own money back to the company, not finding out until later that the funds came from one of their own accounts. The refunding and wiring process can occur multiple times, which results in the victim losing thousands of dollars.

Victims are increasingly reporting subjects are becoming hostile, abusive, and utilizing foul language and threats when being challenged by victims.

Additional Threats

The tech support scam is an attempt by subjects to gain access to victim devices. However, more can happen once a subject is given access to the device. For example:

  • The subject takes control of the victim’s device and/or bank account, and will not release control until the victim pays a ransom.
  • The subject can access computer files that may contain financial accounts, passwords, and personal data (health records, social security numbers, etc.).
  • The subject may intentionally install viruses on the device.
  • The subject threatens to destroy the victim’s computer or continues to call in a harassing manner.

Defense and Mitigation

  • Recognize the attempt and cease all communication with the subject.
  • Resist the pressure to act quickly. The subjects will urge the victim to fast action in order to protect their device. The subjects create a sense of urgency to produce fear and lure the victim into immediate action.
  • Do not give unknown, unverified persons remote access to devices or accounts. A legitimate software or security company will not directly contact individuals unless the contact is initiated by the customer.
  • Ensure all computer anti-virus, security, and malware protection is up to date. Some victims report their anti-virus software provided warnings prior to the attempt.
  • If a victim receives a pop-up or locked screen, shut down the device immediately. Victims report that shutting down the device and waiting a short time to restart usually removes the pop-up or screen lock.
  • Should a subject gain access to a device or an account, victims should take precautions to protect their identity, immediately contact their financial institutions to place protection on their accounts, and monitor their accounts and personal information for suspicious activity.

Filing a Complaint

Individuals who believe they may be a victim of an online scam (regardless of dollar amount) can file a complaint with the IC3 at www.ic3.gov.

To report tech support scams, please be as descriptive as possible in the complaint including:

  1. Name of the subject and company.
  2. Phone numbers and email addresses used by the subject.
  3. Websites used by the subject company.
  4. Account names and numbers and financial institutions that received any funds (e.g., wire transfers, prepaid card payments).
  5. Description of interaction with the subject.

Complainants are also encouraged to keep all original documentation, emails, faxes, and logs of all communications.

Because scams and fraudulent websites appear very quickly, individuals are encouraged to report possible Internet scams and fraudulent websites by filing a complaint with the IC3 at www.ic3.gov. To view previously released PSAs and Scam Alerts, visit the IC3 Press Room at www.ic3.gov/media/default.aspx.

Filed Under: Uncategorized


Tech support scams

December 16, 2016 by Jerry Stainthorpe

https://askleo.com/avoiding-tech-support-scams/?notenboom-avoidingsupportscams=&ad_id=504769&share-ad-id=1

Filed Under: Uncategorized


CyberCriminals Send out 14 Million Emails

December 16, 2016 by Jerry Stainthorpe

According to security firm AppRiver, this weekend was very busy for the cyber criminals.

Researchers are saying the bad guys sent out 14 million emails laced with Locky ransomware. Analyst Jonathan French figures that at least one botnet was used to send out the emails.

Locky was first seen in Feb. 2016. When it finds a victim, it encrypts the files and then asks for 0.5 bitcoin, which is valued at approximately $340.

AppRiver was able to monitor the activity with a global network of honeypots.

“Virus hits are tabulated on a global scale across our servers,” French explained, “we are able to pull the hit statistics for a rule we have and see the counts over time. If we know which specific rule is blocking which campaign — such as one we add for brand new malware variants — we are able to give a size to the amount of emails caught as well as a time frame.”

“The initial guess is due to the sudden drop in traffic during the 3 p.m. time frame and then a subsequent jump in virus traffic again,” French said, “it seems unlikely two botnets would be that coordinated in sending malware. Looking closer at some of the sending IP addresses between the two, we can see that many of the IPs were active during both malware pushes.”

Locky was dormant for a while and researchers are postulating the botnets may have been in need of upgrading before the push.

Source: CyberScoop

Filed Under: Scam


Safety tips for online shopping

December 16, 2016 by Jerry Stainthorpe

  1. If it’s too good to be true, it probably is. Many malware developers know now is the time to target online shoppers, and they will use intriguing “deals” to generate clicks. Whether it is ads offering free products or a “new” website that has the best deals out there, chances are you’ll never receive the product, but a stolen identity instead.
  2. Look out for fake delivery confirmation emails. These typically contain malware and can compromise your computer. If you ordered online, it is best to go directly to the website you ordered from, obtain your tracking number there and then go to the appropriate delivery service website to track the package.
  3. Social media sites have become a popular platform to target potential customers. Be on the lookout for fake ads, coupons, or freebies offered. This goes for emails offering prizes or gift cards too! Many times not only will these “deals” result in hackers stealing your payment information, but also could include malware to infect your computer.
  4. Avoid using public WiFi while making online purchases. This means, don’t do your online shopping while sipping your pumpkin spice latte at Starbucks. Get it to go, and shop from your couch! Public WiFi networks are not secure, leaving the door open to hackers.
  5. If you shop online, use a credit card. That way, if your information is stolen the cyber criminals are not tying up your personal funds from your checking or savings account.

Filed Under: Online Shopping, Scam


Quick tips for avoiding all scams

December 16, 2016 by Jerry Stainthorpe


  • If it sounds too good to be true, it probably is.
  • Read carefully: scams almost always have improper grammar or spelling mistakes which you won’t normally see in a legitimate message.
  • Check the email address it was sent from; it will often be easy to spot that the email didn’t come from support@amazon.com, for example.
  • If you click a link and are taken to a page looking for personal information, turn around. No company will immediately request that information from you to get a deal.

Now that we’re here, it’s finally time for the list. Let’s get rolling:

5. Fake Charity Emails

There is no doubt that during the holidays we tend to give more as a society. We’re all feeling happier, and are more willing to spread the cheer during the “giving season.” Cyber criminals are always on top of their best chances to scam you out of money and may even try to do it using fake charity emails. These could come in looking to get donations out of you, and may appear to be legitimate at first. Make sure to read carefully through the emails and look for their typical mistakes (typos, poor grammar, etc.). To be extra careful, if you’re looking to donate to a charity that came from a suspicious email, open your browser and manually navigate to their website. Using this process you ensure you’re not being fooled by any fake webpages and can continue to spread holiday cheer!

4. Fake Shipping Notifications

This scam attempt is very popular at all times of the year, but even more so during the holiday season. We all tend to order more things online during the holidays, which means UPS and FedEx are ramping up their deliveries to get all the packages out on time. Cyber criminals look to target this aspect by alerting you that your packages could not be delivered and that you need to fill out forms with personal information to reschedule the delivery. As we all know, if UPS attempts to make a delivery and can’t, they will leave a note on your door. You can also sign up for programs UPS and FedEx offer to monitor packages being sent to your address. This will allow you to skip over these shady emails and go right to your account to check a delivery status.

3. Black Friday or Cyber Monday Extravaganzas

We’re not the only ones who get overly excited for the steal of the year on that flat screen TV; cyber criminals look forward to Black Friday and Cyber Monday just like consumers. Cyber criminals have been preparing for this time of year and often put some serious dedication into their scams. In previous years, entire “Black Friday Deals” websites have been created to lure customers into buying fake products on their fake website. These sites show even lower prices than normal stores offer, to prey on customers looking for the best deal wherever they can find it. Be sure to always purchase directly from retailers no matter what sites you see deals on.

2. Fake E-Greeting Cards

E-greeting cards never really caught on as a popular trend, but they’re still used as a cute way to spread some holiday cheer and happiness. They’re even sometimes sent out by businesses as a way to spread some cheer to customers and wish them happy holidays. Because of this, criminals are out looking to take advantage of your holiday spirit and trick you into clicking their malicious links.

Sometimes these E-Greeting cards will come loaded with malware as an attachment (as a PC Matic customer this will be blocked easily), however they also may try to get you to give up personal information. This type of attack is focused on social engineering and will attempt to get you to enter personal information to win a “holiday contest”, or another silly excuse they come up with. Remember to avoid giving out personal information on the internet when possible, especially if it is solicited through a shady email or pop-up.

1. Fake Last Minute Shopping Deals

This year specifically, be on the lookout for scams that could involve Wal-Mart or Amazon. They are two of the big powerhouses in retail store and online shopping, and cyber criminals see pretending to be them as an easy target. These scams could come in the form of last-minute sales or coupons that will often sound too good to be true. If you see a deal like this and want to see if it’s legitimate, go directly to Amazon.com or Walmart.com and see for yourself. If they’re emailing about a deal, it will most likely be on the front page of their site.

Another way the criminals try to scam people with shopping-related deals is free gift cards; that’s right, FREE GIFT CARDS. They’ll often exclaim this offer in full caps to you in an email or malicious pop-up. A good rule of thumb for this one is that no store is ever going to give you a free gift card for filling out a form with personal information. There are some instances where stores offer gift card deals with a purchase; these are legitimate and are often done by stores like Target.

Filed Under: Scam


Fake ISP Complaint Emails Distribute Locky Ransomware Variant

December 16, 2016 by Jerry Stainthorpe

The latest Locky distribution campaign uses emails that pretend to be complaints from the victim’s ISP, stating that spam has been sent from the victim’s computer. The emails contain a ZIP attachment that uses social engineering to trick users into opening it: the file is named logs_[target_name].zip.

The ZIP file includes a JavaScript that, when opened, downloads an encrypted DLL that is decrypted into the %Temp% folder on the infected machine. Loaded using the legitimate Windows program Rundll32.exe, the DLL will install and execute the Locky ransomware.

As soon as the installation process has been completed, the ransomware scans the computer and network shares (including the unmapped ones) for specific file types and starts encrypting them. Encrypted files are renamed and given the .AESIR extension.

After the encryption process has been completed, the malware displays a ransom note informing the victim of what happened to their files and providing instructions on how to pay the ransom to decrypt the files.

http://www.securityweek.com/fake-isp-complaint-emails-distribute-locky-ransomware-variant
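Both this campaign and the JavaScript-toting spam described earlier on this page deliver a script inside a ZIP attachment, so a mail gateway or triage script can list an archive's members and flag script or executable types without extracting or running anything. The following is an added example, not code from any of the cited sources; the member names and sample archives are constructed, and .rar attachments are not covered because Python's standard library has no RAR reader.

```python
import io
import zipfile

# Extensions Windows will execute or hand to a script host on double-click.
RISKY_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta", ".exe", ".scr", ".dll"}
MAX_DEPTH = 2                  # levels of nested ZIPs to open
MAX_NESTED_BYTES = 10_000_000  # refuse to unpack very large nested archives


def risky_members(zip_bytes, depth=0, prefix=""):
    """Return paths of script/executable members inside a ZIP attachment."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            dot = lower.rfind(".")
            ext = lower[dot:] if dot != -1 else ""
            if ext in RISKY_EXTENSIONS:
                hits.append(prefix + name)
            elif ext == ".zip" and depth < MAX_DEPTH:
                # Encrypted or oversized inner archives cannot be inspected: flag them.
                if info.flag_bits & 0x1 or info.file_size > MAX_NESTED_BYTES:
                    hits.append(prefix + name + " <not inspected>")
                    continue
                inner = archive.read(info)
                hits.extend(risky_members(inner, depth + 1, prefix + name + "!"))
    return hits


def build_sample(members):
    """Build a constructed in-memory ZIP from {name: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples with harmless placeholder content.
SAMPLE_SCRIPT_ZIP = build_sample(
    {"logs_example.js": b"// harmless placeholder", "readme.txt": b"hello"}
)
SAMPLE_NESTED_ZIP = build_sample(
    {"docs/inner.zip": build_sample({"report.js": b"// harmless placeholder"})}
)
SAMPLE_CLEAN_ZIP = build_sample({"notes.txt": b"nothing to see"})

if __name__ == "__main__":
    for label, blob in [("script", SAMPLE_SCRIPT_ZIP), ("nested", SAMPLE_NESTED_ZIP),
                        ("clean", SAMPLE_CLEAN_ZIP), ("garbage", b"not a zip")]:
        print(label, "->", risky_members(blob) or "no risky members")
```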

Filed Under: Scam

