Cryptowall 2.0 and Assorted Ransomware; Prevention

CryptoWall 2.0 Ransom Note

There’s some nasty malware showing up in inboxes right now, disguised as fake receipts and documents, or delivered on web sites from a very fake ‘You must update your… ‘ message. While these have always been a major source of computer attacks, the current batch deserves special prevention and backups. CryptoWall 2.0, CryptoLocker, and other ransomware arrive quietly, encrypt all your documents in the background, and then place a ransom notice on your screen, asking for payment in Bitcoins or an untraceable money order. The encryption is not breakable on most variations of this ransomware; the best defenses are to never work with an administrator account (use ‘standard’ or ‘limited’), to back up your entire computer on a schedule, and to unplug the backup device between backups–these programs encrypt every document they can see, even on backup drives and networks.

We have more information on prevention, either do-it-yourself or as a service, here. And we can help with the cleanup, in central Maryland.

Phone Call from Microsoft… NOT

You would think that the malware pushers would know better than to place a phone call to a company that specializes in cleaning up malware and try to lie to us. Nope. So here’s what’s happening:

The phone rings, I answer, and manage to start recording right after. The standard LIES are that they’re from Microsoft, and are in the US, and can see viruses in your computer, and can clean them up, and can be trusted, and, on and on–all wrong. Whoever wrote the script was skilled enough to point you at screens showing information just technical enough to look scary. They take you to the ‘event log’–that’s a list of routine stuff. Not scary unless the computer is already spitting sparks out the front.

Don’t try this at home. The results of letting these guys actually play in your PC are not pretty for your computer or your credit card. When you get this phone call, just hang up.

Infectious Fax? No, It’s a Dangerous Download

Urgent emails are mostly phishing. Don't open them.

Today’s mail includes a new variation of an existing scam. It’s a simple message, apparently coming from your own email server, reporting the arrival of a fax. Note that it’s all super-generic; the from address is fax@ (your email domain here), and the return address is (probably random) blopez27@ (your email domain here). The download link goes through Google’s link shortening service, but other URL shorteners are likely also in use–note the reference to Dropbox in the email–OOPS!


Don’t Do What I Did–I Am A Professional

OK, I followed the link. It led to a ZIP file, and I downloaded it. Again, don’t try this at home.
Then I opened the file. It contains one file, ‘Document-2816409172.scr’. I did NOT open that file.

A fax would typically be an image file, probably PNG or TIF or JPG format. It will not be inside a ZIP, because ZIP files compress or bundle other files, and image files are already compressed as much as they can be, so zipping them makes them slightly larger–there’s no logical reason to zip a fax image.

An SCR file is a Windows screen saver, and it can contain scripting and program code. It’s potentially very dangerous.

So, for those of you who still use 20th-Century image transmission technology, er, faxes, be advised of these facts:

  • Email services won’t receive faxes for you.
  • Fax-to-email services are branded with the name of the service provider that you pay a monthly fee to, and on corporate networks the notice carries much more identifying information than just the domain name from your email address.
  • If you haven’t paid for a fax phone number through a paid service, any fax that arrives is anything but a fax.

OK, all of this should be obvious, but if no one is falling for the scam, then why haven’t the senders moved on to the next evil idea?

Don’t Search Online for Tech Support Phone Numbers

Tech support phone agent standing by

by Jerry Stern

A few of my customers have made the mistake of going to Google and searching, for example, for “HP tech phone”, and called the number that showed up. All of them recognized that the phone call was very, very odd, and hung up once the company at the far end remoted into their machines, blamed all problems on malware, and asked for $150 to $300 to clean it all up, and none of them were burnt.

What I’ve done is search for the phone number they dialed, in quotes, and each time, I found at least a dozen listings for a company with that phone number saying that they are the authorized tech support for a particular company, with a page for each of HP, Microsoft, Samsung, Sony, Brother, and so on and on. Or, to be more accurate, NONE of the above–it’s fraud.

So if you must search Google for tech support phone numbers, do it like this: “site:____company_domain__ tech support phone”

So for Microsoft, the search would be “ tech support phone”
The results will bring up ONLY search results on the domain after “site:”, and not random fraud and paid placements.

Here’s what the Federal Trade Commission had to say about this on November 20th, but remember that they’ve only settled one case. The practice is still prevalent:

Tech Support Scheme Participant Settles FTC Charges

One of the defendants in an alleged tech support scheme has agreed to settle a Federal Trade Commission complaint against him and give up the money he made from the scheme.

Navin Pasari is a defendant in one of six complaints filed by the FTC in September 2012 as part of the Commission’s ongoing efforts to protect consumers from online scams. According to the complaint against Pasari and his co-defendants, the defendants placed ads with Google, which appeared when consumers searched for their computer company’s tech support telephone number. After getting consumers on the phone, the defendants’ telemarketers allegedly claimed they were affiliated with legitimate companies, including Dell, Microsoft, McAfee and Norton, and told consumers they had detected malware that posed an imminent threat to their computers. The scammers then offered to rid the computer of the non-existent malware for fees ranging from $139 to $360.

The stipulated final order against Pasari imposes a $14,369 monetary judgment, which represents the total amount of money Pasari received in connection with the scam. The final order also requires him to divest his ownership interest in PCCare247 Inc., another defendant in the action, and transfer any proceeds he receives from the divestiture to the FTC.

In addition, the final order prohibits Pasari from opening or assisting with the opening of payment processing accounts for a company or other entity unless he personally supervises the accounts. The final order also prohibits Pasari from misrepresenting or assisting others in misrepresenting any information to consumers.

While the stipulated final order announced today resolves the FTC’s claims against Pasari, litigation continues against the remaining defendants in each of these actions.

The Commission vote approving the stipulated final order was 4-0. The U.S. District Court for the Southern District of New York entered the judgment on Nov. 12, 2013.

Fedex burned my package! (Not)

Fake Fedex email is a phish.

When I have to choose between informing email users about what kind of email scams are resulting in infected computers, and informing email scammers about what they’re doing wrong, I choose to turn on the lights, and hope the bugs run.

From today’s email, I see an email that claims to be from Fedex. The logos and reply address are correct, but in the header I see that the sending computer is Belinda…, which I’ve shortened, because Belinda has an infected computer and doesn’t know what it’s been told to do. So apparently, Fedex in the USA sends emails from the University of Melbourne. Not.

And here’s the email text, with errors left as they are:

Message Subject: “We can not diliver your package”

“We apologize, but it seem so, that we not can deliver your package. One of our trucks is burned tonight. In attachment you can find a form for insurance. Please fill it out and send it us urgent, because we must told amount of damage to the Insurance company.”

And the attachment is 65.3 Kb, and while that size might be possible for a form, the filename is “”. A document should be a PDF or possibly a DOC file, never a ZIP, which is a compressed multi-file archive. Inside the zip there is a file named “Insurance_FEDEX_-N774662.exe”. That’s a program, not a document, and I won’t run it; that’s a dangerous package to open.

In short: Be suspicious of emails that want you to open an attached file. They lead to repair bills.
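The two checks these posts rely on, reading the Received headers to find the machine that really sent a message (the Fedex post above) and looking inside a ZIP attachment for a program dressed up as a document (the zipped .scr in the fax post and the zipped .exe here), as an added Python example. This is not code from the original posts; the message it parses is constructed test data, and every host name, address and file name in it is a placeholder.

```python
import base64
import email
import io
import re
import zipfile
from email import policy
from email.utils import parseaddr

# File extensions Windows treats as programs. A fax image or an insurance form
# should never arrive as one of these, whether bare or inside a ZIP.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_message():
    """Construct a sample message in the shape of the fax and Fedex lures.

    Constructed test data: hosts, addresses and the ZIP member name are
    placeholders, and the .scr payload is an inert byte string.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document-0000000000.scr", b"inert placeholder, not a program")
    zip_b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        # Newest hop first: our own mail exchanger accepting the message.
        "Received: from relay.example.net (relay.example.net [192.0.2.10])\r\n"
        "\tby mx.example.com with ESMTP; Mon, 01 Dec 2014 09:00:00 +0000\r\n"
        # Earliest hop last: the infected home PC that really sent it.
        "Received: from belinda-pc.home.example.edu (belinda-pc.home.example.edu [203.0.113.55])\r\n"
        "\tby relay.example.net with SMTP; Mon, 01 Dec 2014 08:59:00 +0000\r\n"
        "From: fax@example.com\r\n"
        "Reply-To: blopez27@example.com\r\n"
        "To: user@example.com\r\n"
        "Subject: You have received a new fax\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n'
        "\r\n"
        "--BOUNDARY\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Your fax is attached.\r\n"
        "--BOUNDARY\r\n"
        'Content-Type: application/zip; name="fax.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="fax.zip"\r\n'
        "\r\n" + zip_b64 + "\r\n--BOUNDARY--\r\n"
    )


def originating_host(msg):
    """Host named in the earliest Received header (the last one listed).

    Each relay prepends its own Received line, so the bottom-most one names
    the machine the message first came from, whatever From: claims.
    """
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    match = re.search(r"\bfrom\s+([^\s(]+)", str(hops[-1]))
    return match.group(1).lower() if match else None


def claimed_domain(msg):
    """Domain part of the From: address, as the message wants you to read it."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def _extension(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def executable_payloads(msg):
    """(attachment name, member name) pairs that Windows would run as programs.

    ZIP attachments are opened in memory and only their member names are
    inspected; nothing is extracted to disk and nothing is executed.
    """
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if _extension(name) in EXECUTABLE_EXTENSIONS:
            findings.append((name, name))
        elif data.startswith(b"PK"):  # ZIP local file header signature
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if _extension(member) in EXECUTABLE_EXTENSIONS:
                            findings.append((name, member))
            except zipfile.BadZipFile:
                findings.append((name, "(unreadable archive)"))
    return findings


def triage(raw_message):
    """Run both checks over one raw RFC 5322 message and summarise them."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domain = claimed_domain(msg)
    origin = originating_host(msg)
    matches = bool(domain and origin) and (origin == domain or origin.endswith("." + domain))
    return {
        "claimed_domain": domain,
        "originating_host": origin,
        "origin_matches_claim": matches,
        "executable_payloads": executable_payloads(msg),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_message()).items():
        print(f"{key}: {value}")
```

The attachment is only listed, never extracted or run. The Received check is evidence rather than proof: the lines added by your own servers are trustworthy, but the earliest line can itself be forged by the sender, so a mismatch between the claimed domain and the originating host is a reason to be suspicious, not a verdict on its own.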

Business Proposal from Johannesburg

Phishing emails

From the SPAM pile this morning…

Dear Friend,

It is with trust and sincerity that I approach you for assistance to transfer some funds into your bank account. Please do accept my apology if my mail infringes on your personal ethics. My name is Augustine Dinga, A Private Lawyer based here in Johannesburg South Africa. Honestly it will be my humble pleasure if we can work together.

I would like you to act as the next of kin to my deceased client, a citizen of your country that has the same last name with you who made a deposit of $23.5 million only with a Bank here in Johannesburg few years back. He died in a plane crash with his immediate family in a plane crash without any registered next of kin and as such the funds now have an open beneficiary mandate with a Bank, This means that any person from your country can act as the next of kin of the deceased person for claiming the inheritance funds without any risk involved.

Moreso, I have received official letter from the bank suggesting a likely proceeding for confiscation of the Fund in line with existing laws by the bank in which my client deposited the sum of $23.5 Million Dollars . According to the Government Law as provided in section 129 sub 63(N), South African Banking Edit of 1961 at the expiration of 11 years the fund will revert to the ownership of the South African Government, if nobody applies to claim the fund.

My proposition to you is to present you to the bank as the Next of kin and beneficiary of my deceased client so that the bank will pay this $23.5 million to you so that we can share the amount on a mutually agreed percentage of 60% for me 40% for you.

All legal documents to back up your claim as the deceased Next of Kin will be provided by me. All I require is your honest cooperation to enable us see this transaction through. I guarantee you that this will be executed under a legitimate arrangement that will protect you from any breach of the law.

If you are interested in this transactions, Please do let me know immediately so that I can give you comprehensive details on how to proceed.

Barrister Augustine Dinga

OK, for those who don’t know, it’s a variation on the classic Nigerian letter that I was getting on my fax machine 15 years ago, and by air post back around 1992. Basically, they claim to overpay and ask for a refund, sent by a method that can’t be reversed, and then the original payment, frequently a major U.S. company’s check, is found to be fake, and that’s reversed, and after that, well, federal officials show up at your door. That’s here. Over there, which might or might not be in the country claimed, it only takes one fool out of a billion spams to make you rich, and there’s no risk. Nice little business.

I usually don’t reply to these letters; they’re just too sad. But maybe, just this once:

My Dearest Augustine Dinga:

I am so saddened to hear that your friend, whom you didn’t name, by the way, has passed away. That’s probably my third cousin, twice removed, Ersatz Morgan Billy-Bob Jones Jr., who went down in a flaming trail of air cargo and land records being shipped to your country. So sad.

Yes, of course I’ll help. But I have a problem of my own. Perhaps we can help each other. There were all those flaming land records, remember? Some important ones were lost. I still have the original deed involved, of course, but I’ll need a buyer for the property, oh, and must have an overseas barrister, too, and I shouldn’t really go lower than $24 million, but I suppose for a friend of my poor crispy cousin, I could take the $23.5 million amount.

The property in question is something of a landmark, you see. Please let me know right away if you could consider buying it; it’s just massive, and a terrific income-producing structure that brings in tolls all day every day. We call it the ‘Brooklyn Bridge’.

Very Truly Yours, Etc, etc.

Jerry Stern is webmaster at and