Cryptowall 2.0 and Assorted Ransomware; Prevention

CryptoWall 2.0 Ransom Note

There’s some nasty malware showing up in inboxes right now, disguised as fake receipts and documents, or delivered on web sites from a very fake ‘You must update your… ‘ message. While these have always been a major source of computer attacks, the current batch deserves special prevention and backups. CryptoWall 2.0, CryptoLocker, and other ransomware arrive quietly, encrypt all your documents in the background, and then place a ransom notice on your screen, asking for payment in Bitcoins or an untraceable money order. The encryption is not breakable on most variations of this ransomware; the best defenses are to never work with an administrator account (use ‘standard’ or ‘limited’), and to backup your entire computer on a schedule, and unplug the backup device between backups–these programs encrypt every document they can see, even on backup drives and networks.

We have more information on prevention, either do-it-yourself or as a service, here. And we can help with the cleanup, in central Maryland.

Phone Call from Microsoft… NOT

You would think that the malware pushers would know better than to place a phone call to a company that specializes in cleaning up malware and try to lie to us. Nope. So here’s what’s happening:

The phone rings, I answer, and manage to start recording right after. The standard LIES are that they’re from Microsoft, and are in the US, and can see viruses in your computer, and can clean them up, and can be trusted, and, on and on–all wrong. The skill level of whoever wrote the script is high enough that they do point to screens that do show information that is sufficiently technical that it looks scary. They take you to the ‘event log’–that’s a list of routine stuff. Not scary unless the computer is already spitting sparks out the front.

Don’t try this at home. The result of letting these guys actually play in your PC are not pretty for your computer or your credit card. When you get this phone call, just hang up.

Infectious Fax? No, It’s a Dangerous Download

Today’s mail includes a new variation of an existing scam. A simple message, apparently coming from your own email server, reporting the arrival of a fax message. Note that it’s all super-generic; the from address is fax@ (your email domain here), and the return address is (probably random) blopez27@ (your email domain here). The download link is through Google’s goo.gl link shortening service, but other domain shorteners are likely also in use–note the reference to Dropbox in the email–OOPS!

 

FakeFax-anon
 

Don’t Do What I Did–I Am A Professional

OK, I followed the link. it led to a ZIP file, and I downloaded it. Again, don’t try this at home.
Then I opened the file. It contains one file, ‘Document-2816409172.scr’. I did NOT open that file.

A fax would typically be an image file, probably PNG or TIF or JPG format. It will not be inside a ZIP, because ZIP files compress or bundle other files, and image files are already compressed as much as they can be, so zipping them makes them slightly larger–there’s no logical reason to zip a fax image.

An SCR file is a Windows screen saver, and it can contain scripting and program code. It’s potentially very dangerous.

So, for those of you who still use 20th-Century image transmission technology, er, faxes, be advised of these facts:

  • Email services won’t receive faxes for you.
  • Fax services are branded with the name of the service provider that you pay a monthly fee to, or on corporate networks, much more information than just the domain name from your email address.
  • If you haven’t paid for a fax phone number through a paid service, any fax that arrives is anything but a fax.

OK, all of this should be obvious, but if no one is falling for the scam, then why haven’t the senders moved on to the next evil idea?
 

Windows XP support has ended at Microsoft. So What?

XP-Ends

On Patch Tuesday of this month, Microsoft sent the last batch of patches to Windows XP users. What does this mean?

First, the positive items:

  • XP Activation, needed for re-installing Windows XP, still works. I’ve done it since April 8th, and it is not a problem.
  • Existing patches still download, if they are from AFTER Service Pack 3 for Windows XP.
  • Service Pack 3 is still available for Windows XP.
  • Microsoft’s very basic antivirus, ‘Security Essentials’, will continue to function, with warnings, on Windows XP with Service Pack 3, but is no longer available to download on XP.
  • Many antivirus companies have announced that they will continue to provide protection for Windows XP.
  • Alternate browsers are available for Windows XP, including versions of Mozilla FireFox and Google Chrome.

Next, the negatives:

Don’t Search Online for Tech Support Phone Numbers

by Jerry Stern
CTO, PC410.com

A few of my customers have made the mistake of going to Google and searching, for example, for “HP tech phone”, and called the number that showed up. All of them recognized that the phone call was very, very odd, and hung up once the company at the far end remoted into their machines, blamed all problems on malware, and asked for $150 to $300 to clean it all up, and none of them were burnt.

What I’ve done is search for the phone number they dialed, in quotes, and each time, I found at least a dozen listings for a company with that phone number saying that they are the authorized tech support for a particular company, with a page for each of HP, Microsoft, Samsung, Sony, Brother, and so on and on. Or, to be more accurate, NONE of the above–it’s fraud.

So if you must search Google for tech support phone numbers, do it like this: “site:____company_domain__ tech support phone”

So for Microsoft, the search would be “site:microsoft.com tech support phone”
The results will bring up ONLY search results on the domain after “site:”, and not random fraud and paid placements.

Here’s what the Federal Trade Commission had to say about this on November 20th, but remember that they’ve only settled one case. The practice is still prevalent:


Tech Support Scheme Participant Settles FTC Charges

One of the defendants in an alleged tech support scheme has agreed to settle a Federal Trade Commission complaint against him and give up the money he made from the scheme.

Navin Pasari is a defendant in one of six complaints filed by the FTC in September 2012 as part of the Commission’s ongoing efforts to protect consumers from online scams. According to the complaint against Pasari and his co-defendants, the defendants placed ads with Google, which appeared when consumers searched for their computer company’s tech support telephone number. After getting consumers on the phone, the defendants’ telemarketers allegedly claimed they were affiliated with legitimate companies, including Dell, Microsoft, McAfee and Norton, and told consumers they had detected malware that posed an imminent threat to their computers. The scammers then offered to rid the computer of the non-existent malware for fees ranging from $139 to $360.

The stipulated final order against Pasari imposes a $14,369 monetary judgment, which represents the total amount of money Pasari received in connection with the scam. The final order also requires him to divest his ownership interest in PCCare247 Inc., another defendant in the action, and transfer any proceeds he receives from the divestiture to the FTC.

In addition, the final order prohibits Pasari from opening or assisting with the opening of payment processing accounts for a company or other entity unless he personally supervises the accounts. The final order also prohibits Pasari from misrepresenting or assisting others in misrepresenting any information to consumers.

While the stipulated final order announced today resolves the FTC’s claims against Pasari, litigation continues against the remaining defendants in each of these actions.

The Commission vote approving the stipulated final order was 4-0. The U.S. District Court for the Southern District of New York entered the judgment on Nov. 12, 2013.

Fedex burned my package! (Not)

When I have to choose between informing email users about what kind of email scams are resulting in infected computers, and informing email scammers about what they’re doing wrong, I choose to turn on the lights, and hope the bugs run.

From today’s email, I see an email that claims to be from Fedex. The logos and reply address are correct, but in the header I see that the sending computer is Belinda…@unimelb.edu.au, which I’ve shortened, because Belinda has an infected computer and doesn’t know what it’s been told to do. So apparently, Fedex in the USA sends emails from the University of Melbourne. Not.

And here’s the email text, with errors left as they are:

Message Subject: “We can not diliver your package”

“We apologize, but it seem so, that we not can deliver your package. One of our trucks is burned tonight. In attachment you can find a form for insurance. Please fill it out and send it us urgent, because we must told amount of damage to the Insurance company.”

And the attachment is 65.3 Kb, and while that size might be possible for a form, the filename is “Insurance_form_#43824.zip”. A document should be a PDF or possibly a DOC file, never a ZIP, which is a compressed multi-file archive. Inside the zip there is a file named “Insurance_FEDEX_-N774662.exe”. That’s a program, not a document, and I won’t run it; that’s a dangerous package to open.

In short: Be suspicious of emails that want you to open an attached file. They lead to repair bills.