TalkTalk too TalkTalkative?

For the Register, Kat Hall revisits the allegations that the security of TalkTalk customers was compromised by data leaked to support scammers. In the BBC’s Moneybox programme it was claimed that ‘criminals appear to have accessed the details of TalkTalk engineer home visits and have gone on to use this information to trick customers’.

It’s not altogether clear that there is a direct link, but Hall points out that:

‘At the end of January, TalkTalk said it was considering cutting ties with its Indian call centre provider after three employees at the site were arrested for allegedly scamming customers.’

Added to the support scam resource page.

David Harley

Ransomware and business in the UK

Last week (26th January 2016), Foursys published the results of its cybersecurity survey: IT Security Survey Results: “Cybersecurity in 2016 and beyond”. Questions were posed to more than 400 organizations in the UK, from SMEs to major corporates and public sector organizations. Somewhat alarmingly, of the 15.8% of respondents who admitted to a security breach event in 2015 (a further 15.8% declined to disclose), 41.9% of respondents said they’d suffered a ransomware breach, which is why I’m mentioning it here.

The overall results of the survey are summarized in infographic form here.

David Harley

Ransomware: decryption doesn’t always cost

Happy endings aren’t nearly as common as I’d wish in the world of ransomware, but David Balaban’s guest blog article for Tripwire offers a few instances where decryption didn’t mean paying a ransom:

Ransomware Happy Ending: 10 Known Decryption Cases

The instances he cites include:

  • Locker
  • Torlocker
  • Teslacrypt
  • Coinvault and Bitcryptor
  • Linux.encoder.1
  • Cryptolocker
  • Cryptinfinite
  • Radamant
  • Cryptolocker2015

Unfortunately, recovery tools rarely work forever: often the scammer wises up and fixes the holes in his code. So there are many cases where paying up is the only way to get your data back if you don’t have backups. But before you do pay up, consider Balaban’s advice and ‘describe your problem on computer help forums like Bleeping Computer or Malwarebytes.’ Or, of course, contact the company that makes your security software.

Don’t just assume that the scammers are evil geniuses who can’t be beaten.

David Harley

Unlucky 7ev3n: greedy ransomware and how to avoid it

Bob Covello posted an interesting article on Graham Cluley’s site on The new economics of data protection in a world of ransomware. He cites the case of 7ev3n, a more-than-usually greedy instance of ransomware demanding a hefty 13 bitcoins for the key to your encrypted data. That is very much in contrast, by the way, to the £350 apparently demanded by the attackers who caused Lincolnshire council to shut down their systems for a few days, though the BBC reported the ransom demand as being for a heart-stopping £1m. A subsequent report by the BBC not only cited the lower figure, but asserted that the council had announced that it would not pay the ransom. It’s by no means impossible that demands will continue to rise if and when ransomware gangs get more into the idea of extorting businesses rather than (or at any rate as well as) individuals, who may simply not be able to afford such sums. Come to that, a business may be less able to write off its data than an individual, who may simply decide that his or her data is not worth paying so much for.

The core message of Covello’s article is simple enough. Even the most expensive backup and cloning options he cites look much more attractive than paying an estimated $5,000 in the hope of having the 7ev3n gang restore your data.

I wouldn’t agree with Marcin Kleczynski that

Even using backup systems isn’t an effective countermeasure because ransomware would actively look for different types of backup systems and encrypt them, too.

Nevertheless, it is worth remembering that ransomware does look for external storage and encrypt what it finds there, if possible. So you need to bear in mind:

  • While external storage is connected, data stored there may be as vulnerable as data on your internal drives. Storage that is only connected when you need it to be is obviously safer than an always-on network or cloud drive. And don’t discount the value of backups of backups. This paper by my colleague Aryeh Goretsky is several years old and so predates the current upsurge in ransomware, but it does address the backup basics very clearly, and they haven’t changed much: Options for backing up your computer
  • If you do have to restore from backup, you need to be sure that the malware is no longer on your system. (Part of the value of cloning.)

David Harley

‘Educational’ ransomware

An article by David Bisson – Ransomware author tries to blackmail security researcher into taking down ‘educational’ malware project – looks at the complicated relationship between unequivocal ransomware (Magic, Ransom_Cryptear.B) and open-source ‘educational’ malware (Hidden Tear, EDA2). Not to mention the unfortunate affair of the free-hosting service that suspended the author’s account and deleted the data, so that even the criminal is unable to decrypt affected files now.

David Harley


Martin Zhang blogs for Symantec about the Android ransomware the company calls Android.Lockdroid.E here: Android ransomware variant uses clickjacking to become device administrator

The malware passes itself off as a porn app. It encrypts files, but if it succeeds in gaining access rights, it also has the ability to lock the device, change the PIN, and delete data via a factory reset.

The clickjacking technique it uses apparently works with versions of Android prior to version 5.0. Unfortunately, that may include up to 67% of Android devices.

Commentary by Pierluigi Paganini here. 

Commentary by The Register here: Two-thirds of Android users vulnerable to web history sniff ransomware – Crooks want you to pay up on pain of severe embarrassment – and more

David Harley

TalkTalk and Wipro still TalkTalking?

A slightly opaque story about TalkTalk and arrests at the Indian call centre it’s been using to lighten its support load.

Adding to the Support Scam Resource Page, though it’s not clear exactly what the scam was from TalkTalk’s statements.

David Harley

Support Scams and the Security Industry

For Graham Cluley’s blog, David Bisson summarizes the story of how Symantec ended its agreement with one of its partners after Jérôme Segura reported for Malwarebytes on how the partner was using tech support scam techniques to trick customers into buying Norton Antivirus and a year’s support at prices well in excess of the price point set by Symantec.

You may recall that I also commented here on the story last week, though I focused on slightly different issues.

Among the classic scam ploys used by the scammer Jérôme talked to were the notorious CLSID misrepresentation and the misrepresentation of the legitimate Windows utility csrss.exe (Client/Server Runtime Subsystem). While this is an essential component of modern Windows versions, malware does sometimes use the same filename in the hope of making it harder to detect, and purveyors of support scams sometimes use the Task Manager (as in this case) or another utility such as Tasklist.

In fact, if you run one of these utilities, you’ll find that you have lots of legitimate processes running with names that are sometimes associated with malicious software (for example, lsass.exe and svchost.exe) but the processes are legitimate and often essential. The scammer doesn’t care about this, of course: he just wants to ‘prove’ to you that there are ‘malicious’ processes on your system, so that you’ll let him have remote access to it and charge you accordingly. The value to the scammer of using a filename that is also used by malware is that they can direct you to Google searches that will lead you to alarming references to the ‘csrss.exe virus’ or Trojan. Some of these links are malicious, some are well-meant but misleading, and some are genuinely informative. However, the scammer is not going to encourage you to read anything that is really informative.
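As an added illustration (my own example, not from any of the articles cited above), here is a PowerShell check that does what the scammer will not: for each running process bearing one of the system names scammers like to point at (csrss.exe, lsass.exe, svchost.exe and friends), it verifies that the image really lives in the Windows system directory and carries a valid Microsoft signature. The cmdlets are standard; the watch list of names and the verdict wording are my own choices.

```powershell
# Added example, not from the original post: confirm that processes bearing
# well-known Windows system names really are the legitimate system binaries.
# Needs Windows PowerShell 3+ on Windows 8 or later, where Get-AuthenticodeSignature
# also validates catalog-signed files such as csrss.exe. Run from an elevated
# prompt, or protected processes will report no path and get an 'unknown' verdict.

# Process names that support scammers habitually label 'viruses' (list is mine).
$watched = @('csrss.exe', 'lsass.exe', 'svchost.exe', 'services.exe', 'winlogon.exe')

# Genuine copies live here (SysWOW64 holds the 32-bit svchost.exe on 64-bit Windows).
$allowedDirs = @((Join-Path $env:SystemRoot 'System32'),
                 (Join-Path $env:SystemRoot 'SysWOW64'))

Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -in $watched } |      # -in compares case-insensitively
    ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) {
            # A non-elevated caller cannot read the path of protected processes;
            # that is normal for csrss.exe and lsass.exe, not evidence of malware.
            [pscustomobject]@{ PID = $_.ProcessId; Name = $_.Name
                               Path = '(not readable)'; Verdict = 'unknown: rerun as administrator' }
            return   # behaves like 'continue' inside ForEach-Object
        }

        $dir        = [System.IO.Path]::GetDirectoryName($path).TrimEnd('\')
        $inSysDir   = $dir -in $allowedDirs

        # The file must carry, or be covered by, a valid Microsoft signature.
        $sig        = Get-AuthenticodeSignature -FilePath $path
        $msSigned   = ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Subject -like '*Microsoft*')

        if ($inSysDir -and $msSigned)  { $verdict = 'legitimate' }
        elseif (-not $inSysDir)        { $verdict = 'SUSPICIOUS: unexpected directory' }
        else                           { $verdict = "SUSPICIOUS: signature status $($sig.Status)" }

        [pscustomobject]@{ PID = $_.ProcessId; Name = $_.Name; Path = $path; Verdict = $verdict }
    } | Format-Table -AutoSize
```

A 'SUSPICIOUS' verdict is a reason to investigate the file, not proof of infection; on a healthy machine every row should read 'legitimate' (or 'unknown' when not elevated).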

I particularly like David’s suggestion that:

If you come across a fake anti-virus alert, collect screenshots, audio, and whatever other data you can document about the messages, and then post those files on the affected anti-virus firm’s forum. Those companies will take no greater pleasure than in shutting down someone exploiting their potential customers.

While no-one in this business likes to see scammers getting away with anything, it’s particularly satisfying when we’re able to take direct action against those whose actions are responsible for blackening the reputations of an industry which, by and large, tries harder than most to behave honourably and ethically. Of course, I wouldn’t want to discourage you from reporting scammers to law enforcement, either. No doubt they make good use of the information even if they tend not to talk about it.

It’s worth mentioning that forums aren’t the only way to contact a security company. If you have a support agreement with a vendor, you can certainly talk to its support desk. Most companies have an address to which you can send malicious samples and links. And some of us who write about this stuff get lots of comments to our blogs. That CLSID blog I mentioned above has attracted many hundreds of comments. I can’t reply to them all, but I do read them, and sometimes they provide material for further research and writing. One I really liked recently observed:

“This scammer called today and I played along. When he read my CLSID I googled “CLSID” and found this page. I told him that I had googled it and found that everyone has that CLSID. He told me that my google was broken. Best laugh of the day!”

Fortunately, people aren’t generally as dumb as scammers believe they are. There’s a difference between not knowing much about technology and being stupid. Though in these days of elaborate online scams, it really is smart to go out of your way to learn more about the technology you use than the bare bones of logging in and typing in text.

David Harley