Monthly Archives: October 2016

Support Scam Threatens to Delete Hard Drive

Siddhesh Chandrayan, for Symantec, reports on a particularly vicious example of social engineering designed to scare a victim into ringing a fake support line:

Tech support scams increasing in complexity – Tech support scammers have begun using code obfuscation to avoid detection.

The pop-up fake alert claims that the victim’s system is infected with ‘’ and that the hard drive will be deleted if he or her tries to ‘close this page’. It displays a fake ‘hard drive delete timer’ complete with audio effect.

Don’t panic! In principle, Javascript like this isn’t able to do any such thing: that’s a security feature of the language. (There are, of course, other ways of accessing and changing the contents of a client-side disk, but there’s no suggestion that any of those mechanisms are at play here.)

The obfuscated script also includes code to ascertain whether the system is running Windows, ‘MacOS’, UNIX or Linux, so that the alert can be tailored accordingly.

Commentary by David Bisson, writing for Graham Cluley’s blog: Scare tactics! Tech support scam claims your hard drive will be deleted – Scammers tries to frighten you into phoning them up.

David Harley

Support Scams: the supply chain

Support scammers tend to be seen by people with a reasonable understanding of technology as being pretty low-grade, as scammers go.

‘Support desk’ scammers are sometimes subjected to humiliating telephone exchanges by people who take an understandable pleasure in wasting their time by pretending to be even dumber victims. They capitalize on the fact that scammers at this level are often easily confused if the victim doesn’t follow the script, and don’t have the technical knowledge to respond appropriately to reverse social engineering. Yet some of the tricks they deploy to convince victims that their systems are compromised so that they seek help from a fake helpline have become surprisingly sophisticated. As have the scammer organizations themselves.

For Malwarebytes, William Tsing offers an explanation as to how support scammers ‘can be sophisticated enough to set up infrastructure handling and network tracking, SEO cloaking, and payment processing.’ His suggestion is that behind the scam companies is a ‘criminal underclass’ offering prefabricated scam packages ‘that only require a credit card and ill intent to set up.’ And since most cybercrime works on a similar model, that comes as no surprise. In his article, he dissects a specific example of a Scam in a Box: Scamming as a service – seriously.

David Harley

Security Essentials or Support Scam?

Microsoft describes a malicious program that masquerades as an installer for Microsoft’s own Security Essentials program. What Hicurdismos actually does is generate a fake Blue Screen of Death (BSoD) including a ‘helpline number’: so yes, it’s essentially a malware-aided tech support scam. It is spread by drive-by-download, and takes a number of steps to make itself look like a serious system issue, such as hiding the mouse cursor and disabling Task Manager.

Security Essentials is still available from Microsoft’s own support site for Windows version 7 and below. Windows 8.x and 10 users should note that it can’t be used on their systems,. However, they don’t need it since the version of Windows Defender that comes with 8.x and 10 has equivalent functionality (unlike the version on earlier Windows versions). However, apart from the pointer to the ‘helpline’, the fake BSoD closely resembles an error message that may be seen in those versions. Would that convince 8.x and 10 users that they also need the fake Essentials? Microsoft seems to think so.

Fortunately, it’s widely detected.

SHA1: e1e78701049a5e883a722a98cdab6198f7bd53a1

SHA256: 7dcbd6a63cb9f56063d2e8c5b17b3870bb2cbaeaafff98ce205d742cce38ba96

VirusTotal report: at 24th October 2016, 42 out of 56 vendors were shown as detecting it.

Commentary from The Register: Microsoft: Watch out millennials for evil Security Essentials

David Harley

Interest rates down, bitcoin stockpiles up

The Guardian and the International Business Times offer a sidebar to the ‘Do/should businesses/organizations pay up?’ discussion, by revealing that financial institutions are amassing bitcoin in case of extortion. However, both articles are focused on DDoS attacks and related extortion demands rather than ransomware. The IBT article doesn’t really go into the question of whether paying up is a Good Thing, except to quote Dr. Simon Moores: ‘”The police will concede that they don’t have the resources available to deal with this because of the significant growth in the number of attacks.” The article in the Guardian (from which the IBT seems to have drawn most of its content) does explore that issue in more depth, but doesn’t discuss ransomware at all.

However, IBT does quote Marcin Kleczynski of Malwarebytes as saying a couple of months ago that he knew of UK banks that have substantial quantities of bitcoin ready to deploy in the event of a ransomware attack. Well, that’s going to discourage the bad guys, isn’t it? 🙁

International Business Times: UK banks allegedly stockpiling Bitcoin to pay off cybercrime extortion threats – Police ‘don’t have the resources’ to combat cyber extortion attempts, expert claims.

David Harley

APWG statistics

According to the Anti-Phishing Working Group’s report for the second quarter of 2016, phishing attacks (as measured by the number of phish sites) reached an all-time high in that period (61% higher than the previous recorded high in 2015 Q4). It also cites PandaLabs as reporting detection of 18 million ransomware programs over that period, amounting to more than 200,000 per day.

Phishing Activity Trends Report 2nd Quarter 2016

David Harley

Decrypters info

An article by Charlie Osborne for ZDnet/Zero Day includes an alphabetical list of ransomware families for which decrypters are available, with links. It’s not, of course, a complete list (either of remediable ransomware or of reputable sources of decrypters) but the sources it does list are indeed reputable. As we’re seeing an increasing number of less reputable sources misusing SEO, blog comments and so on, that’s not a small consideration. Added to the Specific Ransomware Families and Types and Ransomware Recovery and Prevention pages.

Remove ransomware infections from your PC using these free tools – A how-to on finding out what ransomware is squatting in your PC — and how to get rid of it.

Ransomware listed includes: Al-Namrood, Apocalypse, ApocalypseVM, Autolocky, BadBlock, Bart, Bitcryptor, Cerber v.1, Chimera, CoinVault, CrypBoss, CryptoDefense, CryptInfinite, CryptXXX v.1 & 2, CryptXXX v1, 2, 3, 4, 5, DMALocker, DMALocker2, Fabiansomware, FenixLocker, Gomasom, Globe, Harasom, HydraCrypt, Jigsaw, KeyBTC, Lechiffree, Marsjoke | Polyglot, Nemucod, Nemucod, MirCop, Operation Global III, TeslaCrypt, PClock, Petya, Philadelphia, PowerWare, Rakhni & similar, Rannoh, Shade v1 & 2, SNSLocker, Stampado, TeslaCrypt v1, 2, 3, 4, UmbreCrypt, Vandev, Wildfire, Xorist, 777

Backup, PR Pressure and Ransomware

I recently received a spate of emails from a PR person suggesting that I add Lee Munson’s article on The history of ransomware to the AVIEN ransomware resources pages. I nearly ignored it altogether because  I don’t respond well to PR pressure. It’s one of the few things I have in common with career journalists…

Backup: the Why and How

However, the article is a reasonable introductory guide and offers a brief history that includes some (but by no means all) ransomware families and some reasonable advice, so I’m OK with including it, here. That said, while I agree that backups are an essential precaution (and not only because of the risk of a ransomware attack), he misses an essential point. Of course it’s ‘preferable’ to have offsite backups in case of ‘the risks of a fire etc. in your own home’, but many people and organizations nowadays don’t think first in terms of physical media like optical disks and flash storage, but rather in terms of some form of cloud storage. Which are very likely to be offsite, of course.

Offsite versus Offline

However, where such storage is ‘always on’, its contents may be vulnerable to compromise by ransomware in the same way that local storage is, so it’s important that offsite storage:

  • Is not routinely and permanently online
  • Protects backed-up data from automatic and silent modification or overwriting by malware when the remote facility is online
  • Protects earlier generations of backed-up data from compromise so that even if disaster strikes the very latest backups, you can at least retrieve some data, including earlier versions of current data.

Most articles on backup aimed at home users don’t go deeply into backup strategies, especially as utilized by system administrators, and that’s a gap I’m considering trying to fill. (However, Aryeh Goretsky’s article for ESET, Options for backing up your computer, is a good summary for home users, even though it’s several years old.)

Making the Cloud less Nebulous

For the moment it’s worth remembering that backup isn’t a fire-and-forget one-time exercise, but an ongoing task. Furthermore, the last thing you want to do is rely on a single generation of backups on a single site, or using a single provider. Bear in mind also that when cloud providers offer versioning, when backup of a file is triggered when it is modified, it may or may not mean that (one or more) earlier generations of the same file are preserved. It may be more convenient to keep only the latest version of a document, thus saving both space and the potential hassles of version control. But it makes sense to have a generational strategy in place so that you can, if necessary, roll back to a previous version and build on that. It makes even more sense to have read-only versions in reserve, for obvious reasons.

David Harley