Author Archives: DHarley

Should TalkTalk block TeamViewer?

It’s hardly a secret that TalkTalk has had problems with tech support scams. Or at any rate its customers have, leading to suspicions that some of the scammers “… know more about their intended victims (and their issues with TalkTalk) than they should.” I don’t suppose for a moment that TalkTalk is actively cooperating with known scammers, of course, but it was widely reported last year that three call-centre workers at Wipro, to which TalkTalk outsourced some support services in 2011, had been arrested on suspicion of – according to the BBC – selling TalkTalk customer data.

The BBC’s recent report also asserts that TalkTalk customers are targeted by “an industrial-scale fraud network in India”. Commentary from Sophos hints that the issue is ‘related not to TalkTalk but to one of its subcontractors’.

TalkTalk has set up a site in cooperation with Get Safe Online called Beat The Scammers, which it describes as “an education and awareness campaign … designed to help you protect yourself from the growing threat of scams”. The site does seem to offer some reasonable advice and a certain amount of insight into how these particular scammers appear to be operating, though it seems focused on old-school cold-calling rather than on pop-ups directing victims to ‘helplines’. Still, most of the old tricks are still used by ‘next-generation’ scammers. And in fact, I quite like the idea of ‘The Nevers’, a short list of things that a TalkTalk representative ‘will never do’. For instance:

  • Ask for a customer’s full password (apparently they may ask for two digits)
  • Ask for bank details to process a refund (details the company should already have)
  • Ask the customer to send money through services like MoneyGram or Western Union (two services very commonly used by scammers)

However, the company has also upset some of its customers, according to Kat Hall (writing for The Register), by blocking TeamViewer, a remote access/desktop management tool – TalkTalk blocks TeamViewer – Wants to protect customers from phishing and scamming.

It’s perfectly true that TeamViewer, like AMMYY and several similar tools/sites, is widely used by support scammers. But it’s a legitimate service also widely used for entirely legitimate desktop management purposes. A blanket ban on its use is rather like an anti-malware application deciding to make it impossible for a customer to run ‘Possibly Unwanted’ or ‘Possibly Unsafe’ applications. We don’t do that – well, most of us don’t – because although it might make some customers safer, some people would be seriously inconvenienced by it. Apart from the fact that those people would have to take their business elsewhere, it hardly seems appropriate for a security company to deny its customers access to legitimate services. There is a classic tripod model of security, said to consist of Confidentiality, Integrity, and Availability. Take away availability, and what you have is no longer security.

David Harley

RanRan: Ransomware, Politics and Extortion

An interesting if somewhat niche ransomware analysis from Unit 42: Targeted Ransomware Attacks Middle Eastern Government Organizations for Political Purposes

Falcone and Grunzweig say: ‘The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.’

David Harley

Technet: Elementary, my dear scammer

An article for Microsoft’s Technet describes a somewhat innovative tech support scam. It uses a script associated with the JS/Techbrolo family, known for its habit of generating fake alerts involving dialogue loops and audio messages. So far so average. But in this case, the pop-up isn’t a dialogue loop, but a website element of the scam page. If the victim clicks anywhere on the ‘dialogue box’ or anywhere else on the page, he or she is presented with what looks like a full-screen browser page open at something looking very much like a Microsoft support URL: however, it’s actually just another website element.

Microsoft: Breaking down a notably sophisticated tech support scam M.O.

HT to David Bisson, whose Tripwire blog drew this to my attention: Tech Support Scam Uses Website Elements to Spoof Microsoft Support Page

*Bummer for Dharma: Decrypter On The Road

It seems that it’s now possible to decrypt Crysis-encrypted files that have the .dharma extension: Alleged Master Keys for the Dharma Ransomware Released on BleepingComputer.com.

ESET has updated its Crysis decryptor to take advantage of the newly-released keys. Kaspersky has done the same with its Rakhni decryptor. I imagine others will do the same, if they haven’t already.

David Harley

*The Dharma Bums is a novel by Jack Kerouac. And On The Road is another. Sorry, I couldn’t resist.

Patcher/Filezip/Filecoder – data recovery and naming

Because of time constraints, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page but didn’t give it an article of its own here. Since there is important news (to potential victims) from Malwarebytes and Sophos, I’m repairing that omission here.

Note that both Reed and Cluley sometimes refer to the malware as FileCoder. This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, the term ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you/we need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.

David Harley

Lockdroid’s text-to-speech unlocking

Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of TTS functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. Based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone.

David Harley

Tech Support Scams in Spain

My colleague Josep Albors came to a surprising conclusion in his Spanish language blog article Fake technical support is the most detected threat in Spain during January. I was so taken with the article that I generated a somewhat free translation with copious extra commentary for WeLiveSecurity: Support scams now reign in Spain.

David Harley

Kaspersky researcher on Russian ransomware ecosystem

Anton Ivanov for Kaspersky: A look into the Russian-speaking ransomware ecosystem.

He says:

One of the findings of our research is that 47 of the 60+ crypto ransomware families we’ve discovered in the last 12 months are related to Russian-speaking groups or individuals.

And:

While analyzing the attack statistics for 2016, we discovered that by the end of the year a regular user was attacked with encryption ransomware on average every 10 seconds, with an organization somewhere in the world hit around every 40 seconds.

Good article.

David Harley