Tag Archives: Brian Krebs

Scammers using Dell support data?

If support scammers are using Dell customer data, as seems to be the case, Dell could certainly be more proactive in warning its customers, despite its own concerns about being seen as vulnerable to external or internal data leakage. But at least they’re now trying to gather info on the issue.

See my article here: Support Scammers Targeting Dell Customers with links to related articles by Brian Krebs, Dan Goodin et al.

Excerpt:

… not everyone who is [a Dell customer] has the technical grasp that Krebs’s correspondents seem to have. So perhaps it’s time Dell at least made more effort to notify people using its products (and especially its support services) that scammers may have such data, and that possession of such data shouldn’t be taken as some sort of validation of the bona fides of a cold-caller.

 Added to resources page, of course.

David Harley

Ransomware, the Cloud, and DDoS

Ransoming the Cloud

On the ransomware resources page, I recommended:

Back up your data to an external device. And to cloud services as well, if you like. Bear in mind, though, that if your data is backed up somewhere that’s ‘always on’ while you’re using your computer, there’s a risk that ransomware (or other malicious software) might be able to encrypt, delete or corrupt your backed-up data too. For the same reason, don’t try to reinstall backed-up files from an off-line resource (at any rate, a write-enabled offline resource) until you’re sure the malware is no longer present and active on your system.

In Ransomware a Threat to Cloud Services, Too Brian Krebs notes an instance where, when one of Children in Film’s employees opened an attachment passed off as an invoice: within 30 minutes, over 4,000 files on a cloud server, mounted as a local drive, had been encrypted by Teslacrypt. Fortunately, according to Krebs, the cloud hosting company kept daily backups and the company was able to use BleepingComputer’s TeslaDecoder to decrypt the files without paying the extortionists, but the inconvenience was still significant.

DDoS  Statistics

For Tripwire, David Bisson summarizes some of the detail from a report from cloud provider Akamai on trends in DDoS (Distributed Denial of Service) attacks, often associated with attempted extortion.

Cloud Security Alliance Survey

The Register reports that a CSA poll found that:

  • Some respondents would pay very large sums to extortionists to avoid data dumps
  • That gambling sites continue to be targeted with threats of DDoS attacks, often coinciding with major sporting events
  • That “… even police and law enforcement agencies [are] recommending organisations hit by the most water-tight ransomware encryption attacks to pay up to get their decryption keys.”

The article also suggests a link between the Hidden Tear open source code and the not-very-successful Linux.Encoder.

DD4BC

And here are a couple of items about the DD4BC (DDoS for BitCoin) gang:

  • ESET reports on Operation Pleiades in which several countries cooperated with Europol against the threat.
  • A related story from the BBC.

All items added to the ransomware resources page.

David Harley

iYogi tech support – sued by State of Washington

The name iYogi will not be unfamiliar to you, if you’ve been following how the tech support scam has been evolving over the past few years.

In Fake Support, And Now Fake Product Support I described how a legitimate and ethical AV company outsourced its support to the iYogi company  in India. This must have seemed at the time an entirely reasonable way of addressing a difficulty that faces security companies with a product version that is free to consumers: what happens when users of that product need support? Running a tech support operation is a significant cost even for companies that charge for all their products (time-limited trials excepted, of course). The idea was that Avast! customers would get free support for Avast!-related queries, but would then be offered an upgrade to a for-fee iYogi support package. However, the AV company’s understanding was that:

here at AVAST, we never phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either.

Unfortunately, it seemed that iYogi’s understanding of the situation was rather different. According to Brian Krebs, reported incidents of tech support scam coldcalls from “Avast customer service” did indeed turn out to have originated with iYogi.

While someone describing himself as the co-founder and president of marketing at iYogi strongly denied any connection with the usual gang of out-and-out scammers, Avast! found it necessary to suspend its arrangement with the company. Avast!’s later arrangements for customer support are discussed on the company’s blog here.

iYogi’s recent activities seem to have continued to attract controversy.  A recent article from Help Net Security tells us that Washington State has announced a lawsuit against iYogi, alleging that ‘iYogi’s tactics are unfair and deceptive business practices that violate Washington’s Consumer Protection Act.’ The activities in which the company is alleged to have engaged have a familiar ring, involving deceptive online advertisements, misleading ‘diagnostics’, aggressive selling of support plans and the company’s own anti-virus software. In a twist I haven’t encountered before, the Washington suit filed in King County Superior Court claims that:

iYogi tells the consumer that upgrading to Windows 10 from Windows 7 or 8 costs $199.00 if the upgrade is done independently, but that the upgrade is “included” for free as part of iYogi’s five-year service package or for $80 as part of iYogi’s one-year package. In fact, an upgrade to Windows 10 is free for Windows 7 or 8 users who choose to do so independently. In addition, iYogi incorrectly tells consumers that their computers will stop working if they do not upgrade to Windows 10 soon.

Help Net quotes Microsoft as estimating that 71,000 residents of Washington lose $33m each year, a sizeable proportion of the 3.3m Americans who are estimated to lose $1.5b in a year.

 David Harley

Status Epsilon-icus*

Ok. That wasn’t the last update.

And very possibly the last update here (the target blog suggests why…): Epsilon Overkill and the Security Ecology

Update 3: Rebecca Herson evaluates some of the advice given by Epsilon customers for coping with the phlurry of phish anticipated post-Epsilon: http://blog.commtouch.com/cafe/email-security-news/advice-after-the-epsilon-breach/

Links and a little extra irony from me: http://chainmailcheck.wordpress.com/2011/04/07/epsilon-epidemic/

Update 2: a discomfiting suggestion that there was a longstanding problem that Epsilon were actually aware of: http://www.itnews.com.au/News/253712,epsilon-breach-used-four-month-old-attack.aspx (hat tip to Kurt Wismer, again)

Update: a few more articles you might find worth reading.

It’s reasonable to assume that the Epsilon fiasco will lead to an epidemic: at any rate, luminaries such as Brian Krebs and Randy Abrams are making that assumption, and publishing some excellent proactive advice accordingly. So rather than go over the same ground, I’ll just cite some of the more useful blog posts around that.

Two highly relevant posts by Brian Krebs:

And two relevant posts by Randy:

A list of companies known to have been affected from ThreatPost: http://threatpost.com/en_us/blogs/list-companies-hit-epsilon-breach-040511

And a characteristically to-the-point rant by Kurt Wismer on why it wouldn’t be an issue in a sane world: http://anti-virus-rants.blogspot.com/2011/04/why-epsilon-breach-shouldnt-be-issue.html

*Yes, a rather forced pun, I know. http://en.wikipedia.org/wiki/Status_epilepticus 

David Harley CITP FBCS CISSP
AVIEN Dogsbody
ESET Senior Research Fellow