Tag Archives: ESET

Tech Support Scams in Spain

My colleague Josep Albors came to a surprising conclusion in his Spanish language blog article Fake technical support is the most detected threat in Spain during January. I was so taken with the article that I generated a somewhat free translation with copious extra commentary for WeLiveSecurity: Support scams now reign in Spain.

David Harley

ESET: Key Insights & Key Card Ransomware

ESET’s WeLiveSecurity blog put together an article combining commentary from Stephen Cobb, Lysa Myers and myself: Ransomware: Key insights from infosec experts.

Yesterday, the site also commented on a story – Austrian hotel experiences ‘ransomware of things attack’ – that I also touched upon for ITSecurity UK: Key Card Ransomware: News versus FUD.

David Harley

Jackware: carjacking and ransomware

My friend and colleague Stephen Cobb, for ESET, recently posted an article on Jackware: When connected cars meet ransomware. He says:

I define jackware as malicious software that seeks to take control of a device, the primary purpose of which is not data processing or digital communications. A car would be such a device. A lot of cars today do perform a lot of data processing and communicating, but their primary purpose is to get you from A to B. So think of jackware as a specialized form of ransomware. With regular ransomware, such as Locky and CryptoLocker, the malicious code encrypts documents on your computer and demands a ransom to unlock them. The goal of jackware is to lock up a car or other device until you pay up.

Fortunately, and I stress this: jackware is, as far as I know, still theoretical. It is not yet “in the wild”

So speculation, but informed speculation, a hot topic, and well-written (of course).

David Harley

Pokémon beGOne – malware exploiting a popular craze

[Also published on the Mac Virus blog, which also addresses smartphone security issues]

Not quite ransomware (though there is a suggestion that it may happen), but my ESET colleague Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements. He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all too easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

David Harley

ESET Latin America on Ransomware

Here’s an article from my ESET colleague Camilo Gutiérrez Amaya, Head of Awareness & Research for Latin America: Ransomware: First files … now complete devices.

The article is actually adapted from the ransomware section of ESET’s 2016 trends paper (In)security Everywhere, but it is worth reading if you haven’t read that somewhat hefty document.

David Harley

Crysis? What Crysis?

Ondrej Kubovič for ESET: Beyond TeslaCrypt: Crysis family lays claim to parts of its territory. The ransomware that ESET calls Win32/Filecoder.Crysis encrypts files on fixed, removable and network drives.

It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time.

It encrypts everything except system files and its own bits and pieces, and charges between 400 and 900 euros. However, ESET users may be able to recover files encrypted by older versions with the help of ESET technical support.

David Harley

DNS Unlocker

James Rodewald has put up an interesting article for ESET on a DNS hijacker. It’s actually the way it conceals its activity that’s of most interest: however, this will also interest followers of this blog:

Typically a computer user affected by DNS Unlocker will see advertisements with a note at the bottom saying, “Ads by DNSUnlocker” … or something similar and multiple different variations of “support scam” pop-ups …

Crouching Tiger, Hidden DNS

David Harley

TeslaCrypt Says Sorry, Provides Decryption Key

Posted by me to the ITSecurity UK site: TeslaCrypt: We’re Sorry, Here’s the Decryption Key. Since they (or other operators) seem to have moved on to CryptXXX, I’m not sure how seriously we should take that apology. ESET and BloodDolly have released decryptors: Instructions for the ESET tool are here, and for BloodDolly’s tool at Bleeping Computer here.

David Harley

Tech Kangaroos: wish they’d hop it?

Malwarebytes describes getting the jump on a group apparently responsible for impersonating legitimate security companies. Well, that sort of impersonation is pretty standard for tech support scammers, but in this case Malwarebytes is talking about ‘a fraudulent page which the crooks built by stealing the graphics from the Malwarebytes website and altering it to trick people into calling a toll-free number.’

And not only Malwarebytes. The article includes some screenshots of fake sites impersonating Microsoft, AVG, Kaspersky, ESET and so on.

Here’s the Malwarebytes article: The hunt for tech support scammers. Commentary by SC Magazine: Scammers impersonate legit cyber-security companies

Added to tech support resources page.

David Harley