Tag Archives: MalwareBytes

Support Scammers hit Mac users with DoS attacks

 examines another attack somewhere on the thin borderline between ransomware and tech support scams: Tech support scam page triggers denial-of-service attack on Macs. This is another instance of scammers encouraging victims to call a fake helpline by hitting them with some sort Denial of Service (DoS) attack: in this case, by causing Mail to keep opening email drafts until the machine freezes, or using iTunes., apparently to put up a fake alert.

Commentary by David Bisson for Tripwire: Tech Support Scam Creates Series of Email Drafts to Crash Macs.

David Harley

 

Malwarebytes makes VinCEmeat of screen locker

Interesting analysis from Pieter Arntz for Malwarebytes of the VinCE screen locker, intended to persuade the victim into calling the ‘helpline’ number the malware displays. An example of malware that illustrates an almost imperceptible distinction between a tech support scam and true ransomware.

A closer look at a tech support screen locker

This AVIEN article also added to Tech Support Scams and Ransomware, to Specific Ransomware Families and Types,  and to PC ‘Tech Support’  Scam Resources. The latter has now been renamed by dropping the reference to cold-calls, as cold-calling is no longer the only (or, arguably, the most effective) means of implementing tech support scams.

David Harley

HTML5 bug misused by support scammers

An article by Jérôme Segura for Malwarebytes – Tech support scammers abuse bug in HTML5 to freeze computers – describes the use of a variation on the Tech Support ploy of using Javascript loops to simulate a persistent pop-up ‘alert’. In this case, the attack makes use of a bug that abuses the history.pushState() method introduced with HTML5. According to Segura, ‘the computer that visited this site is essentially stuck with the CPU and memory maxed out while the page is not responding’, though it may be possible to kill the browser process with Task Manager.

Hat tip to David Bisson, whose commentary for Graham Cluley’s blog called the issue to my attention.

David Harley

Support Scams: the supply chain

Support scammers tend to be seen by people with a reasonable understanding of technology as being pretty low-grade, as scammers go.

‘Support desk’ scammers are sometimes subjected to humiliating telephone exchanges by people who take an understandable pleasure in wasting their time by pretending to be even dumber victims. They capitalize on the fact that scammers at this level are often easily confused if the victim doesn’t follow the script, and don’t have the technical knowledge to respond appropriately to reverse social engineering. Yet some of the tricks they deploy to convince victims that their systems are compromised so that they seek help from a fake helpline have become surprisingly sophisticated. As have the scammer organizations themselves.

For Malwarebytes, William Tsing offers an explanation as to how support scammers ‘can be sophisticated enough to set up infrastructure handling and network tracking, SEO cloaking, and payment processing.’ His suggestion is that behind the scam companies is a ‘criminal underclass’ offering prefabricated scam packages ‘that only require a credit card and ill intent to set up.’ And since most cybercrime works on a similar model, that comes as no surprise. In his article, he dissects a specific example of a Scam in a Box: Scamming as a service – seriously.

David Harley

Flash Player exploit -> Angler -> CryptXXX

John Leyden heralds a post apparently due to appear on the Malwarebytes site later today (25th May 2016) about a wave of malvertising exploiting the Flash Player exploit (CVE-2016-4117) recently addressed by Adobe in order to direct victims to the Angler exploit kit and launch infection with the CryptXXX ransomware.

I’m guessing that we’re talking about CryptXXX 3.0, which I wrote about earlier today: CryptXXX 3.0: gang breaks own decryptor.

Worth looking out for (the article and the malware).

[Added: Malwarebytes article now published as New Wave of Malvertising Leverages Latest Flash Exploit. Jerome Segura observes:

The ads are typically clean of any malware for anyone trying to manually verify them. The JavaScript code looks benign no matter how many times you refresh the page or rotate IP address. This is because the rogue version of the JavaScript is served conditionally, with the proper referer, user-agent, sometimes even your screen resolution, and several other parameters.

Very interesting.]

David Harley

 

Tech Kangaroos: wish they’d hop it?

Malwarebytes describes getting the jump on a group apparently responsible for impersonating legitimate security companies. Well, that sort of impersonation is pretty standard for tech support scammers, but in this case Malwarebytes is talking about ‘a fraudulent page which the crooks built by stealing the graphics from the Malwarebytes website and altering it to trick people into calling a toll-free number.’

And not only Malwarebytes. The article includes some screenshots of fake sites impersonating Microsoft, AVG, Kaspersky, ESET and so on.

Here’s the Malwarebytes article: The hunt for tech support scammers. Commentary by SC Magazine: Scammers impersonate legit cyber-security companies

Added to tech support resources page.

David Harley

I do not like that SamSam-I-am ransomware

Darren Pauli for the The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.

Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that  files are encrypted offline and C&C infrastructure is not used for payment.

The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM

Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous

Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.

David Harley

Tech Support Scam that Spoofs ISPs

Jérôme Segura has blogged for Malwarebytes about a somewhat innovative tech support scam campaign: Scammers Impersonate ISPs in New Tech Support Campaign.

The scam is pushed by malvertising which

‘detects which Internet Service Provider (ISP) you are using (based on your IP address) and displays a legitimate looking page that urges you to call for immediate assistance.’

Added to the tech support scam resource page.

David Harley