Tag Archives: David Bisson

Technet: Elementary, my dear scammer

An article for Microsoft’s Technet describes a somewhat innovative tech support scam. It uses a script associated with the JS/Techbrolo family, known for its habit of generating fake alerts involving dialogue loops and audio messages. So far so average. But in this case, the pop-up isn’t a dialogue loop, but a website element of the scam page. If the victim clicks anywhere on the ‘dialogue box’ or anywhere else on the page, he or she is presented with what looks like a full-screen browser page open at something looking very much like a Microsoft support URL: however, it’s actually just another website element.

Microsoft: Breaking down a notably sophisticated tech support scam M.O.

HT to David Bisson, whose Tripwire blog drew this to my attention: Tech Support Scam Uses Website Elements to Spoof Microsoft Support Page

Backup and Ransomware

Ransomware isn’t the only reason to implement a good backup strategy – for home users as well as for businesses – but it’s a pretty good one, and these days you can’t afford a backup strategy that doesn’t take ransomware’s evil little ways into account.

In an article for Graham Cluley’s blog, David Bisson offers some pretty good advice, in a form that practically anyone can understand.

How to create a robust data backup plan (and make sure it works) – The backup basics that every end-user should know!

David Harley

Support Scammers hit Mac users with DoS attacks

 examines another attack somewhere on the thin borderline between ransomware and tech support scams: Tech support scam page triggers denial-of-service attack on Macs. This is another instance of scammers encouraging victims to call a fake helpline by hitting them with some sort Denial of Service (DoS) attack: in this case, by causing Mail to keep opening email drafts until the machine freezes, or using iTunes., apparently to put up a fake alert.

Commentary by David Bisson for Tripwire: Tech Support Scam Creates Series of Email Drafts to Crash Macs.

David Harley

 

LG TV ransomware revisited

In case you were wondering what happened as regards the story I previously blogged here – Smart TV Hit by Android Ransomware – it appears that LG has decided after all to make the reset instructions for the TV public rather than requiring an LG engineer to perform the task for only twice the price of a new set… Note that this was an old model running Android, not a newer model running WebOS.

Catch-up story by David Bisson (following up on his earlier story for Metacompliance) for Graham Cluley’s blog: How to remove ransomware from your LG Smart TV – And the ransomware devs go home empty-handed!

The article quotes The Register’s article here, which details the instructions, but also links to a video on YouTube by Darren Cauthon – who originally flagged the problem – demonstrating the process.

[Also posted at Mac Virus]

David Harley

 

HTML5 bug misused by support scammers

An article by Jérôme Segura for Malwarebytes – Tech support scammers abuse bug in HTML5 to freeze computers – describes the use of a variation on the Tech Support ploy of using Javascript loops to simulate a persistent pop-up ‘alert’. In this case, the attack makes use of a bug that abuses the history.pushState() method introduced with HTML5. According to Segura, ‘the computer that visited this site is essentially stuck with the CPU and memory maxed out while the page is not responding’, though it may be possible to kill the browser process with Task Manager.

Hat tip to David Bisson, whose commentary for Graham Cluley’s blog called the issue to my attention.

David Harley

Support Scam Threatens to Delete Hard Drive

Siddhesh Chandrayan, for Symantec, reports on a particularly vicious example of social engineering designed to scare a victim into ringing a fake support line:

Tech support scams increasing in complexity – Tech support scammers have begun using code obfuscation to avoid detection.

The pop-up fake alert claims that the victim’s system is infected with ‘Exploit.SWF.bd’ and that the hard drive will be deleted if he or her tries to ‘close this page’. It displays a fake ‘hard drive delete timer’ complete with audio effect.

Don’t panic! In principle, Javascript like this isn’t able to do any such thing: that’s a security feature of the language. (There are, of course, other ways of accessing and changing the contents of a client-side disk, but there’s no suggestion that any of those mechanisms are at play here.)

The obfuscated script also includes code to ascertain whether the system is running Windows, ‘MacOS’, UNIX or Linux, so that the alert can be tailored accordingly.

Commentary by David Bisson, writing for Graham Cluley’s blog: Scare tactics! Tech support scam claims your hard drive will be deleted – Scammers tries to frighten you into phoning them up.

David Harley

FLocker: Android Ransomware meets IoT

An article for Trend Micro by Echo Duan illustrates one of the complications of having an operating system that works on and connects all kinds of otherwise disparate objects: FLocker Mobile Ransomware Crosses to Smart TV.

Of course, embedded versions of operating systems such as other versions of Linux, Windows and so on, are not in themselves novel. FLocker, however, seems to lock smart TVs as well as Android phones, as long as they’re not located in one of a number of Eastern European countries. It claims to be levying a fine on behalf of a law enforcement agency. Apparently another of these agencies that prefers its fines paid in iTunes gift cards. As Zeljka Zorz points out for Help Net Security, this doesn’t say much for the credibility of the criminals, but if your device and data have become unavailable to you, knowing that they’re criminals and not the police doesn’t help much.

While the malware locks the screen, Trend tells us that the C&C server collects ‘data such as device information, phone number, contacts, real time location, and other information. These data are encrypted with a hardcoded AES key and encoded in base64.’

Unsurprisingly, Trend’s advice is to contact the device vendor for help with a locked TV, but the article also advises that victims might also be able to remove the malware if they can enable ADB debugging. How practical this would be for the average TV user, I don’t know.

Back in November 2015 Candid Wueest wrote for Symantec on How my TV got infected with ransomware and what you can learn from it, subtitled “A look at some of the possible ways your new smart TV could be the subject of cyberattacks.” Clearly, this particular aspect of the IoT issue has moved beyond proof of concept.

If cited this before, but it’s worth doing again. Camilo Gutierrez, one of my colleagues at ESET (security researcher at the Latin America office) notes that:

… if the necessary precautions are not taken by manufacturers and users, there is nothing to prevent an attacker from seizing control of a device’s functionality and demanding money to return control. Perhaps this is not a threat we expect to see much of in the near future, but we shouldn’t lose sight of it if we are to avoid serious problems later.

Just as I was about to post this, I noticed additional commentary by David Bisson for Graham Cluley’s blog. He notes that there’s an interesting resemblance between FLocker’s interface and the earlier ‘police’ ransomware he calls Cyber.Police.

David Harley

Fake Support, Real Screen Locker Malware

Here’s another instance where ransomware and tech support scams overlap. Jérôme Segura, for Malwarebytes, describes how scammers have moved on from ‘bogus browser locks and fake AV alerts‘ to real screen lockers. In particular, he describes an example of malware shared by @TheWack0lian that passes itself off as a Windows update. However, during the ‘update’ it effectively locks the computer, ostensibly due to an ‘invalid licence key’, forcing the victim to call a ‘support line’.

The article – Tech Support Scammers Get Serious With Screen Lockers – includes a keyboard combination that might disable the locker, and some hardcoded ‘key’ values that might also work. However, it’s likely that there are already variants out there that use different ‘keys’, and if there aren’t, there almost certainly will be.

Commentary by David Bisson for Graham Cluley’s blog is also worth reading: New tech support scams mimic ransomware, lock users’ computers –Beware if you’re asked to pay $250 for a product key to unlock your PC.

David Harley