Tag Archives: ESET blog

Support Scams – What to do next

My latest article for ESET’s WeLiveSecurity blog expands on an article that originally appeared in a lengthy article on support scams for ITSecurity UK, and subsequently in an article for the ESET Threat Radar Report for December 2015.

Support scams: What do I do now? covers some of the options for people who’ve allowed a support scammer to access their PC and, on discovering that they’ve been duped, have asked about the implications of that mistake and what they need to do next.

Link added to support scam resources page.

David Harley

Japan Disaster: Commentary & Resources

[Further links added March 13th 2011 (and a couple more on the same day). Extra links and commentary appended March 14th. More commentary re the Bing chaintweet subsequently added. And yet more on related scams added March 15th. More miscellaneous resources and commentary on 16th and 17th March. Additional links on 23rd March]

This is an attempt to bring together a number of disparate blogs highlighting resources I’ve been collecting over the past couple of days, relating to the Japanese earthquakes and tsunami. Apologies if there’s nothing here that’s new to you, but I think it’s important to spread this information as far as possible. This will now be my primary resource for putting up any further information I come across. I don’t, of course, claim that it will cover a fraction of the coverage that’s out there.

  • Some blogs of mine:
      • http://blog.eset.com/2011/03/11/japanese-earthquake-inevitable-seo
      • http://chainmailcheck.wordpress.com/2011/03/12/earthquaketsunami-scam-resources/
      • http://blog.eset.com/2011/03/12/disaster-scams-and-resources
      • http://blog.eset.com/2011/03/11/disasters-getting-involved
      • And one more that I’ve referenced below…
  • Urban Schrott of ESET Ireland on do’s and don’t’s for safe browsing and disaster scam avoidance: http://esetireland.wordpress.com/2011/03/11/security-warning-japanese-earthquake-scams-will-send-tremors-through-the-web/
  • Paul Ducklin at Sophos on clickjacking by ibuzzu.fr: http://nakedsecurity.sophos.com/2011/03/12/japanese-tsunami-video-exploited-by-clickjackers/
  • Norman Ingal at Trend with some detail on observed BHSEO and fake AV: http://blog.trendmicro.com/most-recent-earthquake-in-japan-searches-lead-to-fakea/ 
  • Robert Slade at Securiteam with an older post (from the time of the Haiti earthquake – but still relevant) on training for disaster: http://blogs.securiteam.com/index.php/archives/1346
  • More analysis from Kimberley at stopmalvertising.com: http://stopmalvertising.com/blackhat-seo/recent-japanese-earthquake-search-results-lead-to-fakeav.html
  • Paul Roberts at Threat Post: http://threatpost.com/en_us/blogs/experts-warn-japan-earthquake-tsunami-spam-031111
  • Guy Bruneau at Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10537&rss
  • Sean at F-Secure:  http://www.f-secure.com/weblog/archives/00002119.html 
  • Mike Lennon at Security Week: http://www.securityweek.com/massive-influx-scams-surrounding-japans-earthquake-and-tsunami-expected
  • spamwarnings.com is showing examples of spam related to this event: http://www.spamwarnings.com/tag/devastating-tsunami 
  • IRS online charities search: http://www.irs.gov/app/pub-78
  • Charity Navigator offers independent evaluation of charities: http://www.charitynavigator.org/
  • Google’s crisis response page: http://www.google.com/crisisresponse/japanquake2011.html
  • An old but much-to-the-point article on disaster scams from PC World: http://www.pcworld.com/article/61946/beware_of_online_scams_for_disasterrelief_funds.html
  • Phil Muncaster: http://www.v3.co.uk/v3-uk/news/2033668/google-twitter-facebook-step-help-japan-earthquake-survivors
  • Google’s People Finder service: http://japan.person-finder.appspot.com/?lang=en
  • Bing’s response page including several organizations offering relief initiatives: http://www.microsoft.com/about/corporatecitizenship/en-us/our-actions/in-the-community/disaster-and-humanitarian-response/community-involvement/disaster-response.aspx. A useful page, but there’s an aspect to Bing’s retweeting PR effort (see http://www.twitter.com/bing) that I can’t quite like, as explained at http://chainmailcheck.wordpress.com/2011/03/12/faith-hope-charity-and-manipulation/.
  • US-CERT: Japan Earthquake and Tsunami Disaster Email Scams, Fake Anitvirus and Phishing Attack Warning [Yes, the Anitvirus typo is on the web site: some useful links, nonetheless] 
  • Latest news from NHK World: http://www3.nhk.or.jp/nhkworld/ 
  • Graham Cluley: Japanese Tsunami RAW Tidal Wave Footage – Facebook scammers trick users with bogus CNN video
  • Morgsatlarge on Why I am not worried about Japan’s nuclear reactors
  • Real photos of the damage (hat tip to Rob Slade): http://www.nytimes.com/interactive/2011/03/13/world/asia/satellite-photos-japan-before-and-after-tsunami.html?hp; http://www.cbc.ca/news/interactives/japan-earthquake/index.html. Not exactly security-related, but the sort of thing that’s being used to decoy people onto unsafe sites.
  • One from the Register that I missed at the time, though it’s basically a pointer to the Trend article above: http://www.theregister.co.uk/2011/03/11/japan_tsunami_scareware/
  • World Nuclear News: Battle to stabilise earthquake reactors
  • Lester Haines for The Register: Threat to third Fukushima nuke reactor: Authorities using seawater to battle overheating
  • Apparently I wasn’t the only person upset at Microsoft’s use of the disaster to promote Bing: BingDings* Force Change of Tune.
  • Here’s another clickjack scam brought to my attention by Graham Cluley: as he rightly says, it’s not likely to be the last. Japanese Tsunami Launches Whale Into Building? It’s a Facebook clickjack scam 
  • While Lewis Page describes in The Register how the Fukushima plant is actually performing “magnificently”, given the unexpected scale of the stress to which Japanese nuclear facilities have been subjected in the past few days: http://www.theregister.co.uk/2011/03/14/fukushiima_analysis/ Even if you’re not totally convinced that this is an argument for more nuclear powerplants, it’s certainly a welcome corrective to the FUD-exploiting scareware SEO that I suspect we’ll see over the next few days.
  • Graham Cluley on an SMS hoax: Fukushima radiation hoax SMS message spreads in Philippines (clue: it’s the hoax that’s spreading, not radiation…)
  • Nuclear Energy Institute: Information on the Japanese Earthquake and Reactors in That Region
  • Lester Haines: Fukushima reactor core battle continues: May be heading for meltdown, but no Chernobyl likely
  • Stan Schroeder for Mashable: AT&T, Verizon offer free calls and texts to Japan from US 
  • Ben Parr for Mashable:  Japan Earthquake & Tsunami: 7 Simple Ways to Help
  • Technet Blog: Microsoft Supports Relief Efforts in Japan
  • USA.answers.gov summary: Current Situation in Japan
  • Christopher Boyd, GFI Labs: Another “Whale smashes into building” Tsunami scam on Facebook 
  • Allan Dyer has mentioned that SMS “BBC FLASHNEWS” hoaxes like the one Sophos flagged at http://nakedsecurity.sophos.com/2011/03/14/fukushima-radiation-scare-hoax-text-message-spreads-in-philippines/ have also been circulating in Hong Kong.
  • Urban Schrott with some more scam info from Facecrook and elsewhere
  • Sophos on tsunami charity scams
  • Lots more links suggesting that radiation risk is way overblown, but I think we have enough of those to get the gist. Just be sceptical about alarmist reports that you can’t verify from reputable sites.
  • Business Standard on Cybercrime sets sail on tsunami sympathy
  • Symantec on Phishers Have No Mercy for Japan describing a fake American Red Cross donation site.
  • I’m also seeing a number of posts and articles suggesting that the situation regarding affected nuclear facilities is getting worse: I’m not qualified to separate fact and fiction in many of these cases, so I won’t try to track them here.
  • Allan Dyer describes one of the SMS hoaxes and a donation scam message pretending to be from AT&T: http://articles.yuikee.com.hk/newsletter/2011/03/a.html
  • Graham Cluley describes several Japan-related video links that actually lead to malicious javascript and a Java applet, plus some fake twitter email notifications: Spammed-out Japanese Tsunami video links lead to malware attack. See also Chet Wisniewski’s post SSCC 52 – Twitter HTTPS, net neutrality, car hacking, tsunami scams and Pwn2Own.
  • Jimmy Kuo forwarded a reliable donation link at http://www.jas-socal.org/, and here’s a post from Tracy Mooney on charitable giving.
  • A series of other blogs from McAfee: http://blogs.mcafee.com/mcafee-labs/world-record-for-disaster-scam-site; http://blogs.mcafee.com/consumer/robert-siciliano/tsunami-scam-warnings-keep-coming-in; http://blogs.mcafee.com/consumer/consumer-threat-alerts/japan-earthquake-scams-spreading-quickly
  • Christopher Boyd on Japan “Miracle Stories” scams on Youtube… and Rogue AV results lurk in contamination comparison searches and ICRC Japan donation scam mails and .tk URLs offering surveys, installs and fake Tsunami footage and Tips for avoiding the endless Japan disaster files and A Japan-themed 419 scam…
  • Crawford Kilian is tweeting a lot of more general Japan-related stuff that might be useful to you as background rather than as direct security stuff. http://twitter.com/Crof (hat tip to Rob Slade.)
  • Nicholas Brulez: Japan Quake Spam leads to Malware
  • John Leyden for The Register: Fake Japan blackout alerts cloak Flash malware: Scumbags continue to batten on human misery
  • Not directly security-related, but I can see it being used as a social-engineering hook: Timothy Prickett Morgan on Japanese quake shakes semiconductor biz: Boards and chip packages hit too.
  • An article by Amanda Ripley that has no direct security implication that I can see offhand, but I thought was interesting anyway: http://www.amandaripley.com/blog/japan_and_the_cliche_of_stoicism/
  • I probably won’t continue to add too many resources to this page that don’t have a direct and compelling security dimension, but if you are interested in the sort of footage of exploding reactors, tsunami hits and so on that blackhats use as bait for fake AV and clickjacking, the BBC has quite a few relevant videos: I know that because I watch the news. 🙂 I haven’t looked up individual links, but a quick Google search brings up several at http://www.bbc.co.uk/: no doubt searches of CNN etc. would bring up similar results. There’s lots of this stuff out there: no need to click on dubious links from unknown sources!

    David Harley CITP FBCS CISSP
    AVIEN COO
    ESET Senior Research Fellow

    

    Blackhat SEO and other nuisances

    The horrific Russian suicide bombings have, inevitably, generated a load of blackhat SEO (search engine optimization) attacks, not to mention Twitter profile attacks, using topical keywords to lure victims into running malicious code. I’ve blogged on that elsewhere recently – e.g. “Here come (more of) the Ghouls”, at http://www.eset.com/blog/2010/03/30/here-come-more-of-the-ghouls – so I won’t repeat myself here.

    However, I hear from that nice Mr. Cluley at Sophos that there’s an awfully good paper available about “Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware”, by Fraser Howard and Onur Komili.  

    It is a good paper, and it will interest a lot of the people who read this blog. And it should interest quite a few people who probably won’t read it. 🙁

    David Harley FBCS CITP CISSP
    Security Author/Consultant at Small Blue-Green World
    Chief Operations Officer, AVIEN
    ESET Research Fellow & Director of Malware Intelligence

    Also blogging at:
    http://www.eset.com/blog
    http://smallbluegreenblog.wordpress.com/
    http://blogs.securiteam.com
    http://blog.isc2.org/
    http://dharley.wordpress.com
    http://macvirus.com

    About those alligators….

    I don’t know what Peter Norton is up to these days. In the anti-virus industry, he’s probably best remembered for the security products marketed by Symantec that still bear his name (though not the famous pink shirt photograph), though he sold his company to Big Yellow about 20 years ago. In researcher circles, he’s also remembered for telling Insight magazine in 1988 or thereabouts that “We’re dealing with an urban myth. It’s like the story of alligators in the sewers of New York. Everyone knows about them, but no one’s ever seen them. Typically, these stories come up every three to five years.” Well, quite a few people put computer viruses in the same category as flying saucers around that time. Commodore, for instance, reacted to questions about Amiga malware by saying that it sounded like a hoax, and moved on (1) to ignoring it altogether.

    Not long after that, he lent his name to Symantec’s antivirus product, which I suppose makes it the world’s first anti-hoax software.

    I’ve no idea whether there really are or ever were alligators in the sewers of New York, but according to the BBC, Scotland’s sewage system has quite a few equally bizarre inhabitants. Notably:

    • A Mexican Kingsnake
    • A goldfish called Pooh
    • An anonymous frog
    • An equally anonymous badger (no, it wasn’t in the company of the frog: what a story that could be…)

     The above were all alive and well, if not as sanitary as one might hope. However, a sheep found in a manhole chamber and a cow found in a storm tank did not survive the experience. Other inanimate objects found included credit cards, a working iron, false teeth, jewelry, and some of the hundreds of thousands of mobile phones that Brits are alleged to flush down the loo. 

    It’s not known whether the very smelly aggregation of money mules that is apparently operating out of Scotland and associated with the “London scam” described here is operating out of the same network.

    (1) Yes, I’m paraphrasing myself. “Viruses Revealed”, Chapter 2, published by Osborne in 2001.

    David Harley FBCS CITP CISSP
    Security Author/Consultant at Small Blue-Green World
    Chief Operations Officer, AVIEN
    ESET Research Fellow & Director of Malware Intelligence

    Also blogging at:
    https://avien.net/blog
    http://www.eset.com/blog
    http://smallbluegreenblog.wordpress.com/
    http://blogs.securiteam.com
    http://blog.isc2.org/
    http://dharley.wordpress.com
    http://macvirus.com

    Unnamed App Facebook Hoax/Scam

    Flagged by Peter Kruse on a specialist list.

    A hoax is circulating on Facebook, warning about a virus that is supposed to add an “Unnamed App” to the FB tabs.

    SEO actually drives the incautious Googler towards fake AV.

    I blogged this at some length at ESET, so I won’t repeat it all here.

    http://www.eset.com/threat-center/blog/2010/01/27/unnamed-app-facebook-hoax

    David Harley FBCS CITP CISSP
    Chief Operations Officer, AVIEN
    Director of Malware Intelligence, ESET

    Also blogging at:
    http://www.eset.com/threat-center/blog
    http://smallbluegreenblog.wordpress.com/
    http://blogs.securiteam.com
    http://blog.isc2.org/
    http://dharley.wordpress.com

    Haiti-Related Resources

    Help resources, mostly: blogged at http://www.eset.com/threat-center/blog/2010/01/14/haiti-help-resources because there was an issue re security blogging in general to which I wanted to add my 2 cents.

    If you have additional resources you’d like to see added, mail me at dharley [at] eset.com. Here are the resources listed in the blog above right now (I’ve been updating them as I’ve seen them come in.)

    That first resource includes a long list of contact information for legitimate organizations working in or for Haiti. It also includes some recommendations from the FBI via MSNBC for avoiding being scammed or worse by bad actors.

    Update: Tom Kelchner includes some resources for self-protection in the modestly entitled blog at http://sunbeltblog.blogspot.com/2010/01/best-advice-on-avoiding-haitian-relief.html.

    The ESET blog has also been updated to include those and other resources.

    David Harley FBCS CITP CISSP
    Chief Operations Officer, AVIEN
    Director of Malware Intelligence, ESET

    Belated millennium bugs revisited.

    In view of interest elsewhere, I revised and added some links at:
    http://www.eset.com/threat-center/blog/2010/01/06/millennium-falcon-crash-burn-revisited

    David Harley FBCS CITP CISSP
    Chief Operations Officer, AVIEN
    Director of Malware Intelligence, ESET

    The Register: “Welcome to the out-of-control decade”

    A disquieting article by Rik Myslewski that strikes some deep chords with me. :-/

    “Waiting in the wings are corporate entities eager to exploit your personal information, and government agencies watching your every step.”

    http://www.theregister.co.uk/2009/12/31/the_out_of_control_decade/

    The issue of government monitoring spends a lot of time under the spotlight, of course, and so it should. (Craig Johnston and I considered some of the law-enforcement issues in an AVAR paper this year, but there’s much more to it than that, obviously.)

    http://www.eset.com/download/whitepapers/Please_Police_Me.pdf

    But I’m seriously concerned about the consequences of the increasing amount of personal data (good, bad, and purely mythical) available to anyone with a browser (or even a USB port). It’s an issue I’ve had occasion to think about several times recently, and I expect to return to it a lot more in the coming months. For instance:

    http://www.eset.com/threat-center/blog/2009/12/14/que-sera-sera-%e2%80%93-a-buffet-of-predications-for-2010

    http://www.eset.com/threat-center/blog/2009/12/14/your-data-and-your-credit-card

    http://www.eset.com/threat-center/blog/2009/12/12/the-internet-book-of-the-dead

    http://www.eset.com/threat-center/blog/2009/06/09/data-protection-not-a-priority

    Also, this quote from the ESET Global Threat Trends report for December: “Criminals and legitimate businesses will mine data from a widening range of resources, exploiting interoperability between social networking providers. Sharing of data in the private sector will be an increasing threat until the need is accepted for more data protection regulation on similar lines to that seen in the public sector, especially in Europe.”

    David Harley FBCS CITP CISSP
    Chief Operations Officer, AVIEN
    Director of Malware Intelligence, ESET

    Top Ten Trite Security Blog Predictions

    I started to blog this here, but decided it would be more annoying elsewhere. Tee-hee…

    http://preview.tinyurl.com/yfg4xcq

    David Harley FBCS CITP CISSP
    Chief Operations Officer, AVIEN
    Director of Malware Intelligence, ESET

    Also blogging at:
    http://www.eset.com/threat-center/blog
    http://dharley.wordpress.com/
    http://blogs.securiteam.com
    http://blog.isc2.org/

     

    Paypal phishing its own users

    Well, not really. But they seem to think they are.

    Randy Abrams makes a serious point about user grooming and misleading autoresponses at

    http://www.eset.com/threat-center/blog/2009/12/03/paypal-admits-to-phishing-users.

    David Harley FBCS CITP CISSP
    Chief Operations Officer, AVIEN
    Director of Malware Intelligence, ESET
