Tag Archives: The Register

Tech Support Scammers Target BT Customers

Well, this isn’t the first time. But a report by Kat Hall for The Register suggests that some of the scammers may have more information about potential victims than they should. Which makes me wonder whether there’s a leak similar to that affecting TalkTalk customers. I’ve certainly been contacted in the past by BT sales people who were clearly not based in the UK.

I don’t know whether there’s been such a leak at BT, of course. However, it’s not unknown for people working in legitimate support to be also implicated in some way in support scamming, whether by leaking data or by working in a call centre that encourages scam calling as well as offering legit support for legit organizations. And it’s hard to police that kind of activity.

That article by Kat Hall: Indian call centre scammers are targeting BT customers – In some cases fraudsters knew their mark’s personal details

David Harley

Tech support scams – FTC offers money back…

…well, there’s no foolproof way of doing that (getting your money back, that is), unfortunately. But Shaun Nichols reports for The Register that FTC ready to give back tech support scamming money to the bilked.

“Those who have been identified as eligible by the FTC will get an email from the commission with a PIN number that can be used to obtain the claim forms. In order to claim a share of the payout, consumers will have to fill out a claim before October 27.”

The article does, very sensibly, point out the risk that scammers will use the FTC’s initiative as a springboard for further scams. Unfortunately, I can’t predict exactly what form such scams will take, but I’d be surprised if they don’t happen…

The Federal Trade Commission’s own press release is here: FTC Announces Refund Process for Victims of Deceptive Tech Support Operation.

It states:

Eligible consumers bought tech support products and services between April 2012 and November 2014 from Advanced Tech Support, which also used the name Inbound Call Experts. Consumers will have until October 27, 2017 to submit a request for a refund.

David Harley

AV-Test Report: malware/threat statistics

AV-Test offers an interesting aggregation of 2016/2017 malware statistics in its Security Report here. Its observations on ransomware may be of particular interest to readers of this blog (how are you both?) The reports points out that:

There is no indication based on proliferation statistics that 2016 was also the “year of ransomware“. Comprising not even 1% of the overall share of malware for Windows, the blackmail Trojans appear to be more of a marginal phenomenon.

But as John Leyden remarks for The Register:

The mode of action and damage created by file-encrypting trojans makes them a much greater threat than implied by a consideration of the numbers…

Looking at the growth in malware for specific platforms, AV-Test notes a decrease in numbers for malware attacking Windows users. (Security vendors needn’t worry: there’s still plenty to go round…)

On the other hand, the report says of macOS malware that ‘With an increase rate of over 370% compared to the previous year, it is no exaggeration to speak of explosive growth.’ Of Android, it says that ‘the number of new threats … has doubled compared to the previous year.’

Of course, there’s much more in this 24-page report. To give you some idea of what, here’s the ToC:

  • The AV-TEST Security Report 2
  • WINDOWS Security Status 5
  • macOS Security Status 10
  • ANDROID Security Status 13
  • INTERNET THREATS Security Status 16
  • IoT Security Status 19
  • Test Statistics 22

David Harley

Ransomware Avalanche – WannaCryptor and Jaff

It probably hasn’t escaped your notice that there is a huge outbreak of ransomware affecting organizations pretty much worldwide. The main cause of upset is the malware ESET calls Win32/Filecoder.WannaCryptor.D (other security software is available…)

At the moment it’s unclear how much actual data has been affected, and how many systems have been shut down as a proactive measure. One thing that does seem clear is that systems that haven’t been patched against MS2017-010 are vulnerable to the  ‘externalblue’ exploit from the ShadowBroker NSA leak unless they have security software that blocks that exploit.

Being in the UK, I’m especially interested in the effect on the NHS, though I’m not in a position to tell you much about it. Here are a couple of links:

Some sources link this with Jaff, but the information I have doesn’t suggest a resemblance. ESET detects it as PDF/TrojanDropper.Agent.Q trojan – the sample I received came as an attachment called nm.pdf. Commentary by EMSISOFT. Commentary by The Register.

David Harley

Hitler Ransomware

For once, an article about Hitler that doesn’t invoke Godwin’s law

The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.

I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.

David Harley

 

Thermostat Hacking – a Hot Topic

At this year’s Def Con, Andrew Tierney and Ken Munro demonstrated how they created full-blown ransomware to take control of an unnamed brand of smart thermostat ‘and lock the user out until they paid up.’

  • Thermostat Ransomware: a lesson in IoT security. They observe that ‘Our intention was to draw attention to the poor state of security in many domestic IoT devices. Also to raise awareness in the security research community that it’s not all about software hacking. Hardware hacking is often an easier vector.’

  • Commentary by The Register: Thermostat ransomware

It’s not clear right now whether this is another aspect of the story noted by Security Week about Vulnerabilities Exposed Trane Thermostats to Remote Hacking, based on research by Jeff Kitson for Trustwave. But it sounds very similar.

David Harley

Ransomware: F-Secure looks at the ‘customer’ experience

Useful resources from F-Secure:

Commentary by The Register: Ransomware gang: How can I extort you today? Step 1. Improve customer service. Step 2.???? Step 3 PROFIT!!!

David Harley

If it’s encrypting, perhaps it’s ransomware

Researchers from the University of Florida and Villanova University suggest that ransomware can be mitigated by detecting its encrypting files early in the process:

CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data

A good idea, but some anti-malware programs already do something like this (i.e. flag programs that start encrypting files in bulk). But still a good idea. At The Register, Richard Chirgwin offers a round of applause:

Florida U boffins think they’ve defeated all – ransomware Crypto Drop looks for tell-tale signs that files are being encrypted

David Harley

Ranscam: paying up won’t get your files back

Whenever I think that the various criminals behind ransomware can’t sink any lower, someone comes along and proves me wrong.

Edmund Brumaghin and Warren Mercer in a post for Talos describe a particularly vicious example of ransomware they call Ranscam, which doesn’t bother to encrypt files. It claims that the files have been moved to a ‘hidden, encrypted partition’ , but in fact the malware simply deletes them, makes it difficult as possible to recover them, and then puts up a ransom demand. In fact, the criminals have no way of recovering the victim’s files: they just take the money, given the opportunity. As the authors put it:

Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy.

The Talos blog: When Paying Out Doesn’t Pay Off.

Commentary by John Leyden for The Register: Nukeware: New malware deletes files and zaps system settings – When you’ve paid up, but there’s nothing to unlock.

David Harley

 

Flash Player exploit -> Angler -> CryptXXX

John Leyden heralds a post apparently due to appear on the Malwarebytes site later today (25th May 2016) about a wave of malvertising exploiting the Flash Player exploit (CVE-2016-4117) recently addressed by Adobe in order to direct victims to the Angler exploit kit and launch infection with the CryptXXX ransomware.

I’m guessing that we’re talking about CryptXXX 3.0, which I wrote about earlier today: CryptXXX 3.0: gang breaks own decryptor.

Worth looking out for (the article and the malware).

[Added: Malwarebytes article now published as New Wave of Malvertising Leverages Latest Flash Exploit. Jerome Segura observes:

The ads are typically clean of any malware for anyone trying to manually verify them. The JavaScript code looks benign no matter how many times you refresh the page or rotate IP address. This is because the rogue version of the JavaScript is served conditionally, with the proper referer, user-agent, sometimes even your screen resolution, and several other parameters.

Very interesting.]

David Harley