New Ransomware Threat Emerges

A massive botnet is sending emails containing ransomware that could destroy your computer.

You probably know from prior articles that ransomware is the #1 digital threat in the world. The FBI estimates that nearly $1 billion was paid by victims of these attacks in 2016 alone. Now, millions of computers are at risk of being infected with a new ransomware strain. The threat is being spread in a super clever way that is easy to fall victim to. That is why you need to know what to look for to prevent this threat.

It starts with a phishing email

The latest ransomware attack, dubbed Scarab, is being distributed by the Necurs botnet through phishing emails. Scarab first appeared this summer but was recently updated to block users from using third-party recovery tools. This attack is spreading extremely fast. Within the first six hours of being launched, over 12.5 million malicious emails were sent to unsuspecting victims.

The phishing emails supposedly contain a scanned document that the recipient will want to look at. The “document” is actually a zip attachment that contains a VBScript downloader. If the attachment is clicked, it will infect your computer, phone or tablet with ransomware.

People from all over the world started receiving these malicious emails on November 23rd. The email subject line says the document was scanned from trusted printer companies like:

• Scanned from Lexmark

• Scanned from Epson

• Scanned from HP

• Scanned from Canon

Once your computer is infected, a ransom note appears. It begins with, “If you want to get all your files back, please read this.” The note goes on to demand payment. In a strange twist, the scammers do not have a set ransom. Instead, the note says, “the price depends on how fast you write to us.”

The best way to avoid this ransomware attack is knowing how to spot a phishing email and not clicking the malicious attachment.
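A mail-filter check for the lure described above, as an added example that is not part of the original article: it flags the "Scanned from ..." subjects and any zip attachment that contains a script file. The extension list, the three verdict names and the sample messages are assumptions constructed for the illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lure listed above: "Scanned from <printer brand>".
SUBJECT_RE = re.compile(r"^\s*Scanned from (Lexmark|Epson|HP|Canon)\b", re.I)
# Assumed list of extensions that Windows Script Host runs on double-click.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
ZIP_MAGIC = b"PK\x03\x04"
LEVELS = ["deliver", "review", "quarantine"]


def scripts_in_zip(data):
    """Names of script files inside a zip; None if the archive is unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return None


def triage(raw_message):
    """Classify one raw message as deliver, review or quarantine."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    severity, reasons = 0, []
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        severity = max(severity, 1)
        reasons.append("subject uses the 'Scanned from <printer>' lure")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Trust the magic bytes, not the filename or the declared MIME type.
        if not data.startswith(ZIP_MAGIC):
            continue
        found = scripts_in_zip(data)
        if found is None:
            severity = max(severity, 1)
            reasons.append("attachment looks like a zip but cannot be read")
        elif found:
            severity = 2
            reasons.append("zip contains script file(s): " + ", ".join(found))
    return {"verdict": LEVELS[severity], "reasons": reasons}


def build_sample(subject, member_name):
    """Constructed test message: one zip attachment holding one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "' constructed placeholder, not a downloader\n")
    msg = EmailMessage()
    msg["From"] = "copier@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached scan.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan_0001.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for subject, member in [("Scanned from HP", "scan_0001.vbs"),
                            ("Scanned from Canon", "scan_0001.pdf"),
                            ("Lunch on Friday", "menu.txt")]:
        print(subject, "->", triage(build_sample(subject, member)))
```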

New Windows Troubleshooting Scam Emerges

Just in time for the holidays, a new PC scam is making the rounds that tries to trick you into turning over your hard-earned cash.

“Windows Troubleshooting” is a nasty new scam distributed as a cracked software installer. It displays a fake BSOD, or Blue Screen of Death, on the infected machine and then shows a “Troubleshooting Windows” pop-up that looks like the legitimate Windows Troubleshooter.

The Troubleshooting scam was first detected by Pieter Arntz, a security researcher from Malwarebytes, who said that tech support scammers use different distribution techniques. This particular one was offered as a cracked software installer.

Once installed, the scam says that your Windows cannot be fixed, prevents you from using Windows, and encourages you to buy a program using PayPal to fix the “detected problems” and unlock the screen.

The option of “Buy Windows Defender Essentials” will open a PayPal page to let you purchase the app for $25. The funds will be transferred to the PayPal address “lillysoft.it@gmail.com” using the following URL: “https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=DXKLEMZTGTTDY”

After a successful payment, victims will be redirected to “hitechnovation.com/thankyou.txt”, which includes the word “thankuhitechnovation” that tells the program to open a new screen that pretends to fix the issues and enables the victim to close the program.

How to remove it?

To remove this scam, you should first bypass the lock screen. The malware uses an easily broken mechanism to verify whether a victim has made a payment, so you can work around it by following these steps:

– Open the fake PayPal purchase screen.
– Press Ctrl + O on the keyboard to launch the Open dialog box.
– Type http://hitechnovation.com/thankyou.txt into the Open box and press Enter.

That’s all. You should be able to close the window and access your Windows because the program will think the user paid and shut itself down.

Avoid These Holiday Scams

The holiday season is a time for shopping, giving and family festivities. It’s also a time for heightened vigilance about cyber crime and fraud. Scammers and cyber thieves come up with new ways to steal your money, data and identity every year, and many of these schemes are rampant during the holidays.
The holidays are here and that means many of us will be shopping online. Do not let a cyber grinch ruin your holidays.

Here are five common holiday scams and tips on how to avoid them:

1. Online shopping scams: Online shoppers hunting for Black Friday bargains or Cyber Monday deals be warned: Fraudulent shopping websites abound, advertising unusually deep price cuts or exclusive offers meant to lure you into providing your personal or financial information or clicking on malicious links that can infect your computer.

How to stay safe: Remember, if an offer seems too good to be true, it likely is. Jamie Howard, Deputy Head of Fraud Risk Management and Investigations, UBS, says it’s best to shop only with reputable retailers and only transact on secure websites with “https” in the URL. Also be sure to have the latest anti-virus software running on your device.

2. Malicious e-mail links: From bogus e-cards to malware-laden advertisements, e-mail scams are a major problem during the holidays. Phishing schemes involving package-delivery notices are especially prevalent. An e-mail, purporting to be from the U.S. Postal Service or a common carrier delivery service, instructs customers to click on a link that promises a shipping-status update but instead unleashes a virus or other malware on their device that could end up stealing usernames, passwords and other private information.

How to stay safe: Segriff advises that unless you know the sender, “never click on a link in an e-mail, and never open attachments.” Also, never send personal or financial information by e-mail. “If anyone asks you for that, it’s a red flag.”

3. Wi-Fi hotspot risks: Think twice about using the unsecured Wi-Fi in an airport, hotel or other public space to order that last-minute gift from your laptop, tablet or smartphone. Mobile devices make it convenient for us to shop almost anywhere at any time, but they also make it easier for crooks to carry out a wide variety of cyber schemes—from phishing to “evil twin” hacks that use bogus Wi-Fi signals to access your device and plunder your data.

How to stay safe: Keep in mind, the information you transmit or receive on unsecured wireless networks may be accessible to other users on the network. Avoid using unsecured networks in general—and never use them to send or receive personal or financial information. Consider using your own secured personal hotspot instead.

4. Gift card scams: One common scam this time of year involves a victim receiving a threatening call or voicemail saying that a family member needs help to pay for an emergency need or will soon be arrested for some kind of crime unless a fine is paid immediately. The victim is then told to make the payment with gift cards and provide the imposter with the codes to redeem and use them. “Fraud seeks to exploit one emotion or another—this one being love and trust,” Howard says. “Criminals prey on that sense of family support during the holidays.”

How to stay safe: Note that no legitimate government entity, bank, attorney or bail bondsman should ask for payment via pre-paid gift cards. If you receive one of these calls and find it suspicious, never provide your personal or financial information. The best thing to do is simple: hang up.

5. Charity fraud: Many of us open our hearts and our wallets to those in need during the holidays. But beware of fraudsters who may contact you by phone or mail seeking to exploit your good intentions. “There are criminal enterprises masquerading as charitable organizations to get people’s money,” Howard says. Such scams are likely to pick up this year in the aftermath of Hurricanes Harvey, Irma and Maria and the California wildfires.

How to stay safe: Learn to recognize the warning signs of charity scams, and only donate to charities you know and trust. Ratings on Charity Navigator’s website can help you find trustworthy charitable organizations. The IRS also has an online tool that lets users search for legitimate charities to which donations may be tax-deductible.

Apple Resolves Recent ‘Root’ Problem

Apple has just released a security update for macOS High Sierra and you should update right now (Apple will automatically push the security patch later today). This update fixes yesterday’s very concerning vulnerability that let anyone log into your Mac without your password.

In order to install the update, open the Mac App Store and click on the “Updates” tab. Interestingly, the release notes say “install this update as soon as possible.” Apple has worked long hours to fix yesterday’s flaw as soon as possible. But it shouldn’t have happened in the first place.

The security flaw affected all Macs running the latest version of High Sierra (at least version 10.13.1 — 17B48). On the login screen or in the preference panel, you could bypass all security screens by entering the root username and no password. Multiple persons at TechCrunch tested the flaw and could replicate it effortlessly. After that, you can see everything on the computer even if it’s not yours. It even works with a screen sharing session. For hackers, it’s a great way to access your emails, personal data and more.

The patch release notes are quite short. “A logic error existed in the validation of credentials. This was addressed with improved credential validation,” Apple says.

Apple will automatically roll out the update later today for everyone who is affected.

MAC’s New Root Problem

The username is the “root” of all problems for Apple’s latest operating system.

It turns out you don’t need a password to log in to a locked Apple device using MacOS High Sierra — just the username “root.”

By heading to your device’s System Preferences, under Users & Groups, you can click on the lock and get hit with a prompt asking for a username and password to change settings. Then, instead of entering a password, you can type in “root” for the username and leave the password field empty.

After clicking unlock several times, it should eventually open up, no passwords necessary.

The simple exploit means anybody with physical access to your MacOS High Sierra device can log in on your computer, no matter how secure your passwords are.

The bug works for every aspect of the OS that would normally require a password, which means someone could also get access to your Keychain, containing all your passwords.

MacOS High Sierra was also plagued with a password issue when it launched, after a former NSA hacker showed that he could extract sensitive data from Keychain using an app downloaded online.

There’s a workaround for the “root” flaw until Apple fixes it. You can turn guest users off, or change the root password from your directory utility.

Another recommendation is creating the username “root” and setting a password to solve the blatant issue.

Protecting Your Information This Holiday Season

It’s the holiday season – which means it’s time to also take extra care when shopping online.

According to the National Retail Federation, 59 percent of consumers will make online purchases, up from 56.5 percent in 2016. With credit card numbers flying through cyberspace, make sure you take steps to protect your security if you plan to shop online this year.

The following tips can keep an online Grinch from ruining your holiday cheer.

  1. Verify the company and website. One of the most important first steps you can take is to make sure you’re actually making a purchase from a legitimate business. Independent websites like Biz Rate will let you read what other consumers have to say about a business. The Better Business Bureau Online offers consumers a list of safe shopping sites. When in doubt, go with a reputable company you already know and trust.
  2. Look for signs of security. When it’s time to input your payment information, look for an “s” after “http” in the website address, ensuring your data is encrypted as it is transmitted. Also look for a tiny closed padlock in the address bar or on the lower right corner of the window. As an added security measure, update your website browser. The most recent versions of website browsers are typically the most secure.
  3. Be skeptical. We’re all looking for a bargain, but approach a deal that seems too good to be true with caution. Submitting your information to an unknown company to purchase a new computer for $25 could be risky. Paying the higher price through a trusted vendor may be the difference between a secure purchase and a compromised credit card number.
  4. Pay with plastic. Yes, financial planners often tell you not to run up your credit card bill, and that still holds, but using your credit card for online purchases offers you some protection that debit cards may not. If there are any problems, you can work with your credit card company to file and resolve a dispute. Incidentally, many credit cards offer protection or insurance on purchases. In lieu of using plastic, many retailers will allow you to use a third-party payment service, such as PayPal, which guarantees your purchase.
  5. Safeguard your Password. It’s time to get a little more sophisticated with your choice of passwords; and “abcd123” isn’t going to cut it. Today’s hackers are smart and determined. Get creative and use a combination of letters, numbers and symbols. For example, if you want to make your password memorable and use a pet’s name, you could try “$p0tTheD0g” or something similar.
  6. Check it out. When your credit card statement arrives, go over every detail, making certain all of the purchases are yours. If you question a line item, call the credit card company immediately. Don’t forget to check a store’s online purchase policy as well, should you need to exchange or return an item.

Happy online shopping this year – and stay safe.

Weaponized Email

Nearly all of the popular domains are inadequately protected from “weaponized” email impersonation by hackers, formerly known as spear phishing.

One out of every five emails today appears to come from a suspicious sender who’s not authorized to use the sending domain. It has also been found that only 0.5 percent of the top million domains use adequate authentication strategies to protect against email impersonation, even though most systems support stronger defenses.

Better email authentication defenses could help the typical company save $8.1 million each year in costs related to cybercrime.

These findings come on the heels of a report released last week from Google and the University of California-Berkeley that identified phishing as the greatest threat to people’s online identities.

‘Vast Majority’ of Businesses are Vulnerable

DMARC (domain-based message authentication, reporting, and conformance) is an email security system designed to protect against malicious actors sending unauthorized emails that appear to come from legitimate domains. The DMARC system enables administrators to set policies that validate the “From:” content in email headers comes from legitimate senders at those domains.

“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” ValiMail co-founder and CEO Alexander García-Tobar said in a statement. “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes. The only sustainable solution is for companies to take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks.”

Of organizations that use DMARC to validate their emails, 77 percent have either misconfigured the system or set policies that are too permissive, the ValiMail study found. In fact, only 15 percent to 25 percent of companies in various industries have properly implemented and maintained DMARC protections, the study noted.
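A checker for the kind of misconfigured or overly permissive DMARC records described above, as an added example that is not from the ValiMail study or the original article. It grades the TXT strings published at `_dmarc.<domain>` without doing any DNS lookup; the "enforcing" and "permissive" grades and the sample records in the comments are assumptions of this example.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
VERSION_RE = re.compile(r"^\s*v\s*=\s*DMARC1\s*(;|$)")


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; raise ValueError if malformed."""
    tags = {}
    for field in record.split(";"):
        if not field.strip():
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {field.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def invalid(reason):
    return {"status": "invalid", "issues": [reason]}


def assess(txt_records):
    """Grade the TXT records found at _dmarc.<domain> (list of strings)."""
    dmarc = [r for r in txt_records if VERSION_RE.match(r)]
    if not dmarc:
        return {"status": "missing", "issues": ["no v=DMARC1 record published"]}
    if len(dmarc) > 1:
        # Receivers stop policy discovery when more than one record exists.
        return invalid("multiple DMARC records published")
    try:
        tags = parse_tags(dmarc[0])
    except ValueError as exc:
        return invalid(str(exc))

    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return invalid(f"p={policy or '(absent)'} is not none/quarantine/reject")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if sub_policy not in POLICIES:
        return invalid(f"sp={sub_policy} is not none/quarantine/reject")
    pct_text = tags.get("pct", "100")  # pct defaults to 100
    if not pct_text.isdigit() or int(pct_text) > 100:
        return invalid(f"pct={pct_text} is not an integer from 0 to 100")
    pct = int(pct_text)

    issues = []
    if policy == "none":
        issues.append("p=none only monitors; failing mail is still delivered")
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only part of failing mail")
    if policy != "none" and sub_policy == "none":
        issues.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports arrive")
    enforcing = policy != "none" and sub_policy != "none" and pct == 100
    return {"status": "enforcing" if enforcing else "permissive", "issues": issues}


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = [
        ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
        ["v=DMARC1; p=quarantine; pct=20"],
        ["v=spf1 -all"],
    ]
    for records in samples:
        print(records, "->", assess(records))
```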

‘Alarming Lack of Understanding’

Close to 100,000 phishing email campaigns were reported every month in the early part of this year, according to the Anti-Phishing Working Group, an international coalition of businesses, government organizations, and law-enforcement agencies. Several hundred companies see phishing attacks every few weeks, with businesses in the payment, financial services, and Webmail sectors the most vulnerable, the group said.

The year-long study by Google and the University of California-Berkeley released last week found that phishing poses the top threat against people whose online identities were exposed by Internet data breaches. Google said it has taken several steps in response to boost its authentication systems to defend against phishing.

The new research released today “demonstrates the volume of email fraud threats faced by companies today and highlights the alarming lack of understanding of how to combat these threats,” the Global Cyber Alliance’s Shehzad Mirza said in ValiMail’s statement. “These findings highlight that a lack of email authentication is the most prevalent security vulnerability companies face.”

Late last month, the U.S. Department of Homeland Security issued a directive requiring all federal agencies to begin implementing stronger email security defenses, including DMARC, within 90 days. The move is aimed at preventing federal emails and Web sites from spoofing and impersonation by hackers.

DMARC usage by federal agencies has grown since 2016, although only 38 percent had established adequate record policies as of October, according to the Online Trust Alliance. The ValiMail study noted that DMARC protection is available to most domains.

“Over three-fourths (76 percent) of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if those policies exist,” the report noted.

Understanding Two-Factor Authentication

If you aren’t using two-factor authentication yet, you’re way behind and leaving your accounts vulnerable to hackers and phishers. In fact, you have probably been exposed to two-factor authentication without even realizing it. If you ever forgot a password and were sent a text message with a code, or if you were required to answer security questions, you have already used two-factor authentication.

Passwords today are simply not secure enough, especially when considering your personal and financial security.

There are several types of two-factor authentication security. Also, not all two-factor authentication methods are equal. Some are safer and more secure than others. Here’s a look at the most common methods and which ones best meet your individual needs.

Two-Factor Authentication vs. Two-Step Authentication

Before diving in, let’s take a quick moment to clear up some confusion between two-factor authentication and two-step authentication. They’re similar, but not quite the same — one’s a square, the other a rectangle.

Two-factor authentication is when you protect an account with two factors. A factor is either “something you know” (e.g. password), “something you have” (e.g. phone), or “something you are” (e.g. fingerprint). To truly be protected by two-factor authentication, your account must require two locks of different factors before granting access.

If an account is protected by two locks of the same factor, then it falls under two-step authentication (or two-phase authentication). For example, a password and a security question are both “something you know,” making authentication two-step but not two-factor. Though this can still provide adequate protection, two-factor authentication is preferable.

Just as a square is a rectangle but a rectangle isn’t a square, two-factor authentication is a type of two-step authentication but not the other way around.

Method 1: Security Questions

What is it?
When creating an account, you choose one or more security questions and set answers for each one. When logging into that account, you have to provide the right answer to each question to validate that you have rightful access.

The Pros
Security questions are extremely easy to set up. Most of the time, the service provides a dropdown menu of questions — all you have to do is pick one and give the answer. You don’t need any other equipment, devices, etc. The answer is just stored in your head.

The Cons
Many security question answers can be found in public records (e.g. your father’s middle name) or socially engineered (e.g. phishing emails or phone calls). To get around this, you can make your answer gibberish and effectively make it a second password — but be careful that you don’t lose it or forget it!

Method 2: SMS Messages

What is it?
When creating an account, you provide your mobile phone number. Whenever you want to log in, the service sends you an SMS message with a verification code that expires (usually after 15 minutes). You have to input that number to complete the logging in process.

The Pros
SMS messages are extremely convenient. These days, pretty much everyone has an SMS-capable device and can receive SMS messages free of charge. Usually the messages arrive instantly, but even when they don’t it rarely takes more than a few minutes. If you ever lose your device, you can transfer your phone number so you’ll never be permanently locked out.

The Cons
You have to trust the service enough to share your phone number. Some disreputable services may use your number for advertising, or sell it off for monetary gain. And since phone numbers aren’t actually tied to devices, hackers can actually circumvent SMS-based authentication without ever touching your phone (though it isn’t easy).

Method 3: Time-Based One-Time Passwords

What is it?
When you create an account, you’re assigned a “secret key.” After installing a code-generating app (like Google Authenticator or its alternatives), you scan a QR code to load the secret key into the app. It then generates one-time passwords every so often (e.g. 30 seconds) using the secret key as a seed, and you need these one-time passwords to log in.

The Pros
The codes are generated based on a mixture of the secret key and the current time, which means you can get valid codes on your device even when you have no reception and/or no mobile service. And since the secret key is stored on the device itself, it can’t get intercepted or redirected (such as through a phone number takeover).

The Cons
You will be unable to log in if your device runs out of battery or dies altogether. Sometimes internal clocks can desync between device and service, which results in invalid codes. These are two reasons why printing backup codes is essential.

If a hacker somehow clones your secret key, then they can generate their own valid codes at will. And if the service doesn’t limit login attempts, hackers may still be able to compromise your account through sheer brute force.
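How the codes are derived from the secret key and the clock, and how a service can tolerate the clock desync mentioned above, as an added example that is not part of the original article. It follows the standard TOTP construction (RFC 6238, HMAC-SHA1, 30-second steps) and uses that RFC's published test key; the `verify` helper and its one-step tolerance window are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded the way
# a QR code would carry it. Never use a published key for a real account.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at_time, step=30, digits=6):
    """One-time password for the time step that contains at_time (Unix seconds)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, server_time, window=1, step=30, digits=6):
    """Accept a code from the current step or up to `window` steps either side.

    A small window absorbs clock drift between device and service; a large
    one gives an attacker more valid codes to guess at any moment.
    """
    matched = False
    for drift in range(-window, window + 1):
        t = server_time + drift * step
        if t < 0:
            continue
        expected = totp(secret_b32, t, step, digits)
        # Constant-time comparison; keep looping so timing does not leak a match.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = True
    return matched


if __name__ == "__main__":
    device_code = totp(SECRET_B32, 59)          # device clock reads t=59
    print("code shown on device:", device_code)
    print("server 30 s ahead, window=1:", verify(SECRET_B32, device_code, 89))
    print("server 30 s ahead, window=0:", verify(SECRET_B32, device_code, 89, window=0))
    print("server 60 s ahead, window=1:", verify(SECRET_B32, device_code, 119))
```

A real service would also rate-limit attempts per account and reject a code that has already been used, which addresses the brute-force concern above.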

Method 4: U2F Keys

What is it?
Universal 2nd Factor (U2F) is an open standard that’s used with USB devices, NFC devices, and smart cards. In order to authenticate, you simply plug it in (for USB keys), bump it (for NFC devices), or swipe it (for smart cards).

The Pros
A U2F key is a true physical factor. Unlike SMS codes, they can’t be intercepted or redirected. And unlike most two-factor methods, U2F keys are phishing-proof because they’re only registered to work with sites you’ve registered. It’s one of the most secure 2FA methods currently available.

The Cons
Because U2F is a relatively new technology, it isn’t yet widely supported. For example, as of this writing, NFC keys only work with Android mobile devices whereas USB keys mainly work with the Chrome browser (Firefox is working on it). U2F keys also cost money, often between $10-$20 but could go higher depending on how rugged you want it to be.

Method 5: Face, Voice, Fingerprint

What is it?
Facial recognition, voice recognition, and fingerprint scans all fall under the category of biometrics. Systems use biometric authentication when it’s imperative that you really are who you say you are, often in areas that require security clearance (e.g. the government).

The Pros
Biometrics are extremely difficult to hack. Even a fingerprint, which is arguably the easiest to copy, requires some kind of physical interaction. Voice recognition would need some kind of statement said in your voice, and facial recognition would need something as drastic as plastic surgery. It isn’t unbreakable, but pretty close.

The Cons
The biggest downside, and the reason why biometrics are rarely used as a two-factor method, is that a compromised biometric is compromised for life. Plus, how comfortable would you feel giving up your face, voice, or fingerprints? Would you trust them to be kept safe? Most wouldn’t.

Which Two-Factor Authentication Method Is Best?

Well, it depends on what you value most:

  • For balance, time-based one-time passwords are the best. You just have to be careful about keeping backup codes in case you lose or break your device.
  • For privacy, U2F keys are the best. They can’t be used to track you and you don’t have to give up any personal information to use them. But they cost money.
  • For convenience, SMS messages are the best. Yes, they can be intercepted or redirected, and yes, they fail with bad reception, but they’re quick, easy, and secure enough.

If given the choice, don’t ever rely on security questions as a two-factor method. If you have no other option, then prefer to use it as a second password. Don’t ever answer the question directly, especially if the answer isn’t something that only you know.

Google Battles Tricky Redirect Pages

Did you ever wonder how you got tricked into opening a rogue webpage? If you have experienced this – you are not alone. This is a big problem because this nasty trick can land you on a webpage that can install viruses, trojan horses and more.

The good news is that Google is taking some action to help stop this.

Google is rolling out new security features for Chrome which will make it harder for third-party ads to subvert pop-up blockers or disguise links within a site.

On its Chromium blog, Google admits to getting lots of user feedback saying that sites will randomly redirect to other pages — one in five feedback reports relate to seeing unwanted content. Some pages do it automatically, while others have transparent overlays or deceptive buttons.

Another nifty trick is to change the page you’re currently on to the ad, while opening the link you’re trying to access in another tab. Google calls this “effectively a circumvention” of the pop-up blocker.

Starting in January, Chrome will block these kinds of redirects. Site owners can today access an Abusive Experiences Report which will allow them to see if their site has problems like these. If they do, and the site’s content is not fixed within 30 days, the site won’t be able to open new pages or trigger redirects.

This could be part of Google’s campaign against malicious ads, which it’s been working on since earlier this year. The company has also said advertisers have until next year to clean up their ads or they won’t appear to Chrome users at all.

 

Netflix Phishing Scam Emerges

There’s a new Netflix phishing email doing the rounds, and this one seems particularly well put-together. The email implies your account will be suspended unless you act fast, but the intention, as always with these kinds of emails, is to get hold of your credit card information.

Netflix has over 100 million subscribers at this point. All of whom will have some form of credit or debit card information on file. This makes Netflix users a prime target for phishing emails, with hackers safe in the knowledge they’ll be able to fool someone, somewhere into clicking.

Phishing for Netflix Account Information

The latest attempt at tricking innocent Netflix users, as first noticed by MailGuard, is rather more sophisticated than most. It claims your account is due to be suspended because Netflix hasn’t been able to verify your billing information. But you can fix it by clicking on the links provided.

The email is personalized, uses the official Netflix logo, and includes links to the Netflix Help center and contact page, as well as the option to “Restart Membership”. Except it doesn’t really. Instead, the links all lead to a fake Netflix website designed to nab your payment information.

Most of us would see through this quickly and act accordingly. However, the urgency included in the email means some older or less tech-savvy people could easily get fooled into giving away their payment information. So please be sure to pass this warning onto other Netflix users.

To its credit, Netflix issued a statement saying,

“We take the security of our members’ accounts seriously and Netflix employs numerous proactive measures to detect fraudulent activity to keep the Netflix service and our members’ accounts secure. Unfortunately, scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information.”

Avoid Clicking on Links in Emails

This isn’t the first Netflix email scam and it won’t be the last. The best advice to stave off all phishing attempts, Netflix or otherwise, is to avoid clicking on any links in emails. Instead, open your web browser and go directly to the official website to see what, if anything, is up.
