Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction: It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Your Federal Tax Payment Has Not Been Rejected

It’s been more than a week since we started seeing spam email, supposedly sent by the EFTPS (Electronic Federal Tax Payment System, a division of the US Department of the Treasury), informing recipients in dire, bolded text that Your Federal Tax Payment ID: 01037513 has been rejected. I had hoped it would be a faded memory by now, but apparently it just won’t die.

Spam, ladies and gentlemen. It’s a lie, cooked up in a criminal’s troubled mind, with the goal of convincing significant numbers of people to click a link in the message. It’s a pretty contrived message, which also informs the recipient, in characteristic Spamglish, to “In other way forward information to your accountant adviser.” Apparently, whoever began the campaign needs a refresher in the history of recent Internet scams — this particular scam has been going on again, off again for four years.

Judging by the number of other people asking about this online, the campaign must have been massive. And like a squirrel harassing birds on a feeder, it’s not likely to go away anytime soon.

In this case, the link looks like it’s supposed to go directly to the EFTPS Web site, but the author of the spam simply hyperlinked the URL to point elsewhere. In the case of some of the samples we’ve seen, the messages link to a page on the domain freesite.org. That page contains a single line of HTML to redirect victims to yet another site, which has since been shut down.

So while the spam messages continue to percolate through the email networks, it’s a tiger with no teeth or claws anymore. If you clicked the link, only to end up on a blank page at eftpsid0353546.com — a domain hosted in Russia, on the same server as such esteemed Web sites as qualityhealthmall.com and fdadrugmall.com — rest assured, you’re probably safe, but need to practice the first two parts of Stop. Think. Connect.

Patchy Phisher Forces Firefox to Forego Forgetting Passwords

Every browser can, at the user’s discretion, be set up to remember passwords. In general, Webroot advises most users not to set the browser to store login credentials, because they’re so easily extracted by password-stealing Trojans like Zbot. In Firefox, for example, you can click Tools, Options, then open the Security tab, and uncheck a box that tells the browser to remember passwords entered into Web forms. (The box is checked by default.)

But in the course of taking a more thorough look at a Trojan that came to our attention in July, we were surprised to see the Trojan modify a core Firefox file. Upon closer inspection, the Trojan patches a file named nsLoginManagerPrompter.js. The patch adds a few lines of code (displayed above), and comments out other portions of code that dictate whether Firefox prompts the user to save passwords when he or she logs into a secure site.

Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password. After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user.

Five Reasons You Should Always “Stop. Think. Connect.”

Today’s the official kickoff for National Cyber Security Awareness Month, and the organizations supporting the event, including the National Cyber Security Alliance, the Anti-Phishing Working Group, and dozens of corporate citizens including Webroot, want you to protect your computer and your personal information. So they’ve come up with a three word campaign slogan they hope will become conventional wisdom for every Internet user: Stop. Think. Connect. Think of it as the 21st century equivalent of looking both ways before crossing the street.

In my case, they’re preaching to the choir. For years, I’ve advocated that people treat everything they see online critically, and scrutinize information before acting on it. That’s because the army of criminals who commit fraud and theft over the Internet on a daily basis rely on you to not stop, not think, and to click links or open files immediately, without regard to the consequences of your actions. That’s how most people infect themselves. If you stop and think before you connect, you can prevent most of these infections yourself, simply by exercising a little restraint.

It’s hard to think of a major cybercrime outbreak over the past year that hasn’t relied, to some extent, on the naivete of its targets. Security professionals call these tricks “social engineering,” but that’s just a geeky term for criminal skullduggery that’s as common offline as online. The ruse almost always tries to invoke an adrenaline-fueled need for an immediate response — usually out of fear, greed, or panic — on the part of a victim. The victim ends up in a mental state where they are likely to make rash, impulsive decisions. And they do.

Putting the brakes on social engineering tricks usually takes all the steam out of them. To that end, I’d like to show you examples of five of the most common cyberscams that lead to the loss of personal information or sensitive data. Hopefully, if you know what to expect, you’ll simply walk away from the encounters unscathed.

Newsflash: HTML Spammers are Not So Bright

It’s been more than a week that we at Webroot, and countless others, have been getting floods of bogus messages with HTML attachments. I thought I’d give the curious readers of this blog a quick glance at one of the drive-by sites that load in the browser if you try to open the file.

As I’d mentioned previously, the HTML files themselves simply contain highly obfuscated Javascript (code that’s hard for humans to read but easy for machines to interpret). When you try to load those malicious scripts into a browser, the script instructs the browser to load a page from another Web site. In fact, the file I saw today goes to server 1, which bounces the browser to server 2, and then a script on server 2 loads more files from servers 3 & 4 in a full-screen iFrame.

In the end, what I saw looked like an update to what has become the “classic” Javascript fakealert. Unfortunately for the malware distributors, this so-called update is laughably obvious. These are clearly not the sharpest tacks in the box.

It all starts with a warning popup which reads:

There is a big chance that your computer is infected! They can cause data loss and file damages and need to be fixed as soon as possible. Return to Microsoft Security Assessment Tool and download it to guard your PC.

Wow, really? How big is the chance? Is this more like a scratch-off lottery ticket level of chance, or is it closer to a look under the bottle cap to see if you win chance? What they don’t tell you is that your chance of becoming infected with an annoying rogue increases to about 100% if you continue down this well-worn path.

Civilization 5 Torrent Bonus: Uncivilized Malware

Bootlegged copies of Civilization 5, the highly anticipated, just-released real time strategy game, are already popping up in file sharing services. And, as we’ve come to expect, some of the pirated copies of the game come with that little something special — malicious components.

One of our Threat Research Analysts, who also happens to be an avid gamer, started looking for pirated copies of the game Friday morning and, within five minutes of looking, found Trojans in some of the torrents in circulation. I’ve chosen to focus on one of these files, not only because it was the first we saw, but also the most interesting. The Trojan, bundled in a torrent with the ISO image of the Civ 5 installation disc, is called ‘read me before burn.exe’ (MD5: 2f7ff2ecef4b5cf1c9679f79d9b72518).

On a typical Windows system, the file appears to be a text document, but only because it uses a file icon of a text document. With the file extension visible, however, it’s clearly an .exe with a mission.

Malicious HTML Mail Attachments Flood Inboxes

If you hadn’t already noticed, an ongoing spam campaign where someone is sending email messages with attached HTML files continues to be a problem. The current campaign appears to be a new wave of spam similar to the one I reported about in July.

The messages, which began arriving a week ago, have subject lines pulled from news headlines (“Cops kill shooter at Johns Hopkins Hospital,” “America’s Got Talent Judges Were They Shocked,” “Daniel Covington”) and with a financial angle (“Apartment for rent,” “Invoice for Floor replacement,” “credit card,” and the ever-popular “Shipping Notification”).

The messages themselves are brief, such as the one shown above, and encourage the recipient to open the attached file.

Several readers have already sent me messages complaining about the volume, and asking what to do about the spam. My answer is the same with these spam messages as with any other spam messages: Delete them, mark them as spam, or do whatever you can to train your email spam filter to learn and block those messages.

One thing you should not do is open the HTML file.

Epic Malware Dropper Makes No Attempt to Hide

In the world of first-person shooter games, getting the most headshots — hits on the opponent which instantly take the opponent’s avatar out of the game — is a prized goal. The headshot is the quickest way to dispatch a foe in virtually every shooter, which is why the file name of a malware sample, currently in circulation, stood out.

The file, yogetheadshot.php.exe (VT), is a dropper, a glorified bucket designed to tip over and spill other malware all over a PC. But where other droppers might leave behind a handful of payloads, this one utterly decimated a testbed PC with a malware headshot — an unusually overt infection that, defying conventional wisdom about malware infections, took no apparent effort to mask its behavior or remain low key.

The file, extracted from network traffic recorded while a test system got manhandled by a drive-by download site, was only one of several executable payloads that originated from the same domain hosting the drive-by.

But this sole dropper was more than capable of delivering the terminal blow to a middle aged Windows XP box. We first saw it appear on September 7th, but it has become more widespread since then.

(Update, 22 Sept.: Here’s a video that shows what happens on a system when someone executes this dropper. The dropper is near the upper-left corner of the screen. The rest of the screen is taken up with Process Explorer, which lets you see just how many payloads the dropper delivers.)

[vimeo 15167753]

New Rogue Is Actually Five Rogues in One

For years, the makers of those snake oil security programs we call Rogue Security Products have spent considerable effort making up new names, developing unique graphic design standards, and inventing backstories for their utterly useless, expensive scam products. Now a new rogue has taken this never ending shell game one step further, releasing a single program that calls itself one of five different names, depending on what button an unfortunate victim clicks in a highly deceptive dialog box. Let’s call it what it really is, though: A malicious play in five acts.

The rogue’s delivery method, or Act 1 in this melodrama, is no different from the many we’ve seen in the past 18 months which use a Javascript-enhanced Web page to convince viewers they’re watching a live malware scan on their computer. This trick is so hackneyed, it’s become the cybercrime equivalent of the dastardly villain in a silent movie tying the hapless woman to a railroad track, then twisting the ends of his mustache for dramatic effect. Does anyone still fall for this?

Only, this time the fakealert delivers a different payload: When the victim runs the rogue executable (named simply setup.exe), Act 2 begins. The rogue displays a dialog box that looks like an alert message issued by Microsoft Security Essentials, cautioning the victim that a legitimate Windows component present on most or all installations of Windows, such as iexplore.exe or cmd.exe, is actually a piece of malware.

The rogue helpfully offers to perform some sort of online scan, and that’s where it gets weird. The rogue pretends to scan the hard drive with 32 different antivirus engines, a-la VirusTotal. The vast majority of them are well known, at least in the security community. But five are new, and it’s those five that merit closer inspection.

Workplace Social Networking: More Like Antisocial Not-working

By Ian Moyse, EMEA Channel Director

Hardly a week goes by when the national press doesn’t carry a story about how social networks represent a threat to privacy or security, or both. These news stories aren’t wrong: Users of social networks face a raft of risks, ranging from malware attacks and identity theft, to cyberbullying, grooming from sexual predators or stalkers, viewing or posting inappropriate content, and the ever-present risk that you (or someone you work with) might end up with your foot (or is it your keyboard?) firmly in mouth.

Using social networks to give out too much information about yourself can also lead to some predictably poor outcomes. One Australian employee, fired from his job, had posted about skiving from work after a night of heavy drinking. A group of call center employees swapped brags about abusing customer information on Facebook and were fired. Is it hard to believe that the employer used the employees’ own Facebook posts as a virtual admission of guilt?

With Facebook adding over 400,000 users a day and LinkedIn 400,000 a week, social networks can no longer be ignored by employers, as employee misuse of social networks accelerates.

Cracked Trojan-Maker Infects Prospective Criminals

In what seems to be a trend in my September blog posts, the research team has run across a program meant for criminally-minded people which has a nasty surprise inside.

The program in question is called the ZombieM Bot Builder, which is used by the kind of upstanding citizens who spread Trojans in order to build up botnets — a collective of infected computers that can act as one entity. The creators of this program, an Argentinian group called Arhack, sell it for 180 euros. But don’t pull out your stolen credit cards just yet, because Arhack doesn’t take Visa: They sell this garbage exclusively via Western Union money transfer.

Well, someone has cracked both the earlier, 1.0 version of their bot generator and the latest, 2.0 version, and posted it online for other criminals — the cheap kind, who don’t have 180 euros to spare — to use. The cracked version lets you use all aspects of the program to generate bots and manage the botnet without the need for a customized username and password, which you would otherwise need in order to start up the program.

But there’s a hitch: Whenever you run the cracked version, it also installs Trojan-Backdoor-PoisonIvy, a different but equally nasty botnet Trojan. The backstabbing Trojan trifecta is in play.

Fake Flash Update Needs Flash to Work

If you live in the US, you may have played sports, barbequed, or enjoyed the last long weekend of the summer outside doing something fun outdoors. Unfortunately, that wasn’t an option here in Boulder, where a large wildfire generated a thick plume of smoke and ash. So, what’s a malware analyst to do indoors on a beautiful day with toxic smoke outside? Why, spend some quality time with Koobface, of course.

I took a closer look at the worm’s behavior and also noted that, since the Migdal keylogger site went dark for the Koobface crew, they’ve switched to using a new domain as the dead drop for credentials stolen by the Koobface password stealer payload: m24.in, the Web site of some sort of media company based in India. The behavior I saw by the keylogger was virtually identical to that used by the Migdal variant, reported in a previous post. The payload is even named m24.in.exe, just like the Migdal payload was named after the domain where it posted stolen passwords.

It’s been a while since the worm changed its primary method of infection: For nearly its entire existence, Koobface has spread by manipulating the social network accounts of infected users so it appears the user posted a link to a video. Of course, the worm does the posting in the name of the user, and the link points to a page which purports to be some sort of streaming video, but actually pushes the malware on anyone who visits.

And, in order to take on the appearance of a real online video, it uses Flash.

PHP Backdoor Has Another Backdoor Inside

Is there no honor among thieves anymore?

The other day I was looking at a remote access Trojan written in the PHP scripting language. The bot loads into memory on a victim’s computer when an unsuspecting user, for example, stumbles upon an iframe pointing to the PHP script embedded in a Web page. The code is nicely appointed with such desirable features as the ability to execute shell commands on the host server, send a flood of data packets at another computer, and scan remote computers.

Once loaded into a victim’s browser, the bot connects to, and is capable of executing commands issued by, a botnet server–until the victim reboots their computer. But for most users, that’s probably long enough. If an attacker can execute commands on an infected user’s computer, installing more Trojans is just child’s play.

But someone appears to have embedded a surprise into this PHP backdoor: It’s another backdoor within the backdoor.
