Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Security in the Rough

This week marks the 18th annual BlackHat USA conference where many of the world’s brightest security minds come together to discuss and showcase techniques capable of defeating and compromising a wide array of technologies. This year’s show arrives at a critical time in the world of online security and privacy, with near daily headlines of massive breaches and widespread critical vulnerabilities, all undermining the viability of mitigating today’s threats. All the while technology marches forward, integrating itself into new devices that will make up the future Internet of Things.

There were three headlines from the past few weeks which were especially concerning. The first was the discovery of the DYLD_PRINT_TO_FILE vulnerability affecting OS X Yosemite. What is so alarming about this vulnerability is that, with a single command, you are able to modify any file as a root user, including the sudoers file which stores usernames and passwords. This vulnerability is a perfect example of security oversight during the development process and how such an oversight can have a massive impact on security integrity. At least in this case, the exploit is specific to Yosemite and has been fixed in the latest OS X release.

The second alarming headline talked about 950 million Android phones being at risk of compromise by simply receiving a MMS. The exploit exists within a piece of code, called Stagefright, which is responsible for playing MMS messages. This vulnerable piece of code is part of all Android versions between 2.2 and 5.1, with an update needed to address the flaw. Unfortunately, it is very difficult to patch all devices as updates flow through network carriers at different speeds for different devices. While there are no current examples of this exploit being used in the wild, this won’t be the case for long; and the result of this vulnerability is that there will be millions of Android devices which are vulnerable to being remotely hacked.

The third, and most alarming, headline was for the recall of 1.4 million cars by Fiat Chrysler due to the demonstrated ability to remotely hack and control vehicles through the Uconnect infotainment system. What is so concerning about this hack is that so many critical systems could be controlled remotely. Everything from the wiper blades to the brakes to killing the engine. This begs the questions of, “Why does Uconnect need to have access to the brakes or engine?” It seems obvious that for basic security, these systems would be separated. However this hack demonstrated otherwise.

But as concerning as these headlines are, there is a silver lining. Unlike many headlines, these were all the result of security researchers who were looking to validate that proper security is in place. Thankfully in these cases, the researchers came forward to disclose their findings to improve security for everyone else. I cannot stress how important this type of behavior is to the viability of the future of security. The reality is that it is very difficult to design a bulletproof OS or application and that mistakes will be made. What is important is that when mistakes are discovered, that they are disclosed and addressed rather than sold on hacking forums to be used for malicious purposes. Some companies have done a great job in creating bug bounty programs to encourage the disclosure of vulnerabilities and I hope to see more of this in the future.

So back to BlackHat and why this year’s event is so timely and important. It is because BlackHat drives awareness and attention to the critical issues facing security from all angles. The conference also provides a common ground for collaboration and innovation that often finds its way into the products and technologies of the future.

As we move forward and embrace the Internet of Things, we must learn from our past mistakes and focus on ensuring we integrate the convenience technology has to offer without losing our privacy or security along the way.

10 Tips To Survive Black Hat 2015

Black Hat USA is next week, and with it will come some of the biggest hacker news of the year. From cars to mobile devices, all the way to the hotel HVAC, nothing is really out of the reach of the teams of white hat and black hat security researchers that are about to make their way to this conference. With that though will be the thousands of attendees outside those main groups looking to still get a bit of work done while at the conference. Well, we don’t want to encourage you avoiding it all together, but want to give you some tips to survive the event even with all your devices that you need. So below you will find 10 tips to survive Black Hat 2015. You are welcome to reuse them and share them with your team going, or even as reminders of the digital landscape and threats around.

Encryptor RaaS (Ransomware as a Service)

A new ransomware has emerged and its very similar to tox as it is created for hackers to easily design encrypting ransomware payloads to distrube from their botnets. Since the creator of Tox was selling his operation, this could very well be the end result of that. The idea is to contract hackers with already operational botnets and campaigns use this page to create encrypting ransomware binaries to their specifications and then hand off 20% of their succussful scams to the Encryptor RaaS author.

Creation page

All a hacker has to do with this page is just input the bitcoin wallet address they want the funds to go to. Then customize the price they want for immediate payment, late payment, and lastly a timer for what is considered a late payment.

Skip forward to infecting a victim and there is no GUI popup. Just all your documents are now encrypted and you have this new instructions text at every directory.

Typically you have to install a layered tor browser to get to here, but tor2web currently is supporting a gateway to the page even if you’re just using a normal browser like firefox or chrome. Here is what you’ll be presented with.

Instructions are fairly clear on how to install a bitcoin wallet and send money to the hackers holding your files ransom. If you wait too long then the price will go up – and is set by the generator we showed earlier. Once you have paid the ransom this page will update showing “PAYED” and will then have a link to the decryptor. The decryptor doesn’t have a GUI either and will just run in the background until all files are decrypted.

MD5 Analyzed: D87BA0BFCE1CDB17FD243B8B1D247E88
Additonal MD5 Analyzed: ECDACE57A6660D1BF75CD13CFEBEDAEE

Webroot will catch this specific variant in real time and heuristically before any encryption takes place. We’re always on the look out for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

Macs are immune to malware? Yet another Apple exploit…

Yesterday information was published online through www.theregister.co.uk discussing an exploit that was discovered in the Mac OSX 10.10 Yosemite operating system. The discovered exploit allows a user to gain root access on a machine without any admin credentials. The exploit uses an environment variable called DYLD_PRINT_TO_FILE that was added in the Yosemite operating system, and is used by the OS to specify where the dynamic linker logs error messages. It was discovered however that the environment variable can be used maliciously in order to modify files that are owned by the “root user” account. The bottom line is that with one basic line of code a malware author could easily do away with the password requirement for the user account being compromised, therefore giving them full reign on the system.

While this exploit has not yet been seen implemented into any new malware in the wild, it is important to be aware that such a huge vulnerability exists. As usual, Mac users should always exercise prudence when downloading and installing software onto their machines, as well as download a reliable internet security app. In addition, the exploit is not present in older versions of Mac OSX, such as Mavericks, and is not present on the 10.11 beta of El Capitan.

The vulnerable code is found below

echo ‘echo “$(whoami) ALL=(ALL) NOPASSWD:ALL” >&3’ | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s

Another Hacking Team exploit that is CRITICAL for ALL Windows systems – CVE-2015-2426

It just doesn’t seem to end with all the exploits being revealed by the Hacking Team dump earlier this month. This vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts. The Adobe Type Manager module contains a memory corruption vulnerability, which can allow an attacker to obtain system privileges on an affected Windows system.

Adobe Type Manager, which is provided by atmfd.dll, is a kernel module that is provided by Windows and provides support for OpenType fonts. A memory-corruption flaw (buffer underflow) in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts.  This vulnerability can allow an attacker to gain SYSTEM privileges on an affected Windows system. Hackers would use this to infect users systems with any type of malware and gain remote control access if they desired – all without notifying the user. Also, this vulnerability can be used to bypass web browser and other OS-level sandboxing and protections.

This is a confirmed exploit on Windows XP and up and Windows Server 2003 and up. Since Windows XP and Windows Server 2003 are no longer supported by Microsoft, there is no patch for users on those operating systems so we HIGHLY advise that you migrate to a newer operating system. Windows Vista, 7, and 8 users are going to have an update rolled out shortly that will patch this vulnerability so make sure you keep an eye out for updates. More info here

Turning failure into success

As a security professional it’s hard to say ‘I told you so’ but as far back as 2009-2010 Webroot was saying that the endpoint market was broken and that a new approach to stopping malware infections on endpoints was needed. At that time the rest of the endpoint security market was particularly quiet on their efficacy at stopping attacks they just kept pointing at meaningless and some would say gamed ‘independent’ test results about how great their efficacy was.

Of course the ‘chickens came home to roost’ and that efficacy was thrown under a Mack Truck over the past couple of years by the volume and frequency of new malware and its variants that was hitting endpoints. The attack patterns changed too. No longer did you have broad-based attacks now you had targeted, individualized and especially in 2014 continuous attacks aimed at known individuals in organizations.

The availability and open nature of today’s communications plus the exploitation by the big Internet players and other actors has meant everyone’s life can be pried into and used to make life more convenient, but with that convenience comes a dark side (that for many observers is seemingly winning and cannot be thwarted.) Frankly neither I, nor Webroot believe that.

Attackers’ methods can be turned against them and the attentions of the priers thwarted by only allowing them to access what you want them to access. Lots of security vendors believe that too. If those who want manipulate get smart then we need to get smarter. We can have smarter cybersecurity and we can make it consciously work together to make life very difficult indeed.

At Black Hat Webroot will be demonstrating and talking about some of the security solutions and collective threat intelligence that by working together make endpoints, servers, networks and the Internet safer for us all and are turning previous failures into success. In the end its choosing battles and winning the wars that will matter.

The OPM data breach was probably inevitable

Breaches big and small have been in the news, from small organizations losing banking files to global groups like Sony losing seemingly everything to hackers. But with the recent Office of Personnel Management (OPM) hack that was revealed recently, with anywhere between 18 and 32 billion individual records stolen by digital infiltrators, we have not seen a breach to this scale.

The scary, and somewhat disappointing aspect, is that the breach was probably inevitable.

Encryption Not Present

While OPM Director Katherine Archuleta had noted the need for an upgrade in the technology and implementation of encryption on all the data 18 months prior, the need was dismissed due to the age of the networks. During testimony today with the House Oversight and Government Reform Committee, she said “It is not feasible to implement on networks that are too old.”

Contractors Credentials

On the other side, would encryption had helped as the breach all started with compromised contractors credentials? Dr. Andy Ozment, assistant secretary, Office of Cybersecurity and Communications stated during the same hearing that encryption would “not have helped in this case” as the attackers would have had the data encrypted once they accessed the machine.

Previously Breached

In July of 2014, the OPM had a breach of its networks, apparently with the breach being traced back to China. OPM downplayed the breach stating that no personal data was stolen but provided credit monitoring to employees. Following this breach, the Office of the Inspector General completed an audit of the whole department, finding significant failures in the security layers. The full investigation also found that there was no inventory of the endpoints, devices, databases, and investigators were not able to see if OPM was scanning for breach and vulnerabilities.

Two-Factor Authentication

During the same audit “We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s IT security program,” the report concluded. In a day and age when two-factor has become a standard recommendation from the local IT friend to even the CIO of the US Department of Energy (http://energy.gov/cio/two-factor-authentication), this is one of the biggest failures within the OPM’s security layer. Lacking a physical CAC card or even phone authentication for login into the local machines and thus into the network could have saved the data from falling into the wrong hands.

These are just four of the issues leading up to this breach, areas often and exhaustively preached by security companies and professionals worldwide as the biggest and most vulnerable areas of attack. Beyond this, the audit itself not only highlighted the areas in need of immense improvement and increased security, but essentially laid the groundwork for the hackers, exposing all the weaknesses that have since been exploited, resulting in this breach.

For the full Inspector General report cited above from 2014, please click here: https://www.opm.gov/our-inspector-general/reports/2014/federal-information-security-management-act-audit-fy-2014-4a-ci-00-14-016.pdf

WhatsApp Spam Emails Making a Comeback

In 2013 we shared a series of blog posts about several WhatsApp scams making the rounds redirecting people to pharmaceutical sites and malware.

In recent weeks we have seen that these scams have made a comeback and are evading modern spam filters.

Sample Spam Email:

whatsapp

Using the email above as an example, by pressing the ‘Play’ button on a Desktop or Mobile browser the user is taken to a site masquerading as an article from the BBC titled:

SPECIAL REPORT: We expose how to lose 23 lbs of Belly Fat in 1 Month With This Diet Cleanse That Celebrities Use

whatsapp2

Instead of taking the user directly to the scam site, they try to dupe the would-be victim into thinking that the deal is legitimate by impersonating the above article. All other links lead to the real BBC site, however attempting to leave the page will also launch a pop-up window to the fake shop which can be confused for a legitimate advertisement.

Pop-up window loads when leaving the site:

whatsapp3

If the user chooses to learn more about the ‘celebrity cleanse’ they are then taken to a site where they are prompted to enter personal information including personal email, postal address, and phone number.

Sample screenshot of the landing scam page:

whatsapp4

Remember, always buy from a legitimate, trusted site. If something seems too good to be true, it usually is.

Rombertik

Yesterday in the news we saw a huge spike in the interest of the Rombertik malware. Rombertik infiltrates the computer through email phishing attacks that drop as a .scr screen saver executable that contains the malware that will inject code into your browsers to spy on you and threaten your MBR or Encrypt documents if it detects that it’s being analyzed or sandboxed. We’ve been catching these variants since January 13th, but only now has it become so popular with the media coverage.

The initial drop is a zipped attachment and once unzipped it’s a .scr screensaver executable file. The first stage of the malware is checks to make sure it’s not being debugged or sandboxed where if it fails these checks will attempt to overwrite your MBR (Master Boot Record).

obtaining handle to mbr overwrite mbr

Here we can see the code “\\\\.\\PhysicalDrive0” in the first image where it is attempting to obtain the handle to the MBR. If it can get access to the MBR then it will perform the second image where it writes 200 hex bytes to the MBR with buffer to display the below message after the BIOS when starting your computer – forcing a bootloop until the operating system is reinstalled.

Boot Loop

However, you will need to give this administrator rights in order for the MBR or encrpyting routine to complete. So unless you’re an XP user, you’ll see that familar user account control pop up asking if you wish to give “yfoye.exe” permission. I don’t know how many users are blindly giving permission to random executables that are originally expected to be documents from attachments (many group policies in businesses are also set to not give admin rights to email attachments), but I would suspect that the scare hype of this malware is limited to XP users.

After all the checks for sandboxing and debugging are cleared the malware will then perform it’s normal operation of hooking into your browser. Below in the first image is Rombertik searching for handles to the Firefox process (it does this with other browsers like Chrome as well).

firefox openprocess phone home

Then the second images shows it will connect to home and ensure that it can securely transmit the data it intercepts. Below, the malware injects a thread into the browser process to intercept and monitor network traffic API calls

remote thread

For Rombertik specifically it drops through email phishing and Webroot has multiple layers of protection. First is going to be through the zip – we actually detect this exact drop as a zip once it writes to disk. If that doesn’t trigger, then next layer is once it’s extracted and will be blocked in real time right as the .scr executable inside the zip it’s written to disk. If that fails, then next layer of protection is through heuristics if an action by the file is picked up. Since after the sandbox checks it launches a second copy of itself and overwrites the second copy with remaining thread process it’s very suspicious and a common tactic used by encrypting ransomware as well so our heuristics look out for actions like this.

MD5 Analyzed:

F504EF6E9A269E354DE802872DC5E209 (W32.Rombertik.Gen)

Aditional MD5s:

9FA5CE4CD6323C40247E78B80955218A (W32.Rombertik.Gen)

21A728FCD1A45642490EE0DAF17ED73A (W32.Rombertik.Gen)

FAADD08912BADEF2AB855D0C488B9193 (W32.Rombertik.Gen)

AC94549FAF48D11778265F08535A55B7 (W32.Rombertik.Gen)

D95495728DB1D257C78BCC19B43E94FF (W32.Rombertik.Gen)

3733DD9DF99C08953216B3DA5A885EFD (W32.Rombertik.Gen)

B5AFBB36D9E3EC3BC4A9445627C23E4F (W32.Rombertik.Gen)

38F5191DE5B8C266746006E9766B2F9D (W32.Rombertik.Gen)

AlphaCrypt

We’ve encountered yet another encrypting ransomware variant and at this point it’s expected since the scam has exploaded in popularity since it’s inception in late 2013. This one has a GUI that is almost identical to TeslaCrypt.

GUI

While this may look identical to TeslaCrypt it does have some improvements like deleting the VSS to make sure you aren’t saved by your shadow volume. Take a look at the below strings from an unpacked memory dump.

VSS delete

We can very clearly see that it opens up a command prompt and runs the command “vssadmin.exe delete shadows /all /Quiet” This will ensure that all shadow copies are deleted and the /Quiet will make sure that the command does not display messages to the user while its running.

Payment is similar to recent variants – bitcoin through layered tor browsing. Not using a money mule like ukash or moneypak allows the authors to maximize thier earning power and anonymity. They can just take the full ransom amount and put through a bitcoin mixer that will use sophisticated algorithms to scramble it through millions of addresses and completely “clean” the money.

bitcoin launder

A more convenient feature this variant of encrypting ransomware has is that you are not immediately forced to use install the tor browser and will instead try and use URLs that use public gates to the secret server through your current installed browser. However, these don’t always work so the backup option is to install Tor like we’ve seen previously. See the entire ransom notice below.

Ransom notice

The volatitlity of this variant is quite high since it creates new instances of common windows processes to do the encryption routine to try and be as covert as possible and is extremely similar to how Cryptowall 3.0 opertates. Below is the final bit of unpacking, where it sets the child process context and resumes the thread.

unpacking routine

MD5 analysed: 1C71D29BEDE55F34C9B17E24BD6A2A31
Aditional MD5 seen: 6B19E4AE0FA5B90C7F0620219131A12D

Webroot will catch this specific variant in real time and heuristically before any encryption takes place. We’re always on the look out for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

A Recap of RSA 2015

Last week marked one of the largest security conferences in the world, and with RSA 2015 now to a close, it is time to look back at what we shared, learned, and shown to the over 30,000 attendees of the San Francisco conference.

4-22-2015 1-16-11 PMReleased: Webroot’s 2015 Threat Brief

This report contains insights, analysis, and information on how collective threat intelligence can protect organizations from sophisticated attacks.

 

4-22-2015 10-40-16 AM

Shared: Webroot Threat Brief Infographic

Behind the 2015 Threat Brief are some amazing statistics that we thought readers would love to see as an infographic. Produced to help deliverthe state of internet security beyond the readers of the report, the infographic serves as a perfect vessel to share with friends the importance on online security.

 

IMG_8351

Our Booth: Bigger and Better Than Ever

“It’s been an amazing week at RSA Conference. With many lessons learned by corporations, the security industry has responded quickly and made great strides this week to battle against the onslaught of cyber threats. Conference attendees responded overwhelmingly positively to our collective threat intelligence, smarter cybersecurity approach, speaking sessions and demos. In fact, our booth traffic has been higher this year than ever before, and we’re definitely looking forward to continuing these conversations at RSA Conference 2016.”
– Dick Williams, CEO, Webroot

Interested in seeing more? We have a full gallery below of our time at RSA Conference 2015, highlighting the Webroot team hard at work showing off the power of Collective Threat Intelligence from Webroot.


 

Fake Security Scams – 2015 Edition

New year; similar Scams. In 2013,  I wrote an article talking about the popular Fake Microsoft Security Scams that were doing the rounds. As expected, these type of scams have continued to grow in popularity as a way for nefarious people to get money from users. Unfortunately, today these scams are more popular than ever. While the premise remains the same, some new versions of these blur the lines between what is a scam and what isn’t.

Recap

It’s worth having a quick look back at what exactly one of those aforementioned scams entails. The classic Microsoft scam goes something like this: the user gets a pop-up in their browser that tells them that they are infected and says to call a number (toll free of course) to get said infection removed. Once the user calls this number they will be directed to a website that allows the scammers (*agents*) to connect to the PC.

Microsoft Scam

Figure 1: Typical Scam Message

Depending on the version the webpage (see screenshot above), the scam may try to set itself as the homepage, which means that even if the user restarts their PC, they will continue to see this warning message. This can help back up these scammers’ claims that the PC is infected.

Once the scammers get connected they will show the user all the “infections” that are located in the Windows Event Logs. Windows Event logs are extremely useful to diagnose Windows issues. We would commonly use them to look for hard disk issues as any time Windows has an issue writing to a hard disk it will create a warning/error in the event logs.

After the scammers get connected, they will often install other programs that will show more errors messages. This will either be fake antivirus programs or trial versions of well-known programs that will show cookies that they will use as evidence of an infection.

In the example below, I have shown a snapshot of the warnings and errors from a test PC. It’s worth mentioning that even on a brand new PC there will be warnings or alerts in the Windows event logs.

Windows Event Logs

Figure 2: Windows Event Logs

Another version of this type of scam is the version that locks the browser and uses quite intimidating language (as seen in the case below). Apparently, this user has a potentially FATAL Virus! Thankfully, we are a bit away from computer malware being able to cross the organic barrier to kill users but it’s the type of message that can catch less technical users off-guard. In certain cases the alert pop-up will keep re-appearing this locking the browser session.

Fatal Virus Scam

Figure 3: It’s not fatal

So what’s new for 2015?

The biggest change compared to when we discussed this topic in 2013 is that these scams have now spread to other platforms, with Mac versions of these scams becoming increasingly popular. And they follow the exact same process as the PC versions. Remember that Macs do get malware and it highly advised that you install an antivirus product on your Mac.

Since these scams use a website, any device that has a browser can fall victim to this type of scam. They’re not OS dependent so if your internet enabled-toaster has a screen and a web browser it could get this type of alert! Joking aside, since it’s a browser-based scam, it’s advisable to have a backup browser installed just in case you have issues with your primary browser.

Fake Mac Security

Figure 4: The Mac version

The Mac versions of this scam are pretty much identical to their PC counterparts. The only difference is that they won’t use the Windows Event Log viewer as it doesn’t exist on the Mac platform but they will use other tricks to try to fool users. In theory you could have a version that targets the Linux platform (since it’s browser based) but that platform (generally speaking) is used by more technical users and thus isn’t the target platform for these scammers.

The “Legitimate” Scam

The most disappointing of the new trends in Fake Security Scams, is the emergence of the “Legitimate” version.  What do we mean by this?That well-known and respected multinational companies are using malware as a reason to charge users a fee to fix a device or service. Talk to anybody who works in IT and probably the most common reason why users suspect hardware isn’t working is due to a virus. It’s rarely (if ever) actually due to a virus, although there are of course exceptions to this. Remember the majority of malware these days is designed with the end goal of financial benefit to the person/group pushing the malware.

There is no real advantage for a scammer to stop your printer from working. The days of malware being made just to cause annoyance is long gone (although occasional cases still exist). So now let’s take a look at some of the common “legitimate” Scam types:

Your PC is part of a Botnet (an ISP favourite)

The botnet is a scam that has grown in popularity. An ISP (Internet Service Provider) will claim that a user is part of a botnet (Zeus being a favourite) and that for a flat fee they can clean out this botnet. Since the call has come from a legitimate source, the user will let their guard down and let the ISP “help” them out.

I have been connected to a number of these cases where the user has a PC that is supposedly part of a botnet. After running through the system with a fine tooth-comb and capturing network events, I was unable to find any evidence of botnet traffic. In these cases I advise the customer to contact the ISP and ask for the evidence used to determine the initial diagnosis. I have yet to hear back from any of these cases with some hard evidence of botnet traffic.

Printer (or other device) is not working because of a virus

This is by far and away the most popular type of “legitimate” scam that we encounter. A user is unable to get their printer working and they contact the hardware manufacturer. After going through a number of basic tests. it is determined that a virus is causing the issue and that they can remove the malware and setup the printer for a flat fee (notice the trend?).

I am picking on printers but it can be for any type of connected hardware. I have been connected to customers’ PC and have installed the printer for them after doing a full check for malware on the PC. In every case, it was just a matter of running through the steps and verifying that the device is installed.

What to do in the cases above

If you suspect that you have a virus that is causing a system issue, DO NOT give any credit card information to a 3rd party. Tell them you will contact them back, get the phone number directly from there Website (not the one they may give you over the phone). Contact Webroot and we can determine if there is a malware issue. Pretending to be from an ISP or an official company is a popular technique used by these scammers.

How to protect yourself from these scams

The tips that I discussed in 2013 are still valid. The first step is simply being aware that these scams exist!

  • Microsoft will never call you telling you that your PC is infected
  • Never allow strangers to connect to your PC
  • Do not give any credit card info to somebody claiming to be from Microsoft
  • If in doubt, shut down your PC and callWebroot

Tips to best protect yourself:

  • Use a trustworthy antivirus program like Webroot Secure Anywhere
  • Keep Windows updates turned on and set them to automatically update
  • Use a modern secure browser like Firefox or Chrome
  • Update any 3rd party plugins (Java/Adobe Reader/Flash player)
  • Use an ad-blocker add-on in Firefox/Chrome

Looking Forward

I would like to think in two years’ time I won’t be writing another one of these but it’s a popular method to get money so I don’t see it vanishing any time soon. With Windows 10 fast approaching and with it being used on multiple platforms we may see these types of scams on all sorts of devices (perhaps even the Xbox one!). We have already seen CryptoLocker style apps on the Android platform and due to the popularity it’s only a matter of time before we start seeing mobile versions.

My advice would be to let people that aren’t technical know about these types of scams. The advanced user isn’t the target group for these scams so if you have less tech-saavy friends or family, let them know. Remember that as a Webroot customer, we can check your PC for malware free of charge.

Please contact us if you have any questions or issues. Click on the “Get customer Support” button or you can contact us over the phone.

Links: