The computer words “ransomware,” “crypto-locker (virus),” and “bitcoins” have unfortunately become business words. As a computer security consultant, I have assisted businesses with surviving this type of attack, and I agree with my security colleagues: the best and often only way to recover from this attack is with robust, air-gapped backups.
“But my business has a firewall, antimalware software, limited user accounts, and we don’t install things without our IT department!” You’re still at risk. I’ll write more about this in a future article.
In the meantime, you can attend some free training on September 15, 2016. Reservations required. Read more in this PDF.
A client calls me one day with an interesting problem. She is receiving email at an incredible pace. She cannot send anything, and her computer is bogged down with the receive process showing thousands of messages in the queue.
After a few troubleshooting questions and a quick look at her computer, I discovered that her email password was “password1”. Yep, she chose one of the absolute worst and most common passwords ever!
So, here’s what happened. Someone (a spammer) guessed her password and was sending out thousands of messages using her account. When a spammer does this, they use email lists gleaned, harvested, developed and guessed from a variety of sources. Much of the data is incorrect. When an email is sent to a non-existent address, the sending server, depending on its configuration, usually replies with a “person not here” or “no such recipient” message. The same thing happens when you make a typo in an email address; the receiving server usually sends you an OOPS message with a bunch of server gibberish. We’ve all seen it.
In this client’s case, she was receiving thousands of “no recipient” or bounced messages. A quick password change to something much more complicated stopped the sending immediately. However, there was the matter of over 10,000 messages that had bounced and were still flooding her inbox. We did some email voodoo and cleared out those messages, and the client is back to normal now.
An elderly client called with a computer problem that sheds light on one of many ways the bad guys trick people. In the fall of 2015, Mr. Victim was planning a road trip and wanted to update his TomTom GPS. However, he was having trouble downloading and installing the necessary software, so he used a popular search engine and keyed in the words “Tom Tom”.
Mr. Victim’s search engine returned several results, and among the top links was this:
He thinks this is the official TomTom site, so he clicks the link, which brings up:
Well, it says TomTom, has the logo, and the download is free! But if you read to the bottom of the page, we see this:
Notice the black text on a dark gray background? This is not only a bad design choice, it is downright deceitful. You can barely read it, and the bad guys are hoping you won’t.
Don’t strain your eyes! It says, “Your download is managed by Airinstaller™, a modified installer which differs from the original and may offer additional free software at time of install. The user has no obligation to install this additional software. If the user does choose to install the software but wants to uninstall at a later time, instructions to do so can be found on the Removal page. Freewareflow is compensated based on users accepting 3rd party offers during install. This software may also be found for free on the original author’s site, here.” (Emphasis added.)
Mr. Victim installs the software thinking it is an update from TomTom, but it is actually a bait-and-switch scheme from Omnitech Support. The software identifies hundreds of “problems” with his computer, using scary terms and bright red warning signs. The client calls the number, gives them his credit card info, and they establish a remote session, working for hours on his “problem”. They give up, call the next day and resume troubleshooting and, of course, billing the victim hundreds of dollars along the way. After a couple of days of getting no solution to his original TomTom problem, Mr. Victim calls me.
It took about a half hour to remove all of the unnecessary software Omnitech installed, and about five minutes to fix his TomTom issue.
But wait! There’s more!
Fast forward one year. Omnitech calls Mr. Victim again, this time apologizing for his dissatisfaction and offering him a $100 refund. They talk to him for a short while, and steadily increase the refund offer in $100 increments every time he balks. At the $400 mark, Mr. Victim falls for it again. Along the way, Omnitech tricks Mr. Victim into downloading and running their remote connection software, seen here:
Once connected, Omnitech tricks Mr. Victim into logging into his online banking, and “attempts” to refund his money directly into his account. Oddly, the attempt fails. They try to refund it to his Discover account, and this fails too.
The next step is particularly troubling. Omnitech, now in remote control, transfers $3000 between Mr. and Mrs. Victim’s savings accounts, taking the money from the savings account of Mr. Victim’s wife. Omnitech claims it was their transfer, and oops! their mistake! So now they apologize to Mr. Victim and ask him to “simply send them $2600” and keep the $400 as a refund and their apology. Omnitech even searches for Western Union locations near Mr. Victim’s home, finding one at our local Fruth pharmacy. Omnitech puts Mr. Victim on hold and calls Fruth to see if they can initiate wire transfers.
During the pause, Mr. Victim calls me, suddenly very concerned that something is awry. So, we take the steps necessary to delouse his computer and protect Mr. Victim’s identity, but that’s a topic for another blog post.
In my role as an IT support technician and cybersecurity engineer in rural America, I see an interesting trend: computer repair necessitated by improper updating, especially in small businesses and home offices.
Although the official numbers are never published, Microsoft Windows in its various flavors contains a reported 50 million lines of code, and Microsoft Office contains about 30 million. Herein lies the problem, because amongst this massive complexity are functional and security flaws. The functional flaws are known as “bugs,” while the security flaws are known as vulnerabilities. Bugs, sometimes benign, are discovered, tracked, and fixed through Microsoft updates: software released in various ways and called security updates, critical updates, optional updates and service packs.
Security flaws, however, represent the biggest concern, because they can be exploited by the bad guys. How? Well, the malicious among us seek ways to compromise systems by sending specially crafted packets (traffic on the Internet moves in packets) so that the receiving system reacts in a predictable way, giving the attacker remote access or allowing him to retrieve your data. In some cases, the infected machine becomes part of a herd of enslaved computers called a botnet; in this scenario, the bot master (analogous to a sheep herder) uses a group of zombie computers to perpetrate his crime: spewing spam, viruses and pornography, and in some cases the infected computers are used in an orchestrated attack called a DDoS, or distributed denial of service. If I wanted to keep your web server busy and I controlled thousands of computers, it would be simple enough to have them all try to load your web page at the same time; your server cannot possibly handle so many requests and balks.
Am I Ever Really Safe?
The complexity of software and ingenuity of attackers creates a limitless playground, and keeping a computer safe becomes a matter of risk management and prophylactic behavior. If you use adequate protective measures, including:
An antimalware program
An antivirus program
Run the computer as a user and not an administrator
Then you are reasonably safe.
What to do?
If your machine is connected to the Internet, you are always at some measurable amount of risk!
We are all getting pretty good at picking out SPAM email messages: the Nigerian family with money, the preapproved Visa card, the lottery winner notification, the phony bank email, the fix your PayPal account message, the disaster relief scam, the family member stuck overseas and needs a wire fast, the invoice from UPS/FEDEX, and the account cancelled scam, just to name a few.
One important thing to remember: ANYTHING you click on in the wrong email is a potential way to get infected with malware!
Keep this in mind when the “friendly” email gives you a link to “unsubscribe”. This link is just as nefarious as any other; moreover, the last thing it will do is actually unsubscribe you. Instead, it will probably install malware and validate your email address to the sender.
The best thing to do is delete the entire message.
ANYTHING? Yes, because the link that you click is actually something called hypertext markup language, or HTML. This language specifies something to display and a URL to go to when clicked, but they don’t have to be the same thing. For instance, if you click http://www.cnn.com, it will take you to Fox News instead (go ahead and try – it will open a new window). That’s because I coded the link to go to Fox News. Coders can use this as a way to trick you. Not all links are bad; you just have to use your good judgment.
If you hover your mouse pointer over the link above, it will even say “http://www.cnn.com”, but while hovering, notice the bottom left-hand corner of most browsers: it shows you the actual link that will open. If the words and the link don’t match, be suspicious. If the URL is something that looks like gibberish, be especially cautious.
You should also watch out for misspelled domain names. Bad guys will take a popular domain name and purchase variants that include common misspellings or other forgery methods, like using the number “one” in place of the lower-case letter “L”. In most typefaces, the 1 and l look exactly the same, or similar enough to fool the eye.
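The two tricks described above, link text that doesn’t match the real destination and a “1” standing in for an “l”, are easy to check for mechanically. The following script is an added example (not the author’s code) that scans an HTML email body and flags both; the brand list, the confusable-character table, and the sample email are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of brands we want to protect against lookalike domains.
PROTECTED_DOMAINS = {"paypal.com", "cnn.com", "tomtom.com"}
# Digits commonly swapped for look-alike letters (the "1 for l" trick).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed sample email body: a cnn.com label pointing elsewhere, a
# lookalike PayPal domain, and one honest link.
SAMPLE_EMAIL = """<p>Breaking news: <a href="http://www.foxnews.com">http://www.cnn.com</a></p>
<p><a href="http://www.paypa1.com/verify">Fix your PayPal account</a></p>
<p><a href="https://www.example.com/news">Read our newsletter</a></p>"""


def host_of(url):
    """Lower-cased host of a URL or bare domain (scheme added if missing)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain."""
    return ".".join(host.split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (href, reason) for links whose text or host looks deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable(host_of(href))
        # 1. Visible text that is itself a URL but points to another domain.
        if URL_LIKE.fullmatch(text) and registrable(host_of(text)) != target:
            findings.append((href, "text says %s, link goes to %s" % (host_of(text), target)))
        # 2. Host that only matches a protected brand after undoing confusables.
        fixed = target.translate(CONFUSABLES)
        if target not in PROTECTED_DOMAINS and fixed in PROTECTED_DOMAINS:
            findings.append((href, "lookalike of %s" % fixed))
    return findings
```

Running `find_deceptive_links(SAMPLE_EMAIL)` flags the first two links and passes the third; the same check is what a mail gateway or browser extension would apply before you hover.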