Would the last security guru to leave Facebook please turn out the lights?

Veteran (in the nicest possible way) security commentator Graham Cluley is no longer maintaining his Facebook page, saying: ‘For years I’ve been uncomfortable with Facebook, and called them out for their exploitation of a userbase which is mostly unaware of how their personal information is being exploited … Quitting Facebook is hard enough for many people, I don’t want to give anybody another reason to stay.’ In his article An apology to my Facebook followers he does, of course, point out all the other ways in which his opinions and advice (always worth reading) can be followed. 

And he has a point: while my own Facebook audience is much smaller and probably more specialized, I’m considering (again) doing the same thing. (Which would also have the advantage of reducing the number of places where I have to flag my own posts, he said selfishly.) But if the entire security community heads for the exit, that might not be a Good Thing for all the people who rarely use anything but Facebook and who might actually be benefiting occasionally from sound security comment published there. 

(And no, I’m absolutely not trying to say that Graham – or the rest of us – shouldn’t leave.)

David Harley

Advertisements

Social media and privacy

• [April 7th 2018] The Guardian: Christopher Wylie: Why I broke the Facebook data story – and what should happen now – “The whistleblower at the centre of the Cambridge Analytica storm asks if Britain will now address the hard issues which it has raised”
• [April 4th 2018] Daring Fireball quoting New York Times and Washington Post: FACEBOOK SHARPLY INCREASES ESTIMATE OF HOW MANY USERS’ INFORMATION WAS HARVESTED BY CAMBRIDGE ANALYTICA (the Post comment relates to the more recent profile scraping story, but it does tie in).
• [April 6th 2018] Graham Cluley:
  

  Facebook’s secret plan to access hospital patient records – “PRIVACY IS THE FIRST CASUALTY.” Graham rightly notes that this is not the first such case, as Google “attempted similar hook-ups with the UK’s National Health Service, with controversial results“.

  David Harley

17th March 2018 resources and article updates

Specific Ransomware Families and Types

• Checkpoint: The GandCrab Ransomware Mindset
• Kaspersky: GANDCRAB RANSOMWARE CROOKS TAKE AGILE DEVELOPMENT APPROACH

Cryptocurrency/Crypto-mining News and Resources

• PETER KÁLNAI and MICHAL POSLUŠNÝ for ESET (posted 14th March): Dangerous malware stealing bitcoin hosted on Download.com for years
• McAfee: McAfee Researchers Analyze Dark Side of Cryptocurrency Craze: Its Effect on Cybercrime
• Patrick Wardle: A Surreptitious Cryptocurrency Miner in the Mac App Store? > a free calender app possesses more than meets the eye!
• Graham Cluley: Calendar 2 app pulled from Mac App Store after cryptomining controversy – “APPLE APPROVED MISBEHAVING CRYPTOMINING FEATURE.”

Mac Virus (now linked from this portal): Android antics and MacOS malware

David Harley

Support Scamming by the Numbers

Hacked web pages redirecting to tech support scam pages. Info from Jérôme Segura for Malwarebytes: The numeric tech support scam campaign

David Bisson for Graham Cluley’s blog: Compromised websites redirecting tech support scam hosted on numeric domains – Wait, there’s a malvertising vector, as well?!

David Harley

Patcher/Filezip/Filecoder – data recovery and naming

Because of time issues, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page but didn’t give it an article of its own here. Since there is important news (to potential victims) from Malwarebytes and Sophos, I’m repairing that omission here.

• MARC-ETIENNE M.LÉVEILLÉ for ESET: New crypto-ransomware hits macOS – malware that calls itself ‘Patcher’, detected by ESET as OSX/Filecoder.E [22nd February 2017]
• Thomas Reed for Malwarebytes: Mac ransomware on piracy sites – Malwarebytes calls it OSX.Findzip.[23rd February 2017]
• Thomas Reed’s follow-up: Decrypting after a Findzip ransomware infection. Very useful work on recovering data (the gang behind the ransomware will take your money, but can’t provide you with a way of decrypting it). [February 28th 2017]
• Paul Ducklin for Sophos: ‘Filecode’ ransomware attacks your Mac – how to recover for free [28th February 2017]
• Commentary by Graham Cluley: How to recover from the FileCoder ransomware on your Mac – Buggy ransomware didn’t offer a method of recovery even if you paid the extortionists. Until now. [March 1st 2017]

Note that both Reed and Cluley sometimes refer to the malware as FileCoder. This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, the term ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you/we need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.

David Harley

Ransomware targeting schools

Action Fraud warns that:

Fraudsters are posing [as] government officials in order to trick people into installing ransomware which encrypts files on victim’s computers [by] …cold calling education establishments claiming to be from the “Department of Education”. They then ask to be given the personal email and/or phone number of the head teacher/financial administrator.*

They claim that they need to email guidance to the person in authority because of sensitive comment. However, the attachment contains ransomware.

* Contains public sector information licensed under the Open Government Licence v3.0.

Commentary by Graham Cluley for BitDefender: Schools warned about cold-calling ransomware attacks

David Harley

 

Support scammer targeting TalkTalk customer (again)

There have been suspicions before that TalkTalk customers have been targeted by tech support scammers who know more about their intended victims (and their issues with TalkTalk) than they should. I’ve alluded to them in some articles on this site.

I don’t, of course, know the facts behind those suspicions, but I note that Graham Cluley has encountered another curious incident – I won’t say coincidence…

Brand new TalkTalk customer is targeted by phone scammer – A problem at TalkTalk? Say it ain’t so.

David Harley

Reporting cybercrime

I haven’t checked the links yet, but Yasin Soliman’s article for Graham Cluley’s site looks really useful. How to report a cybercrime – Who you gonna call? includes a table with contact points in the US appropriate to several categories: I’m guessing that followers of this blog will find the links for ‘Internet fraud and SPAM’ particularly relevant. There are also links to agencies in other parts of the world.

The trouble with compiling such lists of links (which I’ve done many times over the years, in a variety of contexts) is that the links change over time, not only because web pages get changed around, but because agencies (like security companies) are renamed or replaced, or disappear altogether. Right now, though, this looks like an excellent resource.

David Harley

Ransomware and a rumoured Apple ID breach

For CSO Online, Steve Ragan describes how Ransom demands are written in Russian via the Find my iPhone service. Here’s how he describes the attack:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

Thomas Reed also described a similar attack a few months back using iCloud’s ‘Find My Mac’.

Ragan also mentions ‘a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”‘ I’ve seen no confirmation of that anywhere, but it’s certainly a good time to check that your AppleID credentials are in good shape.

Commentary by Graham Cluley here. You might want to consider taking up his suggestion of  enabling two-step verification on your Apple ID account, too.

David Harley

FLocker: Android Ransomware meets IoT

An article for Trend Micro by Echo Duan illustrates one of the complications of having an operating system that works on and connects all kinds of otherwise disparate objects: FLocker Mobile Ransomware Crosses to Smart TV.

Of course, embedded versions of operating systems such as other versions of Linux, Windows and so on, are not in themselves novel. FLocker, however, seems to lock smart TVs as well as Android phones, as long as they’re not located in one of a number of Eastern European countries. It claims to be levying a fine on behalf of a law enforcement agency. Apparently another of these agencies that prefers its fines paid in iTunes gift cards. As Zeljka Zorz points out for Help Net Security, this doesn’t say much for the credibility of the criminals, but if your device and data have become unavailable to you, knowing that they’re criminals and not the police doesn’t help much.

While the malware locks the screen, Trend tells us that the C&C server collects ‘data such as device information, phone number, contacts, real time location, and other information. These data are encrypted with a hardcoded AES key and encoded in base64.’

Unsurprisingly, Trend’s advice is to contact the device vendor for help with a locked TV, but the article also advises that victims might also be able to remove the malware if they can enable ADB debugging. How practical this would be for the average TV user, I don’t know.

Back in November 2015 Candid Wueest wrote for Symantec on How my TV got infected with ransomware and what you can learn from it, subtitled “A look at some of the possible ways your new smart TV could be the subject of cyberattacks.” Clearly, this particular aspect of the IoT issue has moved beyond proof of concept.

If cited this before, but it’s worth doing again. Camilo Gutierrez, one of my colleagues at ESET (security researcher at the Latin America office) notes that:

… if the necessary precautions are not taken by manufacturers and users, there is nothing to prevent an attacker from seizing control of a device’s functionality and demanding money to return control. Perhaps this is not a threat we expect to see much of in the near future, but we shouldn’t lose sight of it if we are to avoid serious problems later.

Just as I was about to post this, I noticed additional commentary by David Bisson for Graham Cluley’s blog. He notes that there’s an interesting resemblance between FLocker’s interface and the earlier ‘police’ ransomware he calls Cyber.Police.

David Harley