Tag Archives: MalwareBytes

Tech support scam update

Updates to Tech support scams resource page

Jérôme Segura reports (20th September 2018) for Malwarebytes on Mass WordPress compromises redirect to tech support scams. There have been high volumes of hijackings of sites using the WordPress content management system, especially sites using outdated plugins. Prominent among the client-side payloads observed by Malwarebytes are redirections to tech support scams. Segura notes that:

“That .TK URL pattern is well known and has been documented in detail as part of a large Traffic Distribution System (TDS) responsible for massive redirections to browlock pages. Note the custom mouse cursor (the “Evil cursor”), which we reported on recently, has yet to be patched.”

David Harley

Advertisements

Tech support scams: curse of the Evil Cursor, and Technet ads removed

Jérôme Segura for Malwarebytes: Partnerstroka: Large tech support scam operation features latest browser locker – “We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. … we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstrokam …. and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome.”

Summary/commentary from Zeljka Zorz for Help Net: Tech support scammers leverage “evil cursor” technique to “lock” Chrome


John E. Dunn for Sophos: Microsoft purges 3,000 tech support scams hiding on TechNet – “Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking….Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet…”

David Harley

April 2nd/3rd 2018 updates

Updates to Anti-Social Media 

[2nd April 2018] Facecrooks: Facebook Is Making Its Privacy Settings Easier To Find

[3rd April 2018] John Leyden for The Register: One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools – Chad Loder is quoted as saying “The internet ought to “route around” known privacy abusers, shifting from passive blocking of cookies, host names, and scripts to a more active deception model. ” Lots of other useful commentary.

Updates to Cryptocurrency/Crypto-mining News and Resources

Updates to Mac Virus

‘Android action updates’

David Harley

Tech support scammers learn to ‘lock’ Chrome

For Malwarebytes, Jérôme Segura continues to fight the good fight against support scammers by warning us that ‘Tech support scammers find new way to jam Google Chrome‘. (If you saw this when it first appeared, note that it has been updated since.) By abusing an API, the scammers manage to freeze the browser in the hope that users will be panicked into calling the fake ‘helpline’ advertised on the pop-up or pop-under that accompanies the freeze.

However, he observes:

Since most of these browser lockers are distributed via malvertising, an effective mitigation method is to use an ad-blocker. As a last resort, the Windows Task Manager will allow you to forcefully quit the offending browser processes.

David Harley

Fake BSOD, Fake Tech Support

Tara Seals for Infosecurity Magazine: Tech Support Scam Malware Fakes the Blue Screen of Death

“The infamous Blue Screen of Death (BSOD) is one of the most-dreaded sights for Windows users. Adding insult to injury, a new malware is making the rounds that fakes a BSOD, and then tries to swindle victims into paying for tech support tools.”

Malwarebytes describes ‘Troubleshooter’ as a hijacker, but it’s one of those instances where a tech support scam edges close to ransomware.

David Harley

Tech Support Scams and Google

And still it goes on…

Tech support scammers poisoning Google search results is hardly new – see My PC has 32,539 errors: how telephone support scams really work – but there’s an interesting example flagged by Malwarebytes in the article Ads in Google Search Results Redirect Users to Tech Support Scam by Catalin Cimpanu. Also some useful commentary by Lisa Vaas for Sophos: Google ads for tech support scams – would you spot one?

David Harley

WannaCryptor – XP patch available

Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010 flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.

If you didn’t take advantage of the patch for Windows 8.1 and later at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)

If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.

Microsoft’s announcement is here: Customer Guidance for WannaCrypt attacks, with links to the update and further information. Detection of the threat has also been added to Windows Defender.

Kudos to Microsoft for going the extra mile…

Additional analysis and/or commentary by ESET – Huge ransomware outbreak disrupts IT systems worldwide, WannaCryptor to blame, Malwarebytes – The worm that spreads WanaCrypt0r, and Sophos: Wanna Decrypter 2.0 ransomware attack: what you need to know. Among other vendors, of course. [Added subsequently: Symantec – What you need to know about the WannaCry Ransomware]

David Harley

Patcher/Filezip/Filecoder – data recovery and naming

Because of time issues, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page but didn’t give it an article of its own here. Since there is important news (to potential victims) from Malwarebytes and Sophos, I’m repairing that omission here.

Note that both Reed and Cluley sometimes refer to the malware as FileCoder. This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, the term ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you/we need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.

David Harley

Support Scammers hit Mac users with DoS attacks

 examines another attack somewhere on the thin borderline between ransomware and tech support scams: Tech support scam page triggers denial-of-service attack on Macs. This is another instance of scammers encouraging victims to call a fake helpline by hitting them with some sort Denial of Service (DoS) attack: in this case, by causing Mail to keep opening email drafts until the machine freezes, or using iTunes., apparently to put up a fake alert.

Commentary by David Bisson for Tripwire: Tech Support Scam Creates Series of Email Drafts to Crash Macs.

David Harley