Tag Archives: Microsoft

Tech support scams: curse of the Evil Cursor, and Technet ads removed

Jérôme Segura for Malwarebytes: Partnerstroka: Large tech support scam operation features latest browser locker – “We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. … we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstroka …. and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome.”

Summary/commentary from Zeljka Zorz for Help Net: Tech support scammers leverage “evil cursor” technique to “lock” Chrome


John E. Dunn for Sophos: Microsoft purges 3,000 tech support scams hiding on TechNet – “Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking…. Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet…”

David Harley


16th March 2018 resources updates

Added to the AMD section of the Meltdown/Spectre resource page, which for administrative reasons has now been moved here

Added to the Intel section:

John Leyden waxes satirical at Intel’s expense in The Register: Intel: Our next chips won’t have data leak flaws we told you totally not to worry about – “Meltdown, Spectre-free CPUs coming this year, allegedly”

Added to the Microsoft/Windows section:

Richard Chirgwin for The Register: Microsoft starts buying speculative execution exploits – “Adds bug bounty class for Meltdown and Spectre attacks on Windows and Azure”

David Harley

Coercive Messaging

It’s not all about tech support scams, but Microsoft’s announcement about beefing up detection of ‘coercive messaging’ in Windows Defender is certainly related to some approaches used by tech support scammers, such as the use of malware that directs victims to a scam-friendly ‘helpline’.

Coercive messaging? As indicated in Microsoft’s evaluation criteria for malware and unwanted software, that would be messages that ‘display alarming or coercive messages or misleading content to pressure you into paying for additional services or performing superfluous actions.’ That includes exaggerating or misrepresenting system errors and issues, claiming to have a unique fix, and using the well-worn scamming technique of rushing the victim into responding in a limited time-frame.

Certainly that’s all characteristic of the way that fake tech support is monetized, but it’s also characteristic of the lower-profiled but persistent issue of useless ‘system optimizers’.

Microsoft’s article actually strongly resembles some of the hot potato topics addressed by the Clean Software Alliance, which describes itself as ‘a self-regulatory organization for software distribution and monetization’. Unsurprisingly, since Microsoft had a great deal to do with the launching of the initiative. Anyway, it covers a great many issues that are well worth considering. I don’t think Microsoft and Windows Defender will be able to fix all these problems all on its/their own, but any movement in this direction is a Good Thing.

Shorter article focused more on coercive messaging from Barak Shein, of the Windows Defender Security Research Team: Protecting customers from being intimidated into making an unnecessary purchase.

Commentary by Shaun Nichols for The Register: Windows Defender will strap pushy scareware to its ass-kicker machine – Doomed: Junkware claiming it can rid PCs of viruses, clean up the Registry, etc

On behalf of the security industry, which provides a large chunk of my income, maybe I should stress that not all programs that claim to rid PCs of viruses are junkware. 🙂 But perhaps it’s worth remembering that the difference between legitimate and less legitimate marketing is sometimes paper-thin. And talking about papers, here’s one on that very topic. 🙂 However, since that ESET paper for an EICAR conference goes back to 2011, maybe I should consider revisiting the topic.

David Harley

Streamlining a Tech Support Scam

Microsoft’s Windows Security Blog on Technet: New tech support scam launches communication or phone call app

“A new tech support scam technique streamlines the entire scam experience, leaving potential victims only one click or tap away from speaking with a scammer. We recently found a new tech support scam website that opens your default communication or phone call app, automatically prompting you to call a fake tech support scam hotline.”

The scam is supplemented by an audio message from ‘Apple Support’ (yeah, right…) that threatens to ‘disable and suspend your Mac device’ if the prospective victim closes the ‘alert’ window. However, the scam is ‘optimized for mobile phones’.

Commentary from Zeljka Zorz for HelpNet: New scam launches users’ default phone app, points it to fake tech support hotline

David Harley

Windows 10 Controlled folder access

Microsoft describes the new Windows 10 feature ‘Controlled folder access in Windows Defender Antivirus’ in the article Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile. The article specifically mentions ransomware as one of the threats against which it is likely to be effective.

The article states that ‘Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.’

It’s not clear what criteria are used to blacklist an application: as I read it, it may simply use Windows Defender’s scanning engine to determine the status of an app. I guess I’ll wait for more information before deciding how much additional protection this really provides.

Zeljka Zorz comments for Help Net Security:

Whether this security feature will be enough to stop ransomware remains to be seen, especially if ransomware can get a whitelisted application to bypass the protection and offer a way in.

I wasn’t really thinking of this in terms of whitelisting until I read that, but the feature does, in fact, allow the user to add protected locations apart from the default folders, and also to ‘Allow an app through Controlled folder access’. Which opens the door to social engineering as well as subversion of apps, but then that’s a persistent issue with whitelisting applications.

David Harley
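As an added example (not from the original post or from Microsoft's article), the allow-list concern raised in the Controlled folder access post above can be checked on a machine with the Defender PowerShell module: the script below lists every application allowed through Controlled folder access and flags entries that are missing, not validly signed, or located in a directory a standard user can write to. The list of user-writable locations is an assumed heuristic, not a Microsoft definition.

```powershell
# Added example: audit the Controlled folder access allow-list on this machine.
# Run from an elevated prompt on a system with the Windows Defender module.
$pref = Get-MpPreference

# 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
$mode = switch ([int]$pref.EnableControlledFolderAccess) {
    0       { 'Disabled' }
    1       { 'Enabled' }
    2       { 'AuditMode' }
    default { "Other ($_)" }
}
Write-Output "Controlled folder access mode: $mode"

Write-Output 'User-added protected folders:'
$pref.ControlledFolderAccessProtectedFolders | ForEach-Object { "  $_" }

# Assumed heuristic: locations a standard user can normally write to.
$userWritable = @($env:USERPROFILE, $env:TEMP, $env:PUBLIC, $env:ProgramData)

$report = foreach ($app in @($pref.ControlledFolderAccessAllowedApplications)) {
    if (-not $app) { continue }   # empty allow-list

    $exists = Test-Path -LiteralPath $app -PathType Leaf
    $sig = if ($exists) {
        (Get-AuthenticodeSignature -LiteralPath $app).Status
    } else {
        'n/a'
    }
    $inUserDir = [bool]($userWritable | Where-Object {
        $_ -and $app.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
    })

    [pscustomobject]@{
        Path                 = $app
        Exists               = $exists
        Signature            = $sig
        UserWritableLocation = $inUserDir
        # An allowed binary that is absent, unsigned or replaceable by a
        # standard user is a candidate for removal from the allow-list.
        Review               = (-not $exists) -or ($sig -ne 'Valid') -or $inUserDir
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```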

WannaCryptor news updates

Because of the apparent seriousness of the issue, I borrowed my earlier blogs on this topic for ITsecurity UK. So it’s only fair that I borrow back a couple of updates from that article.

You may have seen that someone was able to ‘switch off’ the attack by registering a domain. (‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack.) While it sounds as if this bought the world some time, it doesn’t mean there won’t be further attacks. I still recommend that you patch if you can.

There are reports of further variants, including one which is alleged not to include a kill switch. That might not be an accurate report, but certainly no-one should be relying on the neutralization of kill-switch domains rather than patching.

And if you have been caught out by the malware and were thinking of paying up, be warned that payment may not get your files back, according to Checkpoint: WannaCry – Paid Time Off?

Analysis by Microsoft here. MS recommends that you update to Windows 10 (no comment…) and/or apply the MS17-010 update. If that’s not possible, they recommend that you:

Hat tip to Artem Baranov for links to further information.

David Harley


WannaCryptor – XP patch available

Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010 flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.

If you didn’t take advantage of the patch for Windows 8.1 and later at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)

If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.

Microsoft’s announcement is here: Customer Guidance for WannaCrypt attacks, with links to the update and further information. Detection of the threat has also been added to Windows Defender.

Kudos to Microsoft for going the extra mile…

Additional analysis and/or commentary by ESET – Huge ransomware outbreak disrupts IT systems worldwide, WannaCryptor to blame, Malwarebytes – The worm that spreads WanaCrypt0r, and Sophos: Wanna Decrypter 2.0 ransomware attack: what you need to know. Among other vendors, of course. [Added subsequently: Symantec – What you need to know about the WannaCry Ransomware]

David Harley

Security Essentials or Support Scam?

Microsoft describes a malicious program that masquerades as an installer for Microsoft’s own Security Essentials program. What Hicurdismos actually does is generate a fake Blue Screen of Death (BSoD) including a ‘helpline number’: so yes, it’s essentially a malware-aided tech support scam. It is spread by drive-by-download, and takes a number of steps to make itself look like a serious system issue, such as hiding the mouse cursor and disabling Task Manager.

Security Essentials is still available from Microsoft’s own support site for Windows version 7 and below. Windows 8.x and 10 users should note that it can’t be used on their systems. However, they don’t need it since the version of Windows Defender that comes with 8.x and 10 has equivalent functionality (unlike the version on earlier Windows versions). However, apart from the pointer to the ‘helpline’, the fake BSoD closely resembles an error message that may be seen in those versions. Would that convince 8.x and 10 users that they also need the fake Essentials? Microsoft seems to think so.

Fortunately, it’s widely detected.

SHA1: e1e78701049a5e883a722a98cdab6198f7bd53a1

SHA256: 7dcbd6a63cb9f56063d2e8c5b17b3870bb2cbaeaafff98ce205d742cce38ba96

VirusTotal report: at 24th October 2016, 42 out of 56 vendors were shown as detecting it.

Commentary from The Register: Microsoft: Watch out millennials for evil Security Essentials

David Harley

Ransomlock.AT: ransomware meets support scams

It’s been a while since I’ve had occasion to talk about the issues that sometimes link tech support scams and ransomware, but now a couple of relevant items have come along more or less simultaneously. First, let’s look at the malware Symantec calls Trojan.Ransomlock.AT.

Symantec describes ‘a new ransomware variant that pretends to originate from Microsoft and uses social engineering techniques to trick the victim into calling a toll-free number to “reactivate” Windows.’ (That is, to unlock the computer.) The article is here: New ransomware mimics Microsoft activation window. The Symantec researchers tried to contact the ‘helpline’ number 1-888-303-5121 but gave up after 90 minutes of on-hold music and messages. Interestingly, a web search for that number turns up dozens of links to sites claiming to help ‘remove’ the number, which Symantec believes to have been promoted by the ransomware operators or their affiliates.

Fortunately, they spent less time on concealing the unlock code, for the moment at any rate. Symantec tells us that ‘Victims of this threat can unlock their computer using the code: 8716098676542789’.

iYogi tech support – sued by State of Washington

The name iYogi will not be unfamiliar to you, if you’ve been following how the tech support scam has been evolving over the past few years.

In Fake Support, And Now Fake Product Support I described how a legitimate and ethical AV company outsourced its support to the iYogi company in India. This must have seemed at the time an entirely reasonable way of addressing a difficulty that faces security companies with a product version that is free to consumers: what happens when users of that product need support? Running a tech support operation is a significant cost even for companies that charge for all their products (time-limited trials excepted, of course). The idea was that Avast! customers would get free support for Avast!-related queries, but would then be offered an upgrade to a for-fee iYogi support package. However, the AV company’s understanding was that:

here at AVAST, we never phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either.

Unfortunately, it seemed that iYogi’s understanding of the situation was rather different. According to Brian Krebs, reported incidents of tech support scam coldcalls from “Avast customer service” did indeed turn out to have originated with iYogi.

While someone describing himself as the co-founder and president of marketing at iYogi strongly denied any connection with the usual gang of out-and-out scammers, Avast! found it necessary to suspend its arrangement with the company. Avast!’s later arrangements for customer support are discussed on the company’s blog here.

iYogi’s recent activities seem to have continued to attract controversy. A recent article from Help Net Security tells us that Washington State has announced a lawsuit against iYogi, alleging that ‘iYogi’s tactics are unfair and deceptive business practices that violate Washington’s Consumer Protection Act.’ The activities in which the company is alleged to have engaged have a familiar ring, involving deceptive online advertisements, misleading ‘diagnostics’, aggressive selling of support plans and the company’s own anti-virus software. In a twist I haven’t encountered before, the Washington suit filed in King County Superior Court claims that:

iYogi tells the consumer that upgrading to Windows 10 from Windows 7 or 8 costs $199.00 if the upgrade is done independently, but that the upgrade is “included” for free as part of iYogi’s five-year service package or for $80 as part of iYogi’s one-year package. In fact, an upgrade to Windows 10 is free for Windows 7 or 8 users who choose to do so independently. In addition, iYogi incorrectly tells consumers that their computers will stop working if they do not upgrade to Windows 10 soon.

Help Net quotes Microsoft as estimating that 71,000 residents of Washington lose $33m each year, a sizeable proportion of the 3.3m Americans who are estimated to lose $1.5b in a year.

David Harley