Tag Archives: Sophos

Tech support scams: curse of the Evil Cursor, and Technet ads removed

Jérôme Segura for Malwarebytes: Partnerstroka: Large tech support scam operation features latest browser locker – “We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. … we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstroka …. and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome.”

Summary/commentary from Zeljka Zorz for Help Net: Tech support scammers leverage “evil cursor” technique to “lock” Chrome


John E. Dunn for Sophos: Microsoft purges 3,000 tech support scams hiding on TechNet – “Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking….Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet…”

David Harley


Ransomware and support scam updates


Updates to Specific Ransomware Families and Types

The Register: Please forgive me, I can’t stop robbing you: SamSam ransomware earns handlers $5.9m – “Sophos has been investigating the SamSam campaign since its emergence. A study (PDF) based on this research – released on Tuesday – summarises its findings about the attacker’s tools, techniques and protocols.” For ZDNet, Danny Palmer tells us that This destructive ransomware has made crooks $6m by encrypting data and backups – “Attackers behind destructive SamSam ransomware show no signs of giving up – and they’re now taking $300,000 a month in ransom from victims.”

Bleeping Computer: BitPaymer Ransomware Infection Forces Alaskan Town to Use Typewriters for a Week – “In a PDF report published yesterday, Wyatt finally identified the “virus” as the BitPaymer ransomware. This ransomware strain was first spotted in July 2017, and it first made news headlines in August 2017 when it hit a string of Scottish hospitals.”

Updates to Tech support scams resource page

Sean Gallagher for ArsTechnica: Click on this iOS phishing scam and you’ll be connected to “Apple Care” – “This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.”

Commentary from Sophos: Porn-warning security scam hooks you up to “Apple Care”

The FBI and VPNFilter

Updates to Internet of (not necessarily necessary) Things

The Register: FBI to World+Dog: Please, try turning it off and turning it back on – “Feds trying to catalogue VPNFilter infections”

FBI alert: Foreign cyber actors target home and office routers and networked devices worldwide

Sophos commentary: FBI issues VPNFilter malware warning, says “REBOOT NOW” [PODCAST]

Comprehensive article (of course!) from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please

Updates to GDPR page

Sophos: Ghostery’s goofy GDPR gaffe – someone’s in trouble come Monday!


David Harley

Thoughts on Sophos commentary on FB and YouTube

Here are a couple of Sophos articles that caught my eye, and which I felt compelled to comment on at more length.

  • For Sophos, Paul Ducklin picked up on Facebook’s page How can I tell if my info was shared with Cambridge Analytica? Useful, I suppose, if you can’t remember whether you might have clicked on Cambridge Analytica’s This is your digital life app. And of limited use if it tells you that one or more of your friends clicked on it and so may have shared your profile data. Limited in that it won’t tell you which of your friends did so. Well, I suppose you should be grateful that Facebook is preserving somebody’s privacy, even if it’s not yours. And it may be useful in that it prompts you to check your privacy settings.
  • Another Sophos article by Lisa Vaas notes that YouTube illegally collects data from kids, group claims. The group of privacy advocates in question asserts that ‘a study … found that 96% of children aged 6-12 are aware of YouTube and … 83% of children that know the brand use it daily … The group is urging the FTC to investigate the matter as it is illegal to collect data from kids younger than 13 under the Children’s Online Privacy Protection Act (COPPA).’ YouTube’s fallback position would presumably be that it isn’t intentionally contravening COPPA because ‘YouTube is not for children’. Hence the creation of the separate YouTube Kids app.

David Harley

Resource updates: April 5th-7th 2018

Updates to Anti-Social Media 

Updates to Cryptocurrency/Crypto-mining News and Resources

Updates to Meltdown/Spectre – Related Resources

Only distantly related, but…

Updates to Specific Ransomware Families and Types

[3rd April 2018] Peter Kálnai and Anton Cherepanov for ESET: Lazarus KillDisks Central American casino – “The Lazarus Group gained notoriety especially after cyber-sabotage against Sony Pictures Entertainment in 2014. Fast forward to late 2017 and the group continues to deploy its malicious tools, including disk-wiping malware known as KillDisk, to attack a number of targets.”

Updates to Mac Virus


David Harley

22nd March Resources Update

Cryptocurrency/Crypto-mining News and Resources

Anti-Social Media

Mac Virus

New information/resource page: [anti-]social media

[This article is itself the first entry on the new page Anti-Social Media.]

Like many others, I’ve been at least partially assimilated by the social media Cookie Monster. Once upon a time I opened accounts on sites like Facebook and Twitter, so as to find out about their implications for security. (Like many others in the security profession, I suspect.) They also quickly became integrated into my armoury as a means of exchanging and disseminating information, whether it’s a matter of hard data or work-oriented PR. And when friends, colleagues and fellow musicians (some people, of course, are members of two or all three of those sets!) found me on those platforms, it would have been churlish not to have accepted invitations to link up there. (Besides, you can’t tell as much about Facebook’s workings, for instance, if you don’t actually have any Facebook friends…)

However, I’ve always borne in mind the wider implications of membership of such platforms (sociological, psychological, and security-specific), and have often written on those topics. (I’ll probably look back at some of those posts and see if any of them are worth flagging here.) But with the excitement over Cambridge Analytica, its self-proclaimed success at social engineering, and its alleged misuse of data harvested from social media, I can’t help but notice that people who’ve previously expressed no interest in privacy and security have started to voice concern. So I’m going to use this page to flag some news and resources of interest. Starting with a minor deluge of advice from various quarters:

David Harley

13th March 2018 resources updates

(1) New section on Trend Micro Resources in Meltdown/Spectre – Related Resources

Trend Micro: Detecting Attacks that Exploit Meltdown and Spectre with Performance Counters
“We worked on a detection technique for attacks that exploit Meltdown and Spectre by utilizing performance counters available in Intel processors. They measure cache misses — the state where data that an application requests for processing is not found in the cache memory — that can be used to detect attacks that exploit Meltdown and Spectre.”
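To make the counter-based idea concrete, here is an added example of my own, not Trend Micro’s code or detection logic. It parses interval output in the shape of `perf stat -x, -I <ms> -e cache-misses,cache-references` (the column order `time,value,unit,event,…` is an assumption, and the sample lines are constructed, not a real capture), computes a per-interval cache-miss ratio, and flags intervals that sit far above a baseline learned from the first few intervals. It generalises the quoted idea slightly: the same code works for any pair of PMU counters you can export as CSV.

```python
import statistics
from collections import defaultdict

# Constructed sample lines, not a real capture. Shape assumed to mirror
# `perf stat -x, -I 1000 -e cache-misses,cache-references` interval output:
# time,value,unit,event,run_time_ns,pct_counted,... (trailing fields ignored).
# Intervals 6 and 7 model a Flush+Reload-style burst; interval 9 models a
# counter that could not be read.
SAMPLE_PERF_CSV = """\
     1.000,210000,,cache-misses,999000000,100.00,,
     1.000,3000000,,cache-references,999000000,100.00,,
     2.000,195000,,cache-misses,999000000,100.00,,
     2.000,3100000,,cache-references,999000000,100.00,,
     3.000,230000,,cache-misses,999000000,100.00,,
     3.000,2900000,,cache-references,999000000,100.00,,
     4.000,205000,,cache-misses,999000000,100.00,,
     4.000,3050000,,cache-references,999000000,100.00,,
     5.000,215000,,cache-misses,999000000,100.00,,
     5.000,2950000,,cache-references,999000000,100.00,,
     6.000,1900000,,cache-misses,999000000,100.00,,
     6.000,3200000,,cache-references,999000000,100.00,,
     7.000,2100000,,cache-misses,999000000,100.00,,
     7.000,3300000,,cache-references,999000000,100.00,,
     8.000,200000,,cache-misses,999000000,100.00,,
     8.000,3000000,,cache-references,999000000,100.00,,
     9.000,<not counted>,,cache-misses,0,0.00,,
     9.000,<not counted>,,cache-references,0,0.00,,
"""


def parse_perf_csv(text):
    """Return {interval_time: {event: count}}; skip malformed or uncounted values."""
    samples = defaultdict(dict)
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 4 or not fields[0]:
            continue
        time_s, value, event = fields[0], fields[1], fields[3]
        if not value.isdigit():  # e.g. "<not counted>" or "<not supported>"
            continue
        samples[float(time_s)][event] = int(value)
    return dict(samples)


def miss_ratios(samples):
    """Per-interval cache-misses / cache-references, sorted by time.
    Intervals missing either counter (or with zero references) are dropped."""
    out = []
    for t in sorted(samples):
        ev = samples[t]
        refs = ev.get("cache-references", 0)
        if refs and "cache-misses" in ev:
            out.append((t, ev["cache-misses"] / refs))
    return out


def flag_intervals(ratios, warmup=5, k=4.0, floor=0.2):
    """Flag intervals whose miss ratio exceeds both an absolute floor and
    baseline_mean + k * baseline_stdev, the baseline being the first `warmup`
    intervals (assumed benign).  Flush+Reload probing inflates misses
    relative to references, but so do many legitimate memory-bound
    workloads, hence the floor and a per-host baseline rather than a fixed
    cut-off.  Returns the times of the flagged intervals."""
    if len(ratios) <= warmup:
        return []
    base = [r for _, r in ratios[:warmup]]
    threshold = max(floor, statistics.fmean(base) + k * statistics.pstdev(base))
    return [t for t, r in ratios[warmup:] if r > threshold]


if __name__ == "__main__":
    ratios = miss_ratios(parse_perf_csv(SAMPLE_PERF_CSV))
    for t, r in ratios:
        print(f"t={t:5.1f}s  miss ratio={r:.3f}")
    print("suspicious intervals:", flag_intervals(ratios))
```

Two caveats a practitioner would want: a system-wide ratio like this cannot tell you which process is probing the cache, so real detection needs per-process (or per-cgroup) counters; and the baseline is only as good as the warm-up window, so an attacker already running when sampling starts is baked into “normal”.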

(2) Cryptocurrency/Crypto-mining News and Resources

David Harley

Tech support scams: alive, kicking, and audio talking trash

Paul Ducklin for Sophos: Watch out – fake support scams are alive and well this Christmas

The first part of the article is a recap of old-school tech support scam cold-calling, but the rest describes what happened when someone clicked on ‘one of those “you’ll never believe what happened next” stories’. The resulting ‘alert’ included an automatic voice-over. While the voice-over (which you can hear on the page above) is full of laughable transcription errors and false information, it could certainly scare someone not particularly tech-literate into falling for the scam.

David Harley