Tag Archives: Ransomware

Why Do Users Keep Falling for Scams?

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.


*Social engineering: refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access — Wikipedia

wps_clip_image-25719

It’s unfathomable to me why so many people still get caught out by social engineering techniques, being tricked into clicking that link or opening that attachment.

Social engineering is one of the most prevalent methods used by cybercriminals to infect a system and/or gain a user’s sensitive information. Ransomware, phishing emails, scams, all generally involve an element of social engineering. Why? Because it’s simple, effective, and lucrative. It stands to reason then that the most potent method for eradicating these types of threats would be to make them less effective and less lucrative. The question is; how to achieve that?

You’ve no doubt come across the saying “education is key” – and, when it comes to social engineering, nothing could be truer. Because of the changing nature of socially engineered exploits, security software cannot always protect users from themselves. That’s why Tech blogs are repeatedly issuing the same advice/warnings – don’t click on links in emails from unknown senders, don’t open email attachments from unknown senders, etc., etc., etc. In fact, I recently published yet another list of do’s and don’ts  “10 Golden Rules to Defeat Scammers” . Yet, despite all this, so many people are still falling victim to social engineering.

A large part of the problem I suppose is that the users who need this type of advice the most are generally not the sort of people who tend to visit and read Tech blogs.

I was recently perusing a well-known freeware site and came across a comment from someone complaining that, despite being protected by a commercial grade antivirus, his company’s computers had been infected by ransomware… twice. On both occasions the infection was initiated by an employee clicking on something he or she shouldn’t have clicked on. I suggested to him that perhaps his company needed to review and strengthen its staff training program. Education is key.

My own clientele consists largely of elderly folk and, in my experience, many are highly susceptible to phishing and scams in general. I have a theory about this; I’m sure it’s because they were brought up in an era when trust was inherent; leaving the front door to the house open, leaving the car unlocked and keys in the ignition. Do you know what I mean? It’s not so much that they are gullible, more overly trusting.

These people also tend to be not so computer/security savvy, so rather than hit them with a long list of do’s and don’ts, which might be difficult to follow, I condense it all down to just three rules for them to remember:

1. Treat each and every unsolicited phone call and/or email as highly suspicious.

2. Always be very wary about giving out sensitive personal information over the internet.

3. If it sounds too good to be true, it almost certainly is.

If the more savvy among us would only take the time to pass this type of advice around their own particular circles of family, friends, and acquaintances, I believe that we, collectively, might just make a difference.

image

Advertisements

10 Comments

Filed under cybercrime, Don't Get Hacked, Education, Internet Safety for Seniors, Online Safety, Safe Surfing, System Security, trojans, Viruses, worms

Ransomware! – How A Layered Security Approach Can Defeat It

My Australian mate, Mal Cowan, steps into the breech when his good friend gets infected with one of the most difficult to remove pieces of malware currently ripping up the Internet – ransomware. Follow Mal, in this guest writer article, as he spins up his skill set and puts the hammer to a ransomware payload cybercrime.

imageRecently, I received a frantic call from a good friend.  He informed me that when he booted his computer, there was a message supposedly from Australian Law Enforcement, stating that his PC had been involved in illegal activity and, distributing pornographic material.

Freak-out time – The malware had taken a photo of him via his webcam and placed it in the top  middle of the Law Enforcement notice.

Note: This scam is not restricted to Australia. The graphic below provides ample evidence that this type of ransomware is a global issue.

Graphic courtesy of F-Secure.

Immediately, I knew what this program was – Ransomware.  Tech and blog sites have been full of news of this scourge in the past few months.

At first look, there was a full screen message – complete with an official looking logo from the Australian Federal Police.  The computer’s IP address had been logged, and there was indeed a photo of my friend, along with the messages outlined above.

The clincher? The message stated that he had to pay a fine to unlock his computer.

First, I tried to start Task Manager to stop the malware process.  That did not work – it simply would not load.  The computer was well and truly locked.

Next, I tried to restart the computer in Safe Mode.  No luck.  The message appeared again.  Still frozen.

Then, I inserted Kaspersky Rescue Disk (a fantastic Linux based recovery disk made for just this type of situation), and restarted the computer.

Selecting boot options before Windows started, I loaded Kaspersky and updated the malware database via the Internet.  The wonderful thing about Kaspersky is, it scans the infected machine without Windows running, so anything nasty cannot hide.

After a three hour scan, Kaspersky came up with 50 Trojan detections (one of the biggest I have ever seen).  It was able to eliminate all but one of them.

I crossed my fingers and restarted Windows.  Instead of the message, there was just a big white screen – still locked.  Kaspersky had obviously made a dent, but I needed something more.

Before leaving for my friends house, I had loaded up a USB stick with Hitman Pro Kickstart.  Hitman Pro is a wonderful true cloud antivirus scanner using multiple AV engines, with an excellent detection rate.

Recently, it also added a feature in which one can create a bootable USB stick that can bypasses the infected boot process.  The catch is – this must be done on an uninfected machine (which is why I used my personal computer to create it).

I inserted the USB stick into the slot, restarted the machine, and went to boot options (the F12 key on the infected machine) and selected “Boot from USB”.

Hitman Pro Kickstart came through.  It booted straight into the Windows environment without a hitch, and then proceeded to run a scan (an Internet connection is required).  I was a bit dismayed when the scan came back clean, as I knew Kaspersky had not been able to eliminate one threat.

But now, I was past the ransomware Trojan and able to start other antimalware applications.  Malwarebytes was next.  I updated it and proceeded to run a full scan.  Bingo.  It nailed a few more Trojans that had got past Kaspersky and Hitman Pro, and after deleting these nasties and rebooting the computer normally again, a further scan with Hitman Pro, Malwarebytes and AVG, the computer came up clean.

The point of my story really is quite simple.  NOBODY can rely on one antivirus/antimalware application to catch all malware.  The ransomware obviously got past the onboard, realtime antivirus (which was not AVG, I installed that afterwards).  Kaspersky detected most of the infections, Hitman Pro helped me boot into the Windows environment, and Malwarebytes cleaned up the rest.  AVG came up with a clean scan after I uninstalled the old antivirus.

How did my friend get infected?  Who knows.  There are so many exploits that this Trojan could have used that I don’t have a clue.  The computer is a family machine, used mostly by children for online games and such.

Just visiting a family friendly site can get your computer infected these days. It could have been worse.  It might have been an infection that actually encrypted the contents of the whole computer.  That’s a nightmare I am glad I didn’t have to deal with.

Thanks Mal.   Smile

9 Comments

Filed under Anti-Malware Tools, Free Security Programs, Guest Writers, Malware Removal

Ransom Trojan KDV.153863 – Call Me, Pay The Fee, And I’ll Unlock Your Kidnapped Windows System

imageRansomware is a vicious form of malware, given that that it generally encrypts the victim’s files, or restricts the user’s ability to access the computer in some way. Payment of a ransom fee is the commonality in all ransomware attacks.

According to F-Secure, a new form of ransomware (KDV.153863), which reportedly locks the victim’s computer, leaving the machine essentially unusable, is currently circulating on the Internet .

An infection by KDV.153863 will lead to the following boot screen.

image

Graphic courtesy of F-Secure – click to expand.

In line with previous versions of this type of malware, an unlock code can be had (ostensibly for free), by following a set of specific instructions.

The following graphic sets out the method to be followed by the victim to obtain an activation code. The activation code does, in fact, unlock the victim’s computer. Cybercriminals with a conscience, or just good business strategy?

image

Graphic courtesy of F-Secure – click to expand.

You’ll notice in the screenshot that all of the available telephone numbers are international, and it’s by way of this recovery construction that the cyber crook profits.

The Trojan author, collaborating with rogue call center operators, has designed a four minute message routine which the victim is forced to listen to while exorbitant long distance toll fees are being generated. Similar, in a sense, to the old 900 premium-rate telephone number scams  Apparently, these fees are shared between the cyber crook and the call center operators.

Following the forced four minute message routine, the victim is given an unlock code (1351236) which, according to F-Secure, appears to be the same every time the number is called.

We’ve been dealing with this type of malware, on and off, for years. If previous experience is any indication (and it is), we can expect to see more of this type of malware, in a more general release, through the balance of this year.

Reduce the possibilities of infection by this and other malware, by taking the following precautions:

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data. If you are infected this may be your only solution

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

Don’t store critical data on the system partition

Adhering to the best practices, as noted above, is no guarantee that your system won’t be penetrated. All things considered, running your computer in virtualization mode, while surfing the Net, is highly recommended.

Please read Free BufferZone Pro – Maybe The Best Surfing Virtualization Application At Any Price, on this site, for information on virtualization.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

12 Comments

Filed under Cyber Crime, Cyber Criminals, cybercrime, Don't Get Scammed, Don't Get Hacked, Internet Security Alerts, Malware Advisories, Malware Alert, Ransomware, Software, trojans, Windows Tips and Tools

Hard Drive Kidnapping – GpCode Ransomware On The Attack Again!

imageWhen we think of kidnapping, extortion, or blackmail, I think it’s safe to say, not many of us would consider our computer files being a likely victim. That is, unless we were familiar with a particular form of malware known as Ransomware.

Ransomware is a particular vicious form of malware – malware that encrypts the victim’s files, and then demands a monetary ransom to decrypt those kidnapped files.

Once again the Ransomware Trojan Gpcode, first encountered some years back by Kaspersky Lab, is on the loose. This is the fourth release of GpCode that we’ve covered here in the last few years, and as expected, this version continues to use RSA-1024 and AES-256 encryption.

As opposed to past variants though, this time around GpCode doesn’t delete files after encryption. Instead, to make it more difficult for a victim to recover from the attack – files are overwritten.

Once GpCode has finished its nasty work, the victim is presented with the following Desktop message.

Followed by a ransom note via Notepad, which is launched automatically by GpCode. The ransom note demands payment of a $120 fee.

image

Preliminary indications are; the attack vector is a malicious PDF which when opened, downloads and installs, the ransomware.

Vitaly Kamluk over at Kaspersky Lab’s Securelist site, offers the following advice – “If you think you are infected, we recommend that you do not change anything on your system as it may prevent potential data recovery if we find a solution.

It is safe to shutdown the computer or restart it despite claims by the malware writer that files are deleted after N days – we haven’t seen any evidence of time-based file deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by computer restart”.

Reduce the possibilities of infection by this and other malware, by taking the following precautions:

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data. If you are infected this may be your only solution

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

Don’t store critical data on the system partition

Let me reemphasize – Make regular backups of critical data. If you become infected, this may be your only recovery option.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

3 Comments

Filed under cybercrime, Don't Get Scammed, Don't Get Hacked, Internet Safety, internet scams, Internet Security Alerts, Malware Advisories, Ransomware, Windows Tips and Tools

Ransom.K, Bifrost.GEN and Safety Center Fake Antivirus – PandaLabs Takes a Look

Courtesy of Panda Security.

This week’s PandaLabs report looks at two Trojans and a new fake antivirus.

Bifrost.GEN is a backdoor-type Trojan whose objective is to go resident, concealing its presence and displaying no visible symptoms. The malware inserts its code into Internet Explorer and runs it in the background, leaving an open connection to await instructions from the attacker to access the infected computer.

The second Trojan we are looking at today is Ransom.K. It reaches computers with an icon that resembles an application Help file and encrypts the code of the .TXT, .DOC, .XLS and .JPG files detected on the computer, using a file it downloads called CryptLogFile.txt. Additionally, it replaces the desktop wallpaper with a message asking users to pay for the credentials for decrypting the code.

image

This type of extortion is known as “ransomware”. The solution to this problem
is simple, and involves deleting the CryptLogFile.txt file from C:\Windows and re-running the Trojan. When it can’t find the file with the list of documents, it will automatically return the files it encrypted to their original status.

Finally, Safety Center is a new fake antivirus. It is presented as an unregistered multi-tool product.

image

It asks users to purchase the license by registering online in order to use or update all the tools. On reaching computers it carries out a fake hard-disk scan, displaying false infections to trick users. If victims fall for the trap and pay, they will not only be paying for a fraudulent product, but will also have their bank details exposed.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

Safety Center Removal:

If you have become infected by Safety Center, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

If you feel you have the necessary skills, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools and the advice you will need to attempt removal.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix, available for download at Geekstogo is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue software.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/FireFox add-on, that offers substantial protection against questionable or unsafe websites.

Do not click on unsolicited invitations to download software of any kind.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

2 Comments

Filed under Anti-Malware Tools, Browser add-ons, Don't Get Scammed, Don't Get Hacked, downloads, Encryption, Free Anti-malware Software, Free Security Programs, Freeware, Internet Safety Tools, internet scams, Internet Security Alerts, Malware Advisories, Panda Security, PandaLabs, Ransomware, Rogue Software, Rogue Software Removal Tips, Scareware Removal Tips, Software, trojans, Windows Tips and Tools

Total Security 2009 – PandaLabs Fights Back by Offering Free Serial Numbers

image Once again ransomware is on the loose; but it’s a little bit different this time around. In previous versions of this type of malware, after installation, the victim was informed that the computer’s files had been encrypted and a decrypting tool had to be purchased from the cyber-criminal in order to decrypt the affected files.

Now we have a another new form of ransomware to deal with. Cyber criminals are now combining rogueware with ransomware, enabling them to hijack users’ information and block computer use.

Courtesy of PandaLabs:

PandaLabs, Panda Security‘s malware analysis and detection laboratory, has identified a new, more aggressive trend cyber criminals are using to sell fake anti-virus programs, otherwise known as rogueware. Cyber criminals are now combining rogueware with ransomware, hijacking users’ computers and rendering them useless until victims purchase fake anti-virus programs.

The fake program that PandaLabs has discovered, called Total Security 2009, is being offered to victims for approximately $79.95. Victims can also purchase ‘premium’ tech support services for an additional $19.95.

image

Users who pay the ransom receive a serial number that releases all files and executables, allowing them to work normally and recover their information. The fake anti-virus, however, remains on their systems.

PandaLabs has published a list of serial numbers that victims can use to unblock their computers, as well as a video demonstrating how this scam operates. To obtain a serial number click here.

Previously, when computers were infected by this type of malware, users would typically see a series of warnings prompting them to buy a paid version of the program. The new method of selling rogueware blocks users’ attempts to run programs or open documents, displaying a message falsely informing them that all files on their computers are infected and the only solution is to buy fake anti-virus.

“Users are often infected unknowingly – in most cases through visiting hacked Web sites. Once a computer is infected, it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge,” said Luis Corrons, technical director of PandaLabs.

“Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake anti-virus. For this reason, on the PandaLabs blog, we have published the serial numbers required to unblock the computer if it has been hijacked. Users can then install genuine security software to scan the computer in-depth and eliminate all traces of this fake anti-virus.”

“The way this rogueware operates presents a dual risk: First, users are tricked into paying money simply in order to use their computers; and second, these same users may believe that they have a genuine anti-virus installed on the computer, thereby leaving the system unprotected,” adds Corrons.

“This shift toward hijacking computers indicates either that users are becoming more adept at recognizing these threats or that security companies are beginning to close the gap on this highly sophisticated level of cybercriminal behavior. This would explain why hackers are becoming more aggressive in the methods used to force the victims into purchasing fake anti-virus programs.”

You can download a free trial of Panda Global Protection 2010 to completely remove the infection, once the ransomware feature is removed.

PandaLabs recently published a report about the lucrative business of rogueware. The report is available here.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

6 Comments

Filed under Anti-Malware Tools, Don't Get Scammed, Don't Get Hacked, downloads, Internet Security Alerts, Malware Advisories, Online Safety, Panda Security, PandaLabs, Ransomware, Rogue Software, Rogue Software Removal Tips, Software Trial Versions, System Security, Windows Tips and Tools

Ransomware in Your Browser

image Ransomware, a vicious form of malware, is nothing new. It has been around in one form or another, since the late 1980’s.

Once installed on a victim’s computer, the Trojan will generally encrypt the victim’s files, after which the cyber-criminal demands a monetary ransom to decrypt the kidnapped files.

The ever creative cyber criminal community has now gone one better, with the release of Trojan.Ransompage. This piece of malware is designed to kidnap the victim’s Internet browser, including Internet Explorer, Firefox and Opera.

Note: The latest update of Firefox is apparently unaffected. Another good reason to update.

According to Symantec, Trojan.Ransompage “uses scare or nuisance tactics – similar to rogue antivirus programs, in an attempt to demand ransom from its victims. Once infected with Trojan.Ransompage, a victim’s browser will display a persistent inline ad on every page that the victim visits”.

image

Roughly translated from Russian, the ransom demand reads in part:

To remove the informer, send SMS message with text [5-digit number] to number [4-digit number].
Enter the code, received in response, MC

Affected Systems: Windows 95, 98, NT, 2000, XP, Vista, Server 2003

System Impact:

Deletes Files: Deletes Web Browser files.

Modifies Files: Modifies Web Browser files.

Releases Confidential Info: May send confidential information to a remote location.

Degrades Performance: Displayed image may degrade Web Browser performance.

Action you can take if infected:

According to Symantec, “the ransomware is designed to expire in 30 days, so anyone who falls victim to the infection can remove it simply by setting their system clock forward one month”.

Common sense security precautions:

Make regular backups of critical data. If you are infected this may be your only solution

Don’t store critical data on the system partition

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable scripting features in email programs

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

The authorities need to kick some ass here, and determine who owns the contact phone number and close it down. How hard is that?

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

8 Comments

Filed under Browsers, Don't Get Scammed, Don't Get Hacked, Firefox, Interconnectivity, Internet Explorer, internet scams, Internet Security Alerts, Malware Advisories, Ransomware, Rogue Software, scareware, Symantec, System Security, trojans, Windows Tips and Tools