Phishing attacks getting more efficient for the bad guys

Folks, please, please, please be very careful about what you click on and what financial information you provide, especially in response to an ‘alerting’ email!
There are a great number of ‘phishing’ attacks occurring again and they are getting even more sophisticated. Many almost look and sound legitimate. I have written previously on some of this here.

But as a reminder, if you get an email or text telling you that you must log in to a financial (or any other, for that matter) site via a link in an email, DO NOT CLICK ON ANY LINK AND, MOST IMPORTANTLY, DON’T ENTER ANY INFORMATION IF YOU DO!!
If you must visit a bank, credit card or online vendor’s site for ‘verification’ or whatever, do so through the ‘Front Door’. By that I mean open a brand new web browser window, log in to ‘their site’ and proceed from there, e.g. https://wellsfargo.com etc.

If you click on many of these links a few things are likely to happen. 1st, you will probably be silently infected by a Trojan/backdoor application, and 2nd, you will probably be brought to a ‘bogus’ site that looks very much like the legitimate site. You will be prompted to enter financial and/or personal information such as account/card numbers, passwords and other verification. The MOMENT you do, you can be assured that your account will be compromised! Sometimes in as little as a few minutes your account can be emptied!

Here is an example of one of the hundreds of emails that have been hitting my email server this weekend. You can see that it almost looks legitimate; the wording is sufficiently scary and authoritative and there is a ‘real logo’. But the link in the email is to a phishing site. AND the email address on the ‘from’ is not correct.


This looks very ‘scary’ and it is – but for the reason that you WILL be screwed, not that you are yet.

Please use some caution in the digital world. You would not give a perfect stranger your bank card and PIN, but some will do just that in cyberspace.

Be safe folks!

Latest Mac Malware news 06-04-2011

The Mac Trojan/Malware ‘MacDefender’ now calls itself ‘Mac Shield’.

The malware keeps changing names and looks but is still relatively the same as before. However, it is still infecting loads of machines and is, in my opinion, very dangerous; it lures users into providing sensitive financial information to thieves.

Sophos for Mac (free) will remove it. Get it here.

So will VirusBarrier Express from the Apple App Store (also free); get it here.

Here is my previous article too.

MacDefender trojan/malware is currently spreading on Mac systems – let’s kill it!

MacDefender is the rogue antimalware trojan currently spreading on Mac systems. This malware is known by a variety of names, including "Mac Defender", "MacProtector", "Mac Security", "Apple Security", and "Apple Security Center". It is a great example of how ‘social engineering’ can be used to trick people into harming themselves. Below are clear and easy procedures for removing it; read the quick summary or follow the links at the end for walk-throughs with loads of screen shots.

I have written recently about this here, but it appears more people are being ‘snagged’.

Apple support is being of absolutely NO help either! In fact they are telling their people, "Do not attempt to remove malware..". Read about that BS here if you wish. So I thought I’d again provide some tips.

Here is the simple summary of what to do:

  1. In Safari under "Preferences", at the bottom of the "General" tab (the first tab), uncheck "Open safe files". This will prevent Safari from starting threats like MacDefender automatically after downloading them.
  2. Open up "Activity Monitor" (this is in your Utilities folder within Applications).
  3. Find "MacDefender" (or whatever the malware is being called: MacProtector, Mac Security, etc.).
  4. Highlight it then click "Quit Process" which looks like a big red stop sign at the top right of the Activity Monitor screen.
  5. Next, open System Preferences, and go to "Accounts". When it appears click on the "Login Items" button, select the program, and then click the "minus" button to remove it from Login Items.
  6. Next, navigate to your Applications folder, find the program, drag it to the trashcan, and then empty the trashcan. Yes. It’s really that simple to remove.

Here are the two best links I could find for simple walk-throughs. I would rather not repeat the tutorials they have already taken the time to do.
Their work is much appreciated.

Now the super links with detailed screen shots and some additional tips:
The HowToGeek.com site has a great walk through here.

VRT-blog has some good information on this also, read that here.

Folks, if you use a Mac and you connect it to any systems – especially the internet – please realize that you are vulnerable to attacks and hacks. NO system is immune to attack! Although Macs and Linux systems have benefited from a more secure file system/OS structure (for the most part) than previous Windows systems, AND from the fact that their numbers were small – about 8% of all network-connected desktop machines – which made them a ‘low volume’ target, they are now increasingly being attacked. This is especially true since many Apple users have been lied to and told they are invulnerable to attacks.

BE SAFE FOLKS!

New Mac Trojan horse and Security tips from the NSA

There is a new Mac Trojan horse that masquerades as a virus scanner – read about that here. This is another example of social engineering – tricking users into making security mistakes.
Users looking for legitimate protection against viruses on their Macs might be duped into downloading and installing this. Essentially this is ‘ransomware’. It requires payment to ‘stop’ the ‘infection’. AND the payment information is often then sold to other nefarious people.

Remember that NO operating system is immune to attack. And since every system is used by humans, humans remain the biggest weak link.

Also in other security news the NSA has released some good advice and documents for better security practices with your home network, and Operating Systems (including Mac OSX).
Read about that here. [via PCMAG Security watch blog].

Nearly all of this contains information that I and other security people have been saying for years but is well worth reading.

CheckPoint/Zone Alarm Lose with fake threat

I’ve written about this tactic before – using ‘rogue/fake’ threat or infection warnings to distribute REAL malware. This is one very effective way to get unsuspecting or untrained people to accidentally actually ‘infect’ themselves.

It now appears that a legitimate (using that word lightly now) company – CheckPoint, makers of ZoneAlarm is using the same tactic to ‘up sell’ their products to unsuspecting consumers. I hope others do not follow.

Please take the time to read this very short article.

At one time I used and recommended their products and most were quite good. In fact ZoneAlarm was one of the first ‘software firewalls’ I ever used consistently – over a decade ago.
However………

With this move CheckPoint has assured itself that it will be uninstalled and/or blocked on ALL of the machines (hundreds) I manage or have any influence upon.
I am passing this information to EVERYONE in my sphere of influence and I hope they do the same. Maybe even demand a refund pro-rata on any products they have installed.

Real D*%k move CheckPoint. See you later.

Security Threat News

I have mentioned many times before the need to update your computer Operating Systems, Anti-Virus and Anti-Spyware applications.

But I also must mention again to please update your applications as well – ESPECIALLY ADOBE PRODUCTS.

A 2009 Global Threat Report from ScanSafe, a Cisco company, shows that in the 4th quarter of 2009 80% of all web-based exploits were malicious PDFs! It’s not surprising that the PDF number is large, but this number is so large it’s hard to believe, especially inasmuch as Flash exploits were 18%!
Those are some frightening numbers!

PDFs and Flash are ground zero for malware on the web these days. Just by keeping up to date on your client software you can protect yourself against almost all of it.
Here is the advisory from Adobe.

Users should update to versions 9.3.1 or 8.2.1, the links to which are in the advisory. Alternatively, you can “Check for Updates” in the Help menu.

Here we go again – Spyware and bogus Antivirus

Folks,
I can’t stress enough the importance of keeping your Operating system patched, up to date and running the latest versions of available applications – especially web browsers!
Several new threats are emerging that take advantage of the fact that people are running outdated and un-patched software. Some of the latest hacks have involved un-patched Adobe Acrobat and old un-patched web browsers – IE 6 and Safari. There is no reason NOT to have the latest web browsers and have them patched. I run Firefox primarily myself, as I have mentioned, but always keep all of my browsers (IE, Firefox, Chrome and Opera) up to date.

As I have said before never, never and never..
Download supposed toolbars or video player or helpers…that a site says are ‘required’ to…whatever..
These are nearly always ‘trojanware’.
If you need to ‘install’ a special toolbar to ‘play games’ or ‘view a file’ or what ever you can be assured that someone is using that download to ‘view/own’ your system.
Are those ‘smileys’ worth having your entire system compromised or corrupted? I don’t think so.
If you use P2P software – Limewire, Gnutella, KaZaA, Napster, BearShare, MySpace, torrents or even some Facebook ‘Apps’ – you can expect, repeat EXPECT, to get infected by malicious software! There is no such thing as free ‘premium’ software. If software that normally costs money from a vendor is ‘found’ for free somewhere else, you can expect you’ll get what you pay for. We don’t get it in the ‘real’ world, so why do people continue to believe that it will occur in the cyber world?
Here is an article on some people tricked by the old ‘social engineering’ scam to do just that.
Here is a good article on ‘Scareware’ – essentially it is a ‘social engineering’ trick to get you to install actual spyware/trojanware!
People are hit with this from many sites all the time, and end up screwing themselves back to the Stone Age.
Please take the time to read this information and how to protect yourself.

The one thing this article doesn’t really explain is how to ‘get out’ of the pop-up hell.
It is simple.
1st. DO NOT CLICK ON ANY POPUP WARNING WINDOW TRYING TO CLOSE/EXIT!!!
This will infect you!

Press the Ctrl+Shift+Esc keys at the same time (all on the left hand side of the keyboard).
This will bring up the ‘Windows Task Manager’ see attached screen capture.

From here click on the Microsoft Internet Explorer or Mozilla Firefox running ‘Task(s)’ and then click on ‘End Task’. It is wise to End Task ALL of them.

This kind of ploy gets MANY users!
Just this week I have had three – count them, 3 – different people get caught by these methods!!
After closing the pop-ups via the Task Manager, run CCleaner BEFORE you open any browser again. If you have followed my previous advice you already have this installed and run it every time you close your browser.
Please re-read these posts for more information on protecting yourself from malicious software.

Here

And Here

Bogus and Malicious emails

Here is a reminder.

Let’s all keep ourselves and our data and systems safe.
I have just recently seen numerous emails coming in supposedly from UPS containing trojan/infected files!!
If you are not expecting an ‘EXPLICIT’ file in an email from a TRUSTED person:

DO NOT OPEN/RUN OR DOWNLOAD IT!!
Info on some here.

Legitimate vendors – eBay, UPS, FedEx, Amazon etc. – will send you notice that you have invoices, receipts, shipping info etc. ready for your viewing.

BUT do not click on links provided in emails requesting personal information – they can contain links to bogus/phishing sites! [sites that mask as legitimate but instead ‘steal’, or get you to give them, your personal information]

If the email is from a true valid vendor you should be able to go to the appropriate vendor site by typing in the web address into your web browser and logging into your account and checking ‘messages/status etc.
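The two tells called out above and in the phishing post earlier on this page (a ‘from’ address that does not belong to the brand it claims, and a link whose visible text shows one site while the href goes somewhere else) can be checked mechanically. This is an added Python example, not code from the blog; the sample message and the `KNOWN_BRANDS` table are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the "alert" emails the posts describe.
SAMPLE_EMAIL = """\
From: "Wells Fargo Online" <security-alert@wf-verify-account.example>
Subject: Urgent: your account access has been limited
Content-Type: text/html

<p>Please <a href="http://203.0.113.10/wf/login.php">log in at https://wellsfargo.com</a>
to restore access.</p> <p><a href="https://www.wellsfargo.com/help">Help center</a></p>
"""

# Assumed table: brand words in the display name -> that brand's real domain.
KNOWN_BRANDS = {"wells fargo": "wellsfargo.com", "ups": "ups.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    """Crude registrable domain: the last two labels (enough for this sample)."""
    return ".".join(host.lower().split(".")[-2:])

def analyze_email(raw):
    """Return the phishing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1].lower()
    for brand, real in KNOWN_BRANDS.items():  # 'from' domain vs. the brand it claims to be
        if brand in name.lower() and base_domain(sender) != real:
            findings.append(f"from-mismatch: '{name}' sent from {sender}, expected {real}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # bare IP address, not a brand site
            findings.append(f"ip-link: {href}")
        shown = re.search(r"https?://([\w.-]+)", text)  # text shows one site, href goes elsewhere
        if shown and base_domain(shown.group(1)) != base_domain(host):
            findings.append(f"text-href-mismatch: shows {shown.group(1)}, goes to {host}")
    return findings
```

On the sample it reports all three tells; a clean notice whose sender domain and link targets match its brand produces an empty list.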

I have spent a lot of time recently cleaning up systems that people inadvertently infected with spy ware/malware. And by trying to ‘fix’ the problem by themselves many of these folks have only infected/wrecked their machines more dramatically.

There are LOADS of malicious emails out there claiming to be ‘security updates/upgrades’ or Outlook system updates etc. that are cleverly (dastardly, actually) masked (spoofed) as coming from within your organization, or some other trusted entity (often Microsoft).

Here is a good article on what some of these look like. Here is another. And still another.
You get the idea I hope.
They vary but the result is the same – you infect your system and your entire network with a ‘backdoor’ trojan.
These types of emails are very dangerous ‘phishing’ attacks designed to place a trojan silently onto your machine.

Once again, please NEVER click on a link within an email! From anyone.

The safest thing to do is call the person supposedly sending the email and verify its validity, or simply type the address directly into your browser.

As always I hope that any of you who read this have current Antivirus and Anti spyware software installed and most importantly keep them updated daily. And have them currently running.
While there may be advertisements listed on my site for anti-spyware and anti-virus protection, I can’t always control who or what they are for. I can however, recommend the links below.
My recommendations are as follows:

For a very, very good Antivirus and spyware solution (and free at that):

http://free-antivirus.eeye.com/

Their solution – Blink is fantastic.

You may also have Symantec/Norton, McAfee or AVG installed – Great!! but is it updated daily?

http://www.symantec.com/business/security_response/definitions.jsp

http://us.mcafee.com/virusInfo/default.asp?cid=45702

http://www.grisoft.com/us.download-update

Another super free and great anti-spyware is Spybot Search and Destroy (Spybot S&D).

I have used this to successfully fix/repair dozens of machines.

Beware though: there are many ‘bogus/extortion’ applications that are trying to trade off the ‘Spybot’ name.

The home to the one and only freeware SpyBot Search & Destroy is:
http://www.safer-networking.org/en/spybotsd/index.html

And a very highly rated anti-spyware package by PCWeek is Spyware Doctor. Not free but worth the price:
http://www.pctools.com/spyware-doctor-antivirus/

OS X Security and Malware

Please folks practice safe computing – keep your systems up to date, don’t install pirated software (including music and videos), clear your browser cache often, and don’t install ‘helpers’ or ‘codecs’ you cannot thoroughly verify.
Using the line, “I have a Mac, I don’t get worms or viruses etc.” is not only naively silly, it can also be costly.
Remember OS X is built on a Unix foundation and Unix has been around since 1969! So you can bet that as the Mac user population increases, the number of hacks ‘ported’ to OS X will start to grow exponentially. That, coupled with Apple’s misleading marketing campaign saying, “Macs don’t get viruses etc.”, often leads to poor computing habits that can, and I am sure will, be exploited more and more.
So keep safe out here.
Some scary info:
http://www.sophos.com/blogs/sophoslabs/v/post/4811

http://www.sophos.com/blogs/sophoslabs/v/post/3710

Peace out

Let’s Kill Some Spyware!!

I recently had to help some people remove some serious spyware/malware/virii.
Now normally, if I can’t ‘kill’ the bad stuff fairly quickly, I will simply get the person’s ‘data’ – documents, pics, music etc. – off the machine and then delete the partitions, wipe the drives, re-format and re-install the operating system clean.
But sometimes in a business situation this is not always possible.
Or sometimes all the needed applications are not available for ‘re-install’.
For this you must try and ‘save’ your system without the ‘nuclear option’.
So here is one of the best methods I use on a ‘running’ active system.
Read all the instructions and download ALL of the suggested applications from a ‘non-infected’ machine 1st.
Then place them on a portable drive – usb or a directory on the infected system [c:\killmalwareapps or something]
Ok let’s start.
1st, on the infected machine delete the ‘hosts’ and ‘lmhosts’ files.
They will be located in the c:\windows\system32\drivers\etc folder.
[Possibly c:\winnt\system32\drivers\etc]
First try an online scan from Trend Micro.
To do this safely – using an ‘external non-infected browser’ – you need to run ‘Firefox Portable’ off a USB drive.
This will allow a ‘clean run’ of a browser for a live malware/spyware scan:
How To:
The article here:
http://firefox-fangirl.livejournal.com/1977.html
explains how to download the latest portable Firefox builds and how to correctly install it as a ‘portable app’ on a separate folder or usb drive. I ‘install’ it to a directory called ‘portablefirefox’ and then I copy that to my USB drive.

Then go to Trend Micro USING THE PORTABLE FIREFOX and run their housecall application and run a scan:
http://housecall65.trendmicro.com/
Make sure you do NOT use any browser installed on the infected system!!!
Use the ‘Firefox Portable’ application to get to the web.
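The reason the procedure above starts by removing the hosts file is that malware commonly rewrites it so that the scanner and update sites you are about to use resolve to 127.0.0.1 or to a host the attacker controls. Before wiping it, it is worth seeing exactly which entries were tampered with. This is an added Python example, not code from the blog; the sample hosts file is constructed, and the `WATCH_SUFFIXES` list is an assumption built from the tool sites this post names.

```python
import ipaddress

# Constructed sample of a tampered hosts file; the real one is the
# c:\windows\system32\drivers\etc\hosts file named in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- entries below show what a malware hijack looks like (constructed) ---
127.0.0.1       housecall65.trendmicro.com
127.0.0.1       www.safer-networking.org
203.0.113.66    update.microsoft.com
127.0.0.1       download.sysinternals.com
"""

# Assumed watch list: sites a cleanup depends on, taken from the tools the post names.
WATCH_SUFFIXES = ("trendmicro.com", "safer-networking.org", "microsoft.com",
                  "sysinternals.com", "malwarebytes.org")
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield n, fields[0], name.lower()

def is_watched(name):
    """True when the name is a watched domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, hostname, ip, verdict) for every suspicious entry."""
    findings = []
    for n, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, name, ip, "unparseable address"))
            continue
        if name in STOCK_NAMES and addr.is_loopback:
            continue  # the entries Windows ships with
        if is_watched(name):
            # loopback = the site is silently blackholed; anything else = traffic redirected
            verdict = "blackholed" if addr.is_loopback else "redirected"
            findings.append((n, name, ip, verdict))
    return findings
```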

Other tools to have on hand (on your usb drive) before starting.
From Sysinternals
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Get the following apps. Download on clean system and transfer to usb.
Autoruns – Finds all the crap actually loading at startup.
You will finds all kinds of ‘crap’ that shouldn’t be there.
http://download.sysinternals.com/Files/Autoruns.zip
Extract and run this to show EVERYTHING that is loaded at start up.
This includes applications, scripts, drivers, active X controls, dll’s and more.

Process Explorer
http://download.sysinternals.com/Files/ProcessExplorer.zip
This helps find unwanted running processes and helps in their termination.
Run the application to see every currently running process/application on your system.

You will often need some or all of the following applications to ‘kill’ bad processes.
That is, malicious programs that are running ‘un-authorized’ processes.

Unlocker
http://ccollomb.free.fr/unlocker/

WhoLockMe
http://www.dr-hoiby.com/WhoLockMe/

FileASSASSIN
http://www.malwarebytes.org/fileassassin.php

A great spyware finder:

Spybot S&D
http://www.safer-networking.org/en/spybotsd/index.html
I install this as my online scan is running (if possible).
Don’t confuse this application with others that are trading on the ‘Spybot’ name and are in and of themselves ACTUALLY spyware. The one and only original FREEWARE application is here.
http://www.spybotupdates.biz/files/spybotsd162.exe

Remember to have all these files already downloaded and copied to your portable drive.

And to assist in cleaning out all ‘temp’ type files:
CCleaner
Especially useful if there is an ‘unseen’ internet app (IE or Firefox) downloading malware in the background continually.
I will run this over and over while running spybot scans.

http://www.filehippo.com/download_ccleaner/download/d1565b7fb77b48a3692a199d871845fd/

Anyhow this is just a quick but I think fairly thorough way of cleaning an infected system if you don’t have a ‘Live’ type of utility or rescue disk available such as UBCD (ultimate boot cd), Hiren’s, or a custom Bart PE disk.