<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>techcosupport.com &#187; Security</title>
	<atom:link href="http://techcosupport.com/press/category/support/security-support/feed/" rel="self" type="application/rss+xml" />
	<link>http://techcosupport.com/press</link>
	<description>Techco Support Site - Helping your business grow through Technology, Training and Coaching</description>
	<lastBuildDate>Fri, 30 Dec 2011 10:40:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Visa Scam Email Circulating</title>
		<link>http://techcosupport.com/press/visa-scam-email-circulating/</link>
		<comments>http://techcosupport.com/press/visa-scam-email-circulating/#comments</comments>
		<pubDate>Sun, 27 Nov 2011 20:19:21 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Support]]></category>
		<category><![CDATA[Email]]></category>
		<category><![CDATA[Scam]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=1033</guid>
		<description><![CDATA[<p>The spam filters are currently picking out a Visa Scam Email circulating at the moment which is claiming that your card has been blocked for security reasons. If your email browser will render the html, it looks something like this Visa Scam Screenshot:</p> <p class="wp-caption-text">Visa Scam Screenshot</p> <p>Analysis of the content shows a hyperlink which <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/visa-scam-email-circulating/">Visa Scam Email Circulating</a></span>]]></description>
			<content:encoded><![CDATA[<p>The spam filters are currently picking out a <strong>Visa Scam Email circulating</strong> at the moment which is claiming that your card has been blocked for security reasons. If your email browser will render the html, it looks something like this Visa Scam Screenshot:</p>
<div id="attachment_1034" class="wp-caption aligncenter" style="width: 310px"><a href="http://techcosupport.com/press/wp-content/uploads/2011/11/Visa-Scam-Screenshot.png"><img class="size-medium wp-image-1034" title="Visa Scam Screenshot" src="http://techcosupport.com/press/wp-content/uploads/2011/11/Visa-Scam-Screenshot-300x255.png" alt="Visa Scam Screenshot" width="300" height="255" /></a><p class="wp-caption-text">Visa Scam Screenshot</p></div>
<p>Analysis of the content shows a hyperlink which claims to point to visa.ca, but in fact is a link to an IP address in the Republic of Korea. Launching the link will only get you a page that looks like this:</p>
<div id="attachment_1035" class="wp-caption aligncenter" style="width: 310px"><a href="http://techcosupport.com/press/wp-content/uploads/2011/11/Visa-Scam-Link-Screenshot.png"><img class="size-medium wp-image-1035" title="Visa Scam Link Screenshot" src="http://techcosupport.com/press/wp-content/uploads/2011/11/Visa-Scam-Link-Screenshot-300x128.png" alt="Visa Scam Link Screenshot" width="300" height="128" /></a><p class="wp-caption-text">Visa Scam Link Screenshot</p></div>
<p>If you have received any of this type of email, and want to find out where the masked link is actually pointing, you could try looking it up via <a title="ipchecking.com/" href="http://ipchecking.com/" target="_blank">ipchecking.com</a>. However, the best advice with this scam is to press delete, and save your mailbox space.</p>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/visa-scam-email-circulating/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bredolab Botnet Still Active</title>
		<link>http://techcosupport.com/press/bredolab-botnet-still-active/</link>
		<comments>http://techcosupport.com/press/bredolab-botnet-still-active/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 19:25:07 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Bredolab]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=1012</guid>
		<description><![CDATA[<p>More Tax Payment malware news today, with a resurgence of the Bredolab botnet. </p> <p>Our MessageLabs Anti-Virus Service reported a suspicious email, similar to the Tax Spam Malware Warning yesterday. The message title once again was Your Tax Payment ID [Random Number] is failed</p> <p>This time Symantec reported it as Trojan.Bredolab, which is a likely <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/bredolab-botnet-still-active/">Bredolab Botnet Still Active</a></span>]]></description>
			<content:encoded><![CDATA[<p>More Tax Payment <strong>malware</strong> news today, with a resurgence of the <strong>Bredolab botnet</strong>.  </p>
<p>Our MessageLabs Anti-Virus Service reported a suspicious email, similar to the <a href="http://techcosupport.com/press/tax-spam-malware-warning/" title="Tax Spam Malware Warning" target="_blank">Tax Spam Malware Warning</a> yesterday.  The message title once again was Your Tax Payment ID [Random Number] is failed</p>
<p>This time Symantec reported it as Trojan.Bredolab, which is a likely resurfacing of a Bredolab botnet.</p>
<p>The Bredolab botnet was partially dismantled in November 2010 through the seizure by Dutch law enforcement agents of 143 command and control servers, effectively removing the botnet herder&#8217;s ability to control the botnet centrally.  Although the botnet&#8217;s size and capacity has been severely reduced by the law enforcement intervention.</p>
<p>A PC infected with Bredolab shows a number of effects as the malware:</p>
<ul>
<li>Downloads more malware on to the compromised computer</li>
<li>Lowers the security settings on the infected computer</li>
<li>May result in file deletion</li>
</ul>
<p>If your anti virus software or mail gateway informs you that it has detected Bredolab, follow the instructions and do not open any affected files.  To make sure that your machine does not get infected keep your anti virus software switched on and the signatures up to date.</p>
<p>Further resources </p>
<ul>
<li><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2009-052907-2436-99" title="Symantec Labs Trojan.Bredolab" target="_blank">Symantec Labs Trojan.Bredolab</a></li>
<li><a href="http://en.wikipedia.org/wiki/BredoLab_botnet" title="xxx" target="_blank">BredoLab botnet on Wikipedia</a></li>
<li><a href="http://www.zdnet.com/blog/security/dutch-police-shut-down-bredolab-botnet/7573" title="xxx" target="_blank">Dutch police shut down Bredolab botnet</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/bredolab-botnet-still-active/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tax Spam Malware Warning</title>
		<link>http://techcosupport.com/press/tax-spam-malware-warning/</link>
		<comments>http://techcosupport.com/press/tax-spam-malware-warning/#comments</comments>
		<pubDate>Tue, 08 Nov 2011 21:52:39 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Tax]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=1005</guid>
		<description><![CDATA[<p>The spam filters are currently working overtime catching dubious email messages about tax payments having failed. As you might expect, this is a Tax Spam Malware Warning, so take care before opening anything that tells you that Your Tax Payment failed.</p> <p>This email, which purports to be from US tax payment service Electronic Federal Tax <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/tax-spam-malware-warning/">Tax Spam Malware Warning</a></span>]]></description>
			<content:encoded><![CDATA[<p>The <strong>spam</strong> filters are currently working overtime catching dubious email messages about tax payments having failed. As you might expect, this is a <strong>Tax Spam Malware Warning</strong>, so take care before opening anything that tells you that Your Tax Payment failed.</p>
<p>This email, which purports to be from US tax payment service Electronic Federal Tax Payment System (EFTPS), claims that the recipient&#8217;s tax payment has been rejected due to a submission error. The message, which includes a sender address and link that are seemingly valid EFTPS addresses, asks the recipient to click a link in order to review details about the error. </p>
<p>Obviously the email is not from the EFTPS, and the link in the message has been disguised so that it appears to point to the genuine EFTPS website. In fact, it is a phishing scam designed to steal personal information from recipients. A sample of the email appears below:</p>
<blockquote>
<p>Your Tax Payment ID [random number] is failed</p>
<p>Your Federal Tax Payment ID: 32127292 has been rejected.<br />
Return Reason Code R21 - The identification number used in the Company Identification Field is not valid.</p>
<p>Please, check the information  to get details about your company payment in transaction contacts section:</p>
<p>attach name = report.18653.pdf</p>
<p>In other way forward information to your accountant adviser.<br />
EFTPS:<br />
The Electronic Federal Tax Payment System<br />
PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.</p>
</blockquote>
<p>Attempting to open the attached file will result in a malware loader executing.  This is detected by Sophos Anti-Virus as &#8216;Virus/Spyware Mal/FakeAV-OQ&#8217;.</p>
<p>The grammatical errors should give you a clue to the bogus source of this Tax Spam Malware. Do not click on any links in this email or download any attachments. Flag as spam and press delete!</p>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/tax-spam-malware-warning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malware Scripts Added To Websites</title>
		<link>http://techcosupport.com/press/malware-scripts-added-to-websites/</link>
		<comments>http://techcosupport.com/press/malware-scripts-added-to-websites/#comments</comments>
		<pubDate>Sun, 06 Nov 2011 22:19:31 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Script]]></category>
		<category><![CDATA[Trojan]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=994</guid>
		<description><![CDATA[<p>A couple of our customers have experienced hacks to their websites this last week, with malicious code (or malware) added to several pages. Normal visitors to the site have a little extra script added when they load the page, which good antivirus software will identify as a malware script. Kaspersky Labs identifies the Trojan loader <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/malware-scripts-added-to-websites/">Malware Scripts Added To Websites</a></span>]]></description>
			<content:encoded><![CDATA[<p>A couple of our customers have experienced hacks to their <strong>websites</strong> this last week, with malicious code (or <strong>malware</strong>) added to several pages.  Normal visitors to the site have a little extra <strong>script</strong> added when they load the page, which good antivirus software will identify as a <strong>malware script</strong>.  Kaspersky Labs identifies the <strong>Trojan</strong> loader as Heur: Trojan <strong>Script</strong> Generic, which is a generic <strong>Trojan</strong> loader identified by a heuristic algorithm.  Alternatively, it may be identified as the Blackhole Exploit kit by other AV products.</p>
<p>Analysis of samples of the inserted code shows some common strings, which can be used to find the script on an <strong>infected website</strong>.  The code appears to have been inserted by an automated script loader, probably a bot using brute force to guess FTP passwords.</p>
<blockquote><p>
<code>< b o d y>< d i v id="w3stats"><br />
< s c r i p t language="JavaScript" type="text/javascript"><br />
<strong>window.w3ssss</strong>=function(){<br />
=== Script Link and other code removed ===<br />
CheckBody();<br />
< / s c r i p t >< / b o d y >< / h t m l ></code></p></blockquote>
<p>A quick Google search reveals that quite a few sites have had this little addition.  If you find that you have been infected, carry out the following actions as soon as possible:</p>
<ul>
<li>Search the code on each page for the string &#8220;window.w3ssss&#8221;</li>
<li>Remove the offending code from all of the pages where it has been installed</li>
<li>Change all your site passwords, including FTP</li>
<li>Monitor the site regularly for reinfection</li>
</ul>
<p>Thousands of website owners are unaware that their sites are hacked and infected with malware scripts.  Here are a few useful links to help:</p>
<ul>
<li><a href="https://www.google.com/search?q=window.w3ssss" title="Search Google for hacked sites" target="_blank">Search Google for hacked sites</a></li>
<li><a href="http://sitecheck.sucuri.net/scanner/" title="xxx" target="_blank">Free website malware &#038; blacklist scan</a></li>
<li><a href="http://www.unmaskparasites.com/" title="xxx" target="_blank">Check your site using Unmask Parasites</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/malware-scripts-added-to-websites/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spear Phishing Attack Warning</title>
		<link>http://techcosupport.com/press/spear-phishing-attack-warning/</link>
		<comments>http://techcosupport.com/press/spear-phishing-attack-warning/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 18:59:32 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Spear Phishing]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=976</guid>
		<description><![CDATA[<p>A warning which is currently circulating in security circles concerns a Spear Phishing attack masquerading as a company virus warning. The object is to trick users into installing malware on their computers which would compromise their security.</p> <p>Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/spear-phishing-attack-warning/">Spear Phishing Attack Warning</a></span>]]></description>
			<content:encoded><![CDATA[<p>A warning which is currently circulating in security circles concerns a <strong>Spear Phishing</strong> attack masquerading as a company virus warning.  The object is to trick users into installing malware on their computers which would compromise their security.</p>
<p><strong>Phishing</strong> is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. The name comes from fishing (baiting a hook); the message could claim to be from a bank, online payment processor or a social media site.</p>
<p><strong>Spear Phishing</strong> (sometimes written as <strong>Spearphishing</strong>) is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data.  This is usually by impersonating a company employee via e-mail to steal usernames and passwords from colleagues and gain access to the company systems.  Spear phishing is commonly used to refer to any targeted email attack, not just limited to phishing. </p>
<p>The particular attack which is currently circulating attempts to trick users into believing they are downloading an approved anti-virus update from the company&#8217;s IT department, to combat a new kind of virus.  However, if they do succumb to temptation, they will install a Trojan horse.  According to the Sophos Naked Security blog post, Sophos anti-virus products detect the malware as Mal/Generic-L and Troj/Inject-QL.</p>
<p>If you ever receive an odd email recommending that you click on a link to install something, check with your IT department to see if the instruction is genuine. They would much rather you checked than put the network at risk from malware infection.</p>
<p>For more details of the Spear Phishing Attack Warning, including a sample email message, <a href="http://nakedsecurity.sophos.com/2011/10/11/sneaky-company-virus-warnings-malware/" title="click here to view the Sophos Sneaky fake company virus warning" target="_blank">click here to view the Sophos Sneaky fake company virus warning</a></p>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/spear-phishing-attack-warning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Block Spam from WordPress Contact Page</title>
		<link>http://techcosupport.com/press/block-spam-from-wordpress-contact-page/</link>
		<comments>http://techcosupport.com/press/block-spam-from-wordpress-contact-page/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 20:20:52 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Support]]></category>
		<category><![CDATA[WordPress]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=961</guid>
		<description><![CDATA[<p>Have you been having trouble with Spam from your Contact Page on your WordPress blog? This is a quick way to Block Spam from a WordPress Contact Page.</p> <p>Every good website has a Contact page to ensure that users can get questions answered, and customers can engage before buying goods and services. The trouble is <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/block-spam-from-wordpress-contact-page/">Block Spam from WordPress Contact Page</a></span>]]></description>
			<content:encoded><![CDATA[<p>Have you been having trouble with Spam from your Contact Page on your <strong>WordPress</strong> blog? This is a quick way to <strong>Block Spam from a WordPress Contact Page</strong>.</p>
<p>Every good website has a Contact page to ensure that users can get questions answered, and customers can engage before buying goods and services.  The trouble is that every bad robot spider trawling the web knows that too, and targets input forms and contact pages.  Pretty soon after putting your Contact Page live you can expect to start receiving emails about Viagra, poorly crafted meaningless comments containing back links, or just random strings of characters.  While the delete key handles these things quickly and efficiently, the net effect is to dilute our energy, which should be directed at answering the real questions from our customers.  What we need is a better solution.</p>
<p><strong>What Stops The Bots?</strong><br />
To stop the spiders from even posting the contact form we need to install a WordPress <strong>CAPTCHA</strong> plugin.  A <strong>CAPTCHA</strong> (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response test used to ensure that the response is not generated by a computer or Bot. It can be as simple as identifying if a picture of an animal is a cat or a dog, which is easy for a human, but a challenge for a Bot.  The most common forms use distorted images of letters and numbers, which the human eye can easily distinguish due to pattern matching capabilities within our brains. Go humans!</p>
<p><strong>How To Block Spam from a WordPress Contact Page</strong><br />
If you are using the Contact Form 7 plugin, there is a <strong>Really Simple CAPTCHA</strong> plugin which integrates right in to the Contact Form 7.  While not strongly secure, it will at least stop the script kiddies and bots having an open door. To install it carry out the following steps:</p>
<ul>
<li>In the Plugins section of the Dashboard, click on <strong>Add New</strong> </li>
<li>Search for plugins by keyword Term <strong>Really Simple CAPTCHA</strong></li>
<li>Next to Really Simple CAPTCHA, click on <strong>Install Now</strong></li>
</ul>
<p><strong>What Else Can Block Spam</strong><br />
If the Really Simple CAPTCHA plugin does not meet the requirements, there are a number of other measures we can use to block Spam from WordPress contact pages, including:</p>
<ul>
<li>Secure CAPTCHA, which uses hard to break and easy to read secure CAPTCHA images from SecureCAPTCHA.net.</li>
<li>Contact Form by ContactMe.com, which is a fully customizable contact form which automatically adds your contacts to a free online contacts database.</li>
<li>Fast Secure Contact Form which supports sending mail to multiple departments, and redirects to any URL after the message is sent.</li>
</ul>
<p>Hopefully using one of these methods we can see the back of spam contacts from the contacts page, and get back to the business of responding to our customers and genuine visitors.</p>
<p>Finally, some useful Resources to help block Spam from a WordPress Contact Page</p>
<ul>
<li><a href="http://wordpress.org/extend/plugins/tags/captcha" title="WordPress.org CAPTCHA List" target="_blank">WordPress.org CAPTCHA List</a></li>
<li><a href="http://wordpress.org/extend/plugins/contact-form-with-captcha/" title="Contact Form With Captcha" target="_blank">Contact Form With Captcha</a></li>
<li><a href="http://en.wikipedia.org/wiki/CAPTCHA" title="xxx" target="_blank">CAPTCHA From Wikipedia, the free encyclopedia</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/block-spam-from-wordpress-contact-page/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Keylogger virus infects drone plane command centre</title>
		<link>http://techcosupport.com/press/keylogger-virus-infects-drone-plane-command-centre/</link>
		<comments>http://techcosupport.com/press/keylogger-virus-infects-drone-plane-command-centre/#comments</comments>
		<pubDate>Sun, 09 Oct 2011 20:00:00 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Drones]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=945</guid>
		<description><![CDATA[<p>The hot news on the blogosphere at the moment is the revelation that a Keylogger virus has infected the drone plane command centre at Creech air force base in Nevada. </p> <p>Keylogging (or Keystroke logging) is the action of tracking (or logging) the keys struck on the keyboard, typically in a covert manner so that <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/keylogger-virus-infects-drone-plane-command-centre/">Keylogger virus infects drone plane command centre</a></span>]]></description>
			<content:encoded><![CDATA[<p>The hot news on the blogosphere at the moment is the revelation that a Keylogger virus has infected the drone plane command centre at Creech air force base in Nevada. </p>
<p>Keylogging (or Keystroke logging) is the action of tracking (or logging) the keys struck on the keyboard, typically in a covert manner so that the person using the keyboard is unaware.  The Keylogger virus is used to capture users&#8217; passwords, credit card details and bank account numbers as people type them in. The data is then sent over the web to fraudsters.  Security officials are currently unable to completely remove the virus, as it keeps reinstalling itself, suggesting that the attack vector has not been plugged.</p>
<p>Creech air force base in Nevada is the command centre for the remotely piloted aircraft used in Afghanistan including the Predator drone spyplane-bomber.  The Predator is a medium-altitude, long-endurance unmanned aircraft system which is used in Afghanistan and, more controversially, across the border in Pakistan.</p>
<p>This is the latest security breach for the hi-tech remotely piloted vehicle system; the US military has previously found out that Iraqi insurgents were able to capture and record the footage being sent to troops and back to the airbase by cameras on the drones.  The insurgents hacked into video feeds, which were not encrypted, using a $26 piece of Russian software named SkyGrabber.  Apparently the encryption for the feeds was removed for performance reasons.</p>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/keylogger-virus-infects-drone-plane-command-centre/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ACH Spam With Malware Attachment</title>
		<link>http://techcosupport.com/press/ach-spam-with-malware-attachment/</link>
		<comments>http://techcosupport.com/press/ach-spam-with-malware-attachment/#comments</comments>
		<pubDate>Sun, 18 Sep 2011 20:05:01 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=922</guid>
		<description><![CDATA[<p>The spam filters have been busy over the last couple of days, with a number of Emails with the title of ACH NOTIFICATION and ACH Payment [Number] Rejected. In each case the email contains an attachment purporting to be a self extracting PDF file.</p> <p>Of course, on closer examination the supposed self extracting PDF file <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/ach-spam-with-malware-attachment/">ACH Spam With Malware Attachment</a></span>]]></description>
			<content:encoded><![CDATA[<p>The spam filters have been busy over the last couple of days, with a number of Emails with the title of ACH NOTIFICATION and ACH Payment [Number] Rejected.  In each case the email contains an attachment purporting to be a self extracting PDF file.</p>
<p>Of course, on closer examination the supposed self extracting PDF file is a malware down-loader, no doubt ready and waiting to connect you to one or more bot nets.  This is a common scenario with a spammed-out trojan down-loader triggering the execution of multiple pieces of malware on the unwitting user&#8217;s computer.  In this case, Sophos anti virus detects the file and identifies it as Mal/BredoZp-B.  For a detailed analysis of the activities of the spam payload, see the article on the ACH spam campaign by M86 security labs via the link below.</p>
<p>Automated Clearing House (ACH) is an electronic network for financial transactions in the United States.  As usual with this type of spam and associated malware, ACH have no connection with the email, so there is little point in blocking the sender&#8217;s address, in our case ach.01 at nacha.org.</p>
<p>Once again our advice is that you should not open any unexpected emails, or unsolicited attachments, as in this case it will attempt to infect your Windows computer.  Just press delete and double check that your anti-virus software is up to date.</p>
<p>Resources relating to ACH Spam With Malware Attachment:</p>
<ul>
<li><a href="http://techcosupport.com/spamsamples/AchNotification.html" title="Sample ACH Notification email (Deactivated)" target="_blank">Sample ACH Notification email (Deactivated)</a></li>
<li><a href="http://nakedsecurity.sophos.com/2011/08/30/fdic-notification-malware/" title="Sophos Naked Security blog entry FDIC notification malware attack spammed out" target="_blank">Sophos Naked Security blog entry FDIC notification malware attack spammed out</a></li>
<li><a href="http://labs.m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/" title=" M86 security labs analysis of the ACH spam campaign" target="_blank">M86 security labs analysis of the ACH spam campaign</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/ach-spam-with-malware-attachment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Uniform Traffic Ticket Malware Spam</title>
		<link>http://techcosupport.com/press/uniform-traffic-ticket-malware-spam/</link>
		<comments>http://techcosupport.com/press/uniform-traffic-ticket-malware-spam/#comments</comments>
		<pubDate>Thu, 01 Sep 2011 20:20:31 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Support]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=887</guid>
		<description><![CDATA[<p>If you live anywhere except the City of New York you may have been surprised to receive an email recently, which claims to come from the New York State Department of Motor Vehicles. Even if you aren&#8217;t based in the United States, or even don&#8217;t drive a car, you may well see the posting which <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/uniform-traffic-ticket-malware-spam/">Uniform Traffic Ticket Malware Spam</a></span>]]></description>
			<content:encoded><![CDATA[<p>If you live anywhere except the City of New York you may have been surprised to receive an email recently, which claims to come from the New York State Department of Motor Vehicles.  Even if you aren&#8217;t based in the United States, or even don&#8217;t drive a car, you may well see the posting which poses as a &#8220;<strong>Uniform Traffic Ticket</strong>&#8221; and says that you are charged with speeding at 7:25 AM on the 5th July 2011.</p>
<p>People may be tempted to open the attachment out of curiosity, or even alarm if they have been driving in New York City, but do not do so, or you may end up with a computer infected with malware.</p>
<p>However, the message is certainly not from New York State Police and the attachment does not contain a speeding ticket. In fact, the attachment contains a trojan that, if opened, can install itself on the user’s computer. Typically, such trojans are able to contact a remote server and download further malware that can steal information from the infected computer and allow criminals to control it from afar.</p>
<p>The email sender address has been reported as automailer.nnn, no-reply.nnn and info.nnn, all purportedly at nyc.gov.  It goes without saying that the New York State Police and the New York State Department of Motor Vehicles have nothing to do with this email, and it should be treated like any other virus or spyware.  The New York State Police Computer Crime Unit has issued a <strong>Hoax E-mail Alert</strong> dealing with the <strong>Uniform Traffic Ticket Malware Spam</strong>.</p>
<p>The attached file, which is called something like Ticket-O64-211.zip, Ticket-728-2011.zip, or just Ticket.zip, is designed to download further malicious code onto your computer and compromise your security.  Sophos anti-virus products detect the malware payload as Mal/ChepVil-A, while the CyberCrime &#038; Doing Time Blog identifies that the malware connects to a Russian domain and downloads files called &#8220;/ftp/g.php&#8221; and &#8220;pusk3.exe&#8221;.</p>
<p>The <strong>Uniform Traffic Ticket Malware Spam</strong> email is probably the work of a botnet, which is a group of computers infected with malicious software and controlled as a group without the owners&#8217; knowledge.  The network of private computers, sometimes known as zombies or robots, runs autonomously and automatically to send out spam emails that encourage users to open virus- or trojan-infected attachments. This means that it is pointless blocking the sender, as the sender address is forged and unrelated to the actual computer used to send the email.</p>
<p>We recommend that you delete the e-mail and do not forward it to anyone else. Make sure that you have active anti-virus software, and have your firewall switched on.  Of course you should only open e-mails from familiar and trusted sources; if you really have been speeding in New York City, the New York State Department of Motor Vehicles will certainly find a way to let you know!</p>
<p>For further information on this subject:</p>
<ul>
<li><a href="http://garwarner.blogspot.com/2011/08/new-york-city-uniform-traffic-ticket.html" title="Click here to see an image of the email on CyberCrime &#038; Doing Time Blog" target="_blank">Click here to see an image of the email on CyberCrime &#038; Doing Time Blog</a></li>
<li><a href="http://www.facebook.com/SophosSecurity" title="Check out the Sophos Security Facebook page" target="_blank">Check out the Sophos Security Facebook page</a></li>
<li><a href="http://troopers.ny.gov/Public_Information/2011_News_Releases/07-06-11_Hoax_E-mail_Alert.cfm" title=" See the New York State Police Computer Crime Unit Hoax E-mail Alert" target="_blank">See the New York State Police Computer Crime Unit Hoax E-mail Alert</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/uniform-traffic-ticket-malware-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Data Protection Audit Report Published</title>
		<link>http://techcosupport.com/press/google-data-protection-audit-report-published/</link>
		<comments>http://techcosupport.com/press/google-data-protection-audit-report-published/#comments</comments>
		<pubDate>Wed, 17 Aug 2011 06:30:35 +0000</pubDate>
		<dc:creator>bgt</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[DP Audit]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[ICO]]></category>

		<guid isPermaLink="false">http://techcosupport.com/press/?p=864</guid>
		<description><![CDATA[<p>Have you ever seen the ICO auditors? If your company was to receive a call from them, how well do you think you would fare?</p> <p>This week the UK Information Commissioner&#8217;s Office (ICO) has published an Executive Summary of its Data Protection Audit Report on Google, following the revelation that Google were inadvertently collecting wi-fi <span style="color:#777"> . . . &#8594; Read More: <a href="http://techcosupport.com/press/google-data-protection-audit-report-published/">Google Data Protection Audit Report Published</a></span>]]></description>
			<content:encoded><![CDATA[<p>Have you ever seen the ICO auditors? If your company was to receive a call from them, how well do you think you would fare?</p>
<p>This week the UK Information Commissioner&#8217;s Office (ICO) has published an Executive Summary of its Data Protection Audit Report on Google, following the revelation that Google were inadvertently collecting wi-fi signals while mapping the country. According to their website, the ICO carries out consensual audits with data controllers to assess their processing of personal information.</p>
<p>Last year the ICO became aware that Google Street View vehicles, which had been adapted to collect publicly available wi-fi radio signals, had mistakenly collected a limited amount of payload data, likely to include a very limited quantity of emails, URLs and passwords. Google agreed to facilitate a consensual audit by the ICO.</p>
<p>The framework that was included in the audit scope is as follows:</p>
<blockquote><p>Framework: Google will conduct an internal assessment and provide a confidential written report (“Privacy Report”) to the Commissioner. This Privacy Report will analyze Google’s implementation of the privacy process changes it outlined on October 22, 2010 as it applies to Google’s UK operations. The Information Commissioner’s Office may then validate the Privacy Report’s accuracy and findings via an in-person meeting to review the Privacy Report at Google’s U.S. headquarters or at the offices of Google’s UK subsidiary. Google shall provide the Privacy Report to the Commissioner before such meeting. </p></blockquote>
<p>Google has responded to the ICO report, noting that the findings provided &#8220;reasonable assurance that Google have implemented the privacy process changes outlined in the Undertaking.&#8221;  This was posted on the European Public Policy Blog by Alma Whitten, Director of Privacy, Product and Engineering, whose appointment was announced on 22 October 2010.</p>
<p>While there are a few areas for improvement noted in the executive summary, there are none that could be described as earth-shattering. We would consider that any company that had been subject to a consensual audit by the Information Commissioner&#8217;s Office would be quite satisfied with the report.  Knowing how good Google are at marketing, they will probably want to make capital out of it too.</p>
<p>Before we leap to judge Google, it is worth pointing out that in the UK, the Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify the ICO, unless they are exempt. Failure to notify is a criminal offense, and entries have to be renewed annually. If you are required to notify but don’t renew your registration, you are committing a criminal offense.  Do you need to register?</p>
<p>If your company was to receive a visit from the Information Commissioner&#8217;s auditors, even with nine months&#8217; notice like Google, how well do you think you would fare?  How many pieces of personal data has your company inadvertently collected over the years, and is still retaining for no legitimate purpose? Perhaps it would be worth a visit to the ICO website to find out if you need to do something now?</p>
<p>For more on the story:</p>
<ul>
<li><a href="http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/~/media/documents/library/Data_Protection/Notices/ico_audit_google_executive_summary.ashx" title="Read the executive summary of the Google audit report" target="_blank">Read the executive summary of the Google audit report</a></li>
<li><a href="http://googlepolicyeurope.blogspot.com/2011/08/ongoing-privacy-work.html" title="Read Google's response" target="_blank">Read Google&#8217;s response</a></li>
<li><a href="http://www.ico.gov.uk/for_organisations/data_protection/notification/need_to_notify.aspx" title="ICO Do I need to notify?" target="_blank">ICO: Do I need to notify</a>
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://techcosupport.com/press/google-data-protection-audit-report-published/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

