ALERT: Evil Android Trojan Empties Your Bank Account

May 17, 2016 by The T By D Team Leave a Comment

ALERT: Evil Android Trojan Empties Your Bank Account

The FBI has identified 2 versions of malware for Android (SlemBunk and Marcher) actively phishing for financial institutions’ customer credentials. According to cyber threat security reports, both types of malware have targeted foreign financial institutions since 2014, gradually broadening the list to include Western banks, and offered the malware for lease or purchase in underground forums.

SlemBunk apps often masquerade as common, popular applications, and stay incognito after running the 1st time. They have the ability to phish for, and harvest, authentication credentials when specified banking and other similar apps are launched. Slembunk currently spoofs the apps of 31 banks across the globe – some of which are among the biggest banks in the world – as well as users of 2 popular mobile payment service provider apps.

Users will only get infected if the malware is accidentally downloaded from a malicious website, the new version of the malware being distributed by porn websites. Users who visit these sites are incessantly prompted to download Adobe Flash update to view the porn, and doing so, downloads the malware.

When the app is launched for the 1st time, it activates the registered receiver, which subsequently starts the monitoring service in the background. On the surface, it pops up a fake UI claiming to be Adobe Flash Player, or whatever it was advertised as being, and requests to be the device admin. Upon being granted admin privileges, it removes the fake icon from the device, and the malware monitors the infected phone for the launch of a targeted mobile banking app. When a mobile banking/payment app is launched, the malware injects a phishing overlay over the legitimate banking/payment app’s user interface (aka login screen). The malware then uses the fake login screen to steal the victim’s banking credentials.

How to Avoid Mobile Device Malware:

If you receive a pop-up telling you that you need to download Adobe Flash or any other software, whether you’re on your desktop or on your mobile device, go directly to the Adobe website or the app store (type it in the address bar), and download it from there.
Keep Android devices updated.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

ALERT: HTML Attachments

May 10, 2016 by The T By D Team Leave a Comment

ALERT: HTML Attachments

In the past, spam filters have been able to catch most of the malicious emails, based on the types of attachments they were sending (and trying to trick people into opening the attachments, which then downloads malicious files onto your device). Most of the malicious attachments used in the past were “.DOC” or “.JS” files, used mainly for ransomware attacks.

Now, CyberCriminals are trying to trick spam filters into letting their malicious emails through, by sending .HTML attachments, also knows as “attackments”.

CyberCriminals are using these attackments for credentials “phishing” for a few reasons. Namely:

Reduced chance of anti-virus detection: Carefully crafted .HTML files can reduce the chances that phishing emails with these attachments will be stopped by email security software or devices. .HTML files are not commonly associated with email-borne attacks (at least, not until recently). .HTML files can be used to embed redirects that can evade antivirus scanners that check only URLs that appear in the bodies of emails. .HTML files can also be used to deliver obscure web pages that might slip past scanners that do check .HTML attachments.
Users are familiar with these attachments, and usually don’t see them as harmful. Users and employees may be familiar with .HTML attachments, as they are often used by banks and other financial institutions to send secure information and documents. If your company routinely interacts with financial institutions, your employees may view .HTML attachments as simply routine and non-threatening.

Unfortunately, CyberCriminals have recently taken to using .HTML attachments to spoof bank login pages, popular online services, and secure messages from financial institutions (financial institutions often use “.HTML” attachments to send secure messages).

Your spam filters may miss these based on the “.HTML” file.

If you receive an email with an .HTML attachment, be wary!

Do not open it unless you know 100% that it is legitimate, have requested the link to be sent, or have verified with the sender that the attachment is legitimate.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

ALERT: New Ransomware Also Steals Your Bitcoins

April 26, 2016 by The T By D Team Leave a Comment

ALERT: New Ransomware Also Steals Your Bitcoins

With the rash of new ransomware strains out there, you knew they were going to up the ante somehow…

CryptXXX is built by the same CyberCriminals that are behind the Revelton malware. It is an attempt to one-up the release of the Locky ransomware by their CyberCriminal Competitors.

CryptXXX currently spreads through the Angler Exploit Kit which infects the PC with the Bedep Trojan, which drops information theft software on the PC, then adds professional-grad encryption adding a “.crypt” extension to the filenames.

This ransomware encrypts files locally, and on all mounted drives, and demands $500 Bitcoin/PC to unlock the encrypted files. However, they continue to add insult to injury by also stealing Bitcoins, as well as a large range of data.

CryptXXX tried to avoid detection through “random delayed” execution (which attempts to easily connect the infection to the delivery vector), anti-Virtual Machine, and anti-analysis functions (eg. checking CPU names in the registry, monitoring for mouse events).

The CyberCriminals behind this ransomware is highly skilled and experienced, which means this is professional-grade ransomware. Proofpoint researchers report “Those [ransomware infections] associated with more experienced [CyberCriminals], (such as Locky) have become widespread quickly…Given Revelton’s long history of successful and large-scale malware distribution, we expect CryptoXXX to become widespread. Based on the large number of translations available for the [Bitcoin] payment page, it appears that the Revelton team shares those expectations.”

The ransomware will initially be spread through drive-by downloads, but a deluge of phishing emails can be expected to follow shortly.

What Can You Do to Avoid Becoming a Ransomware Victim:

Backups. Backups. Backups. Maintain current, and reliable backups of all pertinent files. Nothing beats a good, reliable backup! Backing up your data now can prevent a lot of expensive headaches in the future.
AntiMalware Software. Regularly run AntiMalware software to block known strains of ransomware.
Update. Update. Update. Keep all hardware, software, and Operating Systems up-to-date.
Educate. Educate. Educate. Make sure employees and coworkers know about current viruses/malware, and what to look for. Print & post our “Red Flag Emails” for easy reference on what to look for in scam emails.
Install Ad Blockers When Possible. uBlock Origin is a great ad blocker for Chrome and other browsers.
Block Extensions via Email. A good spam blocker will usually handle this for you.
Limit permissions. Allow “Read/Write Access Only” when necessary.
Avoid mapping network shares. If you have to use them, hide them whenever possible. This is sometimes as simple as appending a “$” to your share name.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

ALERT: Prince’s Last Words

April 22, 2016 by The T By D Team Leave a Comment

ALERT: Prince’s Last Words

Yesterday, news broke that Prince (aka Prince Rogers Nelson) was found dead in his home in Minneapolis at age 57.

CyberCriminals eager, as always, to take advantage of any tragedy, are up to their same tricks. A series of email scams are currently being circulated, one of which is most likely to be a supposed video of Prince’s last words caught on video (this is a frequent scam to use after an especially unexpected celebrity death).

Whatever ploy is being used, you can be sure to end up with either infected computers at home or in the office, giving out personal information, or unleashing ransomware on the network.

Beware of any email, attachments, any social media, texts on your phone…anything.

Another heads-up:

With the recent eqrthquakes in Ecuador and Japan, there are charity scams rearing their ugly heads. If you want to make donations, please go to your favorite charity website directly by opening your browser and typing in their link in the address bar. DO NOT click on any links or open any attachments in emails.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

ALERT: Jigsaw Sinks to New Low…Even for Ransomware

April 21, 2016 by The T By D Team Leave a Comment

ALERT: Jigsaw Sinks to New Low…Even for Ransomware

Being infected by ransomware is bad enough. Add in being taunted by old horror movie pictures while it slowly deletes your encrypted files, all while increasing the ransom demand, until you pay for the decryption key. And if you reboot your PC, you’re punished with the instant deletion of 1,000 of your files.

Jigsaw, a new strain of ransomware tries to increase the pressure on victims to pay, by referencing the horror movie “Saw”. In fact, the ransomware is named after the film’s fictional serial killer John Kramer’s nickname the “Jigsaw Killer”. The ransomware, still drawing motivation from the horror movie, communicates with victims using a puppet called “Billy”, and uses the red clock to count down to deadlines imposed, which are both used by the killer in the movie. However, in the case of the ransomware, the clock shows victims how much time is left before more files get deleted, and the ransom demand increases. After 72 hours, the ransomware deletes every encrypted file on the PC.

How the ransomware attack unfolds, as seen on an infected PC. (Source: Forcepoint.)

This latest version, in a long list of versions, “appears to have been coded on March 23 and to have been used in live attacks by the end of the month” states Andy Settle, head of special investigations at Ryatheon’s cybersecurity business Forcepoint. “This malicious program starts encrypting your files while adding, with no irony, the ‘.FUN’ file extention.”

“Using horror movie images and references to cause distress in the victim is a new low.”

Jason Sumalapao, malware analyst at Trend Micro, states in a blog post that the ransom note exists in both English and Portutuese-language versions, and that the lowest possible amount that victims can pay, before the demand starts increasing, ranges from $20 to $150 USD in bitcoins.

Jigsaw appears to be distributed through adware and “grayware” (potentially unwanted applications, such as free toolbars), as well as through ‘adult content’ sites, reports Trend Micro.

Forcepoint states that the producers of Jigsaw attempted to prevent detection by writing the ransomware in ‘.NET’ code. However, this attempt failed, and security researchers have been able to recover the encryption key, as well as 100 different bitcoin payment addresses. This information has since been shared with authorities. Since the encryption key was discovered, security researchers have been able to publish instructions on how to remove Jigsaw infections. However, it’s probably not long before Jigsaw producers correct their coding error that lead to the discovery of the decryption key.

How to Avoid Jigsaw and Other Ransomware:

Backups. Backups. Backups. Maintain current, and reliable backups of all pertinent files.
AntiMalware Software. Regularly run AntiMalware software to block known strains of ransomware.
Update. Update. Update. Keep all hardware, software, and Operating Systems up-to-date.
Educate. Educate. Educate. Keep all employees and coworkers informed about current security threats, and what to look for. Check out our ‘Red Flag Emails‘ for tips on what to look for in scam emails.
Install Ad Blockers When Possible. uBlock Origin is a great ad blocker for Chrome and other browsers.
Block Extensions via Email. A good spam blocker will usually handle this for you.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

ALERT: Emergency Flash Patch Battles Ransomware

April 14, 2016 by The T By D Team Leave a Comment

ALERT: Emergency Flash Patch Battles Ransomware

Active CyberCriminal attacks are occurring that exploit a zero-day flaw in the Windows version of the Adobe Flash to install ransomware.

Security experts are warning all Adobe Flash users to either update Adobe Flash, or uninstall the browser plug-in software if you don’t use it. Recent versions of Flash for Mac OS X, Linux, and Google ChromeOS are also at risk.

Adobe has released updated versions of Flash that fix the flaw, which has been named “CVE-2016-1019”.

Adobe states: “Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier.”

Adobe’s latest Flash update includes fixes for 24 flaws. Adobe reports that many of the fixed flaws are considered “critical vulnerabilites” that “could potentially allow an attacker to take control of the affected system”.

The latest (fully-patched) version of the Flash Player Desktop Runtime is 21.0.0.213. Adobe recommends all users upgrade immediately.

Remember to install updates regularly. Updates plug known security holes that could be putting your computer system (and your business!) at risk!

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

ALERT: Number of Manitoba Victims of Ransomware Increasing!

April 1, 2016 by The T By D Team Leave a Comment

ALERT:

Number of Manitoba Ransomware Victims Increasing

For those of you that still think that ransomware, viruses, or malware doesn’t happen here, or that your business is too small or insignificant to warrant CyberCriminals’ attention…I’ve got news for you! The number of Manitoba businesses being hit with ransomare, malware, viruses, spyware, and just about anything else that CyberCriminals can dream up, has exploded in recent weeks. AND the methods that CyberCriminals are using to trick computer users into opening scam emails, infected files and/or attachments, or providing personal/financial information are getting more and more advanced.

What Is Ransomware?

Ransomware is a serious security threat that basically kidnaps your data. It limits access to files and/or system functions, sometimes even renders systems completely useless. They then force their victims to pay ransom to regain access to their files and/or systems.

How to Protect Yourself & Your Business:

Admit You’re a Possible Target: The #1 step to stepping up your defenses, is to admit that your business could be a target. If you are still in denial about this, you’ve probably already stopped reading, and there is nothing more I can do to help you.
EDUCATION. EDUCATION. EDUCATION. The #2 key to avoid becoming a victim is, you guessed it…education. Most new scams are being spread by social engineering and phishing scams, which are designed to trick people into thinking the emails are legit, and into opening the emails, and links or attachments. The links and/or attachments then infect the workstation, and usually quickly spread through the network to other workstations. Educate yourself and your employees about the dangers out there, and what to look for! This means anyone in your business that even looks at a computer should be informed what scams are currently out there, what to look for, and how to avoid them.
Know How to Recognize a Scam Email: Read our ‘Red Flag Emails‘ for clues on what to look for in suspect emails. The general rule of thumb is: If it looks suspect, and you can’t confirm that it’s the real deal…DELETE IT.
Install Updates: In spite of knowing the importance of installing software/hardware updates, a lot of people either put them off or skip them all together. Either the re-boot that your computer needs after installing the updates is ‘inconvenient’, or there are always ‘glitches’ after installing updates, etc etc. We’ve heard all the excuses. The bottom line: Is a 3 minute inconvenience to re-boot your computer, or putting up with potential glitches, or any other potential ‘inconveniences’ worth plugging any security holes in your computer system. I say yes, but that’s just me…
Keep Hardware and Software Up-to-Date: Outdated hardware and software is often no longer supported by the manufacturer. You’re thinking, “So what? I don’t need their support!”. This is a frequent misconception. Periodically, a manufacturer decides that it will no longer “support” older software and/or hardware, in favor of concentrating on newer, better releases. When a manufacturer no longer supports a piece of hardware/software, this means that they are no longer releasing the updates to plug known security holes. This means HUGE security risk for your company! This could also mean litigation, if you handle client information, payment information, etc.
Do Not Click Links Within Emails: If you receive an email that has a link to a website and/or webpage on it, especially if the link does not match the tone of the email, or if it is to something that this person (if you know them) would normally send you — DO NOT CLICK! A good trick: hover the mouse over the link (Do NOT Click!!). If the ‘box’ that appears does not match what the link states — it’s a fake and will cause you & your business some trouble if you click on it.
Do Not Call Companies From Phone Numbers in Emails: If you receive an email asking you to contact ‘Tech Support’ (or anything else for that matter!), get the phone number to call directly from their website. Lots of scams involve fake phone numbers directing you to a legit-sounding department, then proceed to ask for personal information, credit card information, log in info, etc.
Spam Filter: Tens of trillions of spam email is sent every year, to inboxes across the globe. A spam filter stops 95% of spam emails from ever reaching your employees’ inboxes in the 1st place…for less than a cup of coffee.. Because all it takes is one careless click, and your business could be compromised.
Backup, Backup, Backup. If everyone had reliable backups, ransomware wouldn’t even be an issue. If you have a reliable backup, you don’t have to pay the hundreds or thousands of dollars in ransomware (and put an even bigger target on your business, because CyberCriminals now know that don’t have backups!) to get your own files back. Instead, your files can be retrieved from your last backup, and you’re up and running!

Not sure how secure your network is? Ask us about our Network Security Assessment! Mention this post & get it FREE!

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

ALERT: ‘Locky’ Gaining Momentum…and Victims

March 14, 2016 by The T By D Team Leave a Comment

ALERT: ‘Locky’ Gaining Momentum…and Victims

This new CryptoLocker strain isn’t more sophisticated than any of the other versions of the malware, but it is spreading rapidly. The FBI has released a statement in a recent Wall Street Journal article, stating that the threat from ransomware is expected to grow exponentially.

Forbes claims that ‘Locky’ CryptoLocker is infecting approximately 90,000 computers per day, and is costing victims approximately .5-1 Bitcoin (approx. $420US) to unlock their systems.

Locky is spread through phishing emails containing Microsoft Word attachments. The last few days, Locky creators has sent at least 4 million phishing emails with a zip file as the attachment. The zip file contains a JavaScript file which downloads and installs Locky.

How to Protect Yourself:

Block any and all emails with .zip extensions and/or macros at your email gateway level.
Disable Adobe Flash Player, Java, and Silverlight if possible. These are all used as attack vectors.
Educate your employees and coworkers to the danger, so they can recognize the red flags related to ransomware attacks.
Check out our Red Flag Emails for clues on how to spot a spam email. Print it, and pass it out to all employees and coworkers so they can post it at their workstation as a reminder.
Ask us about a Spam Filter for your company. More affordable than you think, and a very reliable way to eliminate 90% of spam from ever entering your inbox!
Back up your data! Now, more than ever, backups are an everyday essential for every business! Ask us for a FREE quote!

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

ALERT: Netflix At No Charge

February 26, 2016 by The T By D Team Leave a Comment

ALERT:

Netflix At No Charge

With their recent globally launched streaming service, Netflix’s popularity is gaining steam.

Unfortunately, in today’s world popularity equals hacker target.

There are active malware and phishing campaigns targeting Netflix users with several scams:

One scam claims you need to update your payment information

2. Another claims that there has been “unusual” or “unauthorized activity on this account”

3. Still others try to trick you into downloading software for a cheaper version of Netflix

These are just a few of the scams currently circulating.

How To Protect Yourself:

If you receive an email that looks like its from Netflix, and claims you need to update payment information, DO NOT CLICK on any links or open any attachments.
Do not download anything from a MMS or a email. Only download Netflix software directly from the Netflix website or official app stores.
ALWAYS go to the websites yourself, instead of clicking on a link in an email.
If you want to be 100% sure, call their customer service directly, using the 1-800 number you find on their website.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

ALERT: MS Word Ransomware

February 22, 2016 by The T By D Team Leave a Comment

ALERT:

MS Word Ransomware

Over 400,000 workstations were infected within a few hours of it being released.

24 hours after being released, only 3 very specialized AntiVirus detected the ransomware.

Now, most major AntiVirus products now detect the ransomware

…but only if the user is updating their AntiVirus.

It was only a matter of time before some CyberCriminal figured out how to insert ransomware into a MS Word document.

Some professional CyberCriminal finally did it.

The new ransomware called “Locky”, was first reported in the UK by Kevin Baumont, is causing major headaches for companies all over the globe, and have been received by companies in Canada, and even here in Manitoba.

Emails contain the subject line “ATTN: Invoice J-98223146”, and a message like “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice”, or something similar. The email looks similar to the one below:

When opened, the attachment is a MicroSoft Word document that looks like the content of the document is scrambled. The document will display a message stating that you should enable the macros if the text is unreadable. The attachment will look similar to this:

Once the victim enables the macros, the macros downloads an executable file from a remote server. This file will be stored in the “%Temp%” folder and, when executed, will encrypt the files on the workstation, then both mapped and unmapped network drives.

Once this has happened, you receive the message below:

Similar to CryptoWall, Locky also completely changes the filenames for encrypted files to make it more difficult to restore the right data. At this time, there is no known way to decrypt files encrypted by Locky.

How to Defend Yourself:

Have your I.T. person hunt for this Group Policy Setting, and set it to “Disable all except digitally signed macros”.

Now check out Trusted Locations: User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations

Set your shared folder location URL in here, e.g. //blah.local/public/office

More details at Microsoft Tehnet here.

The user won’t see a prompt to enable the macro, nor can they from the Office options.

There is a still a small risk that the user will save the malicious email attachment to the network and open it. However, it is a much smaller risk than before.

Here is a very small sample of how far & fast Locky has spread:

Not sure if your company is safe? Ask us for a FREE Network Security Assessment!

Check out our “Email Red Flags” for what to watch for in suspicious emails.