Microsoft Phone Scam Still Running

Have you seen reports about people from Microsoft Tech Support, who call you because you have malware on your computer? Have you had a call from a plausible sounding agency saying you have a virus on your PC? Did you feel uneasy about someone who knew your name and had details about how slow your PC was running? Chances are that you have been at least peripherally involved with a Phishing attack. Today’s security incident concerns the Microsoft Phone Scam, which is still running after eight years or so.

Why the Microsoft Phone Scam?

This attempt to get access to PCs, or to the personal information on them, usually targets Windows users, so the scammer claims to be from Microsoft tech support. They target Windows-based PCs because there are a lot of them, but they are equal opportunity criminals. They will attempt to hack a Mac too.

What the Scammers Do

Today the support line received a call from a very helpful gentleman named Derek, who claimed to be from Microsoft tech support. He asked for me by name, which was nice, but then went on to explain how my PC had become infected by malware, and so was running slowly. A safe bet really. Is there anybody who doesn’t think their Facebook response time could be quicker? Pity that his technical report did not tell him I was using a Mac. Still, we decided to let the call run, as we were recording for training purposes.

He then proceeded to explain that the fix for this problem was simple, and would only involve typing something into the command line. We got him to repeat the instructions several times to make sure we got it right. Had we actually been following his very patient instructions, we would have connected to fastsupport.com and accepted a GoTo Assist remote call. This would have given him unrestricted access to our PC, at user level, so he could have installed anything he liked.

Unfortunately we developed “technical difficulties” once we received the support key number, and had to hang up on Derek. He was persistent, and called back five times over the next ten minutes. He even let the phone ring for up to two minutes at a time. When we tired of this game, we answered, and informed Derek that we were cyber security specialists, investigating Phishing attacks. We told him that we were recording the conversation, and pointed out that our PC was, in fact, a Mac. He still tried to get us to accept the remote access call!

You couldn’t make this up!

How the scam works

Rather than producing a computer virus directly, which is time consuming and involves skill, these scammers resort to Social Engineering. This is the practice of manipulating people so that they give up confidential information. If they can trick you into letting them access your computer remotely, they can secretly install their malicious software themselves. That would give them access to your passwords and bank information, as well as giving them control over your computer.

How to deal with Microsoft phone scam calls

As Fast Support is a legitimate company, they have a mechanism to prevent abuse of their system. If you want to get one back at the scammers, play along up to the point that they give you the support key. Get them to repeat it a couple of times, to make sure you have it right, and then hang up and report the incident to Fast Support using the following link: www.fastsupport.com/abuse. You will only need the support key number, and it only takes a couple of seconds.

What Else You can Do

Probably the most important thing you can do is let people know about the Microsoft phone scam. It preys on people’s insecurity about their lack of technical knowledge. The best defence against Social Engineering is sharing knowledge, so tell everyone about it.

You can also report the incident to the police through www.actionfraud.police.uk/. As we have pointed out previously, they will only record the incident for statistical purposes.

Another PayPal Scam Email To Delete

Another day, another PayPal scam email hits the in-box. It would be easy for someone to think that this was genuine, especially when it is rendered with PayPal graphics. This is why we investigate each and every scam email to see how convincing they are, and assess the risk of people getting fooled into responding. We then report them through the appropriate channels, and encourage others to do the same.

What to look for on this PayPal scam email

The email, reproduced below, is based on a genuine PayPal notification, but with subtle differences.

[Image: PayPal scam email]

A quick check of the sender, by hovering over the "from PayPal" address, shows that it actually resolves to someone called anitad@uvigo.es. So a reply to the PayPal scam email would go there, not to PayPal! Be warned.

The Log in now button does render in the browser as a button, but we keep HTML blocked to avoid surprises. As you might expect from a scam email, it does not point to PayPal either, but to an unlikely domain registered in Australia. This site is buried at the bottom of a deep sub-domain chain, so it is possible that the site owner does not know about it. We will be contacting the organisation separately, as they might not even be aware that their site is being used nefariously.

How to deal with PayPal scam emails

Make sure your family, friends and colleagues are aware that these emails are out there, waiting to trap the unwary. If you receive an email claiming to come from PayPal, please do not reply to it. Do not click on any link or button, or open any attachments. Simply forward the email to spoof@paypal.co.uk, then delete it.

You can also report the incident to the police, although they will only record it for statistical purposes. The police suggest that the public can help disrupt fraudsters by reporting scam emails. People are urged to report them through reportlite.actionfraud.police.uk.

What else can we do?

For further advice on fraud and how to avoid it, see the Action Fraud website: www.actionfraud.police.uk
For further information on phishing and malware please use the following links:
www.actionfraud.police.uk/fraud-az-phishing
www.actionfraud.police.uk/fraud-az-malware

VAT Return and Payment Overdue Scam Email

Why User Vigilance Is Important

Today we received a gentle reminder that no matter how hard we work to keep out cyber-threats, there is always a weak link to target in any business system. The users. This exploit concerns a VAT Return and Payment Overdue scam email which was received in the office today. The instant reaction was to jump to the conclusion that we had to do something quickly, to avoid a penalty. Which is just what the reprobate behind the email was hoping.

What To Look For

This is a warning about a VAT Return and Payment Overdue scam email, which may catch out the unwary. If you are a business owner or have responsibility for finance matters please watch out for this innocent looking communication.

[Image: VAT Return and Payment Overdue scam email]

How To Tell It Is A Scam Email

[Image: WhoIs result for the sender's domain]

If you hover the mouse over the sender, most good email systems will tell you the address you will be replying to. In this case you will not be surprised to learn that it is not from HM Revenue and Customs (HMRC) at all! It comes from a suspicious email address which is registered to someone called Denis. Denis apparently lives in Moscow, and is using the unlikely email address of info@hmrccustomersupport157.top.

When The Penny Drops

After a few laps of the office, looking for a quick solution, or a way to pass responsibility over to someone else, the recipient had the good sense to check up via the HMRC website. The information on that site, which is linked below, made him think twice. Fortunately, he reported the matter to Information Security before clicking on and opening the email attachment.

Cost of the VAT Return and Payment Overdue Scam

In our case, the cost of this particular email scam was trivial. It mostly involved additional wear and tear on the carpet and some lost productivity. According to an anonymous source in finance, there was also some lost paint from the ceiling. It could have been much more costly if the user had opened the attachment and did not have up-to-date anti-virus.

While HMRC may send you an email if you are overdue with VAT payments, they will use the normal contact email address, and will recommend that customers pay online to avoid further action. These emails will never ask you to provide personal or financial information. You won’t be able to reply to the emails, which will be sent from no.reply@advice.hmrc.gsi.gov.uk.

In Conclusion

This VAT Return and Payment Overdue scam email has been timed to catch the unwary by being the right date, but a month early. Let people know that they should ignore the call to act immediately, and instead report the matter to IT security. Even if there is no malicious payload in the attachment, scam emails like this can disrupt the flow of energy in a business and ultimately cost money.

The Upside

On the upside, this scam is an early reminder that our VAT return has to be completed at the end of this month, so I might go and give the finance team a gentle reminder!

Further Information

For authoritative information about when your VAT return is due, see www.gov.uk/vat-returns/deadlines

To report instances of this email scam, forward the suspicious emails to HMRC phishing team at: phishing@hmrc.gsi.gov.uk

Is W32.Flamer Evidence of Cyberwarfare Activities?

A number of commentators on the Net are suggesting that the recent malware infection in a number of Middle Eastern countries is evidence of cyberwarfare activities by a professional team.

Flame, or W32.Flamer, or skywiper, may have been developed by a nation state as part of cyberwarfare activities, and is targeted at information gathering rather than destruction of data. Analysts who have been decoding the computer worm have been unable to identify the source, but they say only a professional team working for several months could have been behind it.

The CrySys Laboratory in Hungary was one of the first to attempt an analysis, and reported that: “The results of our technical analysis supports the hypothesis that skywiper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyberwarfare activities. It is certainly the most sophisticated malware we have encountered. Arguably, it is the most complex malware ever found.”

According to Symantec, W32.Flamer is a worm that spreads through removable drives. It also opens a back door into the user's computer and may steal information from the compromised computer. Symantec Security Response is currently investigating this threat but has classified the Threat Assessment in the wild as Low.

Damage
  • Damage Level: Medium
  • Payload: Opens a back door.
  • Releases Confidential Info: Steals information.

Although the rate of spread may be low, due to the propagation method, this malware is likely to attract a lot of attention and hot debate because of the potential for Cyberwarfare. Watch this space for more news as it emerges.

For more information see:

Visa Scam Email Circulating

The spam filters are currently picking out a Visa Scam Email circulating at the moment, which claims that your card has been blocked for security reasons. If your email client renders the HTML, it looks something like this:

[Image: Visa scam screenshot]

Analysis of the content shows a hyperlink which claims to point to visa.ca, but in fact is a link to an IP address in the Republic of Korea. Launching the link will only get you a page that looks like this:

[Image: Visa scam link screenshot]

If you have received any of this type of email, and want to find out where the masked link is actually pointing, you could try looking it up via ipchecking.com. However, the best advice with this scam is to press delete, and save your mailbox space.
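The three posts above (the PayPal email, the HMRC email and the Visa email) all come down to the same two manual checks: hover over the sender to see the real address, and hover over a link to see the real destination. The script below is an added example, not code from the original posts, that automates those checks over a raw message: it flags a From header whose display name claims a brand while the address belongs to another domain, links whose visible text or hostname invokes a brand but whose href falls outside that brand's domains, and links that point at a raw IP address. The BRAND_DOMAINS table and the sample message are constructed for the demo (203.0.113.5 is documentation address space; the Australian domain is invented), and only the PayPal sender address is taken from the post.

```python
"""Automated versions of the 'hover over the sender' and 'hover over the link'
checks. Added example; not part of the original posts."""
import email
import email.utils
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> domains that brand legitimately sends from or links to.
# Assumption for the demo; a real deployment would maintain this list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "visa": {"visa.com", "visa.ca"},
    "hmrc": {"hmrc.gsi.gov.uk", "hmrc.gov.uk"},
}


def claimed_brand(text):
    """Return the first brand keyword that appears in the text, if any."""
    lowered = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def host_matches_brand(host, brand):
    """True when host is one of the brand's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def is_ip_host(host):
    """True when the link host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header):
    """The sender check: does the display name match the address domain?"""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    brand = claimed_brand(name) or claimed_brand(domain)
    if brand and not host_matches_brand(domain, brand):
        return [f"sender: display name '{name}' but address domain {domain}"]
    return []


def check_links(html):
    """The link check for every anchor in the body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if is_ip_host(host):
            findings.append(f"link: '{text}' points to raw IP {host}")
            continue
        brand = claimed_brand(text) or claimed_brand(host)
        if brand and not host_matches_brand(host, brand):
            findings.append(f"link: '{text}' points to {host}")
    return findings


def analyse(raw_message):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return check_sender(str(msg.get("From", ""))) + check_links(html)


# Constructed sample modelled on the posts: a PayPal display name over a
# non-PayPal address, a visa.ca link to an IP, and a login link buried in
# an unrelated (invented) domain.
SAMPLE = """From: PayPal <anitad@uvigo.es>
To: user@example.com
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your card has been blocked. Verify at <a href="http://203.0.113.5/verify">visa.ca</a>.</p>
<p><a href="http://paypal.com.example-host.au/a/b/c/login">Log in now</a></p>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

Run against the sample, analyse() returns three findings: the mismatched sender, the visa.ca link to a raw IP, and the "Log in now" link whose host merely contains "paypal". The legitimate help link under www.paypal.com is not reported. The brand table is the weak point of this approach: it only catches impersonation of brands you have listed, which is why the posts' advice to treat any unexpected message with suspicion still stands.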

Bredolab Botnet Still Active

More Tax Payment malware news today, with a resurgence of the Bredolab botnet.

Our MessageLabs Anti-Virus Service reported a suspicious email, similar to the Tax Spam Malware Warning yesterday. The message title once again was "Your Tax Payment ID [Random Number] is failed".

This time Symantec reported it as Trojan.Bredolab, which is a likely resurfacing of a Bredolab botnet.

The Bredolab botnet was partially dismantled in November 2010 through the seizure by Dutch law enforcement agents of 143 command and control servers, effectively removing the botnet herder's ability to control the botnet centrally. Although the botnet's size and capacity were severely reduced by that intervention, today's detection suggests it has not gone away.

A PC infected with Bredolab shows a number of effects as the malware:

  • Downloads more malware on to the compromised computer
  • Lowers the security settings on the infected computer
  • May result in file deletion

If your anti-virus software or mail gateway informs you that it has detected Bredolab, follow the instructions and do not open any affected files. To make sure that your machine does not get infected, keep your anti-virus software switched on and the signatures up to date.

Further resources

Tax Spam Malware Warning

The spam filters are currently working overtime catching dubious email messages about tax payments having failed. As you might expect, this is a Tax Spam Malware Warning, so take care before opening anything that tells you that Your Tax Payment failed.

This email, which purports to be from US tax payment service Electronic Federal Tax Payment System (EFTPS), claims that the recipient’s tax payment has been rejected due to a submission error. The message, which includes a sender address and link that are seemingly valid EFTPS addresses, asks the recipient to click a link in order to review details about the error.

Obviously the email is not from the EFTPS, and the link in the message has been disguised so that it appears to point to the genuine EFTPS website. In fact, it is a phishing scam designed to steal personal information from recipients. A sample of the email appears below:

Your Tax Payment ID [random number] is failed

Your Federal Tax Payment ID: 32127292 has been rejected.
Return Reason Code R21 - The identification number used in the Company Identification Field is not valid.

Please, check the information to get details about your company payment in transaction contacts section:

attach name = report.18653.pdf

In other way forward information to your accountant adviser.
EFTPS:
The Electronic Federal Tax Payment System
PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.

Attempting to open the attached file will result in a malware loader executing. This is detected by Sophos Anti-Virus as ‘Virus/Spyware Mal/FakeAV-OQ’.

The grammatical errors should give you a clue to the bogus source of this Tax Spam Malware. Do not click on any links in this email or download any attachments. Flag it as spam and press delete!

Malware Scripts Added To Websites

A couple of our customers have experienced hacks to their websites this last week, with malicious code (or malware) added to several pages. Normal visitors to the site have a little extra script added when they load the page, which good anti-virus software will identify as a malware script. Kaspersky Labs identifies the Trojan loader as Heur: Trojan Script Generic, which is a generic Trojan loader identified by a heuristic algorithm. Alternatively, it may be identified as Blackhole Exploit kit by other AV products.

Analysis of samples of the inserted code shows some common strings, which can be used to find the script on an infected website. This appears to have been inserted by an automated script loader, probably a bot using brute force to guess FTP passwords.

    <body><div id="w3stats">
    <script language="JavaScript" type="text/javascript">
    window.w3ssss=function(){
    === Script Link and other code removed ===
    CheckBody();
    </script></body></html>

A quick Google search reveals that quite a few sites have had this little addition. If you find that you have been infected, carry out the following actions as soon as possible:

  • Search the code on each page for the string “window.w3ssss”
  • Remove the offending code from all of the pages where it has been installed
  • Change all your site passwords, including FTP
  • Monitor the site regularly for reinfection
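The first two steps above (search every page for "window.w3ssss", then cut the offending code out) are tedious by hand on a site of any size. The script below is an added example, not the post's own tooling, that walks a web root, reports every file and line carrying the marker, and removes each <script> block that contains it so a page can be cleaned without touching anything else. The marker, the set of file extensions scanned, and the demo site it builds in a temporary directory are all constructed for the example; the sample page is modelled on the fragment shown in the post, with the payload replaced by a comment.

```python
"""Find and strip the injected w3stats/w3ssss script from a site's files.
Added example; not the original post's code."""
import re
import tempfile
from pathlib import Path

MARKER = "window.w3ssss"                      # string the post says to search for
SCAN_EXT = {".html", ".htm", ".php", ".js", ".tpl"}   # assumed page/template types
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def infected_scripts(text, marker=MARKER):
    """Return the (start, end) spans of every <script> block containing marker."""
    return [m.span() for m in SCRIPT_RE.finditer(text) if marker in m.group(0)]


def clean_text(text, marker=MARKER):
    """Remove every <script> block that contains the marker, nothing else.
    Spans are removed back to front so earlier offsets stay valid."""
    out = text
    for start, end in reversed(infected_scripts(text, marker)):
        out = out[:start] + out[end:]
    return out


def scan_site(root, marker=MARKER):
    """Walk root and return {relative path: [line numbers]} for files
    whose content contains the marker."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        lines = [n for n, line in enumerate(text.splitlines(), 1) if marker in line]
        if lines:
            hits[path.relative_to(root).as_posix()] = lines
    return hits


# Constructed page modelled on the post's fragment; the payload is replaced
# by a comment and the original's bare "CheckBody();" call is kept.
INJECTED_PAGE = (
    '<html><head><title>Home</title></head>\n'
    '<body><div id="w3stats">\n'
    '<script language="JavaScript" type="text/javascript">\n'
    'window.w3ssss=function(){\n'
    '/* payload removed; constructed stand-in */\n'
    '};\n'
    'CheckBody();\n'
    '</script></body></html>\n'
)

# A page with an ordinary script, which must be left alone.
CLEAN_PAGE = (
    '<html><body><p>Contact us</p>\n'
    '<script>console.log("hello");</script>\n'
    '</body></html>\n'
)


def build_demo_site():
    """Create a throwaway web root with two infected pages, one clean page
    and one binary file; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="w3stats_demo_"))
    (root / "index.html").write_text(INJECTED_PAGE)
    (root / "about").mkdir()
    (root / "about" / "index.php").write_text(INJECTED_PAGE)
    (root / "contact.html").write_text(CLEAN_PAGE)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return str(root)


if __name__ == "__main__":
    site = build_demo_site()
    for rel, lines in sorted(scan_site(site).items()):
        print(f"{rel}: marker on line(s) {lines}")
    print("cleaned page:\n" + clean_text(INJECTED_PAGE))
```

On the demo site, scan_site() reports index.html and about/index.php with the marker on line 4 and ignores contact.html and the image. clean_text() removes only the infected <script> block; the empty <div id="w3stats"> wrapper the post's sample shows is left for a manual check, since a template may legitimately wrap content in a div. Run the scan again after changing the FTP password, as the post's last bullet advises, because a loader that still has a valid password will simply put the script back.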

Thousands of website owners are unaware that their sites are hacked and infected with malware scripts. Here are a few useful links to help:

Spear Phishing Attack Warning

A warning which is currently circulating in security circles concerns a Spear Phishing attack masquerading as a company virus warning. The object is to trick users into installing malware on their computers which would compromise their security.

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Named after fishing (baiting a hook), the message could claim to be from a bank, online payment processor or a social media site.

Spear Phishing (sometimes written as Spearphishing) is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. This is usually by impersonating a company employee via e-mail to steal usernames and passwords from colleagues and gain access to the company systems. Spear phishing is commonly used to refer to any targeted email attack, not just limited to phishing.

The particular attack which is currently circulating attempts to trick users into believing they are downloading an approved anti-virus update from the company’s IT department, to combat a new kind of virus. However, if they do succumb to temptation, they will install a Trojan horse. According to the Sophos Naked Security blog post, Sophos anti-virus products detect the malware as Mal/Generic-L and Troj/Inject-QL.

If you ever receive an odd email recommending that you click on a link to install something, check with your IT department to see if the instruction is genuine. They would much rather you checked than put the network at risk from malware infection.

For more details of the Spear Phishing Attack Warning, including a sample email message, see the Sophos Naked Security post "Sneaky fake company virus warning".

Block Spam from WordPress Contact Page

Have you been having trouble with Spam from your Contact Page on your WordPress blog? This is a quick way to Block Spam from a WordPress Contact Page.

Every good website has a Contact page to ensure that users can get questions answered, and customers can engage before buying goods and services. The trouble is that every bad robot spider trawling the web knows that too, and targets input forms and contact pages. Pretty soon after putting your Contact Page live you can expect to start receiving emails about Viagra, poorly crafted meaningless comments containing back links, or just random strings of characters. While the delete key handles these things quickly and efficiently, the net effect is to dilute our energy, which should be directed at answering the real questions from our customers. What we need is a better solution.

What Stops The Bots?
To stop the spiders from even posting the contact form we need to install a WordPress CAPTCHA plugin. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response test used to ensure that the response is not generated by a computer or Bot. It can be as simple as identifying if a picture of an animal is a cat or a dog, which is easy for a human, but a challenge for a Bot. The most common forms use distorted images of letters and numbers, which the human eye can easily distinguish due to pattern matching capabilities within our brains. Go humans!

How To Block Spam from a WordPress Contact Page
If you are using the Contact Form 7 plugin, there is a Really Simple CAPTCHA plugin which integrates right into Contact Form 7. While not strongly secure, it will at least stop the script kiddies and bots having an open door. To install it, carry out the following steps:

  • In the Plugins section of the Dashboard, click on Add New
  • Search for plugins by the keyword term Really Simple CAPTCHA
  • Next to Really Simple CAPTCHA, click on Install Now

What Else Can Block Spam
If the Really Simple CAPTCHA plugin does not meet the requirements, there are a number of other measures we can use to block Spam from WordPress contact pages, including:

  • Secure CAPTCHA, which uses hard to break and easy to read secure CAPTCHA images from SecureCAPTCHA.net.
  • Contact Form by ContactMe.com, which is a fully customizable contact form which automatically adds your contacts to a free online contacts database.
  • Fast Secure Contact Form which supports sending mail to multiple departments, and redirects to any URL after the message is sent.

Hopefully, using one of these methods, we can see the back of spam contacts from the contacts page, and get back to the business of responding to our customers and genuine visitors.

Finally, some useful Resources to help block Spam from a WordPress Contact Page