
Friday, March 6, 2020

Phishing and Malware via SMS Text Message

Posted on March 6, 2020 by Krasimir Konov



We’ve recently noticed an increase in reports of phishing and malware being distributed via SMS text messages.

During one investigation, we identified fake messages sent from a random number pretending to be Amazon. The message contents ask the victim to click on the link to confirm their shipping address.



The URL bears no resemblance to Amazon and clearly doesn’t employ Amazon’s URL shortener (amzn.com). Unfortunately, we were unable to confirm exactly what the attackers were directing users to since hxxp://k8esv[.]info now returns a 404 (Not Found) response, but it's clear that it’s being used for phishing or malware.

In most phishing cases distributed via SMS, victims are taken to a fake page ― for example, one that looks like Amazon’s sign-in page ― and asked to log in to access important order information or confirm a purchase.

To the untrained eye, these SMS phishing pages might appear to belong to the real Amazon website, but submitting login credentials typically results in a successful phish ― and an account compromise.
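The URL check described above, turned into code, as an added example that is not part of the original post: it refangs defanged links (hxxp, [.]), extracts URLs from a message body, reduces each host to its registrable domain with a simplified suffix rule, and compares that domain against the ones the impersonated brand actually uses. The sample messages, the BRAND_DOMAINS allow-list (amazon.com plus the amzn.com shortener the post names) and the short multi-part-suffix list are assumptions for the demonstration, not an authoritative inventory of Amazon properties.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages for the demo (not real campaign text).
SAMPLE_SMS = [
    "Amazon: we could not confirm your shipping address. Confirm here hxxp://k8esv[.]info/a",
    "Your Amazon order has shipped. Track it at https://www.amazon.com/progress-tracker/",
    "Amazon notice: https://amzn.com/abc123",
    "Amazon security alert, verify now: http://amazon.com.account-check.example/login",
]

# Domains the impersonated brand legitimately uses. Assumption for this example:
# only the two domains the post mentions (amazon.com and the amzn.com shortener).
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amzn.com"},
}

# Simplified public-suffix handling: a few common two-label suffixes. A real
# deployment should use the Public Suffix List (e.g. the tldextract package).
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging (hxxp://, [.], (.)) so the URL can be parsed."""
    text = re.sub(r"hxxps?://",
                  lambda m: m.group(0).lower().replace("hxxp", "http"),
                  text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def extract_urls(text: str) -> list:
    """Return every http(s) URL in the message, trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(refang(text))]


def registrable_domain(url: str) -> str:
    """Reduce a URL's host to its registrable domain (eTLD+1, simplified)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def claimed_brand(text: str):
    """Which brand does the message claim to come from? (keyword match, assumption)"""
    lowered = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def triage_sms(text: str):
    """Return (suspicious, findings); findings are (url, registrable_domain, reason).

    A message is suspicious when it names a brand but links to a domain that
    brand does not use, which is exactly the mismatch described in the post."""
    brand = claimed_brand(text)
    findings = []
    for url in extract_urls(text):
        domain = registrable_domain(url)
        if brand is None:
            findings.append((url, domain, "no brand claimed; manual review"))
        elif domain in BRAND_DOMAINS[brand]:
            findings.append((url, domain, "domain matches claimed brand"))
        else:
            findings.append((url, domain, f"domain does not match {brand}"))
    suspicious = any(reason.startswith("domain does not match") for _, _, reason in findings)
    return suspicious, findings


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        flagged, details = triage_sms(sms)
        print("SUSPICIOUS" if flagged else "ok        ", details)
```

The same function generalises beyond the Amazon lure: adding another brand and its domains to BRAND_DOMAINS is enough to triage texts impersonating it, and a mail or SMS gateway can call triage_sms on each inbound message before it reaches the user.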

The suspicious domain is hosted on 47.240.4.254, which also appears to be hosting other similar domains:



The IP address belongs to Alibaba Cloud:

Alibaba.com LLC AL-3 (NET-47-235-0-0-1) 47.235.0.0 - 47.246.255.255
ALICLOUD-HK ALICLOUD-HK (NET-47-240-0-0-1) 47.240.0.0 - 47.240.255.255


The domain was registered through namecheap.com and has WHOIS protection, so we can’t see who was responsible for registering hxxp://k8esv[.]info. What we can tell is that these other suspicious domains were also registered there, suggesting the same person was involved.

We’re finding many variations of SMS phishing campaigns, and not every text looks the same. Users should always exercise caution when receiving SMS from unknown numbers.

To mitigate risk, avoid clicking on any links inside text messages ― especially if they come from an unknown number and lead to suspicious URLs. If you receive an SMS message similar to this one, log in directly to your Amazon account via the Amazon website and check from the account dashboard whether there are any issues or status updates that require your attention.

We will continue investigating this campaign to see if we can get more details about the attack.

Wednesday, March 4, 2020

Beware of the secret admirer – the attached document is ransomware that will lock you out of access to your files

by Julie Splinters - 2020-02-28



On Wednesday, security researchers from Malwarebytes and X-Force IRIS uncovered a new malspam campaign that installs the Nemty ransomware[1] payload. Malicious actors once again rely on social engineering to make users open the malicious attachments – they try to make it seem as if the message is coming from a secret admirer.

While the body text usually consists only of emotes like “;),” the subject always hints at the intimate nature of the email, with titles like “I love you,” “Can't forget you,” “Letter for you,” “Don't tell anyone,” or “Will be our secret.” The attachment is usually a typical booby-trapped .zip package that installs Nemty ransomware once its contents are executed.

Nemty ransomware made its grand entry in August 2019, when its developers announced an affiliate program – ransomware-as-a-service – allowing multiple parties to take care of malware distribution. Initially, it was delivered via weakly protected Remote Desktop connections using the default TCP/UDP port; later it was observed spreading via the RIG and Radio exploit kits, fake PayPal websites, as well as the Trik botnet.[2] Now, malicious actors have returned to a primitive yet effective method – malspam.

Behind the .zip attachment – obfuscated LOVE_YOU.js file

Some spam emails are crafted so that few users question their legitimacy. This time, threat actors did not go for the usual fake invoices, messages from delivery services, or bank statements, and left the body text almost blank, although the wink emoji leaves a lot of room for interpretation. Because of this, Malwarebytes researchers dubbed the campaign “secret lover.”[3]

The attached zip file's name usually follows this pattern, where only the digits vary:

LOVE_YOU_######_2020.zip

Inside this archive lies a highly obfuscated JavaScript file named LOVE_YOU.js, which initially had a very low detection rate on VirusTotal. Nevertheless, AV definitions are constantly updated, and at the time of writing 23 engines already detect the .JS file as malicious.[4]
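The two indicators the article gives for this campaign (an archive named LOVE_YOU_######_2020.zip, and a script file inside it) make a compact detection rule. The following is an added example, not code from the article or from any of the vendors it cites: it checks an attachment's name against the lure pattern and inspects the archive for members with directly executable script extensions, which is the generic signal that applies beyond this one campaign. The in-memory archives, the placeholder member contents and the SCRIPT_EXTENSIONS list are constructed for the demonstration; the real LOVE_YOU.js is not reproduced.

```python
import io
import re
import zipfile

# Name pattern reported for the campaign: LOVE_YOU_######_2020.zip, six digits varying.
LURE_NAME_RE = re.compile(r"^LOVE_YOU_\d{6}_2020\.zip$", re.IGNORECASE)

# Extensions Windows hands to the Windows Script Host or the shell when double-clicked.
# An archive mailed to a user that contains one of these is a classic malspam signal.
# The list is an assumption for this example, not an exhaustive one.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}


def name_matches_lure(filename: str) -> bool:
    """True when the attachment name fits the LOVE_YOU_######_2020.zip pattern."""
    return bool(LURE_NAME_RE.match(filename))


def script_members(zip_bytes: bytes) -> list:
    """Return archive member names with a script-type extension.

    Returns an empty list for data that is not a valid zip; a gateway would
    normally treat an unparseable archive as its own, separate finding."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    hits = []
    for name in names:
        base = name.rsplit("/", 1)[-1]          # ignore folder prefixes inside the zip
        ext = base[base.rfind("."):].lower() if "." in base else ""
        if ext in SCRIPT_EXTENSIONS:
            hits.append(name)
    return hits


def triage_attachment(filename: str, data: bytes):
    """Combine both checks into (flagged, reasons) for a mail gateway or analyst."""
    reasons = []
    if name_matches_lure(filename):
        reasons.append("filename matches LOVE_YOU_######_2020.zip lure pattern")
    scripts = script_members(data)
    if scripts:
        reasons.append("archive contains script file(s): " + ", ".join(scripts))
    return bool(reasons), reasons


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory zip for the demo; contents are constructed placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the lure-shaped archive holds a harmless placeholder, not the real script.
LURE_ZIP = build_sample_zip({"LOVE_YOU.js": "// placeholder, not the real obfuscated script\n"})
BENIGN_ZIP = build_sample_zip({"photos/valentine.jpg": "not really a jpeg"})
NESTED_ZIP = build_sample_zip({"docs/readme.txt": "hello", "docs/run.vbs": "' placeholder"})

if __name__ == "__main__":
    for fname, blob in [("LOVE_YOU_123456_2020.zip", LURE_ZIP),
                        ("holiday_photos.zip", BENIGN_ZIP),
                        ("docs.zip", NESTED_ZIP)]:
        flagged, why = triage_attachment(fname, blob)
        print(fname, "->", "SUSPICIOUS" if flagged else "ok", why)
```

The filename rule is campaign-specific and will age quickly; the script-in-archive rule is the one worth keeping in a gateway policy, since it also catches the next lure that reuses the same delivery technique under a different name.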

As soon as a victim double-clicks the LOVE_YOU.js file, it contacts a remote server and downloads the Nemty ransomware payload, as explained by the X-Force IRIS team:


The downloaded executable was identified to be the Nemty ransomware and performs encryption of system files upon execution, leaving behind a ransom note demanding payment in exchange for the decryption key.

Nemty is one of the bigger projects in the underground cybercriminal scene

Love You spam has been used numerous times before – just a year earlier, a similar campaign targeted Japanese users and carried GandCrab ransomware as its main payload.[5] These love-themed phishing emails typically show up before and during the Valentine's Day period – it seems Nemty ransomware is a little late this year. Nevertheless, the malicious actors expect the campaign to work regardless.

During its existence, Nemty ransomware has been upgraded several times, with new versions released. To make the encryption process as comprehensive as possible, the malware can also stop Windows processes and services that hold files in use, maximizing the damage caused to victims.

In October last year, Tesorion security experts managed to create a decryption tool that worked for versions 1.4 and 1.6,[6] although Nemty 2.0, which is no longer decryptable, was released soon after.

Recently, the threat actors behind Nemty announced that they would launch a public website to publish files and information about victims who refuse to pay the ransom (a tactic already adopted by other big names like DoppelPaymer and Maze).

Sunday, March 1, 2020

Virus Prevention and Removal Programs You Should Have on Your PC, New!

Virus prevention and removal programs you should have on your PC, what I use, what programs I use to secure my PC: 1. Common sense!!!



Extensions for my browser (I use Opera):
First you need to install: Install Chrome Extensions
Install Chrome Extensions allows you to install extensions from the Google Chrome Web Store in your Opera browser.


Malwarebytes Browser Guard
crushes unwanted and unsafe content, giving you safer and faster browsing. Not only that, it is the world’s first browser extension that can identify and stop tech support scams. We take on the bad guys so you don’t have to.

VT4Browsers, VirusTotal Browser Extension
Imagine you log into your Gmail account and find a suspicious email from your bank. The email informs you about an unauthorized access to your account and asks you to follow a link and provide your credentials to view the account access log. Wouldn't it be great if you could simply right-click on the link and check it against VirusTotal in order to understand whether it is legit or report a phishing site? Wouldn't it be great if you could do this just with that right-click, without having to navigate to VirusTotal and refer to the URL tab? This is what VirusTotal's browser extensions allow you to do.


Emsisoft Browser Security
Blocks dangerous websites that distribute malware and prevents phishing attacks.
-------------

For my Windows 10 PC
Malwarebytes Premium
Malwarebytes Premium is Malwarebytes’ strongest protection ever. It fights threats that antivirus software isn’t advanced enough to stop. All threats are removed including worms, rogues, dialers, trojans, rootkits, spyware, exploits, bots, and other malware. Work, play, and socialize online freely with no worry.



For my Android

Malwarebytes for Android


The folks you trust to safeguard your computer now offer powerful protection you can put in your pocket. Malwarebytes for Android automatically detects and removes dangerous threats like malware and ransomware so you don't have to worry about your most-used device being compromised. Aggressive detection of adware and potentially unwanted programs keeps your Android phone or tablet running smoothly. A privacy audit tells you which apps are monitoring your every move. All that protection in a lean package.

The NCSC's weekly threat report is drawn from recent open source reporting.




Council confirms ransomware attack


Earlier this week Redcar and Cleveland Borough Council confirmed its IT servers had been affected by a ransomware attack.

The NCSC has been providing support to the council in the wake of this incident and is advising on how to minimise the risk of such an attack occurring in future.

We’ve recently updated our guidance, Mitigating malware and ransomware attacks, which outlines how organisations can defend their systems. We’d encourage all organisations to read this advice and as an immediate step, ensure offline back-ups of servers are in place.

Further guidance on how to effectively detect, respond to and resolve cyber incidents is also available here on the NCSC website.


Rise in the number of Office 365 phishing scams


Cyber security researchers have uncovered an increase in the number of low-quality phishing scams that aim to trick users into revealing their credentials.

According to a new report from Cofense, there has been a surge in scam attempts using illegitimate and badly created Office 365 credentials update forms.

Potential victims receive an email claiming to be from their organisation’s IT team that tells them their account will expire unless they click the link and update their details.

Cofense note that the criminals behind the scam went to great lengths to appear legitimate. The phishing email originates from a compromised company email account, which allows the scam to bypass basic email security checks.

However, the forms that potential victims are directed to are often littered with grammatical and spelling mistakes.

Phishers use a wide variety of techniques to try and scam users into revealing sensitive data about themselves or the businesses they work for. The NCSC has published guidance on how the public and organisations can defend themselves against such attacks.

The NCSC has also published advice on securely configuring Office 365 to protect against the rise in credential stealing attacks.

I've received a suspicious email (The National Cyber Security Centre)




If you haven't clicked any links in the email, that's good. Until you're certain that the sender is genuine, you should not follow any links, or reply.

The next thing to do is try and identify whether the email is a scam, or genuine.

Here are some tips on spotting phishing emails:
Many phishing emails have poor grammar, punctuation and spelling.
Is the design and overall quality what you'd expect from the organisation the email is supposed to come from?
Is it addressed to you by name, or does it refer to 'valued customer', 'friend', or 'colleague'? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately'.
Look at the sender's name. Does it sound legitimate, or is it trying to mimic someone you know?
If it sounds too good to be true, it probably is. It's most unlikely that someone will want to give you money, or give you access to a secret part of the Internet.
Your bank, or any other official source, should never ask you to supply personal information in response to an email.

Try to check any claims made in the email through some other channel. For example, call your bank to see if they actually sent you an email, or do a quick Google search on some of the wording used in the email.


Followed the advice?


The above advice will go a long way to helping you secure yourself online but if you do spot a suspicious email, flag it as Spam/Junk or Suspicious in your email inbox. This will take it out of your inbox, and also tell your email provider you've identified it as potentially unsafe. You can report suspicious emails, phone calls or SMS messages to Action Fraud.

For further information on how to keep yourself secure online, check out our top tips.