Malware Payloads


I’ve noticed a lot of malicious emails coming through to one of my addresses lately – interestingly enough not at Gmail, which may even filter these things out before they are even sent to Spam – but to one of my private email addresses. Here are two examples:

Dear info,

Many thanks for your card payment. Please find payment confirmation attached below. Should you have any queries, please do not hesitate to contact Credit Control Team.

Best regards

Dena Carpenter
Director Audit Services
Attachment: 851E2_info_43A8AE.rar

And this one:

Dear info,

Please check the bill in attachment.

In order to avoid fine you have to pay in 48 hours.

Best regards

Antonia Snider
Executive Director Sales Account Management Training Performance Support
Attachment: info_e-bill_669770.zip

Both of these emails came with compressed attachments, one a .zip file and one a .rar file. Inside each was a file with the extension “.js,” meaning it is a JavaScript file: on Windows, double-clicking it to see the “invoice” or “bill” hands it to the Windows Script Host, which runs it immediately.

DO NOT DO THIS.

From Microsoft’s Malware Protection Center:

Payload: Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC. We have seen it download the following threats:

  • PWS:Win32/Fareit
  • Ransom:Win32/Crowti.A

Connects to a remote host

We have seen this threat connect to a remote host, including:
  • davis1.ru using port 80
Malware can connect to a remote host to do any of the following:

  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate

We have seen this threat access online content, including:

  • two.jpg
  • one.jpg

Another similar threat is O97M/Donoff. This Microsoft article shows many types of emails that are being sent out to try to get people to run this malware. One of my emails contained Win32/Penzievs, which is so new that Microsoft has no technical details on it yet.

Working at Carbonite™, we have seen many customers who have been infected by the Cryptolocker virus and similar encryption programs. Almost all of these vicious payloads arrive as email attachments that are opened by the unwary. While good anti-virus protection and a cloud-based backup system that keeps multiple versions of your files are good insurance, the best procedure is never to open attachments from unknown sources, no matter how legitimate they look. In particular, never open “.exe,” “.com,” “.zip,” or “.rar” attachments.
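The pattern in both emails above, a script file hidden inside a compressed attachment, is easy to check for mechanically before anyone double-clicks anything. The following is an added example (not code from the original post or from any vendor) of the kind of attachment check a mail gateway or a cautious recipient can run: it opens .zip attachments in memory, flags members whose extension Windows would execute directly (including “double extensions” such as invoice.pdf.js), recurses into nested archives, and treats .rar/.7z as suspect because the standard library cannot open them. The attachment names reused from the post are only labels here; the file contents are constructed placeholders.

```python
"""Flag script-in-archive attachments (added example, not the post's code)."""
import io
import zipfile

# Extensions Windows runs on double-click: Windows Script Host scripts,
# native executables, batch/PowerShell, shortcuts.
RISKY_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "com", "scr",
    "pif", "bat", "cmd", "ps1", "lnk",
}
# Document-looking inner extensions used to disguise a script (invoice.pdf.js).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}


def classify_name(name):
    """Return a finding string if the file name itself is dangerous, else None."""
    base = name.rsplit("/", 1)[-1]          # strip any directory inside the archive
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None                         # no extension at all
    ext = parts[-1]
    if ext in RISKY_EXTENSIONS:
        if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
            return f"double extension disguises script/executable: {base}"
        return f"script/executable member: {base}"
    return None


def scan_attachment(filename, data, depth=0, max_depth=3):
    """Return a list of findings for one attachment given its name and raw bytes."""
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append(reason)
    lower = filename.lower()
    if lower.endswith(".zip"):
        if depth >= max_depth:
            findings.append(f"archive nesting deeper than {max_depth}: {filename}")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    # Each member is scanned the same way, so nested zips recurse.
                    findings.extend(
                        scan_attachment(info.filename, zf.read(info), depth + 1, max_depth)
                    )
        except zipfile.BadZipFile:
            findings.append(f"corrupt or not a zip: {filename}")
    elif lower.rsplit(".", 1)[-1] in ("rar", "7z"):
        # No parser for these in the standard library: do not open, just flag.
        findings.append(f"archive type not inspected here, treat as suspect: {filename}")
    return findings


def build_zip(members):
    """Constructed sample helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples shaped like the attachments in the post. The script
# bodies are harmless placeholders, not real malware.
SAMPLE_BILL = build_zip({"info_e-bill_669770.js": b"// placeholder"})
SAMPLE_NESTED = build_zip({"inner.zip": build_zip({"invoice.pdf.js": b"// placeholder"})})
SAMPLE_CLEAN = build_zip({"report.txt": b"quarterly numbers"})

if __name__ == "__main__":
    for name, data in [("info_e-bill_669770.zip", SAMPLE_BILL),
                       ("851E2_info_43A8AE.rar", b"not parsed"),
                       ("outer.zip", SAMPLE_NESTED),
                       ("clean.zip", SAMPLE_CLEAN)]:
        print(name, "->", scan_attachment(name, data) or "no findings")
```

The check is deliberately name-based: a .js member is dangerous regardless of what it contains, so there is no need to read the script to decide that the attachment should not be opened.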

Be careful out there. Protect yourself and your loved ones.

The Old Wolf has spoken.

Domain Registration Scam – Bad Actors from China

Be careful out there. I just got this email the other day, and while it looked dodgy from the outset, I thought I’d follow it down the rabbit hole to see where it went.

Dear sir or madam,

We are a registrar for domain names authorized by Chinese government. Today, we received an application from Daoc International ltd applying to register [domain] as their brand name and some top-level domain names(.CN .HK etc). After our initail checking, We found the main body of domain names is same as yours.

We are handling the application and we need to confirm whether or not you authorize them to register them? Let me know your positon ASAP so as to solve it promptly. Looking forward to your reply.

Best regards,
Elvin Lee
Tel:+86-551- 6349 1191
Fax:+86-551- 6349 1192
Address:No.413,Changjiang Road,Hefei City,Anhui Province

OK. So I simply responded and said, “These domains are not authorized, thank you.”

Next up:

Notice: regarding this case, we did not receive any of your reply until now. Concerning the mentioned brand name please confirm whether you need to register by yourselves? If need, please let us know in time, we can send an application form to you. If you think the registration of that company or the use of the brand name will not bring any negative effect to your company, i suggest you can give up the brand name, then we will accept that company application unconditionally. Further questions please contact me in time.

Followed the same day by this:

Notice: hi, i am Elvin Lee. We had discussed the case about disputing your company’s brand name. You have never registered the brand name, the dispute period will come soon. If your company does not register the brand name, we will start aforesaid company registration within 2 workdays. That company will become the legal owner of the brand name in the world. We had notified you, so we are not responsible for any dispute question about your intellectual property right and trademark after they succeed in registration. If you have any questions, pls contact us within 2 workdays.

Basically telling me I’ll lose worldwide rights to my domain name if I don’t quickly take action, or alternatively, I should abandon my own domain so that they can legally register it with other companies.

Lastly, today:

Thanks for your confirmation. As soon as receiving the application of that company, we checked and found [domain] is your company’s using name. We are concerned that your name might be affected negatively by their applications, this is why we informed you. Following brand name and domain names are applied by that company:
Brand name:
[domain]
Domain names:
[domain].asia
[domain].cn
[domain].com.cn
[domain].com.hk
[domain].com.tw
[domain].hk
[domain].in
[domain].net.cn
[domain].org.cn
[domain].tw
[domain].co.in

You know that the domain names registration is open in the world, that company also has the right to apply for the available domain names. You only have the preferential rights to register them.

At present, we haven’t passed their application, we need your opinion. If your company consider these names of importance to your company’s business or interest, i suggest that your company register these names first so as to avoid confusion or speculation. Of course, If you don’t think their application will affect your company in the future, you can give up these names so that we can finish registering for them. Please give me your company’s decision as soon as possible.

Uh, no. While I have no doubt that there are many good and honest Chinese businesses, this is not one of them – in fact, it falls under the rubric of “morals of a honey badger.”

Above and beyond the standard advice, “Never deal with spammers,” I’d add that you be extraordinarily careful when unsolicited business proposals come from China – in other words, be doubly vigilant.

The Old Wolf has spoken.

The Robocalls are Getting Worse

I’ve had five today alone, and now my auto-reject list is full.

Most recently I’ve seen:

  • “Business Opportunity” scam (multi-level marketing, one-up gifting scams, etc.)
  • “Congratulations! Your phone number has been randomly selected by Expedia / Travelocity / Whatever to receive two vacations for a promotional price of $799.00!”
  • “Business Loan Center”

All of these have reps working in call centers in India, the Philippines, and other such places.

I’ve written about these calls before, but the landscape has changed a bit. Instead of using dead numbers as their spoofed caller ID, they are using randomly generated or dynamically created phone numbers; since my phone number is based in Utah, I’ve been getting a lot of calls that seem to be from local numbers but which actually originate elsewhere. The Caller ID number, however, may belong to a real person.

I’ve even been called by people asking me to “stop calling them” – clearly my own number is showing up on other people’s screens.

Articles like this one at HuffPo give a few ideas for people with land-lines, but the sad truth is that there is little to nothing that can be done to stop this plague unless some serious effort is made at the legislative level, and our political leaders probably don’t even understand the full scope of the issue. Witness the CAN-SPAM act, for which our legislators roundly congratulated each other, and which actually increased the amount of spam being sent out by unethical and unscrupulous operations.

The FTC has not been idle, but it’s like a hydra – for every bad actor they shut down, ten more seem to spring up. This infographic gives a lot of good information about how the calls are driven, and why the problem is so massive.

The best thing I can think of is for people affected to contact their representatives and in no uncertain terms express how pissed off they are with the criminals who are interrupting our lives multiple times a day with fraudulent proposals.

Maybe we could hire some robocalling outfits to flood their phone lines 24 hours a day with automated requests to do something about the problem?

The Old Wolf has spoken.

Beware the IRS Impersonation Scam

Rule No. 1: The IRS will never call you to demand immediate payment of taxes. Ever. If anyone on the phone claims to be from the IRS, threatening to have you arrested if you don’t immediately wire money or get a prepaid card, they are criminals and it is a scam.

Scammers have become far more aggressive with this particular gambit of late, and it is important to be aware of what’s happening. Forewarned is forearmed.

From the IRS website:

IRS-Impersonation Telephone Scam

An aggressive and sophisticated phone scam targeting taxpayers, including recent immigrants, has been making the rounds throughout the country. Callers claim to be employees of the IRS, but are not. These con artists can sound convincing when they call. They use fake names and bogus IRS identification badge numbers. They may know a lot about their targets, and they usually alter the caller ID to make it look like the IRS is calling.

Victims are told they owe money to the IRS and it must be paid promptly through a pre-loaded debit card or wire transfer. If the victim refuses to cooperate, they are then threatened with arrest, deportation or suspension of a business or driver’s license. In many cases, the caller becomes hostile and insulting.

Or, victims may be told they have a refund due to try to trick them into sharing private information.

If the phone isn’t answered, the scammers often leave an “urgent” callback request.

Note that the IRS will never:

  1. Call to demand immediate payment, nor will the agency call about taxes owed without first having mailed you a bill;
  2. Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe;
  3. Require you to use a specific payment method for your taxes, such as a prepaid debit card;
  4. Ask for credit or debit card numbers over the phone; or
  5. Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.

A cousin of mine was targeted by these drones, and despite the scammers themselves most likely being in another country, this was doubly frightening because they had accomplices in place who actually appeared at her door with badges and threatened her on the spot.

If this ever happens to you, let no one in and call the police.

Some even more diabolical scammers were frustrated that their victim wouldn’t pay up and swatted them. This refers to prank 911 calls, or the unholy practice of getting police or a SWAT team to show up at someone else’s house. Not only is this terrifying for the victim, and can result in lasting psychological harm and other logistical difficulties, but it’s a terrible waste of police resources. The scammers, however, don’t care.

Be prepared by knowing that the IRS will never try to force you to pay up with these aggressive tactics. If you’re called like this, hang up immediately and notify the police.

The Old Wolf has spoken.

More Domain Registration Jiggery-Pokery

I’ve mentioned domain registration scams before. Here’s another one to watch out for. The scumminess just drips off of this one.

Domain Notice <info@quickdomainsubmit.net> Feb 9 at 1:28 AM
To: [Name redacted]

Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: [redacted]

ATT: [Name Redacted]
Response Requested By
10 – February – 2016

PART I: REVIEW NOTICE

Attn: [Name Redacted]
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration.
Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.
Privatization allows the consumer a choice when registering. Search engine registration includes domain name search engine submission. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.
This Notice for: [domain redacted] will expire at 11:59PM EST, 10 – February – 2016 Act now!

Select Package:
http://www.quickdomainsubmit.net/?domain=[domain redacted]

Payment by Credit/Debit Card

Select the term using the link above by 10 – February – 2016
http://[domain redacted]
unsubscribe:
Please reply with UNSUBSCRIBE subject.
———————————————————————————————————————–
Disclaimer: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask mailers to stop spamming them. The above mail is in accordance to the Can Spam act of 2003: There are no deceptive subject lines and is a manual process through our efforts on World Wide Web. If you send me an UNSUBSCRIBE email we ensure you will not receive any such mails.

A couple of comments:

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

This is the purest garbage. Unwitting businesspeople will get the idea that unless they pay for this “domain registration,” people won’t be able to find them on the internet. The major search engines all crawl the web on a regular basis, and unless you have a robots.txt file on your website which blocks search engines, it will automatically be indexed. I am reminded of an old scam my mother (born in 1916) introduced me to as a child – the drone who puts a classified ad in the paper, “Today is the last day to send in your dollar!” and lists a Post Office Box. Nothing is promised, yet people send in their money anyway, fearing that they’ll miss out on something good – and the scammer cleans up.
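The point that indexing happens automatically unless your own robots.txt blocks it can be checked rather than taken on faith. The following is an added example, not code from the original post or from any search engine: it uses the Python standard library’s urllib.robotparser to evaluate constructed robots.txt bodies (none of them from a real site) against the user-agent names Googlebot and Bingbot, so a site owner can confirm that the one file that actually controls crawler access is not the thing hiding the site.

```python
"""Check a robots.txt for accidental crawler blocking (added example)."""
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt bodies, not taken from any real site.
ROBOTS_ALLOW_ALL = """
User-agent: *
Disallow:
"""

ROBOTS_BLOCK_ALL = """
User-agent: *
Disallow: /
"""

ROBOTS_BLOCK_ADMIN_ONLY = """
User-agent: *
Disallow: /admin/
"""

# Crawler names matched against the User-agent lines (case-insensitive).
CRAWLERS = ["Googlebot", "Bingbot"]


def crawlable(robots_txt, url="https://example.com/", agents=CRAWLERS):
    """Return {agent: True/False} saying whether each crawler may fetch url."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())   # parse the text instead of fetching it
    return {agent: parser.can_fetch(agent, url) for agent in agents}


def indexing_blocked(robots_txt, url="https://example.com/"):
    """True only when every listed crawler is refused the URL."""
    return not any(crawlable(robots_txt, url).values())


if __name__ == "__main__":
    for label, body in [("allow all", ROBOTS_ALLOW_ALL),
                        ("block all", ROBOTS_BLOCK_ALL),
                        ("block /admin/ only", ROBOTS_BLOCK_ADMIN_ONLY)]:
        print(f"{label:20} home page blocked: {indexing_blocked(body)}")
```

To check a live site, read the real file from https://yourdomain/robots.txt and pass its text to crawlable(); anything a paid “search engine registration” claims to do for your home page is already decided by that file and the crawlers’ normal schedule.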

 No.  Search Engine/Directory   Alexa rank   Google rank
  1.  Google                             1             9
  2.  Bing                              23             8
  3.  Open Directory                 1,877             7
  4.  Yandex                         2,323             7
  5.  ScrubTheWeb                    4,926             6
  6.  EntireWeb                      5,817             6
  7.  ASR                            6,273             5
  8.  Viesearch                      7,411             4
  9.  SWD                            7,860             6
 10.  A1WebDirectory                 8,217             5
 11.  ExactSeek                      8,578             6
 12.  Sites Web Directory            8,740             6
 13.  SecretSELabs                   9,169             4
 14.  Gain Web                      10,790             4
 15.  Online Society                11,494             4
 16.  1WebsDirectory                11,681             4
 17.  W3 Catalog                    11,917             4
 18.  24/7 Web Directory            11,977             4
 19.  SoMuch                        12,750             5
 20.  9Sites                        12,879             4
 21.  AceWebDirectory               14,331             4
 22.  Synergy Directory             14,494             4
 23.  OBLN                          14,703             5
 24.  Anoox                         15,080             4
 25.  GigaBlast                     15,572             3
 26.  Pegasus Directory             15,921             4
 27.  SonicRun                      16,325             5
 28.  DirectMyLink                  17,001             3
 29.  Directory Free                17,327             4
 30.  HotvsNot                      17,670             3
 31.  FyberSearch                   18,579             4
 32.  Elite Sites Directory         19,476             4
 33.  Nonar                         19,614             4
 34.  IS                            21,315             3
 35.  Info Tiger                    21,371             4
 36.  LinkRoo                       21,633             3
 37.  The Web Directory             21,969             4
 38.  Triple W Directory            22,775             3
 39.  BusinessSeek                  22,929             4
 40.  Thales Directory              23,161             4
 41.  Cipinet                       23,185             4
 42.  LinkPedia                     23,717             3
 43.  Bhanvad                       23,846             5
 44.  Amfibi                        24,722             5
 45.  oneMission                    26,602             5
 46.  MasterMOZ                     27,263             5
 47.  OneMillionDirectory           27,306             3
 48.  10Directory                   28,426             2
 49.  Link Centre                   28,475             4
 50.  Botid                         29,441             4

The above list shows the search engines that this service claims your domain name will be submitted to, for the following prices:

TOP 25 Engines Registration
1 Year – $47

TOP 25 Engines Registration
5 Years – $197 (SAVE : $38)

TOP 50 Engines Registration
1 Year- $97

TOP 50 Engines Registration
5 Years – $297 (SAVE $188)

But notice the Alexa and Google rankings for these sites – aside from Google and Bing, none of these search engines are accessed to any extent at all, making them virtually useless – and the first two will index your domain automatically. You are paying these criminals between $50 and $300… for absolutely nothing.

Be smart. Don’t send in your dollar.

The Old Wolf has spoken.

Here’s why you do external backups

The BotNet distributing the original Cryptolocker was taken down (I’ve mentioned this malware multiple times), and many people were able to get their data back – but there are still many malicious clones of this supremely evil malware floating around out there.

Per this article (in Norwegian, but you can use Google Translate to get a good gist of its meaning in English), if your files have been encrypted, you’re pretty well screwed. Your only options are to pay the ransom (which does not guarantee that you will get a decryption key) or to restore your files from a non-connected, external backup, because the encrypting malware can affect cloud storage as well, either directly or indirectly.

To protect yourself from this sort of data horror:

  1. Back up your files to an unconnected external drive regularly
  2. Never open email attachments from unknown people, no matter how legitimate they may look
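What “back up to an unconnected external drive regularly” looks like in practice is a copy that (a) only runs when the drive is actually plugged in, (b) never overwrites an earlier copy, and (c) keeps several dated versions, so that files encrypted by malware today do not replace the good copies from last week. The following is an added example, not code from the original post or from Carbonite: it refuses to write unless the destination is a mount point, writes each run into a fresh snapshot directory, and prunes the oldest snapshots beyond a configurable count. The demo() function builds a throwaway scenario in temporary directories (the require_mount switch exists only so that scenario can run without a real drive).

```python
"""Versioned copy to a mounted external drive (added example)."""
import os
import shutil
import tempfile
import time


def list_snapshots(dest):
    """Snapshot directories under dest, oldest first (names sort by timestamp)."""
    if not os.path.isdir(dest):
        return []
    return sorted(d for d in os.listdir(dest) if d.startswith("snapshot-"))


def snapshot(src, dest, keep=5, require_mount=True, stamp=None):
    """Copy src into dest/snapshot-<stamp> and return that path.

    keep:          how many snapshots to retain after this run (at least 1)
    require_mount: refuse unless dest is a mount point, i.e. a plugged-in drive
    stamp:         timestamp override, used by demo(); defaults to now
    """
    if keep < 1:
        raise ValueError("keep must be at least 1")
    if require_mount and not os.path.ismount(dest):
        raise RuntimeError(f"{dest} is not a mounted drive; refusing to back up")
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    target = os.path.join(dest, f"snapshot-{stamp}")
    # copytree raises if target exists, so an existing snapshot is never overwritten.
    shutil.copytree(src, target)
    for old in list_snapshots(dest)[:-keep]:
        shutil.rmtree(os.path.join(dest, old))
    return target


def demo():
    """Constructed scenario: three runs with keep=2 while the source file changes."""
    src = tempfile.mkdtemp()
    dest = tempfile.mkdtemp()
    try:
        for day, content in enumerate(["v1", "v2", "v3"], start=1):
            with open(os.path.join(src, "a.txt"), "w") as f:
                f.write(content)
            snapshot(src, dest, keep=2, require_mount=False, stamp=f"2016010{day}-000000")
        kept = list_snapshots(dest)
        with open(os.path.join(dest, kept[0], "a.txt")) as f:
            oldest_content = f.read()
        # A plain temp directory is not a mount point, so the guard must refuse.
        try:
            snapshot(src, dest, require_mount=True)
            mount_check = "did not refuse"
        except RuntimeError:
            mount_check = "refused"
        return {"snapshots": kept, "oldest_kept_content": oldest_content,
                "mount_check": mount_check}
    finally:
        shutil.rmtree(src)
        shutil.rmtree(dest)


if __name__ == "__main__":
    print(demo())
```

Run the real thing as, for example, snapshot("/home/me/Documents", "/media/me/BACKUP") from a scheduled job; when the drive is unplugged the job simply fails loudly instead of silently doing nothing, and unplugging it afterwards is what keeps the snapshots out of reach of whatever runs on the PC next.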

Hell is going to be a busy place. Be careful out there.

The Old Wolf has spoken.

Scam: The Blue Screen of Death

Yesterday while visiting her mother, my wife did a search at YouTube. For some inexplicable reason (I wasn’t there to observe what exactly went down), this website was accessed:

[Screenshot: BlueScreen2]

Overlaid on this screen was a scary-looking popup:

[Screenshot: BlueScreen1]

The page is especially nasty: it disables the back button, the close button, and any other Chrome windows you happen to have open. The only way out is to kill Chrome via the task manager, or by doing that hard reset that the message tells you should not be done.

This would be very unsettling for someone like my mother-in-law who is not terribly computer-savvy (although she’s quite good with email and Facebook) and the deal here is that if you call the number – definitely not Microsoft – you get some agent in an Indian or Pakistani boiler-room who will convince you that they are from Microsoft, fling all sorts of nonsense technobabble at you, talk you through the process of installing TeamViewer or some other such remote-control software, and then upload malware to your machine.

The scam is very similar to what I described in Don’t Help the Scammers (item no. 4); a good comprehensive writeup of this type of scam is also found at MalwareBytes Unpacked.

Please be careful out there, and if you have friends or relations, particularly the elderly, who could be taken in by this jiggery-pokery, please help them to stay safe.

The Old Wolf has spoken.