Your Computer Has Been Blocked! (PS – no, it hasn’t)

scam

If you get a screen like this while doing something like trying to log in to Facebook or something else, usually as a result of clicking on a link after a web search, you are being scammed.

Typically your browser locks up – you can’t go back, you can’t navigate to anything else, and you even can’t close the window. Instructions tell you to call Microsoft support because your system is infected with spyware and viruses.

It hasn’t.

If you call the number (877-382-9050), a friendly person (in India, Pakistan, or somewhere else) will answer. THESE ARE NOT MICROSOFT SUPPORT CONSULTANTS. THEY ARE SCAMMERS AND CRIMINALS. They will ask you some questions about your system, and have you do the following things:

  • Press the windows+R keys to open the “Run” box
  • Type in ” iexplore http://www.go2patch.com ” and hit enter
  • Type in the access code that they give you
  • Press the “Connect” button and then allow the program to run

If you do this, you have just given full access of your system to criminals who will steal valuable information, download real spyware or malware, or turn your computer into part of a botnet to send out spam.

This is just another incarnation of the “Zeus Virus” scam – same technique, different remote connection software.

If this happens to you, hit Ctrl-Alt-Del and open the Task Manager. End the browser task from there, whatever you’re running (IE, Edge, Chrome, Firefox, NCSA Mosaic, etc.)

What do you do if you have already allowed access? According to “Slim,” a registered user at 800Notes.com,

Since the scammers accessed the computer, they probably did one or more of the following:
• Disabled the anti-virus software
• Added nasty malware to the computer
• Copied the Contact List (so they can spam/email your soon-to-be ex-friends)
• Copied any financial data or passwords they could find
• Compromised your ID on Facebook or other social site(s), and perhaps on shopping sites.
• “Zombied” the computer, so it would respond to THEIR commands sent via internet
• Deleted some important files
• Asked for money to repair the damage they caused

What can you do immediately after such an attack?

1.  Pull the cables on the computer, or otherwise disable it, so it cannot access the internet.
2.  Change ALL  passwords stored on the computer.
3.  Run FULL malware scans on the computer, in “SAFE” mode!
4.  Change the passwords again, particularly if the malware scans showed anything.
5.  Inform your bank and credit card companies.
6.  Sign up for credit monitoring, and check the status frequently
7.  Backup non-executable personal, data files to an external storage device.  (Executable files might be infected).
8.  You may have to bring the computer to a local repair shop, and tell them the story.
9.  Tell friends what happened, so they can be aware of strange emails from you.
10.  Connect to the internet only AFTER all the above have been done.
11.  Change the passwords on all online accounts.  Even better – access a “safe”, uninfected  computer, and change your online account passwords RIGHT NOW.

Be careful out there – don’t help the bad guys mess up your machine.

The Old Wolf has spoken.

Beware the Zeus virus (No, you’re not infected)

I’ve written about scams that get you to call a phone number and help bad guys access your computer before. Here’s another variety you need to be aware of.

My wife’s computer has had this happen twice in the last few weeks (click the image for a larger view):

zeus-virus-scam

Chrome is locked up – you can’t close the tab, click away, or do anything else except kill the browser in Task Manager. A computerized voice repeatedly intones, “Your computer is infected. Your data is being stolen. Call this number for support…” You can imagine that this would be very frightening to someone who is not computer-savvy, and a lot of people will fall for it.

Just to see how the scam works, I called the number (855-335-8826 – don’t call this number) and got an agent with a foreign accent (sounded Indian or Pakistani to me) asking how he could help. Putting on my “geezer voice,” I told him that my computer was talking to me and telling me that my data was being stolen.

  • Agent: “Have you downloaded anything lately?”
  • Me: “No.”
  • Agent: “I will direct you through a couple of steps so I can access your computer and help you fix this problem. Look at your keyboard in the lower left – do you see the Window key? I want you to press that key, together with the letter ‘r’. [Note: he wants me to run a program.]
  • Agent: “Type the letters ‘hh’, then a space, then the letter ‘t’ in the ‘open’ box. Then press the “OK” button.

hht.jpg

  • Me: “Ok, I did that.” [This is what I get]

page-display

  • Agent: “Do you see the little question mark in the upper left hand corner? I want you to click that and select the option that says “Jump to URL.”

url

  • Agent: “Now type this in the box: ‘www.support.me’

jumptourl

  • Me: “OK, I’ve done that.” [This is what I get]:

support

  • Agent: “I will now give you a 6-digit code to enter into the box. Your number is 925837. Please type that into the box and click ‘Start Download’.”
  • Me: Do you really think I’m going to allow access to my computer by a bunch of scammers? Get a life. *click*

What’s going on here is that if I had entered the number, I would have given complete control of my machine to a random scammer, and from that point he could have

  1. Stolen sensitive data like passwords, contact lists, or financial information.
  2. Infected my computer with malware
  3. Taken control of my machine and woven it into a spamming botnet.
  4. Other things more horrible that I wish to contemplate.

There are websites out there that tell you how to remove the “infection” that causes this popup; most of them exist to shill programs like Zemana, Malwarebytes, and HitMan Pro. Free versions of these are legitimate, but don’t be conned into buying “Pro” versions unless you really need their features. Others may ask you to download their own proprietary removal tool. Be wary of such sites.

The key here is that if you get the “Zeus” malware popup, NEVER CALL THE NUMBER. You’ll just be opening yourself up to fraudsters who want to do very bad things to you and your computer.

Be careful out there.

The Old Wolf has spoken.

A dozen Crypto attempts today

crypto

All of these arrived in my inbox today; many are duplicated versions of the same message with minor changes.

Dear info,
Cathleen Holcomb asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Cathleen know if you have any questions about the contents of the report.
Kind regards
Alisa Harper
Managing Director
Notice that all of these emails begin with “Dear Info,” since the relevant address is “info@devnull.com.” This in itself should be a red flag.
Dear info:
Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am writing to confirm receipt of your order, and to inform you that the item you requested will be delivered by 25 June at the latest. If you require more information regarding this order, please do not hesitate to contact me.
Also, our records show that we have not yet received payment for the previous order of 11 June, so I would be grateful if you could send payment as soon as possible. Please find attached the corresponding invoice.
If there is anything else you require, our company would be pleased to help. Looking forward to hearing from you soon.
Yours sincerely
Benjamin Martin
Chief Executive Officer
Information. A report. An invoice with request for payment. A spreadsheet. All looking innocuous and legitimate.
Dear info,
The reference you requested is attached.
Let me know if you have any questions.
Best regards
Erma Frederick
CEO
No matter how official emails like this look, you should verify every detail before proceeding.
Dear info,
Our records show that we have not yet received payment for the previous order #A-393685
Could you please send payment as soon as possible?
Please find attached file for details.
Yours sincerely
Jami Garrett
Mexico Key Account Director
Don’t open those attachments! They are almost certainly javascript files which will download an encryption virus or something equally vicious.
Be careful out there.
The Old Wolf has spoken.

go0dvinez: Malware Central

With uBlock Origin attached to Chrome and a host of other malware protections on my computer, I almost never see ads, spam, malware, popups, popunders, or any such things.

My phone is not so fortunate.

Recently I’ve checked out a couple of things on my Android that had shown up on my Facebook wall, and it’s been a long time since I’ve seen such a blatant effort to redirect, scam, browser-hijack, deceive, and annoy visitors as I experienced today with go0dvines.com (don’t go there.)

When you get a link like [http://go0dvinez.com/bakla-m3t-gayam-t-loko-ka-barok-xyter-iexsa-sonnn-off/], you know something is going to be off in the first place – but that didn’t show up until I did some researching on my desktop. On the phone, as soon as you hit the site, you’re immediately taken on like a six-level-deep redirect, and this is what you see:

This slideshow requires JavaScript.

I don’t even want to think about what kind of insidious garbage you wuld be downloading to your handheld device if you followed those links or clicked on the install buttons. One of them completely locks your browser; the only way out is to restart.

This is internet evil in its most distilled form, topped only by ransomware viruses and the unspeakable horrors of the deep web where few of us ever wander.

Stay away from this website, and if you see strange things happening to your phone when you follow a link, get out of there as fast as you can. Legitimate websites will never give you virus popup warnings like this.

Be careful out there.

The Old Wolf has spoken.

Nine more Crypto Emails

Today in the mail, another gush of spam emails, each one with a .zip attachment labelled “invoice” or “statement” or “employees” or some other innocuous title. Each one containing a .js (javascript) file which would download encryption software, corrupt my files, and demand a ransom. Please do not be victimized by these criminals.

From: Carole Middleton <MiddletonCarole95@bol.net.in>
Subject: [SPAM] Re: Chart of Accounts
hello info,
You may refer to the attached document for details.
Regards,
Norma Palmer

From: Beatrice Salinas <SalinasBeatrice75015@slotcarsdirect.co.uk> Subject: [SPAM] FW: vendors

Hi info
The attached spreadsheet contains bills. Please review
Regards,
Beatrice Salinas

From: Devon Garcia <GarciaDevon55@uid.uk.com>
Subject: [SPAM] Re:

Hi info,
As promised, the document you requested is attached\
Regards,
Devon Garcia

Subject: [SPAM] Emailing: Photo 05-11-2016, 98 43 44

Your message is ready to be sent with the following file or link attachments:
Photo 05-11-2016, 98 43 44
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.

Note: How kind of them to warn me against viruses.

Subject: [SPAM] Emailing: Photo 05-12-2016, 64 94 68

Your message is ready to be sent with the following file or link attachments:
Photo 05-12-2016, 64 94 68
Note: To protect against computer viruses, e-mail programs may prevent ending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.

From: Kareem Sweeney <SweeneyKareem2103@residenceferrucci.it>
Subject: [SPAM] Re:

hi info,
As promised, the document you requested is attached
Regards,
Kareem Sweeney

From: Kristine Brennan <BrennanKristine0377@lemmertzturismo.com.br>
Subject: [SPAM] build assemblies

hello info
Attached please find the build assemblies report for your review
Thank you.
Regards,
Kristine Brennan

From: Mable Ward <WardMable44090@cmsadv.com.br>
Subject: [SPAM] FW: invoices

Hi info
The attached spreadsheet contains employees. Please review
Regards,
Mable Ward

From: Milagros Wiley <WileyMilagros41@telefonica.de>
Subject: [SPAM] receive payments

hello info
Attached please find the receive payments report for your review
Thank you.
Regards,
Milagros Wiley

From: Norma Palmer <PalmerNorma3969@jpowerassembly.org>
Subject: [SPAM] Re: Chart of Accounts

hello info,
You may refer to the attached document for details.
Regards,
Norma Palmer

I post these only in case people out there are searching the web for similar messages.

Be clear: THESE MESSAGES CARRY ENCRYPTION VIRUSES. Do NOT open the attachments!

Be careful out there

The Old Wolf has spoken.

Malware Payloads

Chapa NO MALWARE

I’ve noticed a lot of malicious emails coming through to one of my addresses lately – interestingly enough not at Gmail, which may even filter these things out before they are even sent to Spam – but to one of my private email addresses. Here are two examples:

Dear info,

Many thanks for your card payment. Please find payment confirmation attached below. Should you have any queries, please do not hesitate to contact Credit Control Team.

Best regards

Dena Carpenter
Director Audit Services
Attachment: 851E2_info_43A8AE.rar
And this one:
Dear info,
Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.
Best regards
Antonia Snider
Executive Director Sales Account Management Training Performance Support
Attachment: info_e-bill_669770.zip
Both of these emails came with compressed attachments, one a .zip file and one a .rar file. Inside each was a document with the extension “.js,” meaning it’s a javascript file which would automatically run once the file was clicked on to see the “invoice”or “bill.”

DO NOT DO THIS.

From Microsoft’s Malware Protection Center:

Payload: Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC. We have seen it download the following threats:

  • PWS:Win32/Fareit
  • Ransom:Win32/Crowti.A

Connects to a remote host

We have seen this threat connect to a remote host, including:
  • davis1.ru using port 80
Malware can connect to a remote host to do any of the following:

  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate

We have seen this threat access online content, including:

  • two.jpg
  • one.jpg

Another similar threat is 097M/Donoff. This Microsoft Article shows many types of emails that are being sent out to try to get people to run this malware. One of my emails contained Win32/Penzievs, which is so new that Microsoft has no technical details on it yet.

Working at Carbonite™, we have seen many customers who have been infected by the Cryptolocker virus and similar encryption programs. Almost all of these vicious payloads come as email attachments that are opened by the unwary. While having good anti-virus protection and a rcloud-based backup system that protects multiple versions of your files is good insurance, the best procedure is never to open attachments from unknown sources, no matter how legitimate they look. Especially always avoid “.exe,” “.com,” “.zip,” and “.rar” files.

Be careful out there. Protect yourself and your loved ones.

The Old Wolf has spoken.

 

Here’s why you do external backups

ransomware

The BotNet distributing the original Cryptolocker was taken down (I’ve mentioned this malware multiple times), and many people were able to get their data back – but there are still many malicious clones of this supremely evil malware floating around out there.

Per this article (in Norwegian, but you can use Google Translate to get a good gist of its meaning in English), if your files have been encrypted, you’re pretty well screwed. Your only options are to pay the ransom (which does not guarantee that you will get a decryption key) or bring your files back from a non-connected, external backup – this because the encrypting malware can affect cloud storage as well either directly or indirectly.

To protect yourself from this sort of data horror:

  1. Back up your files to an unconnected external drive regularly
  2. Never open email attachments from unknown people, no matter how legitimate they may look

Hell is going to be a busy place. Be careful out there.

The Old Wolf has spoken.