Never download apps that do this.

You’re browsing along on your mobile, and suddenly this screen or one like it pops up. You can’t go back. Sometimes your device begins buzzing. Sometimes there’s an ominous computer-generated voice along with it.

Screenshot_2017-10-25-04-40-30

You can usually quit your browser altogether, but you might lose where you were. If you click “OK”, you might get another warning:

Screenshot_2017-10-25-04-40-54

Click the “Remove viruses” button and you’re taken to the Play Store where you can download the app that “removes viruses.”

Screenshot_2017-10-25-04-41-15

Don’t do this. Just don’t.

If the authors of the application use this technique to terrify you into downloading their app, you can hardly trust software they’ve written.

If this is being done by an affiliate marketer, it could be legitimate, but I wouldn’t bet money on it.

Lastly, as a general rule Android devices don’t attract viruses. Many of these “cleaners” are devised either to put real malware on your device or to generate more scare messages that lead you to a paid cleaning service.

Best to stay away from all of them; here’s an excellent article on the subject from ExtremeTech.

Be safe out there.

The Old Wolf has spoken.


WOT: (Web of Trust) – A valuable extension

I’ve mentioned WOT in a number of my previous posts, but I thought I’d give it a bit more exposure, given the amount of scams, fake news websites, and general internet douchebaggery that is so prevalent right now.

Web of Trust is a FREE extension that adds a small circle after any clickable link on your computer to let you know how trustworthy that site is. Here’s an example – recently I was trying to remove a hijacker that redirected me to Spectrum’s search service when an unknown URL was encountered:

WOT

Notice that the circles can be green, yellow, or red – just like a stoplight. That’s your first clue – but it pays to drill down for more information, as I mention below. Green is generally trustworthy, yellow is questionable, and red is downright dangerous. A gray circle with a question mark means there is no information (yet) about the site in question.

Some dangerous websites will be flagged by Google directly:

Google1

If you have a paid version of Malwarebytes, known malware websites will be automatically blocked:

Malwarebytes

But if neither one of these helps, WOT will give you a warning for red-circle links that looks like this:

WOT1

You’ll notice that you get a summary of ratings and reasons why the website is not trusted.

In addition, search engine results can be previewed simply by hovering your mouse over the colored circle:

WOT2

and then you can follow the “click to view details” link to get a full page of information about the website.

WOT3

As with anything that is crowdsourced, one needs to be cautious. A tool like this could be used to give bad ratings to a website by an unethical competitor, so look at the dates of the reviews and get an overall feel for the page in question. In general, though, I’ve found that this tool tends to be self-correcting, so if one person rates a site untrustworthy for malware, and five other more recent users give reasons why it’s safe, I feel pretty confident that the first review is either spurious or outdated.

If you want to rate websites yourself, you can create a free account, log in, and provide details of your experience.

In addition to protecting you from viruses or other malware, WOT can be very useful for verifying whether news sites are reliable or not.

An example: Today on Facebook I saw a link to a story that there was a second shooter in Las Vegas:

Facebook

That yellow circle told me right off that this story is questionable. Hovering over the warning gave me this:

WOT4

And a subsequent search on Google for yournewswire.com confirmed that this is a notorious clickbait, inflammatory, fake-news website:

Founded by Sean Adl-Tabatabai and Sinclair Treadway in 2014. It has published fake stories, such as “claims that the Queen had threatened to abdicate if the UK voted against Brexit” (Wikipedia)

It pays to be safe, and it pays to be careful. This little extension works well with Windows 10 and earlier versions (I’ve tried it on both XP and 7), it’s free, and it provides a wealth of information about internet dangers. I highly recommend it.

The Old Wolf has spoken.

The scammers don’t give up

scam1

The “Microsoft Customer Support” scam: Today’s number is 866-587-7384.

Your screen locks up. You can’t close your browser. You can’t go back. A computerized voice starts talking to you about pornographic malware. A warning message tells you your data is being stolen. You are given a phone number to call for help removing the malware.

Do NOT call this number. It has nothing to do with Microsoft. The page you are seeing is a malicious script that has been loaded from a website you visited, probably via a banner ad or something else the page owner is unaware of, and it is designed to scare you. If you follow the steps the “support agent” gives you, he or she will have you give them total control of your system. From there, anything can happen, and none of it will be good.

In the event that you went through this process with an “agent,” it will be critical for you to run an anti-malware program such as Malwarebytes (I don’t work for them), or have your computer cleaned by a professional, before you do anything else.

Be careful out there.

The Old Wolf has spoken.

Hard Drive Safety Delete Will Start in Five Minutes

Executive Summary: There is no “hard drive safety delete.” Your machine is not infected. You have been redirected to a malicious web page. Calling “support” will connect you to someone in India who wants to install malware on your computer. Don’t do it.

deleteDelete 2

Just posting this with a sample screen so that anyone who searches for the Zeus virus infection might see it.

A full description of this scam can be found at a previous entry.

Do NOT call 844-813-1552 to ask for support. Be very careful out there.

The Old Wolf has spoken.

Your Computer Has Been Blocked! (PS – no, it hasn’t)

scam

If you get a screen like this while doing something like trying to log in to Facebook, usually as a result of clicking on a link after a web search, you are being scammed.

Typically your browser locks up – you can’t go back, you can’t navigate to anything else, and you can’t even close the window. Instructions tell you to call Microsoft support because your system is infected with spyware and viruses.

It isn’t.

If you call the number (877-382-9050), a friendly person (in India, Pakistan, or somewhere else) will answer. THESE ARE NOT MICROSOFT SUPPORT CONSULTANTS. THEY ARE SCAMMERS AND CRIMINALS. They will ask you some questions about your system, and have you do the following things:

  • Press the Windows+R keys to open the “Run” box
  • Type in “iexplore http://www.go2patch.com” and hit Enter
  • Type in the access code that they give you
  • Press the “Connect” button and then allow the program to run

If you do this, you have just given full access to your system to criminals who will steal valuable information, download real spyware or malware, or turn your computer into part of a botnet to send out spam.

This is just another incarnation of the “Zeus Virus” scam – same technique, different remote connection software.

If this happens to you, hit Ctrl-Alt-Del and open the Task Manager. End the browser task from there, whatever you’re running (IE, Edge, Chrome, Firefox, NCSA Mosaic, etc.)

What do you do if you have already allowed access? According to “Slim,” a registered user at 800Notes.com,

Since the scammers accessed the computer, they probably did one or more of the following:
• Disabled the anti-virus software
• Added nasty malware to the computer
• Copied the Contact List (so they can spam/email your soon-to-be ex-friends)
• Copied any financial data or passwords they could find
• Compromised your ID on Facebook or other social site(s), and perhaps on shopping sites.
• “Zombied” the computer, so it would respond to THEIR commands sent via internet
• Deleted some important files
• Asked for money to repair the damage they caused

What can you do immediately after such an attack?

1.  Pull the cables on the computer, or otherwise disable it, so it cannot access the internet.
2.  Change ALL passwords stored on the computer.
3.  Run FULL malware scans on the computer, in “SAFE” mode!
4.  Change the passwords again, particularly if the malware scans showed anything.
5.  Inform your bank and credit card companies.
6.  Sign up for credit monitoring, and check the status frequently.
7.  Backup non-executable personal data files to an external storage device. (Executable files might be infected.)
8.  You may have to bring the computer to a local repair shop, and tell them the story.
9.  Tell friends what happened, so they can be aware of strange emails from you.
10.  Connect to the internet only AFTER all the above have been done.
11.  Change the passwords on all online accounts. Even better – access a “safe”, uninfected computer, and change your online account passwords RIGHT NOW.

Be careful out there – don’t help the bad guys mess up your machine.

The Old Wolf has spoken.

Beware the Zeus virus (No, you’re not infected)

I’ve written about scams that get you to call a phone number and help bad guys access your computer before. Here’s another variety you need to be aware of.

My wife’s computer has had this happen twice in the last few weeks:

zeus-virus-scam

Chrome is locked up – you can’t close the tab, click away, or do anything else except kill the browser in Task Manager. A computerized voice repeatedly intones, “Your computer is infected. Your data is being stolen. Call this number for support…” You can imagine that this would be very frightening to someone who is not computer-savvy, and a lot of people will fall for it.

Just to see how the scam works, I called the number (855-335-8826 – don’t call this number) and got an agent with a foreign accent (sounded Indian or Pakistani to me) asking how he could help. Putting on my “geezer voice,” I told him that my computer was talking to me and telling me that my data was being stolen.

  • Agent: “Have you downloaded anything lately?”
  • Me: “No.”
  • Agent: “I will direct you through a couple of steps so I can access your computer and help you fix this problem. Look at your keyboard in the lower left – do you see the Window key? I want you to press that key, together with the letter ‘r’.” [Note: he wants me to run a program.]
  • Agent: “Type the letters ‘hh’, then a space, then the letter ‘t’ in the ‘open’ box. Then press the ‘OK’ button.”

hht.jpg

  • Me: “Ok, I did that.” [This is what I get]

page-display

  • Agent: “Do you see the little question mark in the upper left hand corner? I want you to click that and select the option that says ‘Jump to URL’.”

url

  • Agent: “Now type this in the box: ‘www.support.me’.”

jumptourl

  • Me: “OK, I’ve done that.” [This is what I get]:

support

  • Agent: “I will now give you a 6-digit code to enter into the box. Your number is 925837. Please type that into the box and click ‘Start Download’.”
  • Me: “Do you really think I’m going to allow access to my computer by a bunch of scammers? Get a life.” *click*

What’s going on here is that if I had entered the number, I would have given complete control of my machine to a random scammer, and from that point he could have

  1. Stolen sensitive data like passwords, contact lists, or financial information.
  2. Infected my computer with malware
  3. Taken control of my machine and woven it into a spamming botnet.
  4. Other things more horrible than I wish to contemplate.
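Both of the scams described on this page (the “Zeus virus” call and the earlier “Your Computer Has Been Blocked” variant) have the victim type a command into the Run box: either `hh t` (HTML Help, whose “Jump to URL” menu reaches the remote-control download page even when the browser is locked) or a browser pointed straight at that page. From a defender’s side, those two steps are visible in process-creation telemetry. The script below is an added example, not part of the original post or of any product it mentions; the log line format, field names and sample lines are constructed for the example, and the hostnames in the watchlist are simply the ones quoted in the posts above. The “hh.exe without a .chm argument” check is a hunting heuristic of mine, not an official rule.

```python
"""Triage constructed process-creation log lines for the two Run-box steps
the scam scripts on this page dictate: hh.exe launched with a non-.chm argument
(the "hh t" trick) and a browser launched directly to a remote-support download page.

Log format, field names and sample lines are constructed for this example;
real Sysmon or EDR records look different."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hostnames the posts above quote as the pages the "agent" dictates.
SCAM_HOSTS = {"www.go2patch.com", "www.support.me"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed log line shape: <timestamp> parent="..." image="..." cmd="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) parent="(?P<parent>[^"]*)" image="(?P<image>[^"]*)" cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample telemetry: two dictated steps, one legitimate help file, one browser child.
SAMPLE_LOG = r"""
2017-10-20T10:01:02Z parent="C:\Windows\explorer.exe" image="C:\Windows\hh.exe" cmd="hh t"
2017-10-20T10:03:15Z parent="C:\Windows\explorer.exe" image="C:\Program Files\Internet Explorer\iexplore.exe" cmd="iexplore http://www.go2patch.com"
2017-10-20T10:04:40Z parent="C:\Windows\explorer.exe" image="C:\Windows\hh.exe" cmd="hh C:\Windows\Help\mui\0409\windows.chm"
2017-10-20T10:05:01Z parent="C:\Program Files\Google\Chrome\Application\chrome.exe" image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmd="chrome --type=renderer"
"""


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmd: str


def parse_line(line):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def extract_host(token):
    """Hostname of a URL-like argument; bare hostnames such as www.support.me are accepted."""
    t = token if "://" in token else "http://" + token
    return (urlsplit(t).hostname or "").lower()


def assess(ev):
    """Return the list of reasons an event looks like a dictated scam step (empty if none)."""
    reasons = []
    img = basename(ev.image)
    args = ev.cmd.split()[1:]
    if img == "hh.exe" and (not args or not args[0].lower().endswith(".chm")):
        reasons.append("hh.exe started without a .chm file (the 'hh t' trick: Jump to URL bypasses a locked browser)")
    if img in BROWSERS:
        for a in args:
            host = extract_host(a)
            if host in SCAM_HOSTS:
                reasons.append(f"browser launched directly to remote-support download page {host}")
    # Both dictated steps go through the Run box, whose parent process is explorer.exe.
    if reasons and basename(ev.parent) == "explorer.exe":
        reasons.append("parent is explorer.exe, consistent with a command typed into the Run box")
    return reasons


def triage(log_text):
    """Parse every line and return (timestamp, image name, reasons) for flagged events."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = assess(ev)
        if reasons:
            findings.append((ev.ts, basename(ev.image), reasons))
    return findings


if __name__ == "__main__":
    for ts, image, reasons in triage(SAMPLE_LOG):
        print(ts, image)
        for r in reasons:
            print("   -", r)
```

The legitimate `hh.exe` launch with a real `.chm` path and the ordinary Chrome renderer child are left alone; only the two dictated steps are reported, with the parent-process note attached so an analyst can see they were typed in by the user rather than spawned by another program.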

There are websites out there that tell you how to remove the “infection” that causes this popup; most of them exist to shill programs like Zemana, Malwarebytes, and HitMan Pro. Free versions of these are legitimate, but don’t be conned into buying “Pro” versions unless you really need their features. Others may ask you to download their own proprietary removal tool. Be wary of such sites.

The key here is that if you get the “Zeus” malware popup, NEVER CALL THE NUMBER. You’ll just be opening yourself up to fraudsters who want to do very bad things to you and your computer.

Be careful out there.

The Old Wolf has spoken.

A dozen Crypto attempts today

crypto

All of these arrived in my inbox today; many are duplicated versions of the same message with minor changes.

Dear info,
Cathleen Holcomb asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Cathleen know if you have any questions about the contents of the report.
Kind regards
Alisa Harper
Managing Director

Notice that all of these emails begin with “Dear Info,” since the relevant address is “info@devnull.com.” This in itself should be a red flag.

Dear info:
Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am writing to confirm receipt of your order, and to inform you that the item you requested will be delivered by 25 June at the latest. If you require more information regarding this order, please do not hesitate to contact me.
Also, our records show that we have not yet received payment for the previous order of 11 June, so I would be grateful if you could send payment as soon as possible. Please find attached the corresponding invoice.
If there is anything else you require, our company would be pleased to help. Looking forward to hearing from you soon.
Yours sincerely
Benjamin Martin
Chief Executive Officer

Information. A report. An invoice with a request for payment. A spreadsheet. All looking innocuous and legitimate.

Dear info,
The reference you requested is attached.
Let me know if you have any questions.
Best regards
Erma Frederick
CEO

No matter how official emails like this look, you should verify every detail before proceeding.

Dear info,
Our records show that we have not yet received payment for the previous order #A-393685
Could you please send payment as soon as possible?
Please find attached file for details.
Yours sincerely
Jami Garrett
Mexico Key Account Director

Don’t open those attachments! They are almost certainly JavaScript files which will download an encryption virus or something equally vicious.
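The traits the post calls out (a salutation addressed to the mailbox name rather than a person, a script attachment dressed up as a document, and a payment or report pretext) are easy to check mechanically before anyone opens anything. The script below is an added example written for this page, not the post author’s code or any mail product’s filter: it builds three constructed messages with Python’s standard `email` library (two modelled on the lures quoted above, one ordinary message), then scores each one. The extension lists, lure words and point values are my own choices for the example.

```python
"""Score constructed inbound emails for the traits of the attachment lures quoted above:
a generic salutation that addresses the mailbox name, a script or macro-enabled attachment
(including one hidden behind a fake document extension), and a payment/report pretext.

Messages, filenames and thresholds are constructed for this example."""
from email import policy
from email.message import EmailMessage

# Attachment types that run code when double-clicked (my list, not exhaustive).
SCRIPT_EXT = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".docm", ".xlsm", ".scr"}
# "Document" extensions a script name may hide behind, e.g. report.doc.js
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
LURE_WORDS = ("invoice", "payment", "report", "order", "attached")


def build_message(sender, to, subject, body, attachments):
    """Construct a multipart message with the given binary attachments (name, bytes)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def generic_salutation(body, to_addr):
    """True when the first line greets the mailbox's local part ("Dear info") instead of a person."""
    local = to_addr.split("@")[0].lower()
    lines = body.strip().splitlines()
    first = lines[0].lower() if lines else ""
    return first.startswith(f"dear {local}")


def risky_attachment(name):
    """Describe why an attachment name is risky, or return None."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext in SCRIPT_EXT:
        if len(parts) >= 3 and "." + parts[-2] in DOC_EXT:
            return f"{name}: script hidden behind a document extension"
        return f"{name}: script or macro-enabled file"
    return None


def score_message(msg):
    """Return (score, reasons); higher means more lure-like. Thresholds are arbitrary."""
    score, reasons = 0, []
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if generic_salutation(body, str(msg["To"])):
        score += 2
        reasons.append("salutation addresses the mailbox name, not a person")
    for part in msg.iter_attachments():
        why = risky_attachment(part.get_filename() or "")
        if why:
            score += 3
            reasons.append(why)
    text = (str(msg["Subject"]) + " " + body).lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        score += 1
        reasons.append("pretext words: " + ", ".join(hits))
    return score, reasons


# Constructed samples: two modelled on the post's lures, one ordinary internal message.
SAMPLES = [
    build_message("Alisa Harper <alisa@example.invalid>", "info@devnull.com", "Final report",
                  "Dear info,\nCathleen Holcomb asked me to send you the attached Word document, "
                  "which contains the final version of the report.\nKind regards\nAlisa Harper\nManaging Director",
                  [("Report.doc.js", b"// constructed placeholder, not a real script")]),
    build_message("Jami Garrett <jami@example.invalid>", "info@devnull.com", "Invoice",
                  "Dear info,\nOur records show that we have not yet received payment for the previous "
                  "order #A-393685\nCould you please send payment as soon as possible?\n"
                  "Please find attached file for details.\nYours sincerely\nJami Garrett",
                  [("Invoice.js", b"// constructed placeholder, not a real script")]),
    build_message("Sam <sam@example.invalid>", "jane@example.invalid", "Minutes from Monday",
                  "Hi Jane,\nHere are Monday's minutes.\nCheers,\nSam",
                  [("minutes.pdf", b"%PDF-1.4 constructed placeholder")]),
]


def triage(messages):
    """Return (sender, score, reasons) for each message, highest score first."""
    rows = [(str(m["From"]), *score_message(m)) for m in messages]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for sender, score, reasons in triage(SAMPLES):
        print(f"{score:2d}  {sender}")
        for r in reasons:
            print("      -", r)
```

Both lures score on all three traits, while the ordinary message scores zero; in practice the attachment check alone is the one worth enforcing at the gateway, since a `.js` file has no business arriving as an “invoice” regardless of how the rest of the message reads.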
Be careful out there.
The Old Wolf has spoken.