TRI October 2018 Newsletter

TRI Newsletter – October 2018

Browser Spyware Infections “scareware”

Please continue to be diligent and aware when going online to surf the web or check your email.   I still get calls 2-4 time a day about attacks of “Scareware”. The first thing you should do is Shut Down your computer. Many of them tell you not to, but that is because the scareware is loaded into your RAM (temporary storage). Once the computer shuts down that is cleared. The first thing I will ask when called is did you shut down your computer.

(Example of browser “scareware”)
https://www.malwarerescue.com/wp-content/uploads/2014/03/systemversion.com-pop-up.png

If you get a page that tells you that you are infected with XXX many viruses and to call their tech support number right away, DON’T.  What’s happening is your browser has being hijacked by the people claiming to have identified your infection. If you were to call, they will appear to be as legitimate as they can as they request your payment information.  Because this is attempting to ‘get a reaction’ from you, both PC and MAC computers are at risk. HP, Dell, Microsoft and all other legitimate technicians will only call you when you have initiated a call to their support. Additionally, and unfortunately, due to these scareware tactics, if you attempt to Google or execute a web search for one of these legitimate company resources, it is even possible that the page you find is a fake landing page published by these malicious persons.  (Look in your computer, software or printer documentation for a customer support number.)

What can you do now?  If shutting down didn’t solve the problem, we can usually walk you through resetting your browser over the phone. If you clicked on/called the number, Shut Down your computer and call us. Most spyware can be cleaned off your computer in about an hour ($125).

 

50 million Facebook accounts breached by access-token-harvesting attack
Bugs in two features enabled mass harvest of single sign-on tokens.
Sean Gallagher – 9/28/2018, 1:35 PM

Excerpt

Facebook reset logins for millions of customers last night as it dealt with a data breach that may have exposed nearly 50 million accounts. The breach was caused by an exploit of three bugs in Facebook’s code that were introduced with the addition of a new video uploader in July of 2017. Facebook patched the vulnerabilities on Thursday, and it revoked access tokens for a total of 90 million users

In a call with press today, Facebook CEO Mark Zuckerberg said that the attack targeted the “view as” feature, “code that allowed people to see what other people were seeing when they viewed their profile,” Zuckerberg said. The attackers were able to use this feature, combined with the video uploader feature, to harvest access tokens. A surge in usage of the feature was detected on September 16, triggering the investigation that eventually discovered the breach.

 

NewEgg cracked in breach, hosted card-stealing code within its own checkout
Like British Airways breach, attack blended with site code, sent data to lookalike domain.
Sean Gallagher – 9/19/2018, 2:30 PM

Excerpt

The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg’s webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg’s Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

 

If you feel that your account has been breached what should you do?

  • Close accounts affected and/or create new accounts with the company.
  • Verify all charges on credit cards were done by you.
  • At the least, change passwords to a secure and different password.

 

Thank you,
James, Chris, Michael, Clint, Brett & Suzi
Technical Reinforcements
612-720-0233
info@reinforceme.com
www.reinforceme.com

Sextortion Emails With A Twist

There’s a new email scam in town, and it’s taking people for quite a bit of money. The scam asserts that it has captured video of the recipient watching porn using their computer’s web cam, and threatens to send that video, along with the video the recipient was supposedly watching, to everyone in the recipients contact list. The twist? They give the recipient a password that the recipient has used in the past. It might be the distant past, or recent past, or even a password that’s currently in use.

This new twist lends a scary amount of credibility to the scam. To that end, as Vice reports, the culprits have made off with over half a million dollars so far in this scam. We’ve already had a number of clients call in about this scam, and our advice is to not pay the extortion money. You can find the full text of one of these emails on Kerbs On Security’s site, but I will post a snippet below.

 

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

 

The fact that they have a valid password is really the scariest part for most people. I would recommend that if the password they present to you is one that you currently use, change that password. If you are still concerned about an email you’ve received, or someone you know needs to be talked out of paying the extortion fee, please give us a call. Our clients’ information is always confidential, but we can discuss the similarities between the different instances of this that we have seen.

Uptick In Phony Tech Support Scams

Microsoft is stating that there is an increase in the number of phony tech support calls, The Register reports. Microsoft puts the number of tech support scam calls at about 153,000, and roughly 15 percent of those calls resulting in the victim losing money.

It’s important for everyone to remember that Microsoft will not call you to fix a problem with your computer. The two big reasons are that basically 90% of the computer-using world are their customers.  That’s a lot of customers, and would require an impossibly large support team. The other reason is verification. Microsoft cannot verify who you are, and you cannot verify that it is actually Microsoft that’s actually calling you.

If you get a call from someone claiming to be Microsoft, do not give them any of your personal information, and do not let them remotely connect to your computer. If you have any concerns about such a call, feel free to reach out to us and we will assist in any way that we can.

Malware Disguising Itself As An Update

An ArsTechnica article posted today is talking about a rash of websites that have been compromised, and are now delivering phony web browser updates to site visitors.

What’s important for our clients to understand is that all major web browsers have a control method for updates. Internet Explorer and Edge are updated through Windows Update. Chrome and Firefox both phone home and download updates from their trusted sources. There is never a legitimate reason for a website to distribute an update to your web browser.

As always, keep your anti-virus software up-to-date, and if you run into any problems, Reinforcements are just a phone call away.

Secure Website Warnings

Symantec had a bit of a bumpy 2017, starting out with the mis-issuance of roughly 30,000 secure website certificates. For a very in-depth read on that, check out Ars Technica’s post here.

With the mis-issuance issue in mind, The Register kindly reminds us that in mid-April of this year, Google Chrome is going to stop considering certain certificates issued by Symantec as being valid. This means that if you visit a site with one of these certificates, you will get a security warning before you see the actual web site you were intending to visit.

We just want you to be aware that these security warnings could be coming. It’s possible that site owners will have upgraded all of their certificates before the deadline. But if they don’t, then for those of you using the Google Chrome browser, you may expect to start seeing these warnings sometime in April. For those of you using Mozilla Firefox, the warnings should be popping up a month later in May. Unfortunately I couldn’t find time lines for Microsoft Internet Explorer or Edge.

The main take away is that if you see these alerts, give it some time. Don’t put any personal information into a site that has thrown one of these warnings. Given the wide spread popularity of Google and Firefox, web site administrators will be keenly aware when the switch has been flipped, if they weren’t aware already.

Vulnerable Cisco Firewalls

Ars Technica reports on a vulnerability to some Cisco firewalls. You can read their article here:

https://arstechnica.com/information-technology/2018/01/cisco-drops-a-mega-vulnerability-alert-for-vpn-devices/

What does this mean to TRI customers?

Well, it looks like the vulnerability exists in Cisco’s ASA software that is used in many of their firewalls (note: some of the firewalls running the software don’t necessarily say ASA on them). If you’re using one of the affected firewalls, and you’re using WebVPN, you should patch immediately. That brings us to the next hurdle. Patches for Cisco devices either come from behind their paywall, or by contacting their Technical Assistance Center (TAC). Some people are reporting slow response times from TAC, and if you don’t have current support with Cisco, the download behind their paywall is out of reach.

Need Help?

If you’d like assistance assessing your firewall, working with TAC, or even replacing your firewall if it’s simply too old, we are here to help.