Blog

Google Spearphishing attack installs malicious app

On Tuesday May 3rd a massive spearphishing campaign targeted Google users by sending a link to a fake “Google Docs” app that downloads a malicious app to your device.

The links are spread through an email that comes addressed to you and “hhhhhhhhhhhhhhhh@mailinator.com.” The link looks legitimate and asks you to allow it permission to access your Google account.

The spam message not only accesses your Google account, it also sends itself to anyone you have as a contact. In addition it bypasses Google’s login alerts and Two Factor Authentication, granting access without setting off any alarms if you approve installation.

If you have received the email that looks like the image above, delete it immediately. If you clicked on it and gave it permissions on your device you need to immediately revoke permissions from the fake app and start changing passwords for anything associated with the email the phishing attack was sent to.

Redditor JakeStream has provided an excellent step-by-step explanation of what the infection process looks like and how to minimize the impact of the attack if you’ve been hit.

Since so many people have been compromised by this attack, and since the malicious link is so hard to distinguish from a legitimate link to Google, it is safest to refrain from clicking on shared Google documents in the near future.

Google has stated that the malicious page has been disabled and that they are investigating the attack. If you believe that your account has been compromised you can go to the Google Security Checkup page and follow the instructions there to secure your account.

Again, if you clicked on the link in the phishing email, or if you believe that you were compromised, you need to change the passwords for any accounts associated with the email address that was attacked. At the moment no one is sure what, specifically, this spearphishing attack was targeting, but it likely collected a tremendous number of emails and contact lists and gained unprecedented access to Google accounts.

If you are concerned that you may have been compromised in this attack and want help to ensure that your computer is clean and secure, please give PMCS a call at (818)957-5647 and we can help you clear your computer of any viruses and recover from an attack.

Infection Risk – Microsoft Word Zeroday Vulnerability a Threat to Your Computer

Exploits take advantage of the vagaries of code.

On April 8th 2017 a zeroday exploitable vulnerability was identified in Microsoft Office as a campaign of infected Word documents targeted users worldwide. The documents were sent out by a group known as Dridex, who are known for abusing Office Macros to install malware, but who have found a route that bypasses macros for this attack.

The Proofpoint Analysis is as follows:

Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from “”. [device] may be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”. The subject line in all cases read “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was replaced with random digits. Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing.

While this particular email campaign was run by a group that regularly targets banking information, it should concern everyone who uses Microsoft Office, because it reveals an exploit that others might use to send malicious files in the future.

The April 8th attack is disconcerting for several reasons:

  • It is fairly sophisticated, and the infected files look like a file sent from a device in the target’s office.
  • It avoids the most common routes of detection by antivirus and other security controls by exploiting a new Microsoft vulnerability.
  • Microsoft waited an unusually long time to disclose this vulnerability, which is surprising considering the scope of the attack and the exploitation of Microsoft software.
  • Zeroday attacks more commonly target individuals in high-security positions. Seeing an attack of this type launched against a wide base of users is unusual.

A patch for the vulnerability was released by Microsoft on Tuesday, April 11th. Regardless of whether or not your device is patched PMCS recommends the following protocols to protect yourself from infection:

  • Never open emails or documents from unknown sources.
  • Don’t open documents unless you know the sender and know the sender meant to send a file to you.
  • Disable macros on your devices.
  • If you open a file in Protected View and the document does not make sense, do not disable Protected View.

Protected View is enabled by default in Microsoft Word, but if you want to be sure you have the extra protection it offers, follow the instructions below to confirm that Protected View is enabled:

  1. Click the File tab in the upper left corner.
  2. Select Options.
  3. Select Trust Center in the left pane.
  4. Click Trust Center Settings.
  5. Select Protected View.
  6. Check all three options under Protected View and click OK.
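The steps above set Protected View through the Word dialog; the script below, an added example that is not part of the original post, reads the same three Protected View options and the macro setting (“Disable macros on your devices”) back from the registry for the current user so you can confirm the result without opening Word. It assumes Office 2016/2019/365 (version 16.0) and the documented per-user and Group Policy registry locations; the path and value names are taken from Microsoft’s documentation as I understand it and are marked as assumptions in the comments.

```powershell
# Added example: audit Word Protected View and macro settings for the current user.
# Assumption: Office 16.0 (2016/2019/365). Policy keys override the per-user keys.
$ver       = '16.0'
$userPV    = "HKCU:\Software\Microsoft\Office\$ver\Word\Security\ProtectedView"
$policyPV  = "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security\ProtectedView"
$userSec   = "HKCU:\Software\Microsoft\Office\$ver\Word\Security"
$policySec = "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security"

function Get-RegValue($path, $name) {
    # Returns $null when the key or the value does not exist (i.e. the default applies).
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Get-Effective($policyPath, $userPath, $name) {
    # A policy value set by an administrator wins over the user's own setting.
    $v = Get-RegValue $policyPath $name
    if ($null -ne $v) { return $v }
    return Get-RegValue $userPath $name
}

# The three Protected View checkboxes from step 6. A value of 1 means that
# option is turned OFF; 0 or no value means the default, which is ON.
$pvOptions = @{
    'DisableInternetFilesInPV'   = 'Files originating from the Internet'
    'DisableUnsafeLocationsInPV' = 'Files located in potentially unsafe locations'
    'DisableAttachementsInPV'    = 'Outlook attachments'   # Microsoft's own spelling
}
foreach ($name in $pvOptions.Keys) {
    $v = Get-Effective $policyPV $userPV $name
    $state = if ($v -eq 1) { 'OFF - re-enable it' } else { 'on' }
    Write-Output ("Protected View, {0}: {1}" -f $pvOptions[$name], $state)
}

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (Word's default),
# 3 = disable all except digitally signed, 4 = disable all without notification.
$macro = Get-Effective $policySec $userSec 'VBAWarnings'
switch ($macro) {
    1       { Write-Output 'Macros: ALL ENABLED - change this under Trust Center > Macro Settings' }
    3       { Write-Output 'Macros: disabled except digitally signed' }
    4       { Write-Output 'Macros: disabled without notification' }
    default { Write-Output 'Macros: disabled with notification (a user can still click Enable Content)' }
}
```

Run it in a normal (non-elevated) PowerShell window as the user whose Word you want to check; a line reading “OFF” or “ALL ENABLED” is the setting to fix.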

Zeroday attacks are relatively uncommon but pose a large threat because they are difficult to protect against. Antivirus programs can’t protect against threats that are undefined, so zerodays often meet no resistance from your computer. The best way to avoid being harmed by zeroday attacks is to implement good safety protocols and follow them regardless of whether a new threat has been identified.

If you are concerned that you may be infected or would like to plan to prevent infections in the future please give us a call at (818)957-5647. PMCS has decades of experience preventing infections and repairing the damage done by malware and viruses. We are here to help if you are concerned about this new threat.


How to take down the internet with one DDoS attack

On October 21st the US lost access to a large part of the internet. Here’s how that happens.

If someone wants to take down your website they can orchestrate what’s called a Denial of Service (DoS) attack, which involves sending thousands and thousands of requests to your website’s server. The server can’t keep up with the volume of requests, and its attempts to answer them slow its response time, making it impossible for legitimate users to access your site or for you to make changes. If all of these requests are coming from a small number of computers, you can block the attacker’s IP address on your router and free up your server’s resources for legitimate use.

The attack on the 21st was much grander in scale. A Distributed Denial of Service (DDoS) attack doesn’t use only one or two computers to generate attacks but tens of thousands, most of which are likely botnet computers owned by casual computer users who aren’t aware that their devices have been repurposed by a virus or malware into a node on a botnet. This alone makes it hard enough to block attacking IP addresses but DDoS attacks also frequently involve proxy services and packet anonymization to disguise the original IP addresses and make them impossible to block. Sometimes you’ll hear of a large company or a government agency being taken down, but it is rare to lose access to whole sections of the internet as the result of an attack.

So how did it happen?

Whether you know it or not, your computer relies on Domain Name Servers (DNSs) to find its way around the internet. The website you know as google.com is known to computers as 8.8.8.8. DNSs are the servers that check how to route your computer to 8.8.8.8 and make sure that you aren’t getting sent to 8.8.8.148 instead, or that 8.8.8.148 isn’t pretending to be 8.8.8.8. There are millions of DNSs constantly checking that sites are what they say they are and allowing your computer to access them. Some are small and private; some are clusters at large server farms. The attack on the 21st was a series of massive DDoS attacks aimed at a company in New Hampshire called Dyn, which happens to be a major DNS provider for a lot of what we use online every day. The attack disabled Dyn’s DNS servers, and as a result DNS went down for some major services, effectively barring the door to users whose computers were trying to find a location without a map.

Post-incident reports indicate that the attack was the result of a Mirai botnet, largely made up of web-enabled devices such as CCTV cameras. The fact that these cameras were so easily hijacked and have so little in-built security raises a lot of questions about the direction the tech industry has taken in supporting the internet of things, and the fact that large portions of the internet went dark on the 21st has raised valid concerns about the viability of cloud software in a world where access to your business infrastructure can be taken down by a smart refrigerator.

Solid security and physical redundancy can do a great deal to protect your business productivity. If you’re interested in an assessment of your security standards, or curious to learn more about what a physical server can do for your office, give PMCS a call for a consultation at (818)957-5647.

Why do cellphones and speakers keep blowing up?

A selection of AA batteries

Lithium-ion (LI) batteries have become a major part of daily life in the last decade. They’re in your camera, your phone, your computer, and maybe even in your car. There are tremendous advantages to LI batteries over other types of batteries: they are much lighter and have a lower rate of energy loss. But there’s a fine line that has to be walked to keep the more energetic LI composition safe.

A battery is a chemical reaction that you can keep in your pocket. LI batteries use a lithium electrolyte to create the chemical reaction that allows you to power your phone; a lithium salt gel is wrapped in a thin, non-reactive envelope and connected to a positive and a negative electrode, which are separated so they can’t touch. When phone batteries explode it’s because, one way or another, the lithium electrolyte gel has come into contact with other metals in your phone and caused a reaction.

Sometimes this contact is caused by “thermal runaway” – overheating that causes the volatile electrolyte to continue reacting even if it isn’t connected to a power source. Thermal runaway can be caused by overcharging (as a result of the battery’s self-limiting computer failing) or from leaving it in a very hot location. As electricity causes a reaction inside your phone the Lithium batteries warm up and as they warm they expand. Normally this isn’t a problem – manufacturers are aware of heat causing expansion and leave space inside your phone for that expansion to occur safely and include limits to prevent anything that might cause a thermal reaction (like including a battery computer to prevent it from overcharging). When thermal runaway happens the battery expands past the intended limits and cracks its casing, reacts to other parts of your phone, and can catch on fire if it expands out enough to come into contact with air.

See a video of it happening: This person removed the safeguards that prevent a phone battery from overcharging.

Something similar but much faster can happen as a result of a short in the battery. Shorts in the battery can be caused by a leak in the envelope holding the electrolyte gel or by a conductive material accidentally connecting the positive and negative electrodes. Shorts can be caused by mechanical damage (a puncture or tear in the electrolyte envelope) if it causes the electrolyte gel to leak.

See a video of it happening: This person created a short circuit by connecting the negative and positive electrodes on a small battery.

If you have a device with LI batteries, whether it’s a cell phone or a hoverboard, make sure to store it at appropriate temperatures, avoid overcharging it, and take precautions to avoid puncturing or significantly cracking the casing. LI battery explosions are incredibly uncommon, which is why they dominate the news cycle when they do happen. Statistically these batteries are very safe and have a very low failure rate but there are risks that arise as a result of the continuing pursuit of a long-lasting, light-weight battery.

Ransomware Shows the Importance of Updating Software

People are frequently frustrated by the need to update software. “I paid for Adobe already” or “I bought a Microsoft license years ago, why do I need to pay again for a new one” is a refrain we hear frequently. Ransomware is the perfect example of why using up-to-date software is vital. It perfectly illustrates the risks of relying exclusively on your antivirus for security.

Ransomware can take advantage of macros in outdated versions of programs to encrypt all the files on your computer. It can even encrypt your entire network if your computer is connected to one. In particular, Locky Ransomware is an example that attacks outdated copies of Microsoft Word. It appears as a Word document in an email, posing as an invoice. Once the document is opened, it installs malware on your computer if macros are enabled. If macros aren’t enabled, the ransomware asks you to enable them. Here are the simple steps you can take to prevent yourself from being infected:

  1. Don’t open email attachments from people you don’t know. Locky Ransomware poses as an invoice from a vendor. Make sure you are only opening files from companies you work with.
  2. Don’t follow instructions from strangers. Locky Ransomware only works if macros are enabled. If macros aren’t enabled the ransomware asks you to change your settings. If an attachment from a stranger requires you to update or change your settings, it is almost certainly going to be to your detriment.
  3. Don’t use outdated software. You should never use software that is outside of the manufacturer support period (for example, Microsoft Office 1997 or Windows XP). Manufacturer support means there are patches and fixes still being written for the software, while unsupported software is vulnerable to attack and will not be fixed or patched by the manufacturer.
  4. Keep an up-to-date antivirus. Even though antivirus software won’t catch everything, it’s much safer to have an antivirus than to have no protection at all.

If you aren’t sure if your Microsoft Office is up-to-date or if you need an antivirus license for your individual desktop or for an office-wide network please give us a call.

If you think you might have been infected with Ransomware or any other viruses or malicious software please also give us a call and we will do what we can to save your data and protect you in the future.

Reach out to us at (818)957-5647 or through our contact page.