
Onliner Spambot dumps 711 million records

A spambot called Onliner has been dumping batches of email addresses and passwords into text files on a server hosted in the Netherlands. The data appears to be at least partially related to LinkedIn breaches. The information has been collected by the Onliner Spambot as part of a campaign of social media phishing, data-collection malware, and responses to email spam.

How do Spambots collect data?

In addition to collecting and dumping records in plaintext, Onliner is also sending banking malware to the email addresses it has collected, extending its reach and the amount of data it has amassed.

Onliner primarily works by scraping data from previous breaches or vulnerabilities, like Heartbleed in 2014, and then sending out test emails to the addresses it has collected. The test emails will appear to be legitimate but will contain a hidden pixel-sized image that, when the message is opened, collects information such as your IP address, operating system, and device details and sends it back to the spambot's servers. Once it has that information, Onliner will send phishing messages to attempt to collect more saleable data.
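The hidden-image trick described above can be spotted before a message is rendered. The following is an added example, not code from the original post: it parses an HTML email body and flags remote images that are one pixel in size or hidden with CSS, which is the shape an open-tracking beacon takes. The sample HTML and hostnames are constructed for illustration.

```python
"""Added example: flag hidden tracking pixels in an HTML email body.

Not code from the original post. All sample HTML and hostnames below are
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _px(value):
    """Parse an HTML size attribute such as "1", "1px" or "200" into an int."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


class _PixelFinder(HTMLParser):
    """Collects <img> tags that load from a remote host and are tiny or hidden."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        style = (a.get("style") or "").replace(" ", "").lower()
        width, height = _px(a.get("width")), _px(a.get("height"))
        tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        remote = parsed.scheme in ("http", "https")  # cid:/data: images are not beacons
        if remote and (tiny or hidden):
            self.hits.append({
                "src": src,
                "host": parsed.hostname,
                "tiny": tiny,
                "hidden": hidden,
                "carries_id": bool(parsed.query),  # per-recipient token in the URL
            })


def find_tracking_pixels(html):
    """Return one dict per suspected open-tracking beacon in the HTML body."""
    finder = _PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample: one real logo, one 1x1 beacon with a recipient token,
# one beacon hidden with CSS, and one inline (cid:) image that is not remote.
SAMPLE_HTML = """<html><body>
<p>Please review the attached invoice.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="http://track.example.net/open.gif?r=a1b2c3" width="1" height="1">
<img src="https://track.example.net/px.png" style="display: none">
<img src="cid:sig001" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML):
        print(hit)
```

The detection is only a triage aid; the mitigation that actually stops the beacon from reporting your IP address and client details is the mail client's "do not load remote images" setting, which most clients enable by default for unknown senders.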

Why a Spambot? What’s the point?

The goal of spambots like Onliner is to perpetuate themselves and steal data. It uses stolen data to steal more data, then uses its new stolen data to generate “trusted” emails to install malware on desktops to steal further data. Onliner is like a perpetual motion machine dedicated to stealing your credentials and infecting your computer.

Even if your computer isn't being infected by a spambot, simply having phishing attacks levied against your business can be a risk: untrained employees, busy schedules, and hectic environments can create an opportunity for abuse from spammers and phishers. A data snapshot from Onliner's hidden-image emails might be enough to let an attacker convince someone in your business (or one of your customers or one of your vendors) to share more information or pay money to a malicious attacker, a situation that recently cost a Canadian university 10 million dollars.

Am I at risk?

If you use social media, have a LinkedIn account, have ever used the same password across multiple accounts, let your antivirus expire, or just have an email address, there's probably a chance that your data has been scraped from the internet at some point. You can find out by checking a wonderful tool called Have I Been Pwned? that was put together by malware researcher Troy Hunt. Hunt's website also includes a list of websites that have had their data pulled. For major breaches Hunt has organized a short summary of how the breach occurred and its history to help users decide whether it's safe to create accounts with those sites.

If you want to know if your email address has been picked up or if your data is at risk check out Hunt’s page and take a look around; at the very least it will let you know if perhaps it’s time to change your email address or password.

Moving Forward

So how do we go on when this kind of thing is becoming more and more common? Aside from practicing good internet hygiene like logging out of accounts, not using unprotected wireless access, and changing passwords frequently, PMCS recommends a strong spam filter to keep you safe. We offer spam filtering in the form of Nuked Spam, a service that passes your email through our secure servers before it goes to your inboxes, ensuring that anything potentially harmful stays out of your server environment. Because we work with industry leaders in spam identification and tagging we are able to keep bots like Onliner off of your system, so that they're never able to collect data about your users or infect their desktops. In addition to strong spam filtering, the protection of a good firewall will go a long way toward protecting your network and keeping your business up and running.

If you’re interested in improving your spam filter or would like to talk to us about security in the era of spambots like Onliner please give us a call at 818-957-5647 and we’ll create a solution perfectly tailored to your needs.

Google Spearphishing attack installs malicious app

On Tuesday May 3rd a massive spearphishing campaign targeted Google users by sending a link to a fake “Google Docs” app that downloads a malicious app to your device.

The links are spread through an email that comes addressed to you and “hhhhhhhhhhhhhhhh@mailinator.com.” The link looks legitimate and asks you to allow it permission to access your Google account.

The spam message not only accesses your Google account, it also sends itself to everyone in your contact list. In addition, it bypasses Google's login alerts and two-factor authentication, granting access without setting off any alarms if you approve the installation.

If you have received an email like the one described above, delete it immediately. If you clicked on it and gave it permissions on your device you need to immediately revoke the fake app's permissions and start changing passwords for anything associated with the email address the phishing attack was sent to.

Redditor JakeStream has provided an excellent step-by-step explanation of what the infection process looks like and how to minimize the impact of the attack if you’ve been hit.

Since so many people have been compromised by this attack and since the malicious link is so hard to distinguish from a legitimate link to Google it is safest to refrain from clicking on shared Google documents in the near future.

Google has stated that the malicious page has been disabled and that they are investigating the attack. If you believe that your account has been compromised you can go to the Google Security Checkup page and follow the instructions there to secure your account.

Again if you clicked on the phishing email or if you believe that you were compromised you need to change the passwords for any accounts associated with the email that was attacked. At the moment no one is sure what, specifically, this spearphishing attack was targeting but it likely collected a tremendous number of emails, contact lists, and gained unprecedented access to Google accounts.

If you are concerned that you may have been compromised in this attack and want help to ensure that your computer is clean and secure, please give PMCS a call at (818)957-5647 and we can help you clear your computer of any viruses and recover from an attack.

Infection Risk – Microsoft Word Zeroday Vulnerability a Threat to Your Computer

Exploits take advantage of the vagaries of code.

On April 8th 2017 a zeroday exploitable vulnerability was identified in Microsoft Office as a campaign of infected Word documents targeted users worldwide. The documents were sent out by a group known as Dridex, who are known for abusing Office Macros to install malware, but who have found a route that bypasses macros for this attack.

The Proofpoint Analysis is as follows:

Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from “”. [device] may be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”. The subject line in all cases read “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was replaced with random digits. Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing.

While this particular email campaign was launched by a group that regularly goes after banking information, it should be a concern for everyone who uses Microsoft Office because it reveals an exploit that others might make use of to send malicious files in the future.
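Both lures on this page have headers a mail gateway can key on: the fake "Google Docs" message carried hhhhhhhhhhhhhhhh@mailinator.com as a recipient, and the "Scan Data" campaign spoofed a device address on the recipient's own domain with a Scan_123456.doc or .pdf attachment. The following is an added example, not code from PMCS or Proofpoint, that expresses those two observations as gateway rules over parsed messages. The sample messages, the corp.example domain and the `arrived_externally` flag (what a gateway already knows about where a message came in from) are assumptions.

```python
"""Added example: mail-gateway rules for the two lures described on this page.

Not code from the original post or from Proofpoint. The message samples are
constructed; the mailinator address and the Scan_123456 naming come from the
post, our_domain and the helper names are assumptions.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Local-parts the "Scan Data" campaign spoofed on the recipient's own domain.
DEVICE_LOCALPARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
SCAN_ATTACHMENT = re.compile(r"^Scan_\d+\.(doc|pdf)$", re.IGNORECASE)
# Recipient that appeared on messages in the fake "Google Docs" campaign.
OAUTH_LURE_RECIPIENT = "hhhhhhhhhhhhhhhh@mailinator.com"


def _addresses(msg, *headers):
    """Lower-cased addresses from the named headers (display names dropped)."""
    values = []
    for h in headers:
        values.extend(msg.get_all(h, []))
    return [addr.lower() for _name, addr in getaddresses(values) if addr]


def _attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def lure_indicators(raw_message, our_domain, arrived_externally=True):
    """Return the list of lure rules the message matches (empty = nothing seen).

    arrived_externally is what a gateway already knows: a message from the
    internet whose From claims our own domain is spoofed; a real scanner on
    the LAN is not.
    """
    msg = message_from_string(raw_message)
    hits = []

    if OAUTH_LURE_RECIPIENT in _addresses(msg, "To", "Cc"):
        hits.append("oauth-app-lure-recipient")

    subject = (msg.get("Subject") or "").strip().lower()
    for sender in _addresses(msg, "From"):
        local, _, domain = sender.partition("@")
        spoofed_device = (arrived_externally
                          and local in DEVICE_LOCALPARTS
                          and domain == our_domain.lower())
        if (spoofed_device and subject == "scan data"
                and any(SCAN_ATTACHMENT.match(n) for n in _attachment_names(msg))):
            hits.append("scan-data-rtf-lure")
    return hits


def _sample_scan_lure():
    m = EmailMessage()
    m["From"] = "scanner@corp.example"      # spoofed: looks like the office copier
    m["To"] = "alice@corp.example"
    m["Subject"] = "Scan Data"
    m.set_content("Attached is the scanned document.")
    m.add_attachment(b"{\\rtf1 constructed placeholder}",
                     maintype="application", subtype="msword",
                     filename="Scan_483920.doc")
    return m.as_string()


def _sample_oauth_lure():
    m = EmailMessage()
    m["From"] = "colleague@example.org"
    m["To"] = "alice@corp.example, hhhhhhhhhhhhhhhh@mailinator.com"
    m["Subject"] = "A document has been shared with you"
    m.set_content("Open in Docs: https://link.invalid/")
    return m.as_string()


def _sample_benign():
    m = EmailMessage()
    m["From"] = "bob@example.org"
    m["To"] = "alice@corp.example"
    m["Subject"] = "Lunch?"
    m.set_content("Noon at the usual place.")
    return m.as_string()


SCAN_LURE, OAUTH_LURE, BENIGN = _sample_scan_lure(), _sample_oauth_lure(), _sample_benign()

if __name__ == "__main__":
    for name, raw in (("scan", SCAN_LURE), ("oauth", OAUTH_LURE), ("benign", BENIGN)):
        print(name, lure_indicators(raw, "corp.example"))
```

The `arrived_externally` gate is what keeps the rule from quarantining your actual copier's mail: the lure only works because the From header is forged, and a gateway can tell forged-internal from internal by which connection the message came in on (or, more robustly, by SPF and DMARC results for your own domain).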

The April 8th attack is disconcerting for several reasons:

  • It is fairly sophisticated, and the infected files look like a file sent from a device (a scanner or copier) in the target's office.
  • It avoids the most common routes of detection by antivirus and security tooling by exploiting a new Microsoft vulnerability.
  • Microsoft waited an unusually long time to disclose this vulnerability, which is surprising considering the scope of the attack and the exploitation of Microsoft software.
  • Zeroday attacks more commonly target individuals in high-security positions. Seeing an attack of this type launched against a wide base of users is unusual.

A patch for the vulnerability was released by Microsoft on Tuesday, April 11th. Regardless of whether or not your device is patched, PMCS recommends the following protocols to protect yourself from infection:

  • Never open emails or documents from unknown sources.
  • Don’t open documents unless you know the sender and know the sender meant to send a file to you.
  • Disable macros on your devices.
  • If you open a file in Protected View and cannot make sense of the document, do not disable Protected View in order to read it.

Protected View is enabled by default in Microsoft Word, but if you want to make sure you have the extra protection it offers, follow the instructions below to confirm that Protected View is enabled:

  1. Click the File tab in the upper left corner.
  2. Select Options.
  3. Select Trust Center in the left pane.
  4. Click Trust Center Settings.
  5. Select Protected View.
  6. Check all three options under Protected View and click OK.

Zeroday attacks are relatively uncommon but pose a large threat because they are difficult to protect against. Antivirus programs can't protect against threats they have no definition for yet, so zerodays often meet no resistance from your computer. The best way to avoid being harmed by zeroday attacks is to implement good safety protocols and follow them regardless of whether a new threat has been identified.

If you are concerned that you may be infected or would like to plan to prevent infections in the future please give us a call at (818)957-5647. PMCS has decades of experience preventing infections and repairing the damage done by malware and viruses. We are here to help if you are concerned about this new threat.


Ransomware Shows the Importance of Updating Software

People are frequently frustrated by the need to update software. “I paid for Adobe already” or “I bought a Microsoft license years ago, why do I need to pay again for a new one” is a refrain we hear frequently. Ransomware is the perfect example of why using up-to-date software is vital. It perfectly illustrates the risks of relying exclusively on your antivirus for security.

Ransomware can take advantage of macros in outdated versions of programs to encrypt all the files on your computer. If your computer is connected to a network, it can go on to encrypt the files on every network share it can reach. Locky Ransomware in particular is an example that attacks outdated copies of Microsoft Word. It arrives as a Word document in an email, posing as an invoice. Once the document is opened, it installs malware on your computer if macros are enabled. If macros aren't enabled, the ransomware asks you to enable them. Here are the simple steps you can take to prevent yourself from being infected:

  1. Don't open email attachments from people you don't know. Locky Ransomware poses as an invoice from a vendor. Make sure you are only opening files from companies you work with.
  2. Don't follow instructions from strangers. Locky Ransomware only works if macros are enabled. If macros aren't enabled the ransomware asks you to change your settings. If an attachment from a stranger requires you to update or change your settings it is almost certainly going to be to your detriment.
  3. Don't use outdated software. You should never use software that is outside of the manufacturer support period (for example, Microsoft Office 1997 or Windows XP). Manufacturer support means there are patches and fixes still being written for the software, while unsupported software is vulnerable to attack and will not be fixed or patched by the manufacturer.
  4. Keep an up-to-date antivirus. Even though antivirus software won't catch everything, it's much safer to have an antivirus than to have no protection at all.
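Two of the attachment facts on this page can be checked mechanically before a file reaches a user: the zeroday lure above was an RTF file carrying a .doc name, and Locky only works if its document carries macros. The following is an added example, not code from PMCS or the original post, that sniffs an attachment's real format from its leading bytes, looks for a VBA project inside Office Open XML files, and reports an extension/content mismatch. The verdict policy and all sample bytes are constructed; the legacy binary .doc format is only marked for review because ruling out macros there needs a full OLE parser, which this example does not include.

```python
"""Added example: inspect a mail attachment before it reaches a user.

Not code from the original post. It applies two observations from the page:
the zeroday lure was an RTF file named Scan_123456.doc, and Locky needs a
macro-bearing document. The policy names and sample bytes are constructed.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
EXPECTED_KIND = {"doc": "ole2", "docx": "ooxml", "docm": "ooxml",
                 "rtf": "rtf", "pdf": "pdf"}


def _content_kind(data):
    """Identify the container by its leading bytes, not by its file name."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def _ooxml_has_vba(data):
    """Office Open XML keeps macros in a vbaProject.bin part inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return a dict with the detected kind, macro status and a verdict.

    Verdict policy (an assumption, modelled on the advice above):
      block  - macros present, or the content does not match the extension
      review - legacy OLE2 binary or unknown format; macros cannot be ruled out
      allow  - everything else
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = _content_kind(data)
    reasons = []
    macros = None                      # None = unknown
    if kind == "ooxml":
        macros = _ooxml_has_vba(data)
        if macros:
            reasons.append("contains a VBA macro project")
    elif kind in ("rtf", "pdf"):
        macros = False                 # these formats carry no VBA
    if ext in EXPECTED_KIND and EXPECTED_KIND[ext] != kind:
        reasons.append(f"extension .{ext} does not match content ({kind})")
    if reasons:
        verdict = "block"
    elif kind in ("ole2", "unknown"):
        verdict = "review"
    else:
        verdict = "allow"
    return {"kind": kind, "macros": macros, "verdict": verdict, "reasons": reasons}


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in entries.items():
            z.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (minimal stand-ins, not real documents).
RTF_AS_DOC = ("Scan_123456.doc", b"{\\rtf1\\ansi constructed placeholder}")
MACRO_DOCM = ("invoice.docm", _make_zip({"[Content_Types].xml": "<Types/>",
                                        "word/document.xml": "<w:document/>",
                                        "word/vbaProject.bin": b"\x00placeholder"}))
PLAIN_DOCX = ("notes.docx", _make_zip({"[Content_Types].xml": "<Types/>",
                                       "word/document.xml": "<w:document/>"}))
PLAIN_PDF = ("Scan_123456.pdf", b"%PDF-1.4 constructed placeholder")

if __name__ == "__main__":
    for name, data in (RTF_AS_DOC, MACRO_DOCM, PLAIN_DOCX, PLAIN_PDF):
        print(name, classify_attachment(name, data))
```

The mismatch rule is the part that would have caught the April campaign: Word happily opens an RTF file whatever its extension, so the only signal a filter gets is that the bytes say RTF while the name says .doc. Treating "review" as "hold for a human" rather than "deliver" is what makes the legacy .doc case safe without an OLE parser.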

If you aren’t sure if your Microsoft Office is up-to-date or if you need an antivirus license for your individual desktop or for an office-wide network please give us a call.

If you think you might have been infected with Ransomware or any other viruses or malicious software please also give us a call and we will do what we can to save your data and protect you in the future.

Reach out to us at (818)957-5647 or through our contact page.