Tag Archive for Malware

Seven Social Engineering Classics

Social engineering describes various non-technical attack techniques cybercriminals use to manipulate users. The attackers hope the user will bypass security or other business process protocols, perform harmful actions, or disclose sensitive information. Beware of these social engineering classics.

Business Email Compromise

Don’t be fooled by official-looking emails, even when the email appears to be work-related. Subject lines such as “Invoice Attached” or “Here’s the file you needed” may signal a social engineering classic. To be sure, hover your cursor over email addresses and links before clicking to see whether the sender and the type of file are legitimate. Faked emails of this kind are called “Business Email Compromise” or BEC scams, and BEC is the most costly form of cybercrime. A typical BEC scam involves phony emails in which the attacker spoofs a message from a company executive and tricks someone into wiring funds to the fraudsters.

Vishing

Corporate phone systems are often set up to forward voice mail audio files to employees’ inboxes. While this is convenient, forwarding the files can be risky: it makes it harder to determine whether an email is phony or legitimate. Since 2014, scammers have been installing malicious software through emails designed to look like internal voicemail messages, making vishing a social engineering classic.

With vishing, cybercriminals use an urgent or alarming voicemail message to try to get potential victims to call back with their personal information. Fake caller ID information is often used to make the calls appear to be from a legitimate organization or business.

Free Stuff, a social engineering classic

Free Stuff is one of the oldest social engineering classics. Most people can’t resist free stuff, from pizza to software downloads, and they will click just about any link to get it. Of course, nothing is truly free. Sophisticated attackers might send a link to genuine free software, but they route you through their own website, which means you may end up infected or compromised.

Baiting

Baiting is a variant of “Free Stuff.” The attacker hopes to trick victims into executing code by piquing their curiosity or convincing them to run hardware or software with hidden malware. For example, innocent-looking USB sticks handed out at a conference or casually “dropped” in the parking lot could contain malware, which detonates when the curious user plugs the stick into their PC. This is how Stuxnet attacked the Iranian nuclear program.

Quid pro quo social engineering classic

Another version of “Free Stuff.” In Latin, quid pro quo means “something for something.” The attacker offers something of genuine worth to the victim and, in exchange, works their way into the target’s network. An example: the attacker poses as tech support and solves a problem for you, then convinces you to type in a line of code that serves as a “backdoor.” On the other hand, it may be as simple as trading a candy bar for a password!

Waterholing

This attack plants malware on a website you and your colleagues frequently visit. The next time you surf the site, the malware—such as a remote-access Trojan or RAT—is downloaded to your computer. And just like that, the attacker can begin exfiltrating data from your employer’s network.

Pretexting

Pretexting is another form of social engineering in which attackers create a fabricated scenario that they can use to try to steal the victim’s information. It is a true con game, and it relies on the crook fostering a sense of trust in the victim.

Pretexters can also impersonate co-workers, police, banks, or tax authorities: any individual who could have perceived authority or a right to know in the targeted victim’s mind. In some cases, all that is needed is an authoritative voice, an earnest tone, and an ability to think on one’s feet to create a pretext scenario.

Stay safe out there!


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Fix Your Slow Mac Apps

I have been an ambidextrous computer user for many years. I use a Windows 10 machine for work and an Apple MacBook for personal business like working on the Bach Seat. For a while the performance of the Mac apps was terrible – the $%&(% jumping icons while waiting for an app to load – Word, Excel, Chrome, Firefox – were driving me nuts.

After investigating a myriad of other reasons the Mac apps were running slow, I came across this hint: reset the SMC. According to Apple Support, the SMC is the System Management Controller on Intel-based MacBooks. The SMC is responsible for:

  • Responding to presses of the power button
  • Responding to the display lid opening and closing
  • Battery management
  • Thermal management
  • Sudden Motion Sensor (SMS)
  • Ambient light sensing
  • Keyboard backlighting
  • Status indicator light (SIL) management
  • Battery status indicator lights
  • Selecting an external (instead of internal) video source

Those all really sound like hardware problems – but it also fixed my very long application load time.

Here’s how to reset the SMC:

  1. Shut down the computer
  2. Plug in the power adapter
  3. Press the Shift + Control + Option keys and the power button at the same time
  4. Release all the keys and the power button simultaneously
  5. Press the power button to turn on your Mac

rb-

If you’ve updated your macOS and applications, run a malware check, and flushed caches – and you still feel your Mac is sluggish – resetting the SMC is worth a try. I did not see any negative consequences from resetting the SMC on my Apple MacBook.

Stay safe out there!


Celebrities You Shouldn’t Google in 2019

It is time once again for McAfee’s annual search for the most dangerous celebrity online. The 2019 version of the cyber-security firm’s research found which celebrities’ internet searches expose users to the most risk from malicious websites, malware, ransomware, and other risky outcomes. McAfee says that criminals use deceptive websites to dupe unsuspecting consumers into accessing malicious files or content.

McAfee crowned actress Alexis Bledel the riskiest celeb online for 2019. Searches for the actress, known for her role as Rory Gilmore in the TV show Gilmore Girls, landed the most users on risky websites that carry viruses or malware in 2019.

McAfee speculates that the Texas-born Bledel’s role as Ofglen in the fan-favorite Hulu series “The Handmaid’s Tale” and big-screen role in the “Sisterhood of the Traveling Pants” movies led to her top ranking.

The actress takes over the number one spot from Ruby Rose, who topped last year’s list mainly because of fans’ interest in her playing Batwoman.

The second most dangerous celebrity online was British comedian, actor, and host of The Late Late Show, James Corden. The popularity of viral videos from The Late Late Show gives attackers more options to spread their malware.

Sophie Turner made the list at number 3. She has been trending lately due to her role on “Game of Thrones,” as well as her relationship with singer Joe Jonas.

Pitch Perfect series actress Anna Kendrick reached 4th place. She was followed by Lupita Nyong’o in the 5th riskiest position on the list. McAfee speculates that interest in “Star Wars: The Rise of Skywalker” put Ms. Nyong’o on the list.

Comedian, former SNL star, and current Tonight Show host Jimmy Fallon is ranked number 6. Viral videos from the Tonight Show are popular with threat actors.

Martial arts master Jackie Chan came in at 7. McAfee explained that rumors circulated about his return to the big screen in “Rush Hour 4” and “The Karate Kid 2.” His team denied the gossip, but cyber-criminals took advantage of fans’ nostalgia to spread their malware.

Rappers take the #8 and #9 positions on McAfee’s list. Lil Wayne was named the eighth most dangerous, driven by his summer tour with Blink-182 and fans’ searches for illegal downloads. Nicki Minaj came in at 9. She caused many of her fans to panic in September after she tweeted she was retiring from music, and attackers took advantage of her fans’ quest for more information by poisoning her searches.

Tessa Thompson, known for her role as Valkyrie, Marvel’s first LGBTQ superhero, was listed as the number 10 riskiest popular search term this year thanks to her leading roles in “Men in Black: International” and “Avengers: Endgame.”

Cyber-criminals also use the same celebrity-baiting tactics internationally. According to McAfee, the most dangerous online celebs around the world are:

Gary Davis, chief consumer security evangelist at McAfee, explained the risks involved with searches for these celebrities.

Consumers may not be fully aware that the searches they conduct pose risk, nor may they understand the detrimental effects that can occur when personal information is compromised in exchange for access to their favorite celebrities, movies, TV shows, or music.

He warns celebrity seekers to be cautious.

It is essential that consumers learn to protect their digital lives from lurking cyber-criminals by thinking twice before they click on suspicious links or download content.

rb-

Cord-cutting could be driving some of this risky behavior. McAfee found that the names of the risky celebs like Bledel, Fallon, and Chan are strongly associated with searches including the term “torrent.”

These users, who bypass subscription services like Hulu and Amazon to save a few bucks, put their digital lives at risk in exchange for pirated content.


Is Yuzo on Your WordPress site?

I am still busy unpacking and re-arranging the furniture at the new home of Bach Seat. One of the nicer things about my new host is that I can now get WordPress alerts. And I have been getting a ton of alerts from the firewall that it blocked “yuzo-related” attack attempts. So I decided to see WTF “yuzo-related” attack attempts were about and found an excellent explanation on the WordFence site.

60,000 WordPress websites

Dan Moen at WordFence explains that the Yuzo Related Posts (YRP) plugin for WordPress has an unpatched vulnerability that was publicly disclosed by a security researcher on March 30, 2019. The flaw, which allows stored cross-site scripting (XSS), is now being exploited in the wild. The buggy plugin is installed on over 60,000 websites and has been removed from the WordPress.org plugin directory.

WordFence recommends that all users remove the plugin from their sites immediately.

The blog’s author writes that the vulnerability in YRP stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below is the crux of the problem. There is more in-depth coding tech-talk at WordFence.

    }elseif( is_admin() ){ // only admin

He says developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used.

Injects malicious JavaScript

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.
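The two preceding paragraphs describe the root cause (an is_admin() check standing in for an authorization check) and its consequence (attacker-controlled settings rendered into page HTML). The following is an added example written for this post; it is not the Yuzo plugin’s code and not WordFence’s. It puts the anti-pattern beside a hardened settings handler. Every hook, option and field name beginning with hypothetical_ is made up for the illustration; the WordPress functions used (is_admin, current_user_can, check_admin_referer, wp_nonce_field, wp_strip_all_tags, update_option, get_option and friends) are real core APIs.

```php
<?php
/**
 * Added example (not Yuzo's code and not WordFence's): the is_admin() anti-pattern
 * beside a hardened settings handler. All hook, option and field names
 * (hypothetical_*) are made up for this illustration.
 */

// --- VULNERABLE PATTERN -------------------------------------------------------
// is_admin() only answers "is the admin area being rendered?" It is also true for
// admin-ajax.php, which any anonymous visitor can reach, and it never looks at
// who (if anyone) is logged in. Hooked to 'init', this would run on every request.
function hypothetical_vulnerable_save_settings() {
    if ( isset( $_POST['hypothetical_custom_css'] ) && is_admin() ) { // "only admin" -- not true
        // Raw request data written straight to the database: stored XSS.
        update_option( 'hypothetical_custom_css', $_POST['hypothetical_custom_css'] );
    }
}
// add_action( 'init', 'hypothetical_vulnerable_save_settings' ); // left unhooked on purpose

// --- HARDENED HANDLER ---------------------------------------------------------
// Routed through admin-post.php: the 'admin_post_{action}' hook (as opposed to the
// 'admin_post_nopriv_{action}' variant) is only dispatched for logged-in users.
function hypothetical_secure_save_settings() {
    // 1. Capability check: ask what the user may do, not which page is rendering.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Nonce check: a logged-in admin lured to a hostile page cannot be made to
    //    submit this form on the attacker's behalf (CSRF).
    check_admin_referer( 'hypothetical_save_settings', 'hypothetical_nonce' );

    // 3. Sanitize before storing: strip every tag (wp_strip_all_tags also drops the
    //    contents of <script>/<style> pairs), so a </style><script> breakout never
    //    reaches the database in the first place.
    $raw = isset( $_POST['hypothetical_custom_css'] ) ? wp_unslash( $_POST['hypothetical_custom_css'] ) : '';
    $css = wp_strip_all_tags( (string) $raw );
    update_option( 'hypothetical_custom_css', $css );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_hypothetical_save_settings', 'hypothetical_secure_save_settings' );

// The settings form that feeds the handler; the nonce field pairs with check_admin_referer().
function hypothetical_render_settings_form() {
    $css = get_option( 'hypothetical_custom_css', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypothetical_save_settings">';
    wp_nonce_field( 'hypothetical_save_settings', 'hypothetical_nonce' );
    echo '<textarea name="hypothetical_custom_css">' . esc_textarea( $css ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// 4. Treat stored data as untrusted on output too (defense in depth). Tags are
//    stripped again rather than HTML-escaped, because a selector like "div > span"
//    must survive inside a <style> block; WordPress core prints Customizer CSS the
//    same way (strip_tags rather than esc_html).
function hypothetical_print_custom_css() {
    $css = get_option( 'hypothetical_custom_css', '' );
    if ( '' === $css ) {
        return;
    }
    echo '<style id="hypothetical-custom-css">' . wp_strip_all_tags( $css ) . '</style>';
}
add_action( 'wp_head', 'hypothetical_print_custom_css' );
```

The fix is three separate questions, each answered by a different call: who is asking (current_user_can), did they mean to (check_admin_referer), and is the value safe to store and to render (wp_strip_all_tags on both sides). is_admin() answers none of them.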

As evidenced by the number of probes against my site, threat actors have begun exploiting sites with YRP installed. The exploits in the wild inject malicious JavaScript. When a visitor lands on a compromised website containing the malicious payload, they will be redirected to malicious tech support scam pages – like this example:

Fake tech support page (screenshot)

The WordFence analysis shows that the attempts to exploit this vulnerability in YRP share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.

The security researchers found that all three campaigns so far share these traits:

  • A malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53.
  • Exploitation of stored XSS vulnerabilities, followed by deployment of malicious redirects.

WordFence is confident that the tactics, techniques and procedures in all three attacks point to a common threat actor.

WordFence recommends that WordPress site owners running the Yuzo Related Posts plugin remove it from their sites immediately, at least until a fix has been published by the author.

rb-

What to do?

    • Keep your WordPress and plugins up to date.
    • Do you really need Yuzo Related Posts? Here is a list of alternatives from WordPress.
    • Make sure you have good backups of your WordPress site – and that you can restore them.
    • Get a firewall on your WordPress site.
    • Block the IP 176.123.9[.]53 from your site.
    • Harden your WordPress site.

Volunteers Take Down 124K Malware Sites

CircleID reports that abuse.ch, a non-profit cybersecurity organization based in Switzerland, kicked off a volunteer-based information sharing project called URLhaus in March 2018. URLhaus collects and shares URLs identified as distributing malware. Since its start, URLhaus has proven quite effective, taking down over 124,000 malware distribution sites.

Abuse.ch’s URLhaus project allows anyone to sign up with a Twitter account to report malicious URLs. The system downloads and analyzes the site’s payload and tries to identify it before submitting it to anti-virus vendors and blacklist providers such as Google Safe Browsing, Spamhaus DBL, and SURBL, according to the blog post.

CircleID reports that 265 security researchers located all over the world have identified and submitted, on average, 300 malware sites to URLhaus each day. The article says URLhaus succeeded beyond the infosec community: the project also managed to get the attention of many hosting providers, which is not an easy task, especially for large hosting providers that have tens of thousands of customers and hence a significant number of hijacked websites in their networks being abused by cybercriminals to distribute malware.

The chart below produced by abuse.ch shows the number of active malware distribution sites tracked since the launch of URLhaus.

abuse.ch reports that 2/3 of the top malware hosting networks are hosted in the US or China. The overall average malicious-site take-down time is 8 days, 10 hours, 24 minutes. The three top Chinese malware hosting networks have an average abuse desk reaction time of more than a month!

That’s more than enough time to infect thousands of devices every day.

Top malware hosting networks

The top malware hosting networks, hosting active malware content identified by abuse.ch as of January 2019.
Rank | ASN                                                  | Country | Average Reaction Time                   | Malware URLs
-----|------------------------------------------------------|---------|-----------------------------------------|-------------
1    | AS14061 DIGITALOCEAN-ASN - DigitalOcean, LLC         | US      | 6 days, 12 hours, 56 minutes            | 307
2    | AS4134 CHINANET-BACKBONE No.31,Jin-rong Street       | CN      | 1 month, 9 days, 19 hours, 22 minutes   | 256
3    | AS4837 CHINA169-BACKBONE CHINA UNICOM China169       | CN      | 1 month, 23 days, 8 hours, 41 minutes   | 163
4    | AS48815 CRITICALCASE                                 | IT      | 21 hours, 58 minutes                    | 151
5    | AS46606 UNIFIEDLAYER-AS-1 - Unified Layer            | US      | 2 days, 11 hours, 54 minutes            | 127
6    | AS53667 PONYNET - FranTech Solutions                 | US      | 13 days, 3 hours, 37 minutes            | 105
7    | AS16276 OVH                                          | FR      | 5 days, 22 hours, 6 minutes             | 104
8    | AS60144 THREE-W-INFRA-AS -- TRANSIT --               | NL      | 9 days, 10 hours, 37 minutes            | 83
9    | AS13335 CLOUDFLARENET - Cloudflare, Inc.             | US      | 13 days, 7 hours, 5 minutes             | 67
10   | AS37963 CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba     | CN      | 1 month, 2 days, 0 hours, 1 minute      | 66
11   | AS8342 RTCOMM-AS                                     | RU      | 10 days, 8 hours, 9 minutes             | 63
12   | AS36352 AS-COLOCROSSING - ColoCrossing               | US      | 16 days, 9 hours, 57 minutes            | 53
13   | AS3462 HINET Data Communication Business Group       | TW      | 17 days, 6 hours, 19 minutes            | 51
14   | AS23650 CHINANET-JS-AS-AP CHINANET jiangsu province  | CN      | 3 days, 11 hours, 50 minutes            | 51
15   | AS3462 HINET Data Communication Business             | TW      | 17 days, 6 hours, 19 minutes            | 51

rb-

abuse.ch offers the URLhaus black list for free to help protect your networks and users from malware. You can get more details from abuse.ch here.
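As an added example of putting that block list to work (written for this post, not abuse.ch code): the snippet below loads a URLhaus-style text list and screens candidate URLs against it before a site links to, fetches or embeds them. It assumes the list is plain text with “#” comment lines and one URL per line; the sample list embedded in the code is constructed for the example and contains no real indicators, and the function names (urlhaus_normalize, urlhaus_load, urlhaus_check) are made up.

```php
<?php
/**
 * Added example (not abuse.ch code): consuming a URLhaus-style block list.
 * Assumed format: '#' comment lines, otherwise one URL per line. The list below
 * is constructed for this example and contains no real indicators.
 */

const SAMPLE_BLOCKLIST = <<<'TXT'
# constructed sample block list (not a real URLhaus dump)
http://malware-host.example/payload.exe
http://dropper.example:8080/dl/loader.bin
https://Mixed-Case.example/Invoice.zip
not a url
TXT;

// Canonical form so that trivial variations (case, default port) still match.
function urlhaus_normalize( string $url ): ?string {
    $p = parse_url( trim( $url ) );
    if ( false === $p || empty( $p['scheme'] ) || empty( $p['host'] ) ) {
        return null;
    }
    $scheme = strtolower( $p['scheme'] );
    $host   = strtolower( $p['host'] );
    $port   = '';
    if ( isset( $p['port'] ) ) {
        $default = ( 'http' === $scheme && 80 === $p['port'] ) || ( 'https' === $scheme && 443 === $p['port'] );
        if ( ! $default ) {
            $port = ':' . $p['port'];
        }
    }
    $path  = ( isset( $p['path'] ) && '' !== $p['path'] ) ? $p['path'] : '/';
    $query = isset( $p['query'] ) ? '?' . $p['query'] : '';
    return $scheme . '://' . $host . $port . $path . $query;
}

// Build two lookup sets: exact URLs, and the hosts that served them.
function urlhaus_load( string $text ): array {
    $urls  = array();
    $hosts = array();
    foreach ( preg_split( '/\R/', $text ) as $line ) {
        $line = trim( $line );
        if ( '' === $line || '#' === $line[0] ) {
            continue; // blank line or comment
        }
        $n = urlhaus_normalize( $line );
        if ( null === $n ) {
            continue; // malformed entry: skip it rather than abort the whole load
        }
        $urls[ $n ] = true;
        $hosts[ parse_url( $n, PHP_URL_HOST ) ] = true;
    }
    return array( 'urls' => $urls, 'hosts' => $hosts );
}

// Verdict: 'blocked-url' (exact hit), 'blocked-host' (same host, another path),
// 'invalid' (unparseable) or 'allowed'. Host hits are reported separately so a
// policy can choose to warn rather than block on them.
function urlhaus_check( string $url, array $list ): string {
    $n = urlhaus_normalize( $url );
    if ( null === $n ) {
        return 'invalid';
    }
    if ( isset( $list['urls'][ $n ] ) ) {
        return 'blocked-url';
    }
    if ( isset( $list['hosts'][ parse_url( $n, PHP_URL_HOST ) ] ) ) {
        return 'blocked-host';
    }
    return 'allowed';
}

$list = urlhaus_load( SAMPLE_BLOCKLIST );
foreach ( array(
    'HTTP://MALWARE-HOST.example:80/payload.exe', // case and default port differ: still an exact hit
    'http://dropper.example:8080/other.php',      // same host, different path
    'https://mixed-case.example/Invoice.zip',
    'https://www.example.org/',
    '/relative/path',
) as $candidate ) {
    printf( "%-46s %s\n", $candidate, urlhaus_check( $candidate, $list ) );
}
```

The normalization step matters more than it looks: without it, an upper-case host or an explicit “:80” slips past an exact-string comparison. Matching on the host as well as the full URL reflects how these campaigns behave (the same host keeps serving new payload paths), which is why the host verdict is kept distinct so it can be tuned to a warning where exact hits are blocked outright.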
