malware

New Phishing Scam Using Microsoft Office 365

*** Attention Required ***

It seems that the bad guys are at it once again with an attempt to collect information by phishing credentials from those of us using Office 365 for corporate email. The defining characteristic of this particular attack is the attackers' intention to deceive Office 365 users into providing their login credentials.

The user sees a fake Office 365 login page, which requests their credentials. Once the Office 365 usernames and passwords have been compromised, the hackers can:

  • Send emails to other users in the victim’s address book: requests for information or money, fake invoices, more phishing emails, etc.
  • Access the user’s OneDrive account, to download files, install more malware, infect files with malware, etc.
  • Access the user’s SharePoint account, to download files, install more malware, etc.
  • Steal company intellectual property or customer information such as SSNs, credit card numbers, email addresses, etc.

One characteristic of this recent attack is an email containing an embedded image that resembles a Microsoft Word document; the image links back to a site hosting a fake Office 365 logon page. In addition, the URL of that site ends in php?userid= syntax.

I have provided the following YouTube video to illustrate the interaction with the fake Office 365 logon page.

Link: https://youtu.be/wHxkzxGF4JY

Advice:

It is part of your responsibility to be cautious when reading email, even from known senders, and to review each message to make sure it is legitimate.

If in doubt, do not open the email; reach out to the sender through another channel to confirm they sent it. If you determine an email to be suspicious, report it immediately.

Here are a few guidelines that can be followed. Please review:

Check the sender.

Sometimes, cybercriminals and hackers will fake (or “spoof”) the sender of an email. If the “from” address doesn’t match the alleged sender of the email, or if it doesn’t make sense in the context of the email, something may be suspicious.

Check for (in)sanity.

Many typical phishing emails are mass-produced by hackers using templates or generic messages. While sophisticated attacks may use more convincing fake emails, scammers looking to hit as many different inboxes as possible may send out large numbers of mismatched and badly written emails. If the email’s content is nonsensical or doesn’t match the subject, something may be suspicious.

Check the salutation.

Many business and commercial emails from legitimate organizations will be addressed to you by name. If an email claims to come from an organization you know but has a generic salutation, something may be suspicious.

Check the links.

A large number of phishing emails try to get victims to click on links to malicious websites in order to steal data or download malware. Always verify that link addresses are spelled correctly, and hover your mouse over a link to check its true destination. Beware of shortened links like http://bit.ly, http://goo.gl, and http://tinyurl.com. If an email links to a suspicious website, something may be suspicious.

Don’t let them scare you.

Cyber criminals may use threats or a false sense of urgency to trick you into acting without thinking. If an email threatens you with consequences for not doing something immediately, something may be suspicious.

Don’t open suspicious attachments.

Some phishing emails try to get you to open an attached file. These attachments often contain malware that will infect your device; if you open them, you could be giving hackers access to your data or control of your device. If you get an unexpected or suspicious attachment in an email, something may be suspicious.

Don’t believe names and logos alone.

With the rise in spear phishing, cybercriminals may include real names, logos, and other information in their emails to more convincingly impersonate an individual or group that you trust. Just because an email contains a name or logo you recognize doesn’t mean that it’s trustworthy. If an email misuses logos or names, or contains made-up names, something may be suspicious.

If you still aren’t sure, verify!

If you think a message could be legitimate, but you aren’t sure, try verifying it. Contact the alleged sender separately (e.g., by phone) to ask about the message. If you received an email instructing you to check your account settings or perform some similar action, go to your account page separately to check for notices or settings.
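The checks above can be scripted for a suspicious message saved as an .eml file. The following Python script is an added example, not code from the original post: it compares the From: domain with the Return-Path domain (Check the sender), and for each link in the HTML body it flags an image lure, a URL shortener, anchor text that names a different host than the real destination (the hover-to-check test), and the php?userid= landing-page pattern described in the Office 365 post above. The message embedded in the script is constructed for the example; its domains and the bit.ly path are placeholders, not real campaign infrastructure.

```python
"""Triage one suspicious .eml for the indicators described in the post.
Added example; the sample message below is constructed and its domains are placeholders."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}   # the shorteners the post names


class LinkCollector(HTMLParser):
    """Collect (href, visible text, wraps_an_image) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href, self._text, self._img = None, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text, self._img = a["href"], [], False
        elif tag == "img" and self._href is not None:
            self._img = True                       # an image lure: <a><img></a>

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._img))
            self._href = None


def _domain(addr: str) -> str:
    """Domain part of a header address such as '"Name" <user@host>'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def triage(raw: bytes) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Check the sender: the visible From: against the envelope sender (Return-Path).
    hdr_from, ret_path = str(msg.get("From", "")), str(msg.get("Return-Path", ""))
    if ret_path and _domain(hdr_from) != _domain(ret_path):
        findings.append(f"From domain {_domain(hdr_from)} differs from Return-Path domain {_domain(ret_path)}")
    # Check the links: only the HTML body carries clickable links.
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text, wraps_img in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if wraps_img:
            findings.append(f"image lure links to {href}")
        if host in SHORTENERS:
            findings.append(f"shortened link {href}")
        if text.lower().startswith("http") and (urlparse(text).hostname or "").lower() != host:
            findings.append(f"link text says {text} but destination is {href}")
        if re.search(r"\.php\?userid=", href, re.I):
            findings.append(f"php?userid= landing page: {href}")
    return findings


# Constructed sample message with the lure pattern from the post (placeholder domains).
SAMPLE_EML = b"""From: "Office 365 Team" <noreply@contoso.example>
Return-Path: <bounce@mailer.example>
To: user@contoso.example
Subject: You have a new document
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A Word document has been shared with you.</p>
<a href="http://login-o365.example/auth.php?userid="><img src="cid:doc.png" alt="Document"></a>
<p>Or open it at <a href="http://bit.ly/placeholder">https://login.microsoftonline.com</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Run it on a real message with triage(open(path, "rb").read()). Any one of these checks can fire for innocent reasons (mailing lists rewrite Return-Path, marketing mail uses shorteners), so treat a hit as a prompt to verify out of band, as the last guideline says, rather than as a verdict.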

Disabling SMB1.0/CIFS File Sharing Support

There is a lot of buzz these days about new ransomware hijacking systems worldwide. The malware has been dubbed NotPetya because it masquerades as the Petya ransomware. One of the ways to help stop its spread is to patch your computer against the SMB vulnerability it exploits; another is to disable SMBv1, which removes the protocol the SMB exploit targets even on machines that have not yet been patched.

Here are steps which can be used to disable (remove) SMBv1 support.

For client operating systems:

  1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  3. Restart the computer.

For server operating systems:

  1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  2. In the Remove Roles and Features Wizard, on the Features page, clear the SMB1.0/CIFS File Sharing Support check box, then complete the wizard to remove the feature.
  3. Restart the server.

Ref: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
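After the restart, it is worth confirming from another machine that SMBv1 really is gone rather than trusting the checkbox. The following Python script is an added example, not part of the original post or of Microsoft's guidance: it opens TCP 445 and sends an SMB1 SMB_COM_NEGOTIATE that offers only the SMB1 dialect "NT LM 0.12". A server that still speaks SMBv1 answers with an SMB1 negotiate response (header 0xFF 'SMB'); one with SMBv1 removed refuses the dialect, closes the connection or does not answer at all. The host name in the script is a placeholder, and this is an active probe, so run it only against machines you are authorised to test.

```python
"""Probe a host for SMBv1 support by offering it nothing but an SMB1 dialect.
Added example; the target host is a placeholder to replace with your own."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate() -> bytes:
    """SMB1 negotiate request: NetBIOS session header + 32-byte SMB1 header + dialect list."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, SMB_COM_NEGOTIATE,
        0,                    # NT status
        0x18,                 # Flags: canonicalised, case-insensitive paths
        0x4801,               # Flags2: long names, extended security, NT status codes
        0,                    # PIDHigh
        b"\0" * 8,            # SecurityFeatures
        0, 0, 0xFEFF, 0, 0,   # Reserved, TID, PIDLow, UID, MID
    )
    dialects = b"\x02NT LM 0.12\x00"            # one SMB1 dialect only, so SMB2 cannot be negotiated
    body = struct.pack("<BH", 0, len(dialects)) + dialects   # WordCount = 0, ByteCount, dialects
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb      # NetBIOS session message wrapper


def classify_response(data: bytes) -> str:
    """Classify the reply: 'smb1' (SMBv1 still on), 'smb1-refused', 'smb2', or 'none'."""
    if len(data) < 4 + 32:
        return "none"
    smb = data[4:]                               # strip the 4-byte NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2"                            # server answered in SMB2; SMB1 not in use
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "none"
    word_count = smb[32]                         # first byte after the header
    if word_count < 1 or len(smb) < 35:
        return "smb1-refused"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "smb1-refused" if dialect_index == 0xFFFF else "smb1"   # 0xFFFF = no dialect accepted


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the probe, and classify what comes back; any socket error counts as 'none'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return classify_response(s.recv(4096))
    except OSError:
        return "none"


if __name__ == "__main__":
    target = "fileserver.corp.example"           # placeholder host name
    print(target, "->", probe_smb1(target))
```

A result of "smb1" means the feature is still enabled and the reboot or removal did not take; "none" means either SMBv1 is off or port 445 is filtered, so back it up with a local check (on the server, Get-SmbServerConfiguration shows EnableSMB1Protocol) before closing the ticket.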

HP Launches Web Series about Security Starring Christian Slater

An excellent video and a strong start to a security web series starring actor Christian Slater. It is intended to raise security awareness of the risks that businesses and consumers face daily: “The Wolf, highlighting how corporate networks can be hacked and what companies must do to protect themselves.”

If you’re not taking your printer security seriously, someone else might be. From director Lance Acord comes The Wolf starring Christian Slater.
To learn more about how to protect your business visit http://www.hp.com/go/ReinventSecurity

Over 1 Million Google Accounts Hacked by ‘Gooligan’

As you may know by now from the latest buzz, over 1 million Google accounts have been hacked by ‘Gooligan’. Gooligan itself isn’t new; it is a variant of Ghost Push, a family of Android malware.

Researchers from security firm Check Point Software Technologies have found this malware in apps available in third-party marketplaces.

Once installed, it roots the phone to gain system-level access. The rooted device then downloads and installs software that steals the authentication tokens that allow the phone to access the owner’s Google accounts without entering a password. The tokens work for a variety of Google properties, including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.

From a recent blog post by the folks over at Check Point (http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/):

“The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.

Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.

After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:

  • Steal a user’s Google email account and authentication token information
  • Install apps from Google Play and rate them to raise their reputation
  • Install adware to generate revenue

Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.”

Android users who have downloaded apps from third-party markets can visit the Check Point blog post for a list of the apps known to contain Gooligan.

Check Point has also released what it calls the Gooligan Checker, a web page that can be used to check whether you have been compromised by this latest threat.

SOTD: Internal ONLY

This is a forged email that appears to originate from Administrator@<yourdomain><tld>

– body –

**********Important – Internal ONLY**********

File Validity: 16/03/2015
Company : http://<domain>.com
File Format: Adobe Reader
Legal Copyright: Adobe Corporation.
Original Filename: Internal.pdf

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from your system and destroy all copies of it.

– end message –

Attached file info:

SHA256: de72bdf40d62fc9d9be022d0990bcd73bd2845bacb7d012254c4009c9849b541
File name: SecureMessage.zip

Profiled via virustotal:
https://www.virustotal.com/en/file/de72bdf40d62fc9d9be022d0990bcd73bd2845bacb7d012254c4009c9849b541/analysis/1426513930/

Please note:  The company associated with the domain used for this email may not have any knowledge of this email being sent, as it is clearly forged.

The best suggestion is to delete this email if your spam / malware / antivirus solution has not already done so.

SOTD: Quote

-email body-

Dear,

Per your request, here is the quote from PermaTherm (please see attached). After your review of the quote please give me a call to discuss if you have any questions.

Please let me know if your project requires engineering services or shop drawings. These services are not provided by Permatherm but we will be happy to provide a referral.

Thanks again for the opportunity to serve you,

Brigette Adams
Inside Sales

PermaTherm Inc.
The Green Choice
269 Industrial Park Rd.
Monticello, GA 31064
706-468-7500 (Main)
706-819-5072 (Direct)
877-468-7500 (Toll Free)
706-819-3012 (Cell)
brigette@permatherm.net
www.permatherm.net

-end email-

Attached file info:

SHA256: 1b8a0ee0ad1e9349ea8c6a20929759a1f22395a4d71f3e2c158f28edd99e0b28
File name: document.zip

Profiled via virustotal

https://www.virustotal.com/en/file/1b8a0ee0ad1e9349ea8c6a20929759a1f22395a4d71f3e2c158f28edd99e0b28/analysis/1426168464/

Please note:  The company associated with the domain used for this email may not have any knowledge of this email being sent, as it is clearly forged.

The best suggestion is to delete this email if your spam / malware / antivirus solution has not already done so.

SOTD: Please

-email body-

Good Afternoon,

Please find attached notice regarding carriers pre-filing for an additional General Rate Increase for effective date of April 9, 2015.  Please note, we are advising you of this filing in order to comply with FMC regulations.  However, we feel it is unlikely that the carriers will be successful in implementing this increase, especially since the March 9th GRI has already been postponed to March 17th.  We will continue to keep you updated as we receive additional information pertaining to these filed rate increases.

Phoenix Zhang-Shin

Director

P & J International Ltd

Calverley House, 55 Calverley Road

Tunbridge Wells, Kent, UK TN1 2TU

Tel: 0044 1892 525588

Fax: 0044 1892 522277

Mob: 0044 7771802252

This email and any attachments are confidential and solely for the use of the intended recipient. They may contain material protected by legal, professional or other privilege. All correspondence with and communication with us is governed by and subject to our Standard Terms and Conditions of Sale (March 2010) (Our STCs), a copy of which has been provided to you and which is available on request or on our web-site

– end email – 

Attached file:

SHA256: e2b2d125ccc83ce749c6e5bcba2e64c764f764afe35d13616c4d348a45c8bf3b
File name: documents-id323.zip

Analysis reference: https://www.virustotal.com/en/file/e2b2d125ccc83ce749c6e5bcba2e64c764f764afe35d13616c4d348a45c8bf3b/analysis/1426087752/

SOTD: Statement from MARKETING & TECHNOLOGY GROUP, INC.

Another case of Monday morning spam/malware

– message body –

Dear Customer :

Your statement is attached. Please remit payment at your
earliest convenience.

Thank you for your business – we appreciate it very
much.

Sincerely,

MARKETING & TECHNOLOGY GROUP, INC.

– end of message –

 – message also has a file attachment –

docs2015.zip

– inside of the zip file is an executable –

docs2015.exe

Virus Found: Win32/Kryptik.DBCZ trojan

– end –

Please note:  The company associated with the domain used for this email may not have any knowledge of this email being sent, as it is clearly forged.

The best suggestion is to delete this email if your spam / malware / antivirus solution has not already done so.

SOTD: JP Morgan Access Secure Message

This one comes in via email with the attachment: JP Morgan Access – Secure.zip

SHA256: 45dd07fc7308fc60110b3bad211c0e4c2b7e9797f1a3a857aef357277f487777

Flagged by the following: https://www.virustotal.com/en/file/45dd07fc7308fc60110b3bad211c0e4c2b7e9797f1a3a857aef357277f487777/analysis/1425311041/

Email Body:

Please check attached file(s) for your latest account documents regarding your online account.

Leon Hartman
Level III Account Management Officer
817-666-9746 office
817-802-6412 cell
Leon.Hartman@jpmorgan.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

2015 JPMorgan Chase & Co.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.
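Every SOTD post above ends the same way: a zip attachment, its SHA256, and a VirusTotal link. As an added example (not code from the original posts), here is the triage a practitioner runs on such an attachment before anyone opens it: compute its SHA256 and compare it with the hashes listed in the posts above, and, if it is a zip, look inside for a member with an executable extension, the docs2015.zip -> docs2015.exe pattern from the MARKETING & TECHNOLOGY GROUP post. The sample zip is built in memory and stands in for the real attachment; it holds only a two-byte MZ stub, not a program.

```python
"""Hash-and-inspect triage for a mail attachment held in memory.
Added example; the zip built by build_sample_zip() is constructed, not the real attachment."""
import hashlib
import io
import zipfile

# SHA256 values exactly as listed in the SOTD posts on this page.
KNOWN_BAD_SHA256 = {
    "de72bdf40d62fc9d9be022d0990bcd73bd2845bacb7d012254c4009c9849b541",  # SecureMessage.zip
    "1b8a0ee0ad1e9349ea8c6a20929759a1f22395a4d71f3e2c158f28edd99e0b28",  # document.zip
    "e2b2d125ccc83ce749c6e5bcba2e64c764f764afe35d13616c4d348a45c8bf3b",  # documents-id323.zip
    "45dd07fc7308fc60110b3bad211c0e4c2b7e9797f1a3a857aef357277f487777",  # JP Morgan Access - Secure.zip
}

# Extensions Windows runs directly, whatever the rest of the file name looks like.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
            ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def zip_members(data: bytes) -> list:
    """(name, uncompressed size) of every member of a zip held in memory; [] if not a zip."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def triage_attachment(name: str, data: bytes) -> dict:
    """Hash the attachment, match it against the known-bad list, and look inside any zip."""
    digest = sha256_hex(data)
    members = zip_members(data)
    executables = [m for m, _ in members if m.lower().endswith(EXEC_EXT)]
    known_bad = digest in KNOWN_BAD_SHA256
    return {
        "name": name,
        "sha256": digest,
        "known_bad": known_bad,
        "members": members,
        "executables_inside": executables,
        # A hash match or an executable inside an archive is enough to block outright.
        "verdict": "block" if (known_bad or executables) else "review",
    }


def build_sample_zip() -> bytes:
    """Constructed stand-in for docs2015.zip: one member, docs2015.exe, holding an MZ stub only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs2015.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_attachment("docs2015.zip", build_sample_zip())
    for key, value in result.items():
        print(f"{key}: {value}")
```

A SHA256 match only catches the exact file that was already reported; the next run of the same campaign is repacked and has a new hash, which is why the structural check (an executable hiding inside an archive named like a document) does most of the work here. To triage a real attachment, pass its name and bytes to triage_attachment() instead of the constructed zip.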

SOTD: My posts of spam emails

We all dislike it, and there seems to be no end to it. So why not blog about it?

SPAM!  The unsolicited email message that you never wanted and didn’t ask for, yet receive daily.

I will be posting the email subject and body along with any attachments found (the attachments themselves will not be in my posts, only their names and the malware identified in them).