Wednesday, April 23, 2014


Scam Of The Week: Blended XP Phishing Security Threat

During the first quarter, I have been warning about the coming wave of Windows XP-related scams having to do with the April 8 End Of Life of XP. Here is what you can expect, and many variants will follow. It is important to warn your end-users about this, even if they -are- running more recent versions of Windows, because often they do not know what version they actually are running, and easily get scared into doing something that may damage your network.

So here is the scam: cybercriminals either send phishing emails or make cold calls and claim to represent Windows Helpdesk, Microsoft Tech Support, Windows Support Group, or some other Microsoft support team.

They claim that there are now no more official security patches for XP (true), refer to the Windows popups stating "Windows XP End of Support April 8th, 2014", point out that Microsoft still releases updates for Win7 and 8 (true), and say that hackers have analyzed these updates and found new security holes in Windows XP that cannot be fixed anymore (half-truth). Next, the bad guys claim that they -do- have an urgent update, but that they need to apply this patch manually (blatant lie). The end-user gets tricked into allowing the scammers remote access, using admin tools like and others.

Once that is the case, the bad guys own the workstation of the employee and can hack into your network, or they take over their home machine and try to charge them hundreds of dollars on their credit card. So, urgently remind your users (again) of the following:

"In the office or at the house, when anyone sends phishing emails or calls claiming to be from 'Support', and claims that they need to 'update' your computer for any reason and ask for remote access, hang up the phone immediately and report the email or the call to the correct team in your organization." (Note: often these callers have foreign accents.)

Redmond's Security Center states neither Microsoft nor its partners make unsolicited phone calls, but end-users often do not know this. For the rest of this year, we need to be on the look-out for XP-themed scams like this. Security Awareness Training is a -must- these days. Find out how affordable this is for your own organization here:

BONUS Scam Of The Week: Starbucks Gift From a Friend Phishing Emails

Love your tall latte? Better watch it, as a "friend" might send you an email with a fake Starbucks Coffee Gift offer. These emails read something like this in broken English: "Your friend just made an order at Starbucks Coffee Company a few hours ago. He pointed he is planning to make a special gift for you and he have a special occasion for that. We’ve arranged an awesome menu for that case that can really surprise you with our new flavors."

They then continue with describing the whole menu, and when you can come over and celebrate the day with your friend. The only thing you need to do is (of course) open the attachment.

Granted, Starbucks does have options for people to give gifts to friends, but this phishing attack has nothing to do with that. There are several red flags: the language is broken, the emails come from hacked accounts at Yahoo and Gmail, and they are sent with "high importance."

In the malicious attachment sits a variant of the banking Trojan ZeuS, directly attached without any attempt to hide it, which will install itself as a hard-to-remove rootkit. They probably hope you get so excited about the free offer that you will ignore all the warnings. Don't fall for it. Think Before You Click! For a screen shot of the email, check the KnowBe4 Blog:
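The red flags listed above (high-importance flag, free webmail sender, an attachment, gift-lure wording) can be turned into a simple mail-gateway triage rule. The script below is an added example, not KnowBe4's code; both messages it scores are constructed for the illustration, and the extra lure phrases beyond the quoted email text are assumed.

```python
"""Heuristic triage of the 'gift from a friend' lure described above.
Added example, not KnowBe4's code; the sample messages are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Tuple

# The campaign described above was sent from compromised Yahoo and Gmail accounts.
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com"}
# Phrases taken from the quoted lure, plus generic gift bait (assumed, not from the page).
LURE_PHRASES = ("starbucks", "special gift", "made an order", "gift offer")
# Score at or above this many red flags => hold the message for review (assumed threshold).
SUSPICIOUS_THRESHOLD = 3


def sender_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased; empty if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def has_attachment(msg: Message) -> bool:
    """True if any MIME part carries Content-Disposition: attachment."""
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw: str) -> Tuple[int, List[str]]:
    """Return (number of red flags, list of reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    reasons: List[str] = []
    # Red flag 1: sent with "high importance" (Importance: or X-Priority: header).
    if msg.get("Importance", "").lower() == "high" or msg.get("X-Priority", "").startswith("1"):
        reasons.append("high-importance flag")
    # Red flag 2: sender is a free webmail account.
    if sender_domain(msg) in FREEMAIL_DOMAINS:
        reasons.append("freemail sender")
    # Red flag 3: the lure asks you to open an attachment.
    if has_attachment(msg):
        reasons.append("attachment present")
    # Red flag 4: gift-lure wording in subject or body.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    if any(phrase in text for phrase in LURE_PHRASES):
        reasons.append("gift lure wording")
    return len(reasons), reasons


def verdict(raw: str) -> str:
    score, _ = triage(raw)
    return "hold-for-review" if score >= SUSPICIOUS_THRESHOLD else "deliver"


# Constructed sample modelled on the lure quoted above (not a real captured email).
SAMPLE_LURE = """\
From: "A Friend" <someone@yahoo.com>
To: victim@example.com
Subject: Starbucks Coffee Gift from your friend
Importance: high
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your friend just made an order at Starbucks Coffee Company a few hours ago.
He pointed he is planning to make a special gift for you.
--XYZ
Content-Type: application/octet-stream; name="Starbucks_Gift.zip"
Content-Disposition: attachment; filename="Starbucks_Gift.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: colleague@example.com
To: victim@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Coffee at 12:30?
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        score, reasons = triage(raw)
        print(f"{name}: score={score} verdict={verdict(raw)} reasons={reasons}")
```

The scoring is deliberately additive: a single flag (a colleague mailing from Gmail, say) should not block mail, while the lure above trips all four. Tune the threshold to your own traffic before putting a rule like this in line.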

Scam Of The Week: Heartbleed Phishing Attack

The Heartbleed vulnerability truly is causing almost everyone a major headache. Talk about a FIRE that needs to be put out. On a scale of 1 to 10, this is an 11.

And to throw some gasoline on this fire, there are hackers sending out phishing emails related to Heartbleed. One of these tries to trick users into handing over passwords that have not even been compromised yet!

A list of more than 10,000 domains that were vulnerable, patched or unaffected by the bug was found on Pastebin by Easy Solutions. The fraud prevention company believes hackers are most likely behind the list.

"A lot of time what these guys will do is dump a list of inventory on Pastebin, cut that link and then share the link with their friends on a (underground) forum," Daniel Ingevaldson, Chief Technology Officer for Easy Solutions, said. "So, it's essentially a billboard for a service."

There are now world-wide scans going on across the whole 'Net. Many of these are legit scans, but the bad guys are not sitting still and are also looking for potential victims. "We're seeing a systematic canvassing of the entire Internet right now to see what's vulnerable and what isn't," Ingevaldson said. "It's a bit of a gold rush."

Tell your users to watch out for any emails (or scam phone calls) that relate to the Heartbleed bug. Links in such emails should not be followed and attachments should not be opened. If they want to change a password, they should wait until that site has announced it is patched, and then go to the site directly rather than clicking on any link to get there.