Ransomware steals email addresses and passwords; spreads to contacts.
Recently a lot of users in Russian-speaking countries received emails similar to the message below. It says that changes were made to an “agreement” and that the victim needs to review them before signing the document.
The attachments have a .btc extension, but they are ordinary executable files:
- coherence.btc is GetMail v1.33
- spoolsv.btc is Blat v3.2.1
- lsass.btc is Email Extractor v1.21
- null.btc is the gpg executable
- day.btc is iconv.dll, a library necessary for running the gpg executable
- tobi.btc is Browser Password Dump v2.5
- sad.btc is sdelete from Sysinternals
- paybtc.bat is a long Windows batch file which starts the malicious process itself and its replication
After downloading all of these tools, it opens what is supposed to be the document to review and sign. However, the document contains only nonsense characters and an English message which says, “THIS DOCUMENT WAS CREATED IN NEWER VERSION OF MICROSOFT WORD”.
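The tools above were dropped with a .btc extension but are really Windows executables. As an added example (not from the original post), the following Python checks for exactly that mismatch: a file whose extension is not a normal PE extension but whose contents carry an MZ stub and a valid PE signature. The sample files and paths are constructed for the demonstration.

```python
import os
import struct

# Extensions under which a PE file is expected to appear; anything else with
# a PE header inside is treated as masquerading (assumption for this check).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def is_masquerading(path: str, data: bytes) -> bool:
    """A PE file hiding behind a non-executable extension such as .btc."""
    ext = os.path.splitext(path)[1].lower()
    return looks_like_pe(data) and ext not in PE_EXTENSIONS

def scan(files: dict) -> list:
    """files maps path -> bytes; returns the paths of masquerading PE files, sorted."""
    return sorted(p for p, d in files.items() if is_masquerading(p, d))

def _fake_pe() -> bytes:
    """Constructed minimal PE: MZ stub, e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample set: two renamed executables (names taken from the post),
# one harmless text file, and one executable with its proper extension.
SAMPLE_FILES = {
    r"C:\Users\victim\AppData\Local\Temp\coherence.btc": _fake_pe(),
    r"C:\Users\victim\AppData\Local\Temp\day.btc": _fake_pe(),
    r"C:\Users\victim\Documents\agreement.txt": b"Not a program.\n",
    r"C:\Windows\System32\spoolsv.exe": _fake_pe(),
}

if __name__ == "__main__":
    for p in scan(SAMPLE_FILES):
        print("PE masquerading as", os.path.splitext(p)[1], ":", p)
```

On a real host the same check can be run over a directory by reading each file's first few hundred bytes; a hit on a .btc or similar extension is a strong indicator of this kind of dropper.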
This question, from a small-site owner with tens or hundreds of visitors per day, is an unfortunate but all too familiar one.
One morning I started getting emails from my customers complaining that their antivirus reported my site as infected and won’t let them in. It must be some mistake because I don’t have an e-shop. There is just a contact form and information for customers. Is it possible that someone is attacking my business?
Why do hackers attack small webpages when there are larger targets?
Small websites are updated very infrequently, and the chance that somebody will find and remove malicious code on them is almost non-existent, which makes them attractive targets for hackers. Hackers look for unpatched pages built on open-source solutions because they can be attacked quickly and easily. These pages are later used to sort visitors into those with vulnerable applications on their computers and those who cannot be attacked, or simply to hide the attackers’ true identity. Attackers close “the door” behind them by patching the vulnerability that let them in, and at the same time create another backdoor only for themselves, so the page does not look suspicious when tested for vulnerabilities.
In general, there are three common types of hacking events a web administrator could encounter:
This type is recognizable at first glance because the site has been changed to display a message from the hackers showing off their skills and mocking the web administrator. This is usually a less harmful attack: although your page was deleted, you suffer no financial loss, because the motivation was to expose the lack of security on your pages and earn credit from other hackers. People who make these attacks usually follow the rule, Don’t learn to hack, hack to learn.
For example, there are PHP shells that let you select the method and reason for the defacement and post it online. The image below shows part of a PHP shell that sends such statistics.
According to statistics from Zone-H, 1.5 million sites were defaced during 2010, and the screenshot to the right shows the reasons for the attacks. A million and a half seems like a big number, but these are only the documented attacks; the actual number would be much higher.
During the last few years, defacement has been used to display political or ethical opinions by attacking sites with lots of daily visitors. This in turn attracts the media and gets as much attention as possible. Even antivirus companies are not spared, as you can read in a recent article about the hack against AVAST.
A YouTube video called Movies vs. Life compares scenes embellished with movie magic to their real-life equivalents. We like to think that an avast! Antivirus cameo during a computer hacking scene (pay attention around the 0:22 mark) is one of the reasons that this hilarious video has gone viral.
A round of applause from avast! to French comedy troupe Golden Moustache for producing this funny video.
Make sure you turn on captions for the English subtitles.
Recently we encountered a very suspicious piece of code on some Joomla-powered webpages. The code looks garbled and without any obvious meaning, and starts like this:
Last month we wrote about a flaw in Microsoft’s Internet Explorer that could allow cybercrooks to take control of a Windows-based computer if the user browses to a malicious website. The website making news for that attack was the US-based think tank, the Council on Foreign Relations (CFR). Avast Virus Lab has since discovered that two Chinese human rights sites, a Hong Kong newspaper site, a Russian science site, and weirdly, a Baptist website (see the recent tweet) are also infected with the Flash exploit of IE8.
You can imagine the interesting audience that frequents sites such as these. The CFR, for example, attracts high ranking government officials including former presidents and secretaries of state, ambassadors, journalists, and leaders of industry. These sites were chosen on purpose; instead of targeting the general masses, like in a phishing attack, the perpetrators of a so-called “watering hole attack” target specific topics like defense or energy and lie in wait for persons of interest to visit, similar to a predator at a watering hole waiting for its victims to come to it.
When it comes to hotel security, I usually check two things: 1. Does the door open to an inside hallway or directly to the outside?, and 2. Does the room have a safe to store my passport and other valuables? Now, it seems, I have a third thing to think about: The electronic key.
Those sturdy plastic keycards have always seemed secure, and up to now, my only concern has been losing it, and having to ask the clerk at the front desk for a replacement. But recently, burglaries in American hotel rooms were linked to an electronic ‘hack’ which can open 4-5 million electronic locks in 200 hotel chains worldwide.
Back in July, at the Black Hat security conference, a Mozilla software developer exposed flaws he discovered in hotel room locks from the lock manufacturer Onity. He demonstrated the ability to break into rooms with a simple, cheap device that could be hidden in an iPhone case. Read how he did it. Since the summer, others have perfected the technique, and now thefts have taken place and an arrest was even made in Texas.
Your data is more important than the device it’s on
With all the devices we carry with us these days – I have a smartphone, a laptop, and a tablet – securing these gadgets is important. The most important thing about these devices is the data on them, so before you leave on your travels, make sure you back up your files, photos, music, etc. avast! BackUp is an online backup and recovery service that allows you to select sets of data or individual files you want to back up. You can quickly and easily restore files with the avast! BackUp software on your computer, and you may also log in to your account online to restore files. Download a free trial here.
For your Android smartphones and tablets, make sure you install and set up avast! Free Mobile Security, our anti-theft and anti-malware app. It has special “stealth” and remote-access features, including lock, wipe and siren, as well as remote text commands, so you are protected against the loss or misuse of your phone. Get avast! Free Mobile Security for free from Google Play.
Other valuables, such as travel documents, can be placed in the hotel safe. But be aware that even those aren’t entirely secure. Reports have been made that some can be opened with a default code of all zeroes, 0000. Check it out next time. If you don’t trust the in-room safe or your items won’t fit, consider using the hotel front desk guest safes. If you don’t want to make use of a safe, make sure you bring luggage equipped with locks, so you can secure your valuables inside.
Do you have any other tips to keep your devices and yourself secure while staying in a hotel? Please share them.
It mostly happens in London, but I have seen it happen in Manila and Madrid too. My friends seem to travel a lot, and according to the tear-drenched emails, they have a tendency to get mugged. You might have seen it too – the “Stranded Traveler” message from a friend that goes something like this:
I’m writing this email with tears in my eyes. I came down to London for a program; unfortunately, I was mugged at the park of the hotel where I stayed. All cash, credit and cell were stolen off me, but luckily for me I still have my passport with me. I have no access to my account. I have been to the embassy and the police here but they are not helping the issue at all, and my flight leaves tomorrow night, but I am having problems settling the hotel bills and the hotel manager won’t let me leave until I settle the bills. I am freaked out at the moment. I need about 2,250 pounds or any amount you can lend me to sort out the bills; I will refund you as soon as I get back home.
I remember the first time I saw the message. It alarmed me with its urgency, and I felt compelled to help my friend get out of the mess. Questions about how to wire money to her darted through my mind. But then I remembered that I had just seen her post something on Facebook hours before, and she was most definitely not in London getting mugged.
Here’s what happened: Cybercrooks hacked into my friend’s Facebook and Yahoo accounts. They stole her identity, address books, changed her passwords, then sent out a message to all of her contacts using her email address.
This scam has happened so frequently, and there have been so many complaints, that the FBI issued a warning – over 2 years ago! Amazingly, the scam is still making its way through cyberspace (our CEO received one the other day), and the FBI says that they now have about 150,000 complaints on file. ABC’s Nightline actually answered one of the emails this summer and tracked what happened next. Read their account and watch the video here.
To avoid being a victim of this scam:
- Secure your passwords on all your email and social media accounts. If you have lots of user names and passwords to remember, you might like a password management system like avast! EasyPass.
- Avoid clicking attachments in unknown emails.
- If you get an email like this, call your friend to verify the authenticity of the message.
- Scam victims should file a complaint with the FBI at www.ic3.gov.
We have another entry on the growing list of hacks – Blizzard Entertainment, publisher of popular games such as World of Warcraft and the Diablo and Starcraft series, reported last week that a large amount of user account data for Battle.net gamers was compromised.
“This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened,” wrote Blizzard President Mike Morhaime. “We take the security of your personal information very seriously, and we are truly sorry that this has happened.”
Stolen data includes email addresses, answers to security questions, a database of “cryptographically scrambled” passwords, and data related to dial-in and smartphone app-based two-factor authentication. Battle.net users should change their account passwords immediately. You can do that here.
Jindrich Kubec, Avast Virus Lab senior analyst, gives some tips for securing your passwords:
1. Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
2. Avoid overly complex passwords as you don’t want to write them down
3. Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
4. Longer passwords are always better
5. Beware the phishers: always ensure you’re doing sensitive operations on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information. Instead, manually enter the site and make changes.
6. If you can’t be bothered with steps 1 – 5, try avast! EasyPass to generate strong, unique passwords for every site you visit. The best part is that you access your passwords using one Master Password, so you don’t have to remember lots of passwords.
Yesterday, LinkedIn started investigating a password leak, followed by online dating site eHarmony, and now online music streaming site LastFM has announced on their blog that they too are investigating the leak of user passwords. As a precautionary measure, they are advising all their users to change their passwords immediately. You can do that here.
Yesterday, a Russian hacker reportedly stole 6.5 million LinkedIn passwords and 1.5 million passwords from eHarmony. It is not yet known if the hacking incidents are related.
It’s worth repeating the password tips my colleague Jindrich Kubec wrote in an earlier blog post.
A simple 5 step procedure for creating new passwords:
1. Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
2. Avoid overly complex passwords as you don’t want to write them down
3. Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
4. Longer passwords are always better
5. Beware the phishers: always ensure you’re doing sensitive operations on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information. Instead, manually enter the site and make changes.
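The password tips above (listed in the Blizzard post and repeated here) can be turned into a simple check. This is an added example, not code from avast! or from the posts: it flags personal names and birth-date fragments (tip 1), reuse across sites in the user's own vault (tip 3), short passwords (tip 4), and, for tip 5, whether a URL is the legitimate site over HTTPS. The vault, the name, the birthday and the minimum length of 12 are all constructed assumptions.

```python
from datetime import date
from urllib.parse import urlsplit

MIN_LENGTH = 12  # assumption: the tips say "longer is better" without a number

def personal_terms_in(pw, personal):
    """Tip 1: names and other personal words that appear inside the password."""
    low = pw.lower()
    return [t for t in personal if len(t) >= 3 and t.lower() in low]

def date_fragments_in(pw, birthday):
    """Tip 1: common ways a birth date is written, e.g. 1980, 1705, 0517, 17051980."""
    forms = {birthday.strftime(f) for f in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%Y%m%d")}
    return sorted(f for f in forms if f in pw)

def reused_on(pw, site, vault):
    """Tip 3: other sites in the user's own vault that already use this exact password."""
    return sorted(s for s, p in vault.items() if s != site and p == pw)

def check_password(pw, site, vault, personal=(), birthday=None):
    """Return a list of tip violations; an empty list means the password passes."""
    problems = []
    hits = personal_terms_in(pw, personal)
    if hits:
        problems.append("contains personal term(s): " + ", ".join(hits))
    if birthday is not None:
        frags = date_fragments_in(pw, birthday)
        if frags:
            problems.append("contains birth date fragment(s): " + ", ".join(frags))
    reused = reused_on(pw, site, vault)
    if reused:
        problems.append("already used on: " + ", ".join(reused))
    if len(pw) < MIN_LENGTH:  # tip 4
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems

def safe_to_enter_credentials(url, site):
    """Tip 5: only type a password into the legitimate site, and only over HTTPS."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return u.scheme == "https" and (host == site or host.endswith("." + site))

# Constructed sample vault (illustrative, not real accounts).
VAULT = {"linkedin.com": "Summer2012!!", "eharmony.com": "Summer2012!!"}

if __name__ == "__main__":
    print(check_password("Summer2012!!", "battle.net", VAULT))
    print(check_password("alice1980xyz", "battle.net", VAULT,
                         personal=("Alice",), birthday=date(1980, 5, 17)))
    print(safe_to_enter_credentials("http://battle.net.example.org/login", "battle.net"))
```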
Turns out that Zappos, the popular online shoe and clothing retailer, was attacked by cybercriminals who gained access to parts of the internal network through one of the servers in Kentucky. One Sunday, Tony Hsieh, CEO of the Amazon-owned company, wrote on the company blog that 24+ million customers were affected, but critical credit card and other payment data was not affected or accessed. The hackers failed to get payment card numbers because that data is encrypted, as required by the Payment Card Industry Data Security Standard.
The company sent an email to every one of their customers explaining the situation including what information was stolen: Customer name, email address, billing and shipping addresses, phone number, the last four digits of customers’ credit card number, and/or cryptographically scrambled passwords.
Zappos took swift action by expiring and resetting passwords, and they set up a password change webpage for customers to create new ones. “We also recommend that you change your password on any other web site where you use the same or a similar password,” the email sent to affected customers states.
As a result of stolen credentials, phishing attacks that try to steal sensitive information like social security numbers or lead you to a website that attempts to install a virus, are more likely. “As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail,” the blog statement says. “Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.”
avast! EasyPass is a fast, easy way to manage all your passwords. avast! EasyPass generates strong, unique passwords for every site you visit – with just one click. The best part is that you access your passwords using one Master Password, so you don’t have to remember lots of passwords. Learn more about avast! EasyPass.