Posts

Managed Security Services

Ransomware Variants an MSP Should Watch Out For

We can all agree that ransomware is one of the biggest and most destructive threats managed service providers and their clients have faced in recent years. Currently, there are well over 120 separate ransomware families, and there’s been a 3,500% increase in cyber criminal internet infrastructure for launching attacks since the beginning of 2016. And nearly 90% of MSP report their clients have been hit by ransomware in the last year. But, in spite of these numbers, nearly 70% of MSP still aren’t completely confident their clients’ endpoints are secure against these insidious attacks.

Know Your Enemy

In addition to maintaining up-to-date endpoint security that uses real-time analysis to detect zero-day attacks, it’s important to know your enemy. Cybersecurity provider Webroot recently put together a list of the top 10 nastiest ransomware variants of 2017. You’ve probably heard of the big, newsworthy names that made the list, like WannaCry, NotPetya, and Locky, but here’s a few more MSPs should watch out for.

  1. CrySis
    CrySis attacks by compromising Remote Desktop Protocol (RDP). RDP is a common method for deploying ransomware because criminals can get into admin accounts that have access to an entire organization. First detected in February 2016, CrySis took some time to spread, and really came into its own in 2017.
  2. Nemucod
    This ransomware variant arrives via phishing emails disguised as a shipping invoice. Nemucod downloads malware and encryption components stored from hacked websites, and would have most likely been the worst of the phishing email attacks for the year, had Locky not resurfaced in August.
  3. Jaff
    Like Nemucod and Locky, Jaff uses phishing emails to spread. It also uses similar techniques to other successful ransomware attacks, including Dridex.
  4. Spora
    This ransomware is distributed by legitimate websites that have been compromised with malicious JavaScript code. The sites display a pop-up prompt to visitors, instructing them to update their Chrome browsers to continue viewing the page. But when the unsuspecting user downloads the “Chrome Font Pack”, they get the infection instead.
  5. Cerber
    Cerber also uses phishing and RDP, but unlike some of its colleagues, it distributes ransomware-as-a-service (RaaS). This “service” allows aspiring cybercriminals to use pre-packaged ransomware tools as they choose, while the Cerber author gets a 30% cut of any profits made.
Keeping Your Clients Safe

There are a number of steps an MSP can take to keep clients safe.

  • First, educate your clients. Be sure to teach them how to spot suspicious emails and how to check legitimacy any time an email seems a little off. We also recommend implementing an end user cybersecurity training program.
  • Second, keep applications and plugins up to date, and make sure your clients are using reliable cloud-based antimalware, web filtering, and firewalls.
  • Third, use your operating system to your advantage. Set up Windows® OS policy restrictions, disable auto-run, disable VBS, and filter executables from emails.
  • Fourth, ensure your clients run regular backups, set up offline air gap backups with multiple copies of each file, and maintain up-to-date business continuity measures.

This article was provided by our service partners Webroot & Connectwise.

Internet Security : New Cryptojacking Tactic may be Stealing Your CPU Power

What if cybercriminals could generate money from victims without ever delivering malware to their systems? That’s exactly what a new phenomenon called “cryptojacking” entails, and it’s been gaining momentum since CoinHive first debuted the mining JavaScript a few months ago. The environmental and social impact of this online was significant, the statistic speak for themselves, almost everyone was affected in some way or another.

The intended purpose: whenever a user visits a site that is running this script, the user’s CPU will mine the cryptocurrency Monero for the site owner. Find out the DC Forecasts for the next couple weeks. This isn’t money out of thin air, though. Users are still on the hook for CPU usage, the cost of which shows up in their electric bill. While it might not be a noticeable amount on your bill (consumer CPU mining is very inefficient), the cryptocurrency adds up fast for site owners who have a lot of visitors. CoinHive’s website claims this is an ad-free way for website owners to generate enough income to pay for the servers. All altruistic excuses aside, it’s clear threat actors are abusing the tactic at the victims’ expense.

cryptojacking

In the image above, we can see that visiting this Portuguese clothing website causes my CPU to spike up to 100%, and the browser process will use as much CPU power as it can. If you’re on a brand new computer and not doing anything beyond browsing the web, a spike like this might not even be noticeable. But if you’re using a slower computer, just navigating the site will become very sluggish.

If you see the news, youll know that cybercriminals using vulnerable websites to host malware isn’t new, but injecting sites with JavaScript to mine Monero is. In case you’re wondering why this script uses Monero instead of Bitcoin, it’s because Monero has the best hash rate on consumer CPUs and has a private blockchain ledger that prevents you from tracking transactions. It’s completely anonymous. Criminals will likely trade their Monero for Bitcoin regularly to make the most of this scam.

CoinHive’s JavaScript can be seen in this website’s HTML:

Cryptojacking Javascript

CoinHive maintains that there is no need block their scripts because of “mandatory” opt-ins:

“This miner will only ever run after an explicit opt-in from the user. The miner never starts without this opt-in. We implemented a secure token to enforce this opt-in on our servers. It is not circumventable by any means and we pledge that it will stay this way. The opt-in token is only valid for the current browser session (at max 24 hours) and the current domain. The user will need to opt-in again in the next session or on a different domain. The opt-in notice is hosted on our servers and cannot be changed by website owners. There is no sneaky way to force users into accepting this opt-in.”

For reference, here’s what an opt-in looks like (assuming you ever do see one):

Cryptojacking-Opt-In-Example

 

Why Webroot blocks cryptojacking sites

Unfortunately, criminals seem to have found methods to suppress or circumvent the opt-in—the compromised sites we’ve evaluated have never prompted us to accept these terms. Since CoinHive receives a 30% cut of all mining profits, they may not be too concerned with how their scripts are being used (or abused). This is very similar to the pay-per-install wrappers we saw a few years ago that were allegedly intended for legitimate use with user consent, but were easily abused by cybercriminals. Meanwhile, the authors who originated the wrapper code made money according to the number of installs, so the nature of usage—benign or malicious—wasn’t too important to them.

To protect our users from being exploited without their consent, we at Webroot have chosen to block websites that run these scripts. Webroot will also block pages that use scripts from any CoinHive copycats, such as the nearly identical Crypto-Loot service.

According to https://www.foam.space/, there are a few other ways to block these sites. You can use browser extensions like Adblock Plus and add your own filters (see the complete walkthrough here.) If you’re looking for more advanced control, extensions like uMatrix will allow you to pick and choose which scripts, iframes, and ads you want to block.

This article was provided by our service partner Webroot.com 

 

vpn

Security : Why You Should Use a VPN on Public WiFi

Working remotely? It only takes a moment on a free WiFi connection for a hacker to access your personal accounts. While complimentary WiFi is convenient, protecting your connection with a VPN is the best way stay safe on public networks, keeping your data and browsing history secure.  

What is a VPN?

VPN stands for “virtual private network” and is a technology that can be used to add privacy and security while online. It’s specifically recommended when using public WiFi which is often less secure and is often no password protected.  

VPN’s act as a bulletproof vest for your internet connection. In addition to encrypting the data exchanged through that connection, they help safeguard your data and can enable private and anonymous web browsing. However, even if you’re using a VPN, you must still be careful about clicking on suspicious links and downloading files that may infect your computer with a virus. Protecting yourself with antivirus software is still necessary.

When and why should you use a VPN?

When checking into your hotel, connecting to the WiFi is often one of the first things you do once settling in. While it may sound like a tempting offer, logging in to an unsecured connection without a VPN is a very bad idea. In July, ZDNet reported the return of hacker group DarkHotel which aims to target hotel guest’s computers after they have logged on to the building’s WiFi. Once compromising a guest’s WiFi, the hacker group can then leverage a series of phishing and social engineering techniques to infect targeted computers. 

Traveling and lodging is just one example of when you can use a VPN to help stay secure and avoid potential attacks, however anyone can benefit from using a VPN.  

From checking Facebook on an airport hotspot, accessing your company files while working remotely or using an open network at your local coffee shop, regardless of the scenario, using a public WiFi can potentially put the data you’re sending over the internet at risk.

This article was provided by our service partner Webroot

Internet Security

Internet Security – Two-Factor Authentication: Why & How You Should Use it

Conventional wisdom about passwords is shifting, as they are increasingly seen as a less-than-ideal internet security measure for securing digital accounts. Even the recommended rules for creating strong passwords were recently thrown out the window. Average users are just too unreliable to regularly create secure passwords that are different across all accounts, so using technology to augment this traditional internet security is imperative.

From online banking to email to cloud-based file storage, much of our high-value information is in danger if a hacker gains access to our most frequently visited sites and accounts. That’s where two-factor authentication comes in.

Two-factor authentication (2FA) adds an extra layer of security to your basic login procedure. When logging into an account, the password is a single factor of authentication, and requiring a second factor to prove you are who you say you are is an added layer of security. Each layer of security that you add, exponentially increases protection from unauthorized access.

Three categories of two-factor authentication:
  1. Something you know, such as a password.
  2. Something you have, such as an ID card, or a mobile phone.
  3. Something you are, a biometric factor such as a fingerprint.

The two factors required should come from two different categories. Often, the second factor after entering a password is a requirement to enter an auto-generated PIN code that has been texted to your mobile phone. This combines two different types of knowledge: something you know (your password) and something you have (your mobile phone to receive a code in SMS text or code from a 2FA app).

Protect accounts with an extra layer of security

Popular social media sites, including Twitter, Facebook, Instagram and Pinterest, have added 2FA to help protect users. In addition, you may have noticed that services from companies such as Apple, Google and Amazon will notify you via email each time you log in from a different device or location.

While 2FA from an SMS text message is popular and much more secure than a password alone, it is one of the weaker types of 2FA. This is because it’s relatively easy for an attacker to gain access to your SMS texts. When you log in to your account and it prompts for a SMS code, the website then sends the code to a service provider and then that goes to your phone.

This is not as secure as everyone thinks, because the phone number is the weakest link in the process. If a criminal wanted to steal your phone number and transfer it to a different SIM card, they would only need to provide an address, the last four digits of your social security number, and maybe a credit card number.

This is exactly the type of data that is leaked in large database breaches, a tactic to which most Americans have fallen victim at some point or another. Once the attacker has changed your phone number to their SIM card, they essentially have your number and receive all your texts, thus compromising the SMS 2FA.

Many people are guilty of using weak passwords or the same login information across several accounts, and if this sounds like you, we recommend that you use authenticator apps such as Google Authenticator and Authy. These apps are widely supported and easy to setup.

Simply go to the “account settings” section on the site you want to enable. There should be an option for 2FA if it is supported. Use the app on your phone to scan the QR code and, just like that, it’s configured to give you easy six-digit encrypted passwords that expire every 30 seconds.

What happens when you’re not using sites that have 2FA enabled? Quite simply, security is not as tight and there’s a higher risk of a hacker gaining access to your accounts. Depending on what is stored, your credit card information, home address, or other sensitive data could be stolen and used to commit fraud or sold on the DarkWeb.

And until passwords are put to death completely, be sure to heed a few safety tips from Gary Hayslip, Webroot CISO, in addition to using two-factor authentication:

“Change passwords periodically, do not recycle passwords, don’t use the same password for your social media account and your bank account, and finally store your passwords in a safe place. Consider using some type of password vault program, avoid keeping passwords on a Post-it note under your keyboard, on your monitor or in a drawer near your computer.” – Webroot CISO Gary Hayslip

—————————————————————————
This article was provided by our service partner : webroot.com
Internet Security

Internet Security : 10 Fundamentals to Fight Breach Fatigue

You don’t have to spend a lot of years in internet security to experience a phenomenon that’s been dubbed breach fatigue: the tendency to get tired of hearing about data security breaches. Breach fatigue can affect people differently based on their professional roles. For IT managers at smaller companies, breach fatigue can lead to a “why bother?” attitude. After all, if a major bank that spends hundreds of millions of dollars a year on internet security can still get hacked, is there any hope for small to midsize businesses?

Unfortunately for MSPs, attitudes like that can undermine your efforts to sell security products and services, so it is important to be ready with a response to this rebuttal. For example, I would say: “Your chances of surviving a cyberattack are actually quite high IF you’ve taken care of the fundamentals.” Before I describe those fundamentals, let me explain why I am confident in that statement.

First, I should note that each time a new data breach makes headlines, it adds to the workload for security researchers. Why? Because we want to find out how that breach happened so we can tell people how to avoid succumbing to the same type of attack. Unfortunately, it can take days or weeks, sometimes even years before we get the full story (which often differs from the first reports of the event).

Remember when JPMorgan Chase suffered what prosecutors later described as “the largest theft of customer data from a US financial institution in history”? When the news of that breach first got out, there was talk of a sophisticated nation state attack, even Russian involvement. We later learned that, although the bank had very sensibly installed two-factor authentication on its servers, it had missed one. That one server was how the hackers, con artists not a nation state, got in.

More recently we learned that an even more shocking breach – Equifax – was due to a failure to patch a well-publicized vulnerability (the congressional testimony of the Equifax CEO, who stepped down in the wake of the breach, suggested that the responsibility for patching rested with one person, who apparently slipped up). Back when Target was breached, internet security alarm bells were ignored and people failed to notice plaintext files full of credit card data being shipped to unapproved FTP servers in Russia.

The overarching theme here is that taking proper care of the fundamentals I’m about to discuss would have stopped many big-name breaches from happening. The good news for smaller companies is that they are likely to have fewer servers to watch over, fewer rogue projects flying under the radar, and simpler data flows to monitor.

So here is my pick of 10 fundamentals which, when properly managed, will go a long way in thwarting the bad guys:

  • 1. Timely patching of vulnerabilities
  • 2. Endpoint protection on all endpoints, including servers, at all times
  • 3. Encryption of data at rest
  • 4. Multi-factor authentication on all remote access, RDP, etc.
  • 5. Network segmentation
  • 6. Network monitoring / data loss prevention
  • 7. Removable media controls
  • 8. Backup and recovery plan
  • 9. Incident response plan
  • 10. Employee security awareness

To do all this, you must have a secure and dedicated internet provider for your business like EATEL Business Managed Wi-Fi. Yes, that’s a lot of work, but if you get it done, your odds of both avoiding and surviving breaches will improve greatly.

This article was provided by our service partner: ESET.

Cisco Umbrella

Cisco Umbrella Has Something New for MSPs

The threat landscape continues to get more sophisticated and complex. In a continued partnership to help MSPs protect their clients, Cisco is excited to announce a new Advanced Cisco Umbrella package specifically designed to help MSPs deliver even deeper protection.

As part of the Cisco Umbrella rollout for MSPs Advanced, centrexIT has become an early adopter. centrexIT, an award-winning Managed Services Provider in Southern California, stands out in the IT industry with a unique take on information technology and business alignment. Although their clients engage with them to support their business technology, network health, cybersecurity, and more, centrexIT’s most important metric isn’t how well the technology is working. It’s how to make their client’s lives easier, more productive, and ultimately make them more profitable. A large part of that goal in 2018, and beyond, is practicing good cybersecurity management.

“We value people over technology,” says Eric Rockwell, CEO of centrexIT. “And that commitment to our Culture of Care in turn leads us to focus on providing excellence in service while using technology that meets the highest of standards.”

That standard is even higher when it comes to security — especially in the face of the many high-profile breaches in security that have taken place throughout the tech industry over the past few years.

“Without following the standards for good cybersecurity controls and adhering to applicable regulations, you’re at a much higher risk of your information being breached — and that’s what you’re seeing on the daily news,” Rockwell says.

Cisco plays a major role in helping centrexIT protect their clients. As long-time partners with Cisco, centrexIT was given the opportunity to be the first to adopt Cisco’s latest security features.

“centrexIT is in the process of transitioning to a Next Gen MSP — an MSP with an MSSP (Managed Security Services Provider) practice,” Rockwell says. “We’re expecting huge growth in our MSSP line of business next year, both from existing MSP clients buying MSSP services as well as non-MSP clients buying MSSP services. Our focus on quality and security will only continue to grow as our clients keep demanding it.”

With the company’s growth and the Culture of Care at the forefront, the centrexIT team was more than ready to adopt the latest features.

“We’re using the new Cisco Umbrella features such as file inspection with anti-virus (AV) engine, Cisco Advanced Malware Protection (AMP), and custom URL blocking to help further protect our clients,” Rockwell says.

File inspection provides centrexIT with even deeper protection. When Umbrella receives a DNS request, it uses intelligence to determine if the request is safe, malicious, or risky — meaning the domain contains both malicious and legitimate content. Safe and malicious requests are routed as usual or blocked, respectively. Risky requests are routed to our cloud-based proxy for deeper inspection. The Umbrella proxy uses Cisco Talos web reputation and other third-party feeds to determine if a URL is malicious. With the advanced package, the proxy will also inspect files attempted to be downloaded from those risky sites using anti-virus (AV) engine and Cisco Advanced Malware Protection (AMP). Based on the outcome of this inspection, the connection is allowed or blocked.

Through custom URL blocking, centrexIT has even more control over information being accessed and in discovering potential security threats. Custom URL blocking gives MSPs the ability to enforce against malicious URLs in a destination list. It provides the flexibility to block specific pages without blocking entire domains.

These new security features are a huge plus for centrexIT and its clients. They help fulfill its core value and meet its key metric, says Rockwell. “At the end of the day, our client’s lives are easier and they’re at peace because they know we’re working tirelessly to care for them and keep their information safe and private.”

Managed Security Services

Ransomware Spares No One: How to Avoid the Next Big Attack

With global ransomware attacks, such as WannaCry and not-Petya, making big headlines this year, it seems the unwelcomed scourge of ransomware isn’t going away any time soon. While large-scale attacks like these are most known for their ability to devastate companies and even whole countries, the often under-reported victim is the average home user.

We sat down with Tyler Moffit, senior threat research analyst at Webroot, to talk ransomware in plain terms to help you better understand how to stop modern cybercriminals from hijacking your most valuable data.

 To put it simply, your files are stolen. Basically, any files that you would need on the computer, whether those are pictures, office documents, movies, even save files for video games, will be encrypted with a password that you need to get them back. If you pay the ransom, you get the password (at least, in theory. There’s no guarantee.)

How does the average home user get infected with ransomware?

Malspam” campaigns are definitely the most popular. You get an email that looks like it’s from the local post office, saying you missed a package and need to open the attachment for tracking. This attachment contains malware that delivers the ransomware, infecting your computer. It is also possible to become infected with ransomware without clicking anything when you visit malicious websites. Advertisements on legitimate websites are the biggest target. Remote desktop protocol (RDP) is another huge attack vector that is gaining traction as well. While controlling desktops remotely is very convenient, it’s important to make sure your passwords are secure.

How is the data ? Is the ransomed data actually taken or transmitted?

When you mistakenly download and execute the ransomware, it encrypts your files with a password, then sends that password securely back to the attacker’s server. You will then receive a ransom demand telling you how to pay to get the password to unlock your files. This is a really efficient way to prevent you from accessing your files without having to send gigabytes of information back to their servers. In very simple terms, the files are scrambled using a complex algorithm so that they are unreadable by any human or computer unless the encryption key is provided.

What types of files do ransomware attacks usually target?

Most ransomware is specifically engineered to go after any type of file that is valuable or useful to people. Around 200 file extensions have been known to be targeted. Essentially, any file that you’ve saved or open regularly would be at risk.

How does the attacker release the encrypted files?

The attacker provides a decryption utility via the webpage where you make the payment. Once you receive the decryption key, all you have to do is input that key into the tool and it will decrypt and release the files allowing you to access them again. Keep in mind, however, that the criminal who encrypted your files is under no obligation to give them back to you. Even if you pay up, you may not get your files back.

Tips for protecting your devices:
  • Use reliable antivirus software.
  • Keep all your computers up-to-date. Having antivirus on your computer is a great step towards staying safe online; however, it doesn’t stop there. Keeping your Windows PCs and/or Mac operating systems up-to-date is equally important.
  • Backup your data. Being proactive with your backup can help save your favorite vacation photos, videos of your kid’s first piano recital, not to mention sensitive information that could cost you thousands by itself.

This article was provided by our service partner Webroot.

 

cyber secuirty

Five Crucial Components of a Layered Security Strategy

Modern cyber threats are evolving at an alarming pace. Today’s thieves are constantly devising new tactics, angles, and technologies that can be used to victimize your customers—everything from malicious mobile apps to phishing emails and malware, and the consequences can be costly. Last year, the FBI estimated that criminals would net $1 billion in ransomware profits alone.

To truly ensure your customers are safe from these increasingly complex attacks, they need multiple defense layers to protect against every tactic at every attack stage. Here are a few essential layers that should be a part of any successful cyber security strategy.

Multi-Vector Protection

Cyber criminals are more organized and better educated than ever before. This means they’re increasingly savvy in implementing multistage, multi-vector attacks. Multi-vector protection ensures that your customers’’ endpoint security covers threats that cross multiple vectors, through multiple stages, reducing the opportunity for cyber criminals to successfully breach their networks.

Web Filtering

In many cases, by the reports made by this IT support company in London, the weakest links in a security strategy are the very same end users it’s intended to protect. In order to ensure end user behaviors don’t jeopardize the security of business networks, effective domain-level protection is a must. Using a cloud-based, web accessible security layer protects a TSP’s customers by reducing the flow of malware into the network by up to 90 percent. Plus, it gives TSPs granular control of all users’ internet activities, blocking dangerous websites automatically, and placing others under real time policy control.

End User Education

According to the Verizon Data Breach Investigations Report, phishing—a practice in which cyber criminals impersonate a legitimate company to steal personal information or login credentials—was behind 90 percent of security breaches in 2016. Plus, thanks to an increasingly mobile workforce, an organization’s data often leaves its secured network perimeters, creating a major vulnerability. For these reasons, implementing a recurring and continuously updated security education program is more important than ever to help end users remain current on increasingly sophisticated and realistic phishing attempts.

Patch Management

Patching ensures that your customers’’ systems are up-to-date making it more difficult for the majority of hackers to penetrate. Regularly scanning for vulnerabilities in your customers’ environments can help you determine if patches are necessary. It’s a low-cost practice that can dramatically improve security.

Backup

Backups are essential for remediating malicious activity and eliminating the effectiveness of ransomware. Having a regular backup in place also addresses concerns about whether your customers have ready access to the latest versions of their applications and data. This is critical for organizations that must meet certain compliance mandates such as HIPAA or PCI-DSS.

Webroot SecureAnywhere® solutions specialize in providing all the layers of security you need to protect your customers from complex, zero-hour cyber threats.

This article was provided by our service partner Webroot.

ransomware attack

Is Your Organization Ready to Defend Against Ransomware Attacks?

Without question, cybercrime is escalating and ransomware attacks and threats abound. Learn how to defend against ransomware, how infection can occur and how you can fight back.

Cybercrime is reaching unprecedented heights. And with the recent “WannaCry” ransomware attack, cyberthreats are back at the top of every IT department’s list of priorities and concerns. Unfortunately, it’s a trend that is unlikely to be curbed anytime soon. Cybersecurity communities have estimated that the total cost of cybercrime damage worldwide is estimated at $6 Trillion annually by the end of 2021, forcing more and more businesses to invest in cybersecurity spending on products and services to protect their business critical data from potential ransomware attacks.

Here I’ll talk more about what ransomware is, how infections can occur and how your business can be more prepared to defend against potential attacks.

What is ransomware?

Ransomware is typically defined as a subset of malware where the data on a victim’s computer becomes inaccessible and payment is demanded (usually in the form of bitcoin or other cryptocurrencies), before the data is decrypted and the victim can re-access their files.

Ransomware attacks can present themselves in a variety of forms but Microsoft Malware Protection Center explains that the two most widespread ransomware families to be reported in 2016/17 were:

  • Lock-screen ransomware
  • Encryption ransomware

Typically, lock-screen ransomware will present victims with a full-screen message which then prohibits the user from accessing their PC or files, until a payment is made. Whereas encryption ransomware will modify the data files via encryption methods so that the victim cannot open them again. In both cases, the attackers are in total control and demand large sums of money to access or unlock the files.

How does a ransomware infection occur?

On average, most ransomware infections occur through email messages carrying Trojans that attempt to install ransomware when opened by victims, or alternatively, websites that attempt to exploit vulnerabilities in the victim’s browser before infecting the system with ransomware.

Multiple high-profile incidents in 2016/17 alone, have demonstrated the destruction ransomware attacks can have on enterprise networks just as easily as on individual PCs.  For example, EternalBlue (a Windows exploit) released by the mysterious hacking group Shadow Brokers in April 2017 breached spy tools at the National Security Agency (NSA) and offered stolen data for auction, and the WannaCry strain targeted thousands of targets including the National Health Service in the UK (in total netting ~52 bitcoins or around $130,000 worth of ransom).

Not to mention many other widespread strains of ransomware including Petya, Nyetya, Goldeneye, Vault 7, Macron which have had devastating effects on countries, enterprises, election debates and individuals around the world. Attacking enterprise networks in this manner, is even becoming even more attractive because of the value of the files and data that large enterprises own means attackers can demand higher monetary values for ransom.

How to fight back

The increasing threats of ransomware attack should come as no surprise, because in reality organizations have always been under threat from malicious cyberattacks, viruses and ransomware, just more so now than ever before, and IT managers should continually be looking for ways to better protect their valuable data. Therefore, it is essential that your organization has a plan in place to defend against such attacks, minimize financial impact, reduce IT impact and maintain brand reputation.

The industry recognized recommendations suggest organizations follow the simple 3-2-1 rule and the implementation of a strong security plan. The goal of the 3-2-1 rule is to provide customers with a data protection solution that maximizes application uptime, and data availability in the event of a disaster striking.

With the proper execution of the 3-2-1 backup principles, IT managers can protect their data by:

  • Maintaining 3 copies of data (primary data and two copies)
  • Store backup copies on 2 different media types (such as tape, disk, secondary storage or cloud)
  • Keep 1 copy off-site (either on tape or in the cloud, since disasters can strike without notice, if all other forms of protection fail, you still have access to offline data!)

 

Links in phishing-like emails lead to tech support scam

Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites.

Anti-spam filters in Microsoft Exchange Online Protection (EOP) for Office 365 and in Outlook.com blocked the said emails because they bore characteristics of phishing emails. The said spam emails use social engineering techniques—spoofing brands, pretending to be legitimate communications, disguising malicious URLs—employed by phishers to get recipients to click suspicious links.

However, instead of pointing to phishing sites designed to steal credentials, the links lead to tech support scam websites, which use various scare tactics to trick users into calling hotlines and paying for unnecessary “technical support services” that supposedly fix contrived device, platform, or software problems.

The use of email as an infection vector adds another facet to tech support scams, which are very widespread. Every month, at least three million users of various platforms and software encounter tech support scams. However, tech support scams are not typical email threats:

  • Many of these scams start with malicious ads found in dubious web pages—mostly download locations for fake installers and pirated media—that automatically redirect visitors to tech support scam sites where potential victims are tricked into calling hotlines.
  • Some tech support scams are carried out with the help of malware like Hicurdismos, which displays a fake BSOD screen, or Monitnev, which monitors event logs and displays fake error notifications every time an application crashes.
  • Still other tech support scams use cold calls. Scammers call potential victims and pretend to be from a software company. The scammers then ask victims to install applications that give them remote access to the victim’s devices. Using remote access, the experienced scam telemarketers can misrepresent normal system output as signs of problems. The scammers then offer fake solutions and ask for payment in the form of a one-time fee or subscription to a purported support service.

The recent spam campaigns that spread links to tech support scam websites show that scammers don’t stop looking for ways to perpetrate the scam. While it is unlikely that these cybercriminals will abandon the use of malicious ads, malware, or cold calls, email lets them cast a wider net.

An alternative infection path for tech support scams

The spam emails with links to tech support scam pages look like phishing emails. They pretend to be notifications from online retailers or professional social networking sites. The suspicious links are typically hidden in harmless-looking text.

Figure 1. Sample fake Alibaba order cancellation email. The order number is a suspicious link.

Figure 2. A sample of a fake Amazon order cancellation email. Similarly, the order number is a suspicious link.

Fig 3. Sample fake LinkedIn email of a message notification. The three hyperlinks in the email all lead to the same suspicious link.

The links in the emails point to websites that serve as redirectors. In the samples we analyzed, the links pointed to the following sites, which are most likely compromised:

  • hxxp://love.5[redacted]t.com/wordpress/wp-content/themes/acoustician.php
  • hxxp://s[redacted]t.com/wp-content/themes/paten.php
  • hxxp://k[redacted]g.org/wp-content/categorize.php

Interestingly, the redirector websites contain code that diverts some visitors to pharmaceutical or dating websites.

Fig 5. Redirects to support scam site

Landing on typical support scam websites

Tech support scams sites often mimic legitimate sites. They display pop-up messages with fake warnings and customer service hotline numbers. As part of the scam, calls to these phone numbers are answered by agents who trick users into paying for fake technical support.

Fig 6. Tech support scam site with fake warning and support number

The technical support scam websites employ various social engineering techniques to compel users to call the provided hotlines. They warn about malware infection, license expiration, and system problems. Some scams sites display countdown timers to create a false sense of urgency, while others play an audio message describing the supposed problem.

Tech support scam websites are also known to use pop-up or dialog loops. A dialog loop refers to malicious code embedded in sites that causes the browser to present an infinite series of browser alerts containing falsified threatening messages. When the user dismisses an alert, the malicious code invokes another one, ad infinitum, essentially locking the browser session.

More advanced tech support scam sites use web elements to fake pop-up messages. Some of these scam sites open full screen and mimic browser windows, showing spoofed address bars.

This article was first published at microsoft.com