05/10/2017

When Antivirus Software Fails You: How to Spot (and Defeat!) a Real Malware Attack


It isn't every day you get to see what a real Trojan attack looks like.

When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.

But this time, while putting together material for our upcoming free workshop, I happened across a real attack and was able to record it.

If you've ever wondered what an attack looks like, here's your chance to see one.

Here's the best/worst part: nothing stopped it.

  • Not our Internet Security Software.
  • Not any of our browsers' built-in malware protection.
  • Not even Windows 10 built-in security.

See for yourself how it happened and what you can do to stop it.






04/13/2017

Mac OSX Fake Installer / Malware Spotted in the Wild

[Screenshot: OSX malware social-engineering installer]

Whilst traversing The Tubes yesterday doing some research on credit card processing across a host of different sites, I was hit with an old school malware installer technique with a couple of new twists at one of them. (That's what it looks like above.)

What's old school about it is that it's using an old social engineering ruse to trick people into installing it. Make no mistake: it's fake software. Well, it might play media files, but I guarantee there's some sort of unwanted malware / adware payload along with it.

As you can tell from the Finder icon in the top left, and the "Accept and Install" button in the lower right, it's obviously geared for people on a Mac, and here are some telltale signs it's fake.

  1. Every media type that matters is playable out of the box on a Mac.
  2. "Media Player" is Windows-only software, and it's built into Windows, i.e. no need to install it like this.
  3. The Accept and Install button and the Finder icon are the (now very) old Mac interface style.
  4. Powered by "MediaDownloader," yet the software is called "Media Player"?
  5. What the heck is the Finder icon even doing on an installer for a third-party product?


Curiously, both Bitdefender and Webroot for Mac missed identifying the serving URL as malicious:

cdn.brigeo.info

(Whether it has a trojan or some other malicious payload or if it's "just" adware, I don't know, and honestly, does it really matter? Its goal is to trick people into installing it.)

So, if you come across this bugger (or something similar in the wild), get the heck out of Dodge and for cryin' out loud, keep your mouse away from the "Accept and Install" button, will ya?


04/02/2012

New Phishing Tricks by the Bad Guys



UPDATE: Looks like I'm not the only one getting these emails!

Dancho Danchev with Webroot also has a great blog post on these emails. His is called, Spamvertised 'US Airways' themed emails serving client side exploits and malware

One bit of good news/bad news on them: we can be even more certain that the domain owner shown in my post is an innocent victim, too, as Dancho's blog shows many other URLs being used for serving the malware. In fact, his blog post doesn't even mention the domain name that was in the email I received.


Sometimes, you really just have to laugh.

I got a phishing spam today. Really, you might even call it a spear-phishing spam, given that it had my name and email address correct.

It was an email that looked every bit like a legitimate Check-in Confirmation email from US Airways. The problem: I'm not traveling anytime soon, so I know it's a fake.

Here's what it looked like:



Examining the link shows it was destined to go to an Indian website (.in) that's registered with the following info:

Domain ID:D5073610-AFIN
Domain Name:RUPEERUPAYA.IN
Created On:27-May-2011 21:14:29 UTC
Last Updated On:27-Jul-2011 19:20:22 UTC
Expiration Date:27-May-2012 21:14:29 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R101-AFIN)
Registrant ID:CR84151356
Registrant Name:ian jamieson
Registrant Organization:perdita & pongo llc
Registrant Street1:po box 2225
Registrant City:manchester ctr.
Registrant State/Province:Vermont
Registrant Postal Code:05255
Registrant Country:US
Registrant Phone:+1.8022360304
Registrant Email:ianpjamieson@gmail.com

Whether or not the registrant name is legit is anyone's guess, but it's hosted at this IP 184.168.172.1 by GoDaddy.

It's exceedingly rare that anyone uses their real info to host a phishing site, much less one hosted with a legitimate company like GoDaddy, so the domain has probably been compromised. Either that or the registrant name is completely falsified.

The bottom line: don't click on links in emails, even if you think they're legit and from someone you know.

Instead, by doing a "Right Click," you can copy the link out of the email and paste it into Notepad. From there, it doesn't take a rocket scientist to see this link is going to an Indian website (.in) and not to US Airways.
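The same check done in code, as an added example that is not part of the original post: it pulls each link's visible text and real href out of an HTML email body and flags any link whose destination is not under the brand's domain, which is exactly what the paste-into-Notepad check reveals by eye. The email snippet is constructed for the demo and usairways.com is assumed to be the brand's real domain; the .in host is the one from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lower-case hostname of a URL ('' if the string has none)."""
    return (urlsplit(url).hostname or "").lower()

def under_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def suspicious_links(html, expected_domain):
    """Return (text, href, reason) for each link not under expected_domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        dest = host_of(href)
        if under_domain(dest, expected_domain):
            continue
        reason = f"goes to {dest!r}, not {expected_domain}"
        shown = host_of(text)  # visible link text that is itself a URL
        if shown and shown != dest:  # classic tell: displayed URL != real one
            reason += f" (link text shows {shown!r})"
        findings.append((text, href, reason))
    return findings

# Constructed sample modelled on the check-in email in the post; the .in
# host is the one the post's link went to, the path is made up.
SAMPLE_EMAIL = """<p>Your check-in is confirmed.</p>
<a href="https://www.usairways.com/">Manage your flight</a>
<a href="http://rupeerupaya.in/checkin/">http://www.usairways.com/checkin</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL, "usairways.com")` reports only the second link, with the note that its visible text claims www.usairways.com while the real destination is the .in host.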

For a quick-and-dirty email, one has to wonder what kind of success rate they're having with this particular email. After all, it is a relatively clever bit of social engineering that some people will, no doubt, fall for.

Still, if you do get sucked into clicking a link like the one in this phishing email (or click it accidentally), this is where good antivirus software can make all the difference.

Here's what happens when you click this particular link, if you're running the 2012 VIPRE Internet Security Suite:



As you can see, VIPRE 2012 blocked it as a trojan. Between
  1. the "US Airways" link mysteriously going to a .in website,
  2. it being registered to an "ian jamieson," and
  3. VIPRE ISS blocking the first thing on the site as a trojan,
there should be little doubt in your mind that this is a malicious website and a phishing/spear-phishing attack.

Now, it's time to contact GoDaddy to get the site yanked before more people get infected.

Oh, and in case you're wondering, here are the threat details from VIPRE: