Beware of a hacking/phishing thing with Windows

Norman Bernstein
08-29-2017, 11:13 AM
I got hit with an attempted hack of my computer this morning.... one which was so sophisticated that I very nearly fell for it. I'll spare everyone the details, but trust me, even the most cynical and suspicious could get caught up in this thing.

I can tell you, though, what really saved me. My machine here in the office has a pair of 250Gb SSD drives. One is my main OS drive, the other identical drive is used to periodically clone the main drive. I keep no data of any sort on either of these drives.... just the OS and the applications (plus perhaps a few files on the desktop that would be no disaster if I lost them).

So, recovery from disaster is simple: I just disconnect the cable to the main drive, and plug it into the clone drive. Instant recovery!

To be safe, I updated my antivirus immediately.

jack grebe
08-29-2017, 11:17 AM
A little more detail would be helpful......

Norman Bernstein
08-29-2017, 11:20 AM
A little more detail would be helpful......

It starts when you get a pop-up that looks, for all the world, like a genuine Windows Defender warning about a potential hack to your computer, with a telephone number to call... the warning tells you to NOT touch your computer again until instructed... and it proceeds from there.
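As an added example (not from the thread or from Microsoft), a small Python triage check for the three traits of the pop-up described above: a trusted brand name, a telephone number to call, and pressure not to touch the machine. The sample page titles it scores are constructed here; a genuine vendor page rarely combines all three traits, which is what makes the combination useful as a lure signal.

```python
import re

# Constructed sample page titles/body text, as a browser-history or proxy
# log might record them. Made-up samples, not taken from the thread.
SAMPLES = [
    "Windows Defender Security Warning: your PC is infected. Call +1-800-555-0199 now. Do not shut down your computer.",
    "Microsoft Support - Download Windows updates",
    "Your Mac has been blocked. Contact Apple Support at 1 (888) 555-0123 immediately. Do not close this window.",
    "Weather forecast for Boston",
]

# The three traits of the fake "Windows Defender" pop-up the thread describes.
BRAND = re.compile(r"\b(windows defender|microsoft|apple|norton)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
PRESSURE = re.compile(
    r"\b(do not (?:shut down|close|turn off|touch)|immediately|infected|blocked)\b", re.I)


def lure_score(text):
    """Return (score, reasons). Each trait adds one point; a real vendor page
    rarely combines all three, so a score of 3 is treated as a scam lure."""
    reasons = []
    if BRAND.search(text):
        reasons.append("impersonates a trusted brand")
    if PHONE.search(text):
        reasons.append("asks the victim to phone a number")
    if PRESSURE.search(text):
        reasons.append("uses infection/urgency pressure")
    return len(reasons), reasons


def flag_lures(samples, threshold=3):
    """Return the samples that reach the threshold, for review or blocking."""
    return [s for s in samples if lure_score(s)[0] >= threshold]


if __name__ == "__main__":
    for s in SAMPLES:
        print(lure_score(s)[0], s[:60])
```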

StevenBauer
08-29-2017, 11:36 AM
Glad I have no need for a Windows based computer.

Norman Bernstein
08-29-2017, 11:44 AM
Glad I have no need for a Windows based computer.

Don't get TOO comfortable... contrary to popular myth, Macs are also vulnerable to all sorts of viruses, Trojans, and hackers... perhaps not to the same degree. I suppose that Linux would be the safest... but then again, I couldn't do any engineering with Linux; all the apps I need are Windows-based.



Examples of Mac malware

Despite Apple's best efforts, Mac malware does exist, we describe some cases below...

Apple is also sometimes in a race against time to update the list of malware in its XProtect file, leaving the system exposed for a few days. And in the past there have been flaws detected in the OS that could allow access to your Mac, such as the SSL error (http://www.macworld.co.uk/how-to/mac-software/do-macs-get-viruses-do-macs-need-antivirus-software-3454926/#SSL) that meant it was possible for a hacker to access your machine if you were using public WiFi; more on that below.

From time to time you will hear of high-profile trojans, malware, and ransomware that are targeting the Windows world; very rarely is this a threat to Macs. For example, the WannaCry/WannaCrypt ransomware that brought the NHS to its knees in May 2017 was only targeting Windows machines and therefore no threat to Macs.

OSX/Dok

Security analysis firm CheckPoint Software Technologies spotted a new OS X malware at the end of April 2017.

Apple rushed to block it.

The macOS Trojan horse appeared to be able to bypass Apple's protections and could hijack all traffic entering and leaving a Mac without a user's knowledge - even traffic on SSL-TLS encrypted connections.

OSX/Dok was even signed with a valid developer certificate (authenticated by Apple) according to CheckPoint's blog post. It is likely that the hackers accessed a legitimate developer's account and used that certificate. Because the malware had a certificate, macOS's Gatekeeper would have recognized the app as legitimate, and therefore not prevented its execution. Apple has since revoked that developer certificate and updated XProtect, its malware signature system.

The attacker could gain access to all victim communication by redirecting traffic through a malicious proxy server; there's more information about how the attack worked here (http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/).
OSX/Dok was targeting OS X users via an email phishing campaign. The best way to avoid falling foul of such an attempt in the future is not to respond to emails that require you to enter a password or install anything.

Xagent

Xagent is capable of stealing passwords, taking screenshots and grabbing iPhone backups stored on your Mac.

It's thought (https://betanews.com/2017/02/17/xagent-macos-malware/) to be the work of the APT28 cybercrime group, according to Bitdefender.

OSX/Pirrit

OSX/Pirrit was apparently hidden in cracked versions of Microsoft Office or Adobe Photoshop found online. It would gain root privileges and create a new account in order to install more software, according to Cybereason researcher Amit Serper in this report (http://www.tomsguide.com/us/mac-malware-threats-rsa2017,news-24501.html).

MacDownloader

In February 2017 researchers found the MacDownloader software lurking in a fake update to Adobe Flash. When the installer is run you'll get an alert claiming that there is adware on your Mac.

You'll be asked to click to "remove" the adware, and when you enter your password on your Mac the MacDownloader malware will attempt to transmit data including your Keychain (so that's your usernames, passwords, PINs, credit card numbers) to a remote server.

Luckily the threat seems to be contained for now: the remote server the malware tries to connect to is now offline.

The best way to avoid such attacks is to always check on Adobe's site to see if there is an update to Flash you should be installing.

The MacDownloader malware is thought to have been created by Iranian hackers and was specifically targeted at the US defense industry. It was located on a fake site designed to target the US defence industry (so likely not yourself). In this case the phishing attempt would have been activated via a Flash file, and since Apple has stopped Flash opening by default, again this is unlikely to have affected you.

Word macro virus

PC users have had to contend with macro viruses for a long time. Applications such as Microsoft Office, Excel and PowerPoint allow macro programs to be embedded in documents. When these documents are opened the macros are run automatically, which can cause problems.

Mac versions of these programs haven't had an issue with malware concealed in macros because when Apple released Office for Mac 2008 it removed macro support. However, the 2011 version of Office reintroduced macros, and there has now been malware discovered in a Word macro, in a Word doc about Trump.

If the file is opened with macros enabled (which doesn't happen by default), it will attempt to run Python code that could theoretically perform functions such as keylogging and taking screenshots. It could even access a webcam. The chance of you being infected in this way is very small, unless you have received and opened the file referred to (which would surprise us), but the point is that Mac users have been targeted in this way.

Mac users should still be fairly safe from macros thanks to a warning that appears on screen should a user attempt to open a document containing macros.

Fruitfly

According to a report (https://arstechnica.co.uk/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/) in January, the Fruitfly malware had been conducting surveillance on targeted networks for possibly two years.

The malware captures screenshots and webcam images, as well as looking for information about the devices connected to the same network - and then connects to them.
Malwarebytes claims the malware could have been circulating since OS X Yosemite was released in 2014.

Apple is already detecting Fruitfly via its own built-in anti-malware tool. Apple has all the malware definitions in its XProtect file which sits on your Mac, and every time you download a new application it checks that none of those definitions are present. This is part of Apple's Gatekeeper software that blocks apps created by malware developers and verifies that apps haven't been tampered with.
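As an added example tied to the Word macro section above (not code from the Macworld article, Apple or Microsoft), a Python check that reports whether an Office document carries a VBA macro project before anyone opens it. Modern Office files are zip containers in which macro code lives in a part named vbaProject.bin; the sample file inspected here is constructed in memory, and legacy OLE (.doc) files are only flagged for deeper inspection rather than parsed.

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy .doc/.xls/.ppt containers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Standard OOXML content type declared for a vbaProject.bin part.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def build_sample_docm(with_macro):
    """Build a minimal OOXML-style zip in memory. Constructed stand-in for a
    Word file: just enough structure for the check to run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = b"<Types>"
        if with_macro:
            types += (b'<Override PartName="/word/vbaProject.bin" ContentType="'
                      + VBA_CONTENT_TYPE + b'"/>')
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
        z.writestr("[Content_Types].xml", types + b"</Types>")
        z.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


def macro_indicators(data):
    """Return the reasons a document may carry VBA macros (empty if none)."""
    if data.startswith(OLE_MAGIC):
        return ["legacy OLE container: check its VBA streams before opening"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            types = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return ["not a zip container: unknown format, do not trust the extension"]
    reasons = []
    for n in names:
        if n.lower().endswith("vbaproject.bin"):
            reasons.append(f"VBA project part present: {n}")
    if VBA_CONTENT_TYPE in types:
        reasons.append("content types declare a vbaProject part")
    return reasons


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, macro_indicators(build_sample_docm(flag)))
```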

George Jung
08-29-2017, 11:47 AM
So... if that happens... do you need to 'click' on it, in order to fall prey? Shut off the machine?

For the love of... well, what's the deal?

Too Little Time
08-29-2017, 11:48 AM
It starts when you get a pop-up that looks, for all the world, like a genuine Windows Defender warning about a potential hack to your computer, with a telephone number to call... the warning tells you to NOT touch your computer again until instructed... and it proceeds from there.
I had that happen yesterday. While I was on this board.

Power off. Power on.

Norman Bernstein
08-29-2017, 12:07 PM
So... if that happens... do you need to 'click' on it, in order to fall prey? Shut off the machine?

For the love of... well, what's the deal?

Don't click on it. Shut off the machine, reboot, and go immediately to your antivirus provider's website and update the virus definitions... as well as enable all the features they provide. Also, even though they can be insufferable, we all need to do the annoying Microsoft Windows updates.

I'm too embarrassed to tell you just how far they strung me along... trust me, it was a VERY sophisticated scheme... but it DID reach a point where my suspicions turned into an absolute certainty.

Peerie Maa
08-29-2017, 12:13 PM
Don't click on it. Shut off the machine, reboot, and go immediately to your antivirus provider's website and update the virus definitions... as well as enable all the features they provide. Also, even though they can be insufferable, we all need to do the annoying Microsoft Windows updates.

I'm too embarrassed to tell you just how far they strung me along... trust me, it was a VERY sophisticated scheme... but it DID reach a point where my suspicions turned into an absolute certainty.

Is that when they asked you to help them remote on?

I occasionally get a cold call claiming to be from Windows advising me that I have issues. First thing that I do is ask them if they are going to ask me to let them remote on. They hang up as soon as I ask.

Dan McCosh
08-29-2017, 12:26 PM
Many around here have been getting phone calls allegedly from Microsoft, saying they are fixing something and want you to turn your computer on, etc. Sounds quite similar. Another one is numerous offers for a $50 coupon from Amazon and dozens of other outlets. I'm getting 20-50 daily. The sheer number is starting to swamp the actual use of the computer.

ron ll
08-29-2017, 01:39 PM
You don't really have to shut off the machine unless you feel more comfortable doing that. Often just a CTRL-ALT-DEL to the Task Manager and shutting down the browser will be sufficient. But then still scan with your malware scanner. Just don't ever click on anything in the pop-up warning, including the X to close their pop-up.

peb
08-29-2017, 01:52 PM
A few years ago, my mom had a similar pop-up. She is very computer illiterate and I had set up her Windows 7 machine with Windows Defender. Showed her how to run the antivirus. She fell for it, and called the number. They told her they were Microsoft, and her machine had been infected with a new virus that required them to put extra antivirus on her computer. The cost was 500 dollars. She told them her son had specifically told her to let no one put software on her computer without checking with him, so they actually called me into a three-way call. It was unbelievable how they stuck to their story. I told the guy to show me, on a Microsoft website, the software they were going to sell us. They said it wasn't sold over the website. I told them I knew Microsoft gave their antivirus SW away free with the OS. They said it was a new virus and the developers had not had time to update Defender. This was their "professional" antivirus software that Microsoft had developed specifically for the DoD.
I told them to go to h$_l. My mom said I should not treat people that way.


Norman Bernstein
08-29-2017, 02:02 PM
A few years ago, my mom had a similar pop-up. She is very computer illiterate and I had set up her Windows 7 machine with Windows Defender. Showed her how to run the antivirus. She fell for it, and called the number. They told her they were Microsoft, and her machine had been infected with a new virus that required them to put extra antivirus on her computer. The cost was 500 dollars. She told them her son had specifically told her to let no one put software on her computer without checking with him, so they actually called me into a three-way call. It was unbelievable how they stuck to their story. I told the guy to show me, on a Microsoft website, the software they were going to sell us. They said it wasn't sold over the website. I told them I knew Microsoft gave their antivirus SW away free with the OS. They said it was a new virus and the developers had not had time to update Defender. This was their "professional" antivirus software that Microsoft had developed specifically for the DoD.
I told them to go to h$_l. My mom said I should not treat people that way.


This event for me, this morning, was even more sophisticated... including tremendous efforts they made to assure me that this was coming from a genuine Microsoft source.

I've been an intensive PC user since the very first IBM PC in 1980, so I'm hardly an unsophisticated user.... but initially, the thing looked remarkably official. I can only imagine that unsophisticated users like your Mom would be naturals for being scammed.

Fortunately, my dual-SSD scheme made recovery almost instantaneous.... all I had to do was disconnect the former OS disk, and transfer the cable from the clone SSD, and I was back in business. I highly recommend this approach; each 250Gb SSD cost only $55, and re-writing the clone takes only 20 minutes or so, using a freeware program. That, plus never leaving any data on either of those disks (I use an external 1Tb USB drive, for data) makes things pretty much invulnerable to getting messed up. Furthermore, running the OS on an SSD is like a jump to hyperspace, compared to a rotating disk.

Garret
08-29-2017, 02:09 PM
MS will never pop up a "you need to fix something" message in a browser, nor will Mozilla (Firefox) - but hackers/scammers will.

I just end task on the browser & move along.

peb
08-29-2017, 02:44 PM
Glad I have no need for a Windows based computer.

Norman is correct, there is nothing inherently safer about Macs or Linux except for one thing: the user base is smaller, as such it is a smaller target area, so scammers target Windows.
It is a myth they are safer; indeed, I would almost guarantee that when Mac OS first went to a Unix base, it was less safe. But no one targeted it.

Norman Bernstein
08-29-2017, 02:50 PM
Norman is correct, there is nothing inherently safer about Macs or Linux except for one thing: the user base is smaller, as such it is a smaller target area, so scammers target Windows.

Agreed... as a practical matter, the smaller installed base IS a fair argument for somewhat 'increased' resistance to viruses and hacking, albeit not a complete immunity.

peb
08-29-2017, 02:53 PM
This event for me, this morning, was even more sophisticated... including tremendous efforts they made to assure me that this was coming from a genuine Microsoft source.

I've been an intensive PC user since the very first IBM PC in 1980, so I'm hardly an unsophisticated user.... but initially, the thing looked remarkably official. I can only imagine that unsophisticated users like your Mom would be naturals for being scammed.

Fortunately, my dual-SSD scheme made recovery almost instantaneous.... all I had to do was disconnect the former OS disk, and transfer the cable from the clone SSD, and I was back in business. I highly recommend this approach; each 250Gb SSD cost only $55, and re-writing the clone takes only 20 minutes or so, using a freeware program. That, plus never leaving any data on either of those disks (I use an external 1Tb USB drive, for data) makes things pretty much invulnerable to getting messed up. Furthermore, running the OS on an SSD is like a jump to hyperspace, compared to a rotating disk.

Only thing that saved my mom was the $500 price tag and I had really gotten onto her once before for letting a friend install a version of Norton anti-virus. By that time, Defender had become superior to Norton, IMO, but you can't tell some computer guy that who has been using Norton since the 80s.

seanz
08-29-2017, 03:21 PM
Dual SSD? Noted.

Garret
08-29-2017, 03:30 PM
Only thing that saved my mom was the $500 price tag and I had really gotten onto her once before for letting a friend install a version of Norton anti-virus. By that time, Defender had become superior to Norton, IMO, but you can't tell some computer guy that who has been using Norton since the 80s.

Easy to do - Norton is junk.