
What is Social Engineering?


Social engineering is the art of manipulating people so they give up confidential information. The information these criminals seek varies, but when individuals are targeted, the criminals are usually trying to trick you into handing over your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that harvests those passwords and bank details and gives them control over your machine.

Cybercriminals use social engineering tactics because it is often easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving away their password than it is to hack their password (unless the password is really weak).

Security is all about knowing who and what to trust: knowing when and when not to take a person at their word, when to trust that the person you are communicating with is indeed who you think they are, when to trust that a website or a caller is or isn’t legitimate, and knowing when providing your information is or isn’t a good idea.

Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. Hypothetically speaking, it doesn’t matter how many locks and deadbolts are on your doors and windows, or how many alarm systems, floodlights, fences with barbed wire, and armed security personnel you have; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate, you are completely exposed to whatever risk he represents.

Common social engineering attacks

Email from a ‘friend’. If a cybercriminal manages to hack or socially engineer a person’s email password, they have access to that person’s contact list, too. And because many people use one password everywhere, they probably have access to that person’s social networks, banking accounts, and other personal accounts.

Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave messages on all their friend’s social pages, and possibly on the pages of the person’s friend’s friends as well.

These messages may use your trust and curiosity. For example, they may:
  • Contain a link that you just have to check out–and because the link comes from a friend and you’re curious, you’ll trust the link and click–and as a result, be infected with malware so the criminal can take over your machine and collect your contacts’ info and deceive them like they just deceived you.
  • Contain a download such as pictures, music, movies, documents, etc., that has malicious software embedded. If you download–which you are likely to do since you think it is from your friend–you become infected. Now, the criminal may have access to your machine, email account, social networks and contacts, and the attack spreads to everyone you know. And on, and on.
These messages may create a compelling story or pretext:
  • Urgently ask for your help–your ‘friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home, but in reality, they give you instructions on how to send the money to the cybercriminal.
  • Ask you to donate to their charitable fundraiser, or some other cause, which is of course a front. Really, they’re again providing you with instructions on how to send the money to the cybercriminal.

Phishing attempts. Typically, a phisher sends an e-mail, instant message, comment, or text message that appears to come from a legitimate (and typically popular) company, bank, school, or institution.

These messages usually have a scenario or tell a story:
  • The message may explain there is a problem that requires you to “verify” your information by clicking on the displayed link and provide information in their form. The link location may look very legitimate with all the right logos and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you’re more likely to fall for their phishing attempt.
  • The message may notify you that you’re a ‘winner’. Perhaps the email claims to be from a lottery, or a dead relative, or a site claiming that you’re the millionth person to click, etc. In order to claim your ‘winnings’, you have to provide information, such as your bank routing number, so they know how to send it to you, or give your address and phone number so they can send the prize; you may also be asked to prove who you are, often by providing your Social Security Number. These are the ‘greed phishes’: even if the pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied and identity stolen.
  • The message may ask for help. Preying on kindness and generosity, these phishing attacks ask for aid or support for whatever disaster, political campaign, or charity is trending at the moment.

Baiting scenarios. These social engineering schemes rely on the fact that if you dangle something people want, many people will take the bait. They are often found on peer-to-peer sites offering a download of something like a hot new movie or music album, but they can also be found on social networking sites, malicious websites you find through search results, and so on.

Alternatively, the scheme may show up as an amazingly great deal on classified sites, auction sites, etc. To allay your suspicion, you can see the seller has a good rating (all planned and crafted ahead of time).

People who take the bait may be infected with malicious software that can generate any number of new exploits against them and their contacts, may lose their money without receiving their purchased item, and, if they were foolish enough to pay with a check, may find their bank account empty.

Response to a question you never had. Criminals may pretend to be responding to your ‘request for help’ from a company while also offering additional help. They pick companies that millions of people use, like a large software company or bank. If you don’t use the product or service, you will ignore the email, phone call, or message, but if you do happen to use the service, there is a good chance you will respond because you may actually need help with a problem.

For example, even though you know you didn’t originally ask a question, you may have a problem with your computer’s operating system (such as slow-downs) and you seize on this opportunity to get it fixed, for ‘free’ no less. The moment you respond, however, you have bought the crook’s story, given them your trust and opened yourself up for exploitation.

The representative, who is actually a cybercriminal, will need to ‘authenticate you’, have you log into ‘their system’, or have you log into your computer and either give them remote access so they can ‘fix’ it for you, or tell you the commands so you can ‘fix’ it yourself with their ‘help’. In actuality, some of the commands they tell you to enter will open a way for the criminal to get back into your computer later.

Creating distrust. Some social engineering is all about creating distrust, or starting conflicts; these are often carried out by people you know and who are angry with you, but it is also done by nasty people just trying to wreak havoc, people who want to first create distrust in your mind about others so they can then step in as a ‘hero’ and gain your trust, or by extortionists who want to manipulate information and then threaten you with disclosure.

This form of social engineering often begins by gaining access to an email account or other communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering, or simply guessing really weak passwords.

  • The malicious person may then alter sensitive or private communications (including images and audio) by using basic editing techniques and forward these to other people to create drama, distrust, embarrassment, etc. They may make it look like it was accidentally sent, or appear like they are letting you know what is ‘really’ going on.
  • Alternatively, they may use the altered material to extort money either from the person they hacked, or from the supposed recipient.

There are literally thousands of variations on social engineering attacks. The only limit to the number of ways a cybercriminal can socially engineer users is their imagination. And you may experience multiple forms of exploits in a single attack. Afterwards, the criminal is likely to sell your information to others so they too can run their exploits against you, your friends, your friends’ friends, and so on, as cybercrooks like to leverage people’s misplaced trust.

Don’t become a victim

  • Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency, or uses high-pressure sales tactics, be skeptical and never let their urgency influence your careful review.
  • Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site. You can also find their real support phone number listed on the site.
  • Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
  • Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. Furthermore, if you did not specifically request assistance from the sender, consider any offer to ‘help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
  • Don’t let a link in an email dictate where you land. Stay in control by finding the website yourself with a search engine, so you are sure you land where you intended to. Hovering over a link in an email will show the actual URL at the bottom of the window, but a good fake can still steer you wrong.

Curiosity leads to careless clicking: if you don’t know what the email is about, clicking links is a poor choice. Similarly, never use phone numbers from the email, as it is easy for a scammer to pose as a bank teller, a support agent, etc.
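The link check described above (hovering to compare the visible text with the real destination) is one that a mail filter or awareness tool can automate. The following is an added example, not Webroot’s code; it runs over a constructed sample message and an assumed trusted-domain list, and flags anchors whose visible URL text, bare-IP host, or brand-lookalike host disagrees with where the link really goes.

```python
"""Flag deceptive links in an HTML e-mail body (added example, not Webroot's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: three links, two of them deceptive. Not a real e-mail.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://login.example-bank.com.evil-host.test/verify">
verify your account</a> within 24 hours.</p>
<p>Visit <a href="http://203.0.113.7/update">https://www.example-bank.com/update</a> now.</p>
<p>Read our <a href="https://www.example-bank.com/policy">policy</a>.</p>
"""

# Assumed list of domains the recipient actually does business with.
TRUSTED_DOMAINS = ["example-bank.com"]


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # normalise whitespace
            self.anchors.append((self._href, visible))
            self._href = None


_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Visible text that itself looks like a URL or host name, e.g. "https://www.example-bank.com/x".
_URL_LIKE_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _host(url):
    """Lower-cased host of a URL; bare host names are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _registrable(host):
    """Crude last-two-labels approximation; a real tool would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html, trusted_domains):
    """Return [(href, visible_text, [reasons])] for anchors that look deceptive."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        reasons = []
        href_host = _host(href)
        if _IP_RE.match(href_host):
            reasons.append("href points at a bare IP address")
        if _URL_LIKE_RE.match(text) and _registrable(_host(text)) != _registrable(href_host):
            reasons.append("visible URL text and href host differ")
        for domain in trusted_domains:
            # Brand name embedded in a host that is not actually under the trusted domain.
            if domain in href_host and not (href_host == domain or href_host.endswith("." + domain)):
                reasons.append("host mimics trusted domain " + domain)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```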

  • Secure your computing devices. Install an effective anti-virus solution that can keep up with ever-evolving threats. Make sure to keep your OS and browsers updated, and if your smartphone doesn’t automatically update, make sure to manually update it whenever you receive a notice to do so.
  • Email hijacking is rampant. Hackers, spammers, and social engineers gaining access to people’s emails (and other personal accounts) has become commonplace. Once they control someone’s email account, they prey on the trust of all that person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, be sure to check with your friend before opening links or downloading. Even then, the legitimacy of the links isn’t guaranteed, which is why it’s critical to be using anti-virus software.
  • Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.
  • Foreign offers are fake. If you receive email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money, it is guaranteed to be a scam.
  • Set your spam filters to high. Every email program has spam filters. To find yours, look under your settings options, and set these to the highest setting; just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ‘spam filters’.

The post What is Social Engineering? appeared first on Webroot Threat Blog.


Computer Virus 101


What is a computer virus?

Think of a biological virus – the kind that makes you sick. It’s persistently nasty, keeps you from functioning normally and often requires something powerful to get rid of it. A computer virus is very similar. Designed to relentlessly replicate, these threats infect your programs and files, alter the way your computer operates or stop it from working altogether. It’s estimated that the ‘Conficker’ malware infected more than 10 million computers in 2009, which was a massive amount back then.

The number of viruses and their capability to inflict damage have only increased since then. Today, hundreds of thousands of them operate over the internet, and new variants are discovered every day. When you couple this with the discovery of mass-scale security flaws/vulnerabilities (such as ‘Heartbleed’ and ‘Bash’ in 2014), the cyber-world really starts to look like a scary place. It is. But that doesn’t mean there’s nothing you can do to protect yourself and your devices.

How does it find me?

Even if you’re careful, you can pick one up through normal online activities like:

  • Sharing music, files or photos with other users
  • Visiting an infected website
  • Opening spam email or an email attachment
  • Downloading free games, toolbars, media players and other system utilities
  • Installing mainstream software applications without fully reading license agreements

What does it do?

Some computer viruses are programmed to harm your computer by damaging programs, deleting files, or reformatting the hard drive. Others simply replicate themselves or flood a network with traffic, making it impossible to perform any internet activity. Even less harmful versions can significantly disrupt your system’s performance, sapping computer memory and causing frequent computer crashes.

What are the symptoms?

Your computer may be infected if you recognize any of these malware symptoms:

  • Slow computer performance
  • Erratic computer behavior
  • Unexplained data loss
  • Frequent computer crashes

Arming yourself with the best protection

When you arm yourself with information and resources, you’re wiser about computer security threats and less vulnerable to threat tactics. Take these steps to safeguard your PC with the best protection:

Make sure that you have the best security software products installed on your computer:

  • Use anti-virus protection and a firewall
  • Get anti-spyware software
  • Always keep your anti-virus protection and anti-spyware software up-to-date (Webroot SecureAnywhere updates automatically)
  • Update your operating system regularly (most update automatically)
  • Increase your browser security settings
  • Avoid questionable websites
  • Only download software from sites you trust and carefully evaluate free software and file-sharing applications before downloading them

Practice safe email protocol:

  • Don’t open messages from unknown senders
  • Immediately delete messages you suspect to be spam

An unprotected computer is like an open door for malware. Firewalls monitor Internet traffic in and out of your computer and hide your PC from online scammers looking for easy targets. Products like Webroot SecureAnywhere Complete provide total protection from the most dangerous threats out there, thwarting them before they can enter your PC, and standing guard at every possible entrance of your computer to fend off any malware that tries to enter, even the most damaging and devious strains.

While free anti-virus software is available, it simply can’t offer the consistent protection that you need to keep up with the continuous onslaught of new strains. Previously undetected forms of malware can often do the most damage, so it’s critical to have up-to-the-minute protection that won’t take a break to update and miss the oncoming threat.


Threat Recap: Week of June 13th


There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Compromised RDP Servers Offer Cheap Attack Platform

Recently, researchers discovered an online marketplace that allowed for the purchase of hacked remote desktop servers for a minimal fee. The Russian-based site, known as the xDedic Marketplace, has listings for over 70,000 servers located in 173 different countries, which range from government institutions to universities.

http://www.theregister.co.uk/2016/06/15/hacked_server_market/

Chat Support: The Latest Ransomware Feature

Ransomware has become an all-too-common occurrence in the cyber world, and a new variant named ‘Jigsaw’ has a curious surprise for its victims: live phone support. An option on the lock screen offers the victim a chance to speak with someone about paying the ransom by using ‘onWebChat’, a free-to-use chat program. This feature is just another step towards professionalizing the ransomware industry and instilling trust in their worldwide “customer” base that they will decrypt the user’s files once a payment has been made.

http://www.darkreading.com/attacks-breaches/ransomware-now-comes-with-live-chat-support/d/d-id/1325879

Lone Hacker Claims Responsibility for DNC Breach

Earlier this week, it was reported that the DNC’s (Democratic National Committee’s) official servers had been compromised and sensitive information regarding opponent Donald Trump had been stolen by the Russian Government. Shortly after Kremlin officials stated their innocence in the matter, a hacker going by Guccifer 2.0 posted a blog on WordPress where he took full credit for the hack and included several (supposedly) related documents. Security officials are working to determine the authenticity of the documents, while further research has turned up additional information about other intrusions into the DNC network.

http://www.reuters.com/article/us-usa-election-hack-idUSKCN0Z209Q

Japanese Travel Agency Hacked

In the past week, the Japanese travel agency JTB announced a data breach encompassing nearly 8 million customers. The leak is said to contain not only the names and addresses of users, but passport information as well. It is believed that the attack stemmed from a phishing email attachment, which was downloaded by an unsuspecting employee. Fortunately, after further investigation, it seems only 4,300 of the passport numbers are actually valid.

http://www.zdnet.com/article/japans-largest-travel-agency-fears-data-leak-impacting-8-million-users/

Android TV Ransomware Spotted

A variant of ransomware that’s been around since 2015, known as ‘Frantic Locker’, has started to appear on Android Smart TVs with a demand for ransom in the form of iTunes gift cards. The infection initiates via a downloaded file from an infected site, then determines its geolocation and, based on its region, either launches a lock screen or shuts down. While users in Eastern Europe seem unaffected by the infection, victims in other regions are already discovering various methods to simply remove the infection, rather than paying the ransom.

http://www.theregister.co.uk/2016/06/13/android_ransomware_infects_tvs/


Threat Recap: Week of June 20th


There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

First ‘Hack the Pentagon’ Event a Major Success

Several months ago, the Department of Defense launched a program designed to bring in registered hackers and have them attempt to breach several public-facing websites, for cash prizes. With over 1,400 hackers participating, the DoD was able to confirm 138 discovered vulnerabilities and paid out amounts up to $15,000. Furthermore, in the 3-week period, not a single malicious attack was attempted on DoD sites.

http://www.darkreading.com/vulnerabilities—threats/hack-the-pentagon-paid-117-hackers-who-found-bugs-in-dod-websites/d/d-id/1325999?

Apple Customers Targeted With Phishing Campaign

In the last week, many Apple users received an email warning them of a virus in the iTunes database that required all users to re-validate all of their user information, and threatening to delete accounts if the user delayed entering the information. However, with a redirected splash page riddled with misspellings, this phishing attempt was quickly thwarted and the associated pages were taken down, though Apple still warns users to be vigilant for similar emails in the future.

https://www.helpnetsecurity.com/2016/06/21/itunes-database-phish/

Ded Cryptor, Latest Bilingual Ransomware Variant

Researchers have uncovered another ransomware variant, this time with a less-than-jolly Santa figure appearing alongside the ransom instructions, written in both English and Russian. The so-called Ded Cryptor replaces the user’s wallpaper with the ransom note and gives an email address to contact for further steps towards payment and decryption of their files, which are appended with a .ded extension upon encryption.

http://www.bleepingcomputer.com/news/security/the-ded-cryptor-ransomware-thinks-you-have-been-naughty-this-year/

Court Rules FBI No Longer Needs Warrant to Hack Computers

In a recent court ruling surrounding a child pornography case, the FBI had been granted a warrant to hack into certain computers and retrieve information that led to multiple offenders being arrested. The presiding judge determined that while the offenders had used Tor to anonymize their browsing, having a publicly accessible IP address removed the need for law enforcement to obtain a warrant when gaining unauthorized access to any computer, regardless of probable cause or any real suspicion.

http://www.csoonline.com/article/3088270/security/us-court-rules-that-fbi-can-hack-into-a-computer-without-a-warrant.html

Acer Security Breach

Recently, Acer came forward and admitted to a breach in their systems that allowed hackers to access the sensitive information of over 34,000 customers, covering a full year’s worth of transactions. This information includes names, addresses, and credit card information (which may or may not have been encrypted prior to the breach), and other private information that criminals could use to commit fraud.

http://www.csoonline.com/article/3085503/data-breach/massive-acer-security-breach-exposes-highly-sensitive-data-of-34500-online-shoppers.html


How to Prevent Phone Hacking and Sleep Like a Baby Again


It was only a matter of time before phone hacking rose to the top of the media-driven hysteria list

Thanks to the rapid growth of mobile device adoption and the subsequent rapid growth in mobile threats, phone hacking prevention is a hot topic. A headache reserved for celebrities in the past, smartphone-infiltration concerns have crossed the VIP vs. everyone else blood-brain barrier and now potentially affect anyone who owns a smartphone.

But is this really a serious problem for us regular folks? Are our voicemail messages so interesting that someone would invade our privacy to listen in? Before we go barking up the narcissism tree, it’s best to examine what phone hacking is and whether you really need to worry about it.

With everything I’ve got going on, do I need to worry about my phone’s security?

This security threat can be broken down into two types: hacking into a live conversation or into someone’s voicemail, and hacking into data stored on one’s smartphone. Just as the majority of abductions are carried out by a member of the abductee’s family—unless you go by code name POTUS or are Hugh Grant—the person most likely to hack into your live conversation or voicemail will be someone that you know who has an ax to grind.

And in today’s mobile world, mobile security is a growing issue. As people increasingly store sensitive data on their mobile devices, the opportunity to exploit privacy weaknesses becomes more tempting to unscrupulous ‘frenemies’, exes or the occasional stranger.

It doesn’t help that there is a cottage industry of software ostensibly developed for legal uses but is easily abused (password crackers aptly named ‘John the Ripper’ and ‘Cain and Abel’ are two examples). Opportunistic hackers can wreak havoc with data deletion or install malicious software that gathers bank account logins and confidential business emails.

So what’s a smartphone owner to do?

If you want to be proactive, there are several measures you can take to protect yourself against this threat, most of which involve common sense. For example:

  • Don’t leave your phone unattended in a public place.
  • Be sure to change the default password that comes with a new phone to something more complex (resist the usual “1234,” “0000” and “2580”).
  • Avoid using unprotected Bluetooth networks and turn off your Bluetooth when you aren’t using it.
  • Use a protected app to store PINs and credit card numbers, or better yet, don’t store them on the phone at all.

Throwing the baby out with the bathwater

If you’re still worried about your smartphone’s security, there are further steps you can take to protect yourself. However, taking things too far will defeat the purpose of having a smartphone at all.

  • Avoid accessing important locations such as bank accounts via public Wi-Fi that may not be secure.
  • Turn off your auto complete feature so critical personal data isn’t stored on the phone and must be re-entered every time you need it.
  • Regularly delete your browsing history, cookies and cache so your virtual footprint is not available for prying eyes.
  • If you have an iPhone, you can enable ‘Find My iPhone’ in your settings, and it will locate your phone if you misplace it before the hackers can lay their hands on it.
  • Use a security app that increases protection. For Android owners, Webroot offers the all-in-one SecureAnywhere Mobile app that provides antivirus protection and allows you to remotely locate, lock and wipe your phone in the event you lose track of it.

Remember—if the thought of your smartphone getting breached has you tossing and turning at night, you can just turn the phone off, remove the battery and hide it under your pillow for some sweet lithium-ion induced dreams.


How to Block Pornography on Internet-Connected Devices


With the sheer amount of pornographic images of child abuse – often called child porn – available online, it may seem that there is little you can do to protect your children, or yourself, from this type of content. This isn’t true.

Here are eight key tools and tactics to eliminate – or significantly reduce – the risks of you or your child coming across pornographic material.

Eight tools to help block internet pornography

  1. Set your search engine to “safe search” mode: Google users can visit the ‘Google Safety Center‘ to adjust the settings, while Bing users can change preferences in the Bing Account Settings. If you use another search engine, it’s usually straightforward to access the equivalent settings for that specific search engine. Also, if your child uses YouTube, be sure you have set the “safe” mode on that platform as well.
  2. Use the family safety tools provided by your computer’s/other device’s operating system: Windows and Mac operating systems provide family safety settings. Many mobile device manufacturers also provide a wide variety of safety settings within their mobile devices.
  3. Use family safety tool services: Sometimes called parental controls, these tools allow you to set specific filters to block types of content you find inappropriate. This isn’t just something to apply to youth; plenty of adults prefer to filter out pornographic and other types of content like ‘hate’ and ‘violence’. The appropriateness of some types of content will change as children mature; other types of content may always be unacceptable. To find the tools that best fit your family’s needs, search for parental-control or family-safety-tool reviews. Keep in mind that these tools need to be installed on every device your child uses to go online: game consoles, smartphones, tablets, personal laptops and computers. Some services have coverage for all types of devices, others are limited to just computers or phones. You may find that using a single solution on all devices makes your monitoring much easier.
  4. Periodically look at your children’s browser history. There are a number of phrases youth use to get around pornography filters – like “breast feeding” and “childbirth” – and some fast-changing slang terms that filters may not have caught up with like “walking the dog,” which is a slang term for sex. If you see odd search terms, give the sites a quick look.
  5. Have your children restrict access to their social networking sites to only known friends, and keep their sites private. A great deal of pornography is shared among private albums on social networking sites.
  6. Scan the photos on your child’s smartphone/mobile device from time to time. While the youngest kids aren’t ‘sexting’, by the time they’ve hit their ‘tweens’, there’s a chance that they have begun participating in this type of behavior. Let your children know that you plan to sit down with them and go through the pictures they have stored on their phone.
  7. Review the applications your child has downloaded to their phone or tablet. Mobile content filters may not catch all the potentially inappropriate apps.
  8. You are your strongest tool. No technical blocking solution alone is enough to protect a determined child or teen from finding pornography online. Have the “talk” on an ongoing basis with your children about the content your family finds appropriate and inappropriate; this exchange should never be a one-time conversation.

Teens in particular may balk at the conversations, but they do listen far more than you might imagine. To learn more about your influence on your teens’ lives, see Psst! Parents! If you talk to your teen, they will listen to you, as well as this article about how to talk to teens.


Threat Recap: Week of June 27th


There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Hard Rock Las Vegas Confirms Credit Card Breach

Recently, the Hard Rock Cafe in Las Vegas issued a statement regarding unauthorized access to its card processing systems, confirming that a breach had occurred and that it affected customers from the last 9 months. The resort has since been in contact with customers that may have been affected by any fraudulent activity and is working to determine how the breach was carried out.

https://threatpost.com/hard-rock-las-vegas-noodle-and-co-confirm-hacks/118966/

Auto-rooting Malware? There’s An App For That!

In the past week, researchers have identified a new app on the Google Play marketplace that, once installed, will give itself root access to the device and begin installing new apps without any user interaction. The app, called ‘LevelDropper’, appears to be a simple horizontal leveling app, but once it’s active on the device with elevated permissions, it allows attackers to install numerous other apps in order to increase ad revenue per installation.

https://threatpost.com/google-play-hit-with-rash-of-auto-rooting-malware/118938/

CCTV Botnet Used to DDoS Jewelry Shop

While stories of DDoS attacks targeting banks and other financial institutions are quite common these days, using a botnet comprised solely of hacked CCTV security cameras to attack a jewelry store website seems a bit out of place. The botnet in question is currently in control of over 25,000 cameras across at least 100 different countries. At this strength, it was capable of sending over 50,000 requests per second, rendering the jewelry site completely inaccessible.

http://arstechnica.com/security/2016/06/large-botnet-of-cctv-devices-knock-the-snot-out-of-jewelry-website/

Microsoft Loses Lawsuit Over Windows 10

With the deadline for the free Windows 10 upgrade only a few weeks away, some users who have been automatically updated to the latest Microsoft OS are less-than-pleased with it. One such case is a travel agent in California who went to court seeking restitution for her lost revenue and the cost of a new computer after the automatic Windows 10 upgrade failed and caused her computer to become unusable. Microsoft declined to appeal the case and the resulting judgement cost them $10,000.

http://www.seattletimes.com/business/microsoft/microsoft-draws-flak-for-pushing-windows-10-on-pc-users/?utm_source=twitter&utm_medium=social&utm_campaign=article_left_1.1

NASCAR Team Hit With Ransomware Prior to Race

In a time where ransomware is running rampant, it comes as no surprise that one of the highest grossing entertainment events in the world would enter the crosshairs of cybercriminals. Shortly before the race at Texas Motor Speedway in April, the Circle-Sport Leavine Family Racing team was hit with the TeslaCrypt ransomware variant that effectively shut down their 3-computer system, and almost cost them years of time and money spent on racing technology. The team paid the $500 ransom in bitcoins and was able to successfully decrypt their computers in time for race start.

https://www.helpnetsecurity.com/2016/06/27/nascar-team-victim-ransomware/

The post Threat Recap: Week of June 27th appeared first on Webroot Threat Blog.

What is Social Engineering?

Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted, the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software which will give them access to said passwords and bank information as well as giving them control over your computer.

Cybercriminals use social engineering tactics because it is often easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving away their password than it is to hack their password (unless the password is really weak).

Security is all about knowing who and what to trust – Knowing when and when not to take a person at their word, when to trust that the person you are communicating with is indeed the person you think you are communicating with, when to trust that a website is or isn’t legitimate or when to trust that the person on the phone is or isn’t legitimate, and knowing when providing your information is or isn’t a good idea.

Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. Hypothetically speaking, it doesn’t matter how many locks and deadbolts are on your doors and windows, or how many alarm systems, floodlights, fences with barbed wire, and armed security personnel you have; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate, you are completely exposed to whatever risk he represents.

Common social engineering attacks

Email from a ‘friend’. If a cybercriminal manages to hack or socially engineer a person’s email password, they have access to that person’s contact list, too. And because many people use one password everywhere, they probably have access to that person’s social networks, banking accounts, and other personal accounts.

Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave messages on all their friends’ social pages, and possibly on the pages of the person’s friends’ friends as well.

These messages may use your trust and curiosity. For example, they may:
  • Contain a link that you just have to check out–and because the link comes from a friend and you’re curious, you’ll trust the link and click–and as a result, be infected with malware so the criminal can take over your machine and collect your contacts’ info and deceive them like they just deceived you.
  • Contain a download such as pictures, music, movies, documents, etc., that has malicious software embedded. If you download–which you are likely to do since you think it is from your friend–you become infected. Now, the criminal may have access to your machine, email account, social networks and contacts, and the attack spreads to everyone you know. And on, and on.

These messages may create a compelling story or pretext:
  • Urgently ask for your help–your ‘friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home, but in reality, they give you instructions on how to send the money to the cybercriminal.
  • Ask you to donate to their charitable fundraiser, or some other cause, which is of course a front. Really, they’re again providing you with instructions on how to send the money to the cybercriminal.

Phishing attempts. Typically, a phisher sends an e-mail, instant message, comment, or text message that appears to come from a legitimate (and typically popular) company, bank, school, or institution.

These messages usually have a scenario or tell a story:
  • The message may explain there is a problem that requires you to “verify” your information by clicking on the displayed link and provide information in their form. The link location may look very legitimate with all the right logos and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you’re more likely to fall for their phishing attempt.
  • The message may notify you that you’re a ‘winner’. Perhaps the email claims to be from a lottery, or a dead relative, or a site claiming that you’re the millionth person to click, etc. In order to claim your ‘winnings’, you have to provide information, such as your bank routing number, so they know how to send it to you, or give your address and phone number so they can send the prize, and you may also be asked to prove who you are, often by providing your Social Security Number. These are the ‘greed phishes’, where even if the story pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied and identity stolen.
  • The message may ask for help.  Preying on kindness and generosity, these phishing attacks ask for aid or support for whatever disaster, political campaign, or charity is trending at the moment.

Baiting scenarios. These social engineering schemes know that if you dangle something people want, many people will take the bait. These schemes are often found on Peer-to-Peer sites offering a download of something like a hot new movie or music album. But these schemes can also be found on social networking sites, malicious websites you find through search results, and so on.

Alternatively, the scheme may show up as an amazingly great deal on classified sites, auction sites, etc. To allay your suspicion, you can see the seller has a good rating (all planned and crafted ahead of time).

People who take the bait may be infected with malicious software that can generate any number of new exploits against them and their contacts, may lose their money without receiving their purchased item, and, if they were foolish enough to pay with a check, may find their bank account empty.

Response to a question you never had. Criminals may pretend to be responding to your ‘request for help’ from a company while also offering additional help. They pick companies that millions of people use like a large software company or bank.  If you don’t use the product or service, you will ignore the email, phone call, or message, but if you do happen to use the service, there is a good chance you will respond because you may actually need help with a problem.

For example, even though you know you didn’t originally ask a question, you may have a problem with your computer’s operating system (such as slow-downs) and you seize on this opportunity to get it fixed, for ‘free’ no less. The moment you respond, however, you have bought the crook’s story, given them your trust and opened yourself up for exploitation.

The representative, who is actually a cybercriminal, will need to ‘authenticate you’, have you log into ‘their system’ or, have you log into your computer and either give them remote access to your computer so they can ‘fix’ it for you, or tell you the commands so you can ‘fix’ it yourself with their ‘help’. In actuality, some of the commands they tell you to enter will open a way for the criminal to get back into your computer later.

Creating distrust. Some social engineering is all about creating distrust, or starting conflicts; these are often carried out by people you know and who are angry with you, but it is also done by nasty people just trying to wreak havoc, people who want to first create distrust in your mind about others so they can then step in as a ‘hero’ and gain your trust, or by extortionists who want to manipulate information and then threaten you with disclosure.

This form of social engineering often begins by gaining access to an email account or other communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering, or simply guessing really weak passwords.

  • The malicious person may then alter sensitive or private communications (including images and audio) by using basic editing techniques and forward these to other people to create drama, distrust, embarrassment, etc.  They may make it look like it was accidentally sent, or appear like they are letting you know what is ‘really’ going on.
  • Alternatively, they may use the altered material to extort money either from the person they hacked, or from the supposed recipient.

There are literally thousands of variations of social engineering attacks. The only limit to the number of ways a cybercriminal can socially engineer users through this kind of exploit is their imagination. And you may experience multiple forms of exploits in a single attack. Afterwards, the criminal is likely to sell your information to others so they too can run their exploits against you, your friends, your friends’ friends, and so on, as cybercrooks like to leverage people’s misplaced trust.

Don’t become a victim

  • Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency, or uses high-pressure sales tactics, be skeptical and never let their urgency influence your careful review.
  • Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site. You can also find their real support phone number listed on the site.
  • Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
  • Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. Furthermore, if you did not specifically request assistance from the sender, consider any offer to ‘help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
  • Don’t let a link in an email dictate where you land. Stay in control by finding the website yourself using a search engine, so you can be sure you land where you intended to. Hovering over links in an email will show the actual URL at the bottom, but a good fake can still steer you wrong.

Curiosity leads to careless clicking–if you don’t know what the email is about, clicking links is a poor choice. Similarly, never use phone numbers from the email as it is easy for a scammer to pretend you’re talking to a bank teller, a support agent, etc.

  • Secure your computing devices. Install an effective anti-virus solution that can keep up with ever-evolving threats. Make sure to keep your OS and browsers updated, and if your smartphone doesn’t automatically update, make sure to manually update it whenever you receive a notice to do so.
  • Email hijacking is rampant. Hackers, spammers, and social engineers gaining access to people’s emails (and other personal accounts) has become commonplace. Once they control someone’s email account, they prey on the trust of all that person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, be sure to check with your friend before opening links or downloading. Even then, the legitimacy of the links isn’t guaranteed, which is why it’s critical to be using anti-virus software.
  • Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.
  • Foreign offers are fake. If you receive email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money, it is guaranteed to be a scam.
  • Set your spam filters to high. Every email program has spam filters. To find yours, look under your settings options, and set these to the highest setting; just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ‘spam filters’.

The post What is Social Engineering? appeared first on Webroot Threat Blog.


Computer Virus 101

What is a computer virus?

Think of a biological virus – the kind that makes you sick. It’s persistently nasty, keeps you from functioning normally and often requires something powerful to get rid of it. A computer virus is very similar. Designed to relentlessly replicate, these threats infect your programs and files, alter the way your computer operates or stop it from working altogether. It’s estimated that the ‘Conficker’ malware infected more than 10 million computers in 2009, which was a massive amount back then.

The number of viruses and their capability to inflict damage have only increased since then. Today, hundreds of thousands of them operate over the internet, and new variants are discovered every day. When you couple this with the discoveries of mass-scale security flaws/vulnerabilities (such as ‘Heartbleed’ and ‘Bash’ in 2014), the cyber-world really starts to look like a scary place. It is. But that doesn’t mean there’s nothing you can do to protect yourself and your devices.

How does it find me?

Even if you’re careful, you can pick one up through normal online activities like:

  • Sharing music, files or photos with other users
  • Visiting an infected website
  • Opening spam email or an email attachment
  • Downloading free games, toolbars, media players and other system utilities
  • Installing mainstream software applications without fully reading license agreements

What does it do?

Some computer viruses are programmed to harm your computer by damaging programs, deleting files, or reformatting the hard drive. Others simply replicate themselves or flood a network with traffic, making it impossible to perform any internet activity. Even less harmful versions can significantly disrupt your system’s performance, sapping computer memory and causing frequent computer crashes.

What are the symptoms?

Your computer may be infected if you recognize any of these malware symptoms:

  • Slow computer performance
  • Erratic computer behavior
  • Unexplained data loss
  • Frequent computer crashes

Arming yourself with the best protection

When you arm yourself with information and resources, you’re wiser about computer security threats and less vulnerable to threat tactics. Take these steps to safeguard your PC with the best protection:

Make sure that you have the best security software products installed on your computer:

  • Use anti-virus protection and a firewall
  • Get anti-spyware software
  • Always keep your anti-virus protection and anti-spyware software up-to-date (Webroot SecureAnywhere updates automatically)
  • Update your operating system regularly (most update automatically)
  • Increase your browser security settings
  • Avoid questionable websites
  • Only download software from sites you trust and carefully evaluate free software and file-sharing applications before downloading them

Practice safe email protocol:

  • Don’t open messages from unknown senders
  • Immediately delete messages you suspect to be spam

An unprotected computer is like an open door for malware. Firewalls monitor Internet traffic in and out of your computer and hide your PC from online scammers looking for easy targets. Products like Webroot SecureAnywhere Complete provide total protection from the most dangerous threats out there, thwarting them before they can enter your PC, and standing guard at every possible entrance of your computer to fend off any malware that tries to enter, even the most damaging and devious strains.

While free anti-virus software is available, it simply can’t offer the consistent protection that you need to keep up with the continuous onslaught of new strains. Previously undetected forms of malware can often do the most damage, so it’s critical to have up-to-the-minute protection that won’t take a break to update and miss the oncoming threat.

The post Computer Virus 101 appeared first on Webroot Threat Blog.

Threat Recap: Week of July 11th

HSBC Sites Downed Briefly After Cyber Attack

Earlier this week, it was reported that HSBC had been the victim of a cyber attack and both its US and UK sites had been taken offline. The messages remaining on both sites announced that an organization called OurMine had found a vulnerability and would only stop the attack once an HSBC employee contacted them. Seemingly as promised, the attack ceased and the sites were brought back online early Wednesday morning.

http://www.dailystar.co.uk/news/latest-news/529814/HSBC-suffers-major-security-breach-as-hackers-launch-cyber-attack-on-bank-s-servers

Malicious Pokemon Go Look-alike Apps On the Rise

With the recent popularity of the Pokemon Go app, it comes as no surprise that a massive influx of third-party apps claiming to be related have hit the appstore. While many of these are seemingly harmless, some offer cheats and other Pokemon-related info to attract users and then require permission to view personal information stored on the phones. With nearly 200 unofficial apps found so far, it is likely that more will replace the ones that are being removed.

http://www.csoonline.com/article/3095706/security/a-surge-of-pokemon-go-related-apps-is-out-to-steal-your-data.html

Ransomware’s Latest Scam Skips Encryption

Recently, researchers have discovered a new variant of ransomware that operates with significantly less sophistication than normally seen. Ranscam, the variant in question, lives up to its name by simply deleting the files once the ransom message is displayed, while stating the usual encryption and bitcoin payment instructions. Regardless of the victim’s payment status, the files are completely removed, leaving nothing to decrypt if/when a payment is made.

https://threatpost.com/ranscam-ransomware-deletes-victims-files-outright/119197/

Omni Hotels Face Data Breach

This week, Omni Hotels & Resorts made a statement that they had suffered a security breach over the past 6 months on its point-of-sale systems. The attack follows the long string of hotel security breaches that have occurred in the last year, as hotels make for highly profitable targets in an industry with out-of-date cyber protection. Fortunately for Omni, their recently appointed CIO has already begun implementing new solutions to protect against similar attacks in the future.

http://www.csoonline.com/article/3094997/data-breach/omni-hotels-new-cio-shores-up-cybersecurity-amid-data-breach.html

Stampado Ransomware Available On Dark Web For Low Price

In an unusual move by malware authors, the creators of the Stampado ransomware variant have released a lifetime license for a measly $39 USD. The variant itself is similar to Cryptolocker, but with the additional function of not requiring administrator privileges when launching. While it’s currently not widespread, the price point removes a major barrier for cyber criminals who may be deterred by a high upfront cost.

http://www.infosecurity-magazine.com/news/brand-new-stampado-ransomware/

The post Threat Recap: Week of July 11th appeared first on Webroot Threat Blog.

Computer Hackers and Predators

How are they a security threat?

People, not computers, create computer threats. Computer predators victimize others for their own gain. Give them access to the internet — and to your PC — and the threat they pose to your security increases exponentially. Computer hackers are unauthorized users who break into computer systems in order to steal, change or destroy information, often by installing dangerous malware without your knowledge or consent. Their clever tactics and detailed technical knowledge help them access information you really don’t want them to have.

How do they find me?

Anyone who uses a computer connected to the internet is susceptible to the threats that these cybercriminals pose. These online villains typically use phishing scams, spam email or fake websites to deliver dangerous malware to your computer and compromise your computer security. Computer hackers can also try to access your computer and private information directly if you are not protected with a firewall. They may also monitor your chat room conversations or peruse your personal webpage. Usually disguised with a fake identity, online predators can lure you into revealing sensitive personal and financial information, or much worse.

What can they do to me?

While your computer is connected to the internet, the malware a hacker has installed on your PC quietly transmits your personal and financial information without your knowledge or consent. Or, an online crook may pounce on the private information you unwittingly revealed. In either case, they may:

  • Hijack your usernames and passwords
  • Steal your money and open credit card and bank accounts in your name
  • Ruin your credit
  • Request new account Personal Identification Numbers (PINs) or additional credit cards
  • Make purchases
  • Add themselves or an alias that they control as an authorized user so it’s easier to use your credit
  • Obtain cash advances
  • Use and abuse your Social Security number
  • Sell your information to other parties who will use it for illicit or illegal purposes

In addition to the above dangers, an online stalker can pose a serious physical threat. Use extreme caution when agreeing to meet an online “friend” or acquaintance in person.

How will I know?

Check the accuracy of your personal accounts, credit cards and documents. Are there unexplained transactions? Questionable or unauthorized changes? If so, dangerous malware installed by these cyber criminals may already be lurking.

What can I do to protect myself?

When you arm yourself with information and resources, you’re wiser about computer security threats and less vulnerable to threat tactics. Both online predators and hackers pose equally serious but very different threats.

To protect your computer against the former:

  • Continually check the accuracy of personal accounts and deal with any discrepancies right away
  • Use extreme caution when entering chat rooms or posting personal webpages
  • Limit the personal information you post on personal webpages
  • Carefully monitor requests by online “friends” or acquaintances for predatory behavior
  • Keep personal and financial information out of online conversations
  • Use extreme caution when agreeing to meet an online “friend” or acquaintance in person

To protect your computer against the latter:

  • Use a two-way firewall
  • Be diligent about updating your browsers and operating systems
  • Avoid questionable websites
  • Only download software from sites you trust and carefully evaluate free software and file-sharing applications before downloading them
  • Practice safe email protocol
    • Don’t open messages from unknown senders
    • Immediately delete messages you suspect to be spam
  • Make sure that you have the best cybersecurity installed on your computers and mobile devices

An unprotected computer presents an open door for these cyber crooks. Make sure that you’re keeping all your devices protected with security that actually works, preventing attacks and keeping the threats they pose at bay.

The post Computer Hackers and Predators appeared first on Webroot Threat Blog.

What is Anti-Virus Software?

Anti-virus software is a program or set of programs designed to prevent, search for, detect, and remove viruses and other forms of malware such as worms, trojans, adware, and more.

As our world continues to become ever more connected, anti-virus remains critical for users seeking to keep their devices protected. However, it’s vital that the security one chooses is always up-to-date with automatic updates, as a device without proper security software may be infected within minutes of connecting to the internet.

Unfortunately, because today’s threats are so sophisticated and are constantly being updated, traditional cybersecurity companies are incapable of updating their detection tools fast enough to handle many of these threats, particularly the ones that are not yet ‘known’ by the anti-virus software.

Pretty much all of today’s anti-virus solutions offer a host of features and are able to perform the following tasks:

  • Scan specific files or directories for any malware or known malicious patterns
  • Allow you to schedule scans to automatically run for you
  • Allow you to initiate a scan of a specific file or of your computer, or of a CD or flash drive at any time
  • Remove any malicious code detected – sometimes you will be notified of an infection and asked if you want to clean the file, other programs will automatically do this behind the scenes
  • Show you the ‘health’ of your computer

However, while these tactics were enough to keep a device safe two or three years ago, malware has evolved at too rapid a pace for these features to remain the only thing a user needs to stay protected.

Thanks to the influx of more sophisticated phishing attacks and polymorphic malware capable of replicating and altering itself enough to not be caught by ‘traditional’ security solutions, many threats slip by, undetected. Today, an effective security solution is one that can stay ahead of these threats by automatically updating, monitoring unknown files to ensure they’re not making changes to your devices, protecting against phishing attacks and other online threats, and having the ability to roll-back any changes a file makes on a user’s device. In other words, users need to use smarter cybersecurity.

The post What is Anti-Virus Software? appeared first on Webroot Threat Blog.

CryptoMix Ransomware: What You Should Know

CryptoMix has been gaining some traction over the past few months, so it’s a good idea that we provide a rundown of this variant in the ransomware family.

This is ‘barebones ransomware’, so victims aren’t presented with a GUI or a desktop background change. All that is presented is a text file and webpage showing the same text.

[Image: notepad]

This is one of the FEW ransomware variants that doesn’t have a payment portal on the darknet. There is no need to download a Tor browser, as they don’t provide any onion links.

[Image: email back]

With this variant, victims literally have to email and wait around 12 hours for a response and those responses are encrypted and password protected (to protect the bitcoin wallet address the cybercriminals want payment to be made to).

Example response:

[Image: email back]

While CryptoMix isn’t fancy, its price sure is. 5 BTC (Bitcoin) is an insane amount of money (>$3000), and only a few months ago, ransom increases to $700 were all the rage. Also, these criminals even claim that you’ll receive free tech support and that all your ransom money goes to a child charity. Please do not be fooled.

Registry Entries added

» HKLM\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
» HKLM\Software\Microsoft\Cryptography\DESHashSessionKeyBackward
» HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader UpdateSoftWare
» HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Adobe Reader Update32
» HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeFlashPlayerSoftWare
» HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*AdobeFlashPlayers32
» HKCU\Software\Adobe Reader LicensionSoftWare\AdobeFirstVersionSoftWare
» HKCU\Software\Adobe Reader LicensionSoftWare\AdobeLicensionSoftWare
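As an added example (not code from the Webroot post), the following read-only PowerShell check looks for the persistence entries listed above and, where an autorun value points at a file on disk, compares its MD5 against the two sample hashes the post gives. It assumes it is run as the affected user, since the entries live under HKCU, and it only reports, never removes.

```powershell
# Added example, not from the Webroot post: a read-only check for the CryptoMix
# persistence entries listed in the write-up. It reports matches and removes nothing.
# Assumption: it inspects the HKCU hive of the user running it; other users' hives
# must be loaded and inspected separately.

function Find-CryptoMixPersistence {
    # Autorun value names the post lists, grouped by the key they live under.
    $runKeys = @{
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'     = @('Adobe Reader UpdateSoftWare', 'AdobeFlashPlayerSoftWare')
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' = @('*Adobe Reader Update32', '*AdobeFlashPlayers32')
        'HKCU:\Software\Adobe Reader LicensionSoftWare'           = @('AdobeFirstVersionSoftWare', 'AdobeLicensionSoftWare')
    }
    # MD5s of the two samples the post analysed.
    $knownMd5 = @('b778bda5b97228c6e362c9c4ae004a19', 'a0fed8de59e6f6ce77da7788faef5489')

    foreach ($key in $runKeys.Keys) {
        # -LiteralPath: the key and value names contain spaces and '*', which must not be expanded as wildcards.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $runKeys[$key]) {
            # Look the value up by exact name on the returned object.
            $prop = $props.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }

            $finding = [pscustomobject]@{
                Key         = $key
                Name        = $name
                Data        = $prop.Value
                Md5         = $null
                KnownSample = $false
            }
            # Autorun data is usually "C:\path\file.exe" [args]; pull out the executable and hash it.
            $exe = [string]$prop.Value -replace '^\s*"([^"]+)".*$', '$1'
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $finding.Md5         = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash.ToLower()
                $finding.KnownSample = $knownMd5 -contains $finding.Md5
            }
            $finding
        }
    }
}

$hits = @(Find-CryptoMixPersistence)
if ($hits.Count -eq 0) {
    Write-Output 'No CryptoMix persistence entries found in HKCU.'
} else {
    Write-Warning "Found $($hits.Count) possible CryptoMix persistence entries; review before removing anything."
    $hits | Format-Table -AutoSize
}
```

A hit with KnownSample equal to False still deserves attention: a new build of the same family would keep the registry names but carry a different hash.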

MD5 hashes analyzed:

b778bda5b97228c6e362c9c4ae004a19
a0fed8de59e6f6ce77da7788faef5489

Webroot will catch this specific ransomware in real time before any encryption takes place. We’re always on the lookout for more types of threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files (up to ten previous copies). Please see our community post on best practices for securing your environment against encrypting ransomware.


The post CryptoMix Ransomware: What You Should Know appeared first on Webroot Threat Blog.

Cerber Ransomware: The Facts


Cerber is yet another new ransomware family that has been gaining traction over the past couple of months, so we’re providing a breakdown of this variant. First, here is how it looks:

[Image: Cerber desktop background]

Unlike some other ransomware variants, Cerber is certainly not going for aesthetics, and it lacks any type of GUI. It does change your background to an awful pixelated image of static that’s uncomfortable to look at, but that achieves its goal of getting the victim’s attention.

[Image: Cerber ransom text]

The ransom text is quite extensive and attempts to answer as many questions as a victim might have. The end goal is to get the user to follow directions to install the Tor browser so they can access the dark net and pay the ransom in Bitcoin. This is what the ransom portal looks like:

[Image: Cerber payment portal]

This Cerber variant specifically wants 2 BTC, which is a huge sum of money (around $1,300) compared to variants seen in the past. As with older types, there is a ‘late fee’ that doubles the ransom if it isn’t paid within the original time frame. This trend of charging more money appears to be new and is continuing to catch on. Also included with Cerber are “freebies”, meaning you get one free decrypt of a single file. This was introduced by CoinVault in 2014 to great success, so now almost all ransomware types include it.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back, as we save a snapshot history for each of your files (up to ten previous copies). Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 hashes analyzed:

c3cd90c3e406981bece559a43fe64414
383803a90293408e36063809319f5982
065033243f30b1e54241a932c5e706fd

The post Cerber Ransomware: The Facts appeared first on Webroot Threat Blog.

CryptXXX now looking to Neutrino for exploit support


When it comes to drive-by attacks, CryptXXX is king. In fact, out of all the exploit kits dropping payloads on victims, 80% result in CryptXXX. The creators attacked vulnerabilities in Flash Player, Java and Silverlight using the Angler exploit kit, with malvertising helping boost their success. The malware authors were able to generate $3 million per month almost exclusively from ransomware.

But how exactly does malvertising work? In a nutshell, cybercriminals submit booby-trapped advertisements to ad networks for a real-time bidding process. The malicious ads then rotate in with normal ads on legitimate, highly reputable sites. Users visit these sites and click on an infected ad, and an invisible iframe injection redirects them to the exploit landing page, where the payload is dropped. Here’s an example:

[Image: example malvertising redirect chain]

Since Angler was shut down earlier last month, CryptXXX was presumed to have died with it. However, it has taken on new life with the Neutrino exploit kit, and can now also be delivered through exploits against platforms like WordPress. Here’s how this looks:

[Image: CryptXXX delivery via the Neutrino exploit kit]

Once a user is unlucky enough to click an infected ad, a ransomware payload is dropped and they become the victim. Here are the instructions that are presented to victims; pictured below, they are presented in the form of a desktop background:

[Image: CryptXXX ransom instructions shown as the desktop background]

Once a user’s files are encrypted, the steps are the same as with most ransomware: install the Tor browser, then pay the ransom in Bitcoin. This variant specifically asks for only 1.2 BTC ($800), which is the most ‘mild’ demand of recent ransomware variants, but the amount will double after 5 days if the ransom isn’t paid. It is worth noting that other sites have offered free decryptors for this malware, but they seldom last longer than a few days before the malware authors change it up yet again.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new and updated ransomware threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 hashes analyzed:

75EF6891AE7214AD17679CB88DC3B795
7BB58C27B807D0DE43DE40178CA30154
05825F3C10CE814CE5ED4AE8A74E91A2

The post CryptXXX now looking to Neutrino for exploit support appeared first on Webroot Threat Blog.


Threat Recap: Week of July 18th


There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Rio Olympics: A Cyberthreat Goldmine

With the 2016 Olympic games right around the corner, it’s already being anticipated as a highly targeted event for cyber criminals. With lax cyber-crime laws in Brazil coupled with hackers that are well versed in banking data theft, visitors to Rio should be cautious of any suspicious emails they might receive and of the many ATMs and card-reading machines that could contain malware. Additionally, mobile users should be wary of accessing unsecured WiFi networks as there is no way to tell who else may be monitoring the traffic being sent through.

http://www.csoonline.com/article/3098305/security/hackers-are-targeting-the-rio-olympics-so-watch-out-for-these-cyberthreats.html

Pokémon Go Spawn Locations Revealed

In the weeks since Pokémon Go’s release, the game has brought a sweeping wave of change over the world, giving players an incentive to explore the world around them and to interact with others also playing the game. However, some users have taken the hunt for Pokémon a step further by monitoring the data traffic being sent to and from the Pokémon Go servers and producing a Google Maps layout showing all local Pokémon that are currently spawned. While this does breach Niantic’s terms of service, the users in question believe it to be more of a service to other players than a means of personal gain.

http://arstechnica.com/gaming/2016/07/how-hackers-are-revealing-the-hidden-pokemon-go-monsters-all-around-you/

Two-Factor Authenticated Calls Exploited for Major Profits

Many service providers offer VoIP calls, but one researcher found a method to make hundreds of calls to a premium-rate number that he owned, at a profit nearing $750,000, before the process would be terminated. By exploiting this bug in services from Google, Microsoft, and Instagram, the researcher could have turned an annual profit well into the millions. Fortunately, he contacted the bug bounty programs of each company and ensured the vulnerabilities were patched before any attacker exploited them.

http://www.theregister.co.uk/2016/07/18/researcher_hacks_twofactor_flaws/?utm_content=bufferc6697&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Ransomware ‘Customer Service’ Willing to Haggle

Thousands of users become victims of ransomware annually, and while law enforcement agencies argue both for and against paying the ransom, the fact is that the criminals’ customer support has improved immensely. This improvement likely stems from the malware authors knowing they can still make money, even if less than the initial ransom, if they are willing to work with their victims. In a recent study, the ‘customer support’ agents (that is, employed cybercriminals) of 3 out of 5 ransomware variants were willing to negotiate a lower ransom when the victim remained firm against paying a high amount, preferring to get something rather than nothing.

http://www.darkreading.com/attacks-breaches/ransomware-victims-rarely-pay-the-full-ransom-price/d/d-id/1326304?

Oracle Patches Record Number of Bugs

In what might be their biggest patch update ever, Oracle has pushed a critical patch that covers 276 different bugs found across hundreds of their products. Many of the vulnerabilities were remotely exploitable and could have been extremely damaging had they been discovered in the wild. While some of the updates concern applications that are not network connected, Oracle still advises applying the updates quickly to guard against any unauthorized access.

https://www.helpnetsecurity.com/2016/07/20/oracle-squashes-276-bugs/


The post Threat Recap: Week of July 18th appeared first on Webroot Threat Blog.

Threat Recap: Week of July 25th


There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Wireless Keyboards Found To Be Vulnerable To Radio Hack

In a recent study, it was shown that a large number of wireless keyboards use no encryption when sending data to a corresponding computer, leaving the keystrokes of users accessible to anyone with the right equipment. Among the offenders, the biggest vulnerability was a lack of Bluetooth functionality for connecting to the computer. Instead, the keyboards are using more generic methods, which don’t offer the same security measures.

https://www.wired.com/2016/07/radio-hack-steals-keystrokes-millions-wireless-keyboards/

Researchers Net $22,000 From Pornhub’s Bug Bounty Program

The adult site, which averages over 60 million daily views and nearly 4 million registered accounts, is a lucrative target for cyber criminals. With the offer of a large monetary reward, two researchers set out to break into Pornhub’s main site with the goal of performing remote code execution. By exploiting several vulnerabilities in PHP, they gained the capability to dump the entire Pornhub database to a remote server, which earned them the bounties offered by Hackerone and Pornhub itself.

http://www.infosecurity-magazine.com/news/pornhub-hacked-to-access-billions/

CryptXXX Thriving With Neutrino Exploit Kit

After the widely used Angler exploit kit died off back in June, many believed that CryptXXX would also see a decline in use (as it relied on Angler), though the opposite has come to be true. By switching to the Neutrino exploit kit, CryptXXX has been able to extend its reach even further to include WordPress exploitation as well as the typical Flash Player and Java vulnerabilities. After the infected link is clicked, the ransomware payload is dropped and a ransom note with payment instructions is displayed to the user, along with a warning that the ransom amount will double after 5 days.

https://www.webroot.com/blog/2016/07/22/cryptxxx-utilizes-new-exploit-kit/

Windows 10 Vulnerability Allows for Bypass of User Account Control

Recently, researchers discovered a method for loading malicious DLLs on a Windows 10 machine while bypassing the User Account Control pop-up that warns about elevated privilege access. By replacing one of the DLLs launched by the ‘diskcleanup’ application with a malicious version of the same name, the malicious code was executed with administrator privileges, and no user input or verification was needed.

https://www.helpnetsecurity.com/2016/07/26/user-account-control-bypass/

Turkish Gas Provider Targeted by Anonymous

In their latest hacktivist attack, OpTurkey, Anonymous has taken aim at a Turkish gas company’s website in protest of local government officials’ activities as well as their relationship with the company’s top executives. The attackers were able to access the personal and financial records of nearly 500 individuals, the contents of which were subsequently posted online.

http://www.scmagazineuk.com/anonymous-breaches-turkish-natural-gas-company/article/512101/

The post Threat Recap: Week of July 25th appeared first on Webroot Threat Blog.

Chimera Keys Leaked From Rival Ransomware Author


Encrypting ransomware is so popular now that competitors will sabotage one another to get the upper hand. This is refreshing for victims, however, as they reap the benefit of these potential clashes between cybercriminals. ‘Chimera Ransomware’ has just had its keys leaked to the public, which is fantastic news for anyone who has been a victim of this ransomware.

Chimera Ransomware

@JanusSecretary (presumed author of Mischa and Petya) was quick to tweet the news:

[Image: @JanusSecretary tweet announcing the leak]

The keys are linked here as a zip of a text file containing over 3,500 keys. Below is a summary of the leak, in which it is explained that Mischa used Chimera source code. While the authors of Mischa and Chimera are not affiliated, the Mischa authors did get access to large parts of Chimera’s development system.

[Image: pastebin summary of the Chimera key leak]

This allowed access to the decryption keys that have now been released. With these keys public, it shouldn’t be too long before a decryption tool is created for all the victims of Chimera.

Also included is a shameless plug for his RaaS (Ransomware As A Service) portal, where anyone can create new ransomware payloads.

[Image: the RaaS portal]

For any ransoms that result in payment, Janus takes a cut scaled to how successful the ransoms are. For a complete rundown on RaaS variants, check out our blogs on the Ransom32 and Encryptor RaaS samples.

The post Chimera Keys Leaked From Rival Ransomware Author appeared first on Webroot Threat Blog.

Threat Recap: Week of August 1st


There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Banner Health Warns Patients Over Cyber Attack

Recently, Banner Health has begun notifying nearly 4 million of its patients about a possible data breach that occurred around the start of July. Along with patient information, the credit card processing systems were affected at refreshment outlets located in three Tucson facilities. Officials claim that not all of their 29 locations were targeted, however. Patients of the affected sites are being notified by mail.

http://tucson.com/news/local/banner-health-notifying-million-people-of-cyber-attack/article_81861b1e-59b9-11e6-87fe-b3263dd6bd7d.html

Apple Uses Bug Patch To Cease Jailbreaking of iOS

With the most recent update of iOS (9.3.4), Apple resolved a vulnerability that could allow for unauthorized code execution. The bug was found by Team Pangu, a prominent figure in the jailbreaking community. The patch also means that current jailbreaking tools may no longer work in the new version of iOS, but this likely won’t slow down the developers that are updating their jailbreaking tools just as quickly.

http://arstechnica.com/apple/2016/08/apple-thwarts-jailbreakers-with-ios-9-3-4-update/

iPhone Phishing Emails Getting More Convincing

Attempts at email phishing are starting to look ever more convincing, and Apple users are the latest target. Recently, users have been seeing email order confirmations for new iPhones, but with incorrect shipping addresses and accompanied with a single clickable link for those wanting to ‘claim’ they didn’t authorize the purchase. By simply using a fake shipping address, many victims would likely look past the rest of the email in an effort to stop the transaction from occurring. Unfortunately for those who click the hyperlink, they are brought to a fake Apple Login page that requests payment information to “cancel” the order.

https://www.helpnetsecurity.com/2016/08/05/fake-iphone-order-dispatch/

Iris Scanning For Mobile Hits The Market

Samsung has recently announced its new Galaxy Note 7, which has a feature that is meant to replace passwords for mobile devices and PCs in the near future: iris scanning. With a simple infrared scanner located on the front of the device, users are able to scan their way into accessing their Galaxy phones. While Samsung is not the first company to offer iris scanning, it is projected to be soon available from other manufacturers, including Microsoft who will be looking to use it with their Windows 10 operating system.

http://www.csoonline.com/article/3103516/security/kill-a-smartphone-password-with-a-scan-of-your-eye.html

Brazilians Target of Latest Zeus Variant

With the Rio 2016 Olympic games a mere day away, more bad news is plaguing Brazilians and visitors alike. A recent variant of the Zeus Trojan, labeled Panda Banker, has its sights set on many of the largest Brazilian banks and other local services. Like many other trojans, this particular variant is spread through spam email and exploit kits, but it operates through real-time account takeover, holding the victim in a loop of pop-up windows while the account is compromised.

https://www.helpnetsecurity.com/2016/08/05/zeus-panda-steals-everything/

The post Threat Recap: Week of August 1st appeared first on Webroot Threat Blog.

Ransomware for Thermostats


We all know that Internet of Things (IoT) is the future and that everything from your refrigerator to your toaster may eventually connect to the internet. With that being the case, it’s important to remember that these connected devices need to be designed with security in mind. On Saturday at the Def Con hacking conference in Las Vegas, Andrew Tierney and Ken Munro showcased a ‘smart’ thermostat hack, in which they were able to install encrypting ransomware onto the device, fortunately just as a proof of concept. Check it out:

[Image: the hacked thermostat displaying the ransom screen]

The hacked thermostat (displayed in the screenshot above) runs a Linux operating system and has an SD card slot for owners to load custom settings and wallpapers. The researchers found that the thermostat didn’t check what files were being loaded or executed. Theoretically, this would allow attackers to hide malware in a file that looks just like a picture and fool users into transferring it onto their thermostat, where it would then run automatically. At that point, the attackers would have full control of the device and could lock the owner out. “It actually works, it locks the thermostat,” Munro said. This bears out the predictions of others in the security industry.

[Image: tweet about the thermostat hack]

Despite the above tweet, Tierney and Munro declined to confirm the brand of the particular thermostat they hacked. Because this test was so new, the researchers had not yet disclosed the vulnerability to the manufacturer at the time it was showcased, but the plan is to disclose the bug today. They also said that the fix should be easy to deploy. While this ransomware isn’t an immediate threat to anyone using smart devices in their homes today, the point has been proven that it’s very possible to create ransomware for these new and emerging IoT devices. “You’re not just buying [Internet of Things] gear,” Tierney warned, “You’re inviting people on your network and you have no idea what these things do.”

The post Ransomware for Thermostats appeared first on Webroot Threat Blog.
