All posts
Forgotten, infected websites can haunt users with malware.
Last night, I received a malicious email. The problem is, it was sent to an account I use to register for websites and nothing else.
Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.
Continue reading “Infected websites, back from the dead”All posts
No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why spammers fail so often.
Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well though-out campaign, it shines like a jewel in a sea of criminal mediocrity.
To the average spammer, however, it’s all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.
This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we’re massively overestimating the amount of effort and intelligence invested by spammers.
With that in mind, what follows is a short list of 17 mistakes I routinely see spammers make. All of them immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then the size yet lack of sophistication of the problem should become apparent.
This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it’ll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.
Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.
Generic companies are rare but I do occasionally see them. Who is “the other financial institution” and why has it refused my transaction? Vague, instantiated company names like this, with an accompanying attachment, are clear indicators of spam.
This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.
Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (i.e.: “Dear fred.smith”). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.
Sending an email with a tantalizing subject header such as “Overdue – Please Respond!” but no body text explaining what or why it’s overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.
Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.
This is a great example of a spammer trying to distance himself from his crime. “PayPal has detected an anomaly in your account” and “they require you to log in to verify your account” just look weird in the context of a security challenge. This is supposed to be from PayPal, isn’t it?
I’m fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they’re blind drunk. Random punctuation marks and extra characters that look like they’ve been hit at the same time as the correct ones don’t make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.
Using “informations” instead of “information” is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as “we detect a problem” instead of “we detected a problem” also stick out a mile as being from spammers.
Many spam emails stand out as somehow “wrong” because they miss out the definite article. One recent example I saw read: “Access is blocked because we detect credit card linked to your PayPal account has expired.” An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.
“Please review the document and revert back to us immediately”. Revert? Really? Surely, you mean “get back”, not “revert back”. It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.
Unusually capitalised phrases such as “You must update Your details to prevent Your Account from being Suspended” look weird. Initial capitalisation isn’t used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.
“It is extremely mandatory that you respond immediately”. Not just mandatory but extremely mandatory? Wow, I’d better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.
Using grand words where normal ones should appear to make a message sound more authoritative are a dead giveaway. Here’s an example from last September when a gang famously tried to distribute malware on the back of a new media player release: “To solemnise the release of our new software”. Solemnise means to mark with a formal ceremony.
What they really meant was: “To mark the release of our new software”. The whole message was also riddled with the most outrageous auto-translate errors that it made difficult reading.
Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn’t he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash. Spammers would, though.
If the collar doesn’t match the cuffs, it’s a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.
All posts
… and how do we know it works?
What’s the difference between artificial intelligence and machine learning? Put simply, artificial intelligence is the area of study dedicated to making machines solve problems that humans find easy, but digital computers find hard. Examples include driving cars, playing chess or recognising sarcasm.
Continue reading “What is Machine Learning?”All posts
Uncover dodgy and malicious connections on your network with this handy, free utility.
If you’ve ever downloaded an unknown executable or suspect something may have subverted your defences, you need to know of any malicious connections.
Written and maintained by Nir Sofer, CurrPorts gives you a clear, interactive view of all TCP and UDP connections being made by your Windows computer.
Continue reading “Malicious Connections monitoring with CurrPorts”All posts
IoT security is a mess, but who’s to blame? The tech industry must improve security for the internet of things.
The internet of things is quickly becoming every cybercriminal’s wet dream, especially given the release of the Mirai botnet source code. The cause is shockingly insecure devices, but can shaming manufacturers avert the coming chaos?
Continue reading “Security for the internet of things”All posts
If you search for the phrase “very sophisticated hack” and do a little digging, you’ll soon discover that what are initially claimed to be diabolical plots by fiendish cybercriminals often turn out to be nothing more than incompetence or naivety on the part of the victims. They only appear sophisticated to the average Joe.
Banks, casinos, hospitals, health insurers, dating sites, even telecoms providers have all fallen in the past year. Digging reveals SQL injections (I’m looking at you, TalkTalk) to second hand switches with no firewalls protecting the SWIFT network in Bangladesh.
While these issues are bread and butter to security testing and code review companies, there is one piece of the IT security puzzle that can never be truly secured, no matter how hard you try. It weighs about 1.3Kg (about 3lbs in old money) and it sits in front of every endpoint, every BYOD, every spam email, everything, wondering whether to click that link, install that program, insert the flash drive it found, or type in its credentials.
It’s been said that your brain starts working the moment you wake, and doesn’t stop until you get to work. Many incidents reported as “sophisticated” confirm this truism, along with the one about not being able to make anything idiot proof because idiots are so ingenious. Fooling someone into doing or telling you something they shouldn’t is the oldest hack in the book, but it’s no less potent for its age. For that reason, the unwitting symbiosis of naive user and cybercriminal is virtually unbeatable.
Part of my work involves maintaining the company spam honeypot network. By the time you’ve seen your 100th identical, badly-spelt phishing email whizz by in the logs, you can’t believe anyone would fall for them. But they do, especially spear phishing attacks. There’s a ransomware epidemic, and it’s making millions a day.
I’m left concluding that people don’t approach their inboxes with a high enough degree of
cynicism. Would HR really summon you to a disciplinary meeting by sending you an email demanding you click a link to an external web site and enter your corporate username and password to prove it’s you?
Like suspiciously quiet toddlers, the human element will always be the unpredictable elephant in the cybersecurity room. At SE Labs, we test the endpoint protection that keeps users safe from themselves. To do so, we use fresh threats caught painstakingly in the wild on a daily basis. We can always help build better protection, but cybercriminals will always strive to make better toddlers out of users.
But users are not toddlers; they’re responsible, busy adults. To them, cybersecurity is just a very dull art practised by dull people in IT, and their equally friends who come in with laptops every so often to check everything.
This point leads me to one final truism: get them laughing, get them learning. All the user security training in the world will fail to change behaviours if it’s dull. People best remember what they enjoy. Make cyber security fun for users, and you may just get them to apply a healthy dose of cynicism to their inboxes.
All posts
Back in the salad days of early summer, JavaScript was usually employed to download ransomware payloads. Now, however, JavaScript is the ransomware.
The reason is the direct nature of the attack. There’s no connection to a suspicious subdomain, no payload to download and no relying on the user to run a suspicious “upgrade“ to a Windows component.
Simply open the email attachment promising unexpected riches and, to misquote the 1980s game Zero Wing, “All your file are belong to us“.
All posts
How can we spread the word to users and stop the spread of ransomware?
According to a recent Herjavec Group report, profits from ransomware will spiral this year to over $1bn, and next year will see further explosive growth. The main vector for ransomware is always email. The reason is simple: Ignorance of the risks equals fat profits. It’s that obvious. The solution is to stop users clicking dodgy attachments, but how?
For the seeds of a possible answer, cast your mind back in the mid-1980s. As the AIDS epidemic hit the UK, the government’s response was a huge public awareness campaign. Everyone who was around at the time remembers “AIDS: Don’t Die of Ignorance“. There were TV and radio adverts, cinema and press adverts, and every home received a frank leaflet explaining everything. Cool new condom brands popped up almost overnight (pun intended). OK, since then, infection rates have risen, but the point is it seemed to help at the time, as the sharp dip in infection rates around that time implies.
Back to 2016, and according to Get Safe Online in the year to March cybercrime cost UK businesses over £1bn. The total figure will be much higher in the coming year due to ransomware. A recent Malwarebytes report claims that over half of all UK businesses have already been hit by ransomware. 9% were completely unable to function after the attack. Only 40% of those affected didn’t pay the ransom, so a whopping 60% decided to cough up.
If this is blindingly obvious to the cybersecurity industry, and to the pundits surrounding it, it should be equally apparent to the UK government and its advisors. But where are the hard-hitting TV and adverts and the leaflet campaigns aimed at the end user? After all, it’s the end user putting themselves and the companies they work for at risk.
Ransomware awareness campaigns are happening, but they can be limited in scope. They tend to be targeted at individual sectors, and at C-level executives, rather than end users. Until public awareness changes fundamentally, ransomware will charge ahead at full speed, and so will the otherwise avoidable financial losses.
If this is a war, then the sky is black with metaphorical bombers. Can you imagine the outcry if, during WWII in Britain, people were unaware that they should not open their blackout curtains to look at the planes going over? Equate this to opening dodgy attachments to see what they are, and you begin to see the scale and seriousness of the problem.
All posts
Ransomware is a nasty category of attack that we’ve seen dominating the so-called ‘threat landscape’ in recent months. It can affect every type of computer user including home users, small businesses and even extremely large enterprises.
Anyone who stores valuable data on a computer is at risk of this digital extortion racket, which encrypts data files and offers the key to recovery for a hefty price.
Continue reading “Anti-malware vs. ransomware: latest reports”All posts
Ransomware is a serious problem but protecting your data can be simple and inexpensive – if you choose your cloud storage provider carefully…
I know, I know. You were tired at the time and not really concentrating. You double-clicked an infected attachment and the world suddenly became a very hostile place.
Your files might as well be in Swahili. A ransom note, with a grasp of English you’d normally find endearing, is mocking you for your bad luck. If you don’t figure out what a Bitcoin is, and how to send one to a person whom you’d very much like to die a slow and painful death, you’ll lose everything forever. Or will you?
Give us a few details about yourself and describe your inquiry. We will get back to you as soon as possible.
info@selabs.uk
Connect with us
Find us
