Category Archives: Internet crime

What is a DoS attack?

A Denial of Service (DoS) attack is a type of cyber attack in which the attacker attempts to make a network resource or website unavailable to users by overwhelming it with a flood of traffic or requests. This can be accomplished by using multiple computers or devices to send a large amount of traffic to the targeted resource, or by exploiting vulnerabilities in the software or hardware running the resource. The goal of a DoS attack is to disrupt normal traffic and make the targeted resource unavailable to legitimate users.

(Ed: written by ChatGPT; verified by jrivett.)

What is a computer trojan?

A Trojan, or Trojan horse, is a type of malware that is disguised as legitimate software. It is called a Trojan because it typically presents itself as something harmless, like a game or utility program, but once executed, it can perform malicious actions on the infected computer. These actions can include stealing sensitive information, downloading and installing other malware, or allowing unauthorized remote access to the computer. Trojans are often distributed through email attachments, instant messaging, and social media, and they can be very difficult to detect and remove.

(Editor’s note: I’m going to keep posting these definitions as long as ChatGPT is able to generate accurate and useful text. I have no plans to allow ChatGPT to take over all of my writing duties.)

What is ransomware?

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. When the ransomware is installed on a device, it encrypts the files on the device and displays a message that demands payment in exchange for the decryption key that is needed to unlock the files. Ransomware attacks can be particularly damaging to individuals and businesses because they can disrupt access to important data and systems, and they can be costly to remedy. It is important to protect your devices and systems from ransomware by keeping your software and antivirus programs up to date and being careful about the emails and links that you open.

(Editor’s note: in case you hadn’t noticed, this is another guest post from ChatGPT. I’m going to keep posting these, but they will always be clearly labeled as ChatGPT’s work. You can play around with the chatbot yourself, but you’ll need to create an OpenAI account first.)

What is phishing?

Phishing is a type of cyber attack that involves the use of fraudulent emails or websites that appear to be legitimate in order to trick people into revealing sensitive information such as passwords, credit card numbers, and account login details. These attacks often use social engineering techniques to manipulate people into taking action, such as clicking on a malicious link or opening an attachment. Phishing attacks can be difficult to identify because they are designed to look legitimate and can be highly targeted, making them a common and effective method used by cybercriminals to steal sensitive information.

(Editor’s note: This is a guest post by ChatGPT, a chatbot launched by OpenAI in November 2022. I asked it the question “What is phishing?”, and it generated the text above. I verified the response as accurate.)

Also see Phishing – What is it? on the Opera web site. Ars Technica has a post about a particularly nasty phishing web site.

Fake malware warning scams

A recent example of a full-screen browser window that appears to be a serious malware alert.

Web sites that make their money from advertising usually subscribe to one or more advertising providers, such as Google Adsense. There are many others, including some that push ads that are really just scams.

One popular type of scam ad takes the form of a malware warning, presented to the unsuspecting user in a full-screen web page that seems to lock out the user completely. The example above (provided recently by a client) appears to be from Microsoft, generated by Windows anti-malware software, and it includes what is supposedly a Microsoft phone number.

In reality, this is just a web page, generated by Javascript from an advertisement on a shady web site. The full screen effect is produced by your web browser’s built-in full-screen view feature, triggered by the ad. These messages are not reporting the presence of malware; they are intended to scare you into calling a phone number. Messages of this type are categorized as ‘scareware‘.

A Google search for the phone number in the example above shows that it’s definitely associated with support scams.

These fake alerts vary in appearance and quality. Some are more convincing than others. Many are based on real malware warnings. You can see other examples by searching Google Images for ‘fake malware warning’.

It’s important to understand that legitimate anti-malware software won’t ‘lock’ your computer when it detects malware, and it won’t insist that you call a phone number.

If you see one of these scary-looking screens, don’t panic. Obviously, don’t call the phone number shown on the screen. Nothing good will come from that. Try pressing the F11 key on your keyboard. This is the near-universal key that toggles full screen view in web browsers. If it is just a web page, pressing F11 will reveal your web browser’s user interface, and you should regain your bearings immediately. Close the tab, and/or close the browser.

Also, please reconsider visting any web site that’s operated by people who care so little for visitors that they are willing to inflict this kind of dangerous garbage on them, albeit indirectly.

More useful information about this from the Safety Detectives site.

Blocking IP ranges at the router

I’m sure that Russia is a wonderful place, and I’m sure that the vast majority of people there are lovely, and have no interest in harming anyone.

Sadly, from the perspective of a server operator, it sometimes feels that nothing good ever comes from Russia.

Being the diligent server operator that I (hopefully) am, I monitor things pretty closely. That includes network traffic coming from the Internet. Over the years, I’ve noticed that a huge proportion of the probes, DDoS attacks, spam, phishing, and hack attempts against my network come from IP addresses in Russia.

It’s gotten to the point where I am now actively blocking huge swathes of Internet addresses (IPs) that originate in Russia and neighbouring countries like the Ukraine.

Blocking those nasty IPs

I run a Linux web server, as well as several Internet-enabled services, at my home office. All of the communications between my server and the Internet pass through a router, making it the ideal place to block unwanted traffic for my entire network, which includes media computers, development systems, and the Windows computer on which I’m writing this.

I’m using a commercial router, but I’ve replaced the original firmware with Advanced Tomato. Doing this provides many benefits, including making it easier to manage the router’s firewall, IPTABLES. Here’s a typical IPTABLES command to block an IP address from the router’s Linux command line:
iptables -I FORWARD -s 185.219.52.90 -j DROP

The DROP directive tells the router to unceremoniously drop any traffic from the specified IP, without logging this action. Traffic can also be logged when it’s dropped, but excessive logging can cause performance problems and fill up logs with junk, so I just drop this traffic.

I issue commands like the one above at my router’s command line to block the traffic immediately, and then I update the router’s startup firewall script with the same command, so that it persists after the next router restart.

So there’s this one guy

There’s been one particularly persistent attacker in the last year or so. This person wants desperately to gain access to one of my Internet-accessible services, but he’s not particularly intelligent, because he keeps trying the same things over and over, in rapid succession. So much so, that at times the traffic he generates comes within shouting distance of a DDoS attack.

I started paying particular attention to traffic associated with a series of ports that are used by the service, and blocking the IP addresses at the other end of that traffic. Whereupon we embarked upon a long game of whac-a-mole, in which I blocked an IP or IP range, and the attacker moved to another host or VPN provider and resumed his attacks from there. It seems clear that this was all being done by one attacker, based on his quick reactions to my blocking.

This went on for several months, but now he appears to have given up. Or at least he’s moved on to other methods.

In the process of blocking all these IPs and networks, the attacker has also helpfully provided me with a list of VPN providers that should be blocked by, well, everyone. Everyone who doesn’t specifically need to allow them.

IP addresses and ranges I’m blocking

Almost all of these IPs and IP ranges are in Russia and the Ukraine. A few are elsewhere in Asia. Most of the ranges are VPN providers.
103.48.51.116
104.129.18.0/23
104.237.192.0/19
104.237.203.0/24
141.98.10.0/24
173.244.208.60
176.67.85.0/24
185.156.72.0/24
185.156.74.0/24
185.193.88.0/24
185.217.69.157
185.219.52.112
185.219.52.90
185.219.52.91
193.106.191.25
193.106.191.35
193.106.191.41
193.32.164.85
193.93.62.0/24
195.54.160.27
198.8.81.220
216.131.114.0/24
216.131.116.0/23
216.131.68.0/24
216.131.88.0/23
217.138.255.202
31.43.185.29
31.43.185.9
37.120.218.0/24
45.134.26.0/24
45.143.203.121
45.145.64.0/23
45.145.65.11
45.146.164.0/23
45.146.166.0/23
45.155.204.0/24
45.155.205.0/24
45.227.253.0/24
45.9.20.0/24
5.188.206.230
71.19.251.0/24
76.180.16.74
77.243.191.120
77.83.36.0/24
78.128.112.18
82.145.32.0/19
84.17.41.141
84.17.41.151
87.251.75.0/24
89.187.182.87
89.187.183.76
91.191.209.110
92.204.240.75
92.255.85.0/24
94.232.40.0/21
98.175.213.148

Here are a few other ranges I’m blocking for various reasons:

  • Hungarian ISP MAGYAR-TELEKOM-MAIN-AS IP range (unceasing garbage): 94.27.128.0/17
  • MediaLand BPH IP range (generally just horrible): 45.141.84.0/24
  • EE-GIGAHOSTINGSERVICES (constant email relay attempts): 176.111.173.0/24

Pegasus spyware

Pegasus is spyware that can be installed on Apple and Android mobile systems. It’s difficult to detect, and difficult to remove. Pegasus is developed by NSO Group, who deny that the software is being used for anything nefarious, or that if it is, that use has nothing to do with NSO Group.

The methods used to install Pegasus on mobile devices have changed over the years. It can be installed directly, with physical access to the target device, which is presumably how it ends up on devices legitimately. Pegasus can also be installed more surreptitiously. Previously, that involved inviting the user to click a link in an email or SMS message. More recently, it’s being installed using app and O/S exploits that require no interaction from the user, including a very nasty exploit for WhatsApp.

Pegasus is not a virus. It does not spread on its own. Further, it’s important to distinguish between Pegasus and the methods used to install it. Pegasus does not typically arrive on a device at random. Devices are specifically targeted, and those targets are often used by journalists, suspected terrorists, and other people whose activities are tracked by government agencies and criminal organizations.

The main problem here is not Pegasus, but the way security vulnerabilities are discovered and — more importantly — how information about vulnerabilities is disseminated. Unfortunately, some organizations perform this research not for the public good, but for themselves and their partners, legitimate and otherwise. In an ideal world, when a vulnerability is discovered, the vendor is informed privately and then proceeds to develop and release a fix. In reality, vulnerabilities and exploits are often hoarded.

Advice to anyone who operates a mobile device and wants to reduce the likelihood of Pegasus or other unwanted software being installed without their knowledge: stay informed regarding security vulnerabilities in your device’s O/S and any apps you run. When you learn about a zero-click exploit, immediately install a fix if one is available, or uninstall the affected app. If it’s an unpatched O/S vulnerability, all you can do is hope that you’re not being targeted.

Related

Canada Revenue Agency hacked; shuts down online services

Canadians: if you’ve tried to access your CRA accounts recently, you probably noticed that you can no longer log in. That’s because normal access has been disabled while the CRA works to undo the damage caused by two recent attacks on their services.

The CRA systems were penetrated by persons unknown over the past two weeks. According to the CRA, the breaches have been contained, but the My Account, My Business Account and Represent a Client services have been disabled as a precaution.

Several thousand user accounts have been compromised. Starting in early August, unusual and unauthorized access to accounts was noticed by the account holders and reported to the CRA. In some cases, email, banking, and other account details were changed by the attackers. Fraudulent CERB payments were also issued.

Access to the compromised accounts was apparently gained via ‘credential stuffing’, which is based on the sadly-still-true fact that many people continue to use specific passwords on multiple systems. To be clear: if nobody ever did that, this type of attack would never be successful.

“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” according to a statement from the CRA.

The CRA is in the process of alerting people whose accounts were compromised.

COVID-19 scams are everywhere

Major events are viewed as opportunities by scammers worldwide. Same as it ever was. These days, the scammer’s tools of choice involve computers, because the potential victim pool is far beyond any alternative.

In keeping with this sad reality, COVID-19 scams are showing up everywhere on the web, and in our email inboxes.

Please exercise caution when you receive email or visit web sites that advertise cures, or entice you to click links or open attachments claiming to provide COVID-19/Coronavirus help.

If you’re looking for legitimate information about COVID-19, visit the web sites of major health organizations and local governments.

In Canada, visit the federal government’s COVID-19 page.

In the USA, try the web site for the Centers for Disease Control and Prevention.

For a global overview of the spread of COVID-19, see the frequently updated map of Coronavirus COVID-19 Global Cases by the Center for Systems Science and Engineering (CSSE) at Johns Hopkins University (JHU).

Ars Technica has more information about this.

LifeLabs hacked; patient data compromised

Some security breaches are worse than others. If your bank suffers a breach, the potential for damage is enormous, because banks necessarily store a lot of critical information about you and your money.

Almost as bad are breaches of health-related services, because those systems may store extremely private information about you and your medical history.

Which makes the recently-announced breach of Canada’s LifeLabs (PDF) very disturbing.

The Ars Technica story about this provides a helpful summary of what happened, although it starts out by saying that LifeLabs “paid hackers an undisclosed amount for the return of personal data they stole”. Data can be copied, and when someone copies data to which they have no legal access, it’s a crime. But the idea that data can be ‘returned’ is bizarre.

It’s more likely that LifeLabs was the victim of a ransomware attack, in which data is encrypted by attackers, rendering the data useless until a ransom is paid and the data decrypted by the attackers.

However, it’s also possible that the attackers copied the data to their own systems before encrypting it, with the aim of selling that extremely valuable data, containing names, addresses, email addresses, customer login IDs and passwords, health card numbers, and lab tests. So far, there’s no evidence that the data has made its way to any of the usual dark web markets for such data, but there’s no way to be sure that won’t happen.

Charles Brown, President and CEO of LifeLabs, posted An Open Letter to LifeLabs Customers on December 17, in which he discloses the breach and apologizes to customers. While it’s good to see the company take responsibility, an apology is hardly sufficient. Even the offer of “one free year of protection that includes dark web monitoring and identity theft insurance” seems unlikely to satisfy affected customers. There’s at least one petition in the works, “calling on Parliament’s Standing Committee on Access to Information, Privacy and Ethics (ETHI) to investigate LifeLabs, and put forward recommendations to ensure this doesn’t happen again.”

In British Columbia, users access their LifeLabs test results online using a service called eHealth. It’s not clear whether LifeLabs’ relationship with eHealth is in any way related to this breach. At this point it appears that it makes no difference whether you signed up to access your test results using eHealth. In other words, changing your eHealth password, while advisable, seems unlikely to mitigate the potential damage.

However, as usual in the case of any breach, you should review your passwords, and if you’ve used your LifeLabs or eHealth password for any other site or service, change those passwords to something unique. Do it now.