Category Archives: Internet crime

Fake malware warning scams

A recent example of a full-screen browser window that appears to be a serious malware alert.

Web sites that make their money from advertising usually subscribe to one or more advertising providers, such as Google Adsense. There are many others, including some that push ads that are really just scams.

One popular type of scam ad takes the form of a malware warning, presented to the unsuspecting user in a full-screen web page that seems to lock out the user completely. The example above (provided recently by a client) appears to be from Microsoft, generated by Windows anti-malware software, and it includes what is supposedly a Microsoft phone number.

In reality, this is just a web page, generated by Javascript from an advertisement on a shady web site. The full screen effect is produced by your web browser’s built-in full-screen view feature, triggered by the ad. These messages are not reporting the presence of malware; they are intended to scare you into calling a phone number. Messages of this type are categorized as ‘scareware‘.

A Google search for the phone number in the example above shows that it’s definitely associated with support scams.

These fake alerts vary in appearance and quality. Some are more convincing than others. Many are based on real malware warnings. You can see other examples by searching Google Images for ‘fake malware warning’.

It’s important to understand that legitimate anti-malware software won’t ‘lock’ your computer when it detects malware, and it won’t insist that you call a phone number.

If you see one of these scary-looking screens, don’t panic. Obviously, don’t call the phone number shown on the screen. Nothing good will come from that. Try pressing the F11 key on your keyboard. This is the near-universal key that toggles full screen view in web browsers. If it is just a web page, pressing F11 will reveal your web browser’s user interface, and you should regain your bearings immediately. Close the tab, and/or close the browser.

Also, please reconsider visting any web site that’s operated by people who care so little for visitors that they are willing to inflict this kind of dangerous garbage on them, albeit indirectly.

More useful information about this from the Safety Detectives site.

Blocking IP ranges at the router

I’m sure that Russia is a wonderful place, and I’m sure that the vast majority of people there are lovely, and have no interest in harming anyone.

Sadly, from the perspective of a server operator, it sometimes feels that nothing good ever comes from Russia.

Being the diligent server operator that I (hopefully) am, I monitor things pretty closely. That includes network traffic coming from the Internet. Over the years, I’ve noticed that a huge proportion of the probes, DDoS attacks, spam, phishing, and hack attempts against my network come from IP addresses in Russia.

It’s gotten to the point where I am now actively blocking huge swathes of Internet addresses (IPs) that originate in Russia and neighbouring countries like the Ukraine.

Blocking those nasty IPs

I run a Linux web server, as well as several Internet-enabled services, at my home office. All of the communications between my server and the Internet pass through a router, making it the ideal place to block unwanted traffic for my entire network, which includes media computers, development systems, and the Windows computer on which I’m writing this.

I’m using a commercial router, but I’ve replaced the original firmware with Advanced Tomato. Doing this provides many benefits, including making it easier to manage the router’s firewall, IPTABLES. Here’s a typical IPTABLES command to block an IP address from the router’s Linux command line:
iptables -I FORWARD -s 185.219.52.90 -j DROP

The DROP directive tells the router to unceremoniously drop any traffic from the specified IP, without logging this action. Traffic can also be logged when it’s dropped, but excessive logging can cause performance problems and fill up logs with junk, so I just drop this traffic.

I issue commands like the one above at my router’s command line to block the traffic immediately, and then I update the router’s startup firewall script with the same command, so that it persists after the next router restart.

So there’s this one guy

There’s been one particularly persistent attacker in the last year or so. This person wants desperately to gain access to one of my Internet-accessible services, but he’s not particularly intelligent, because he keeps trying the same things over and over, in rapid succession. So much so, that at times the traffic he generates comes within shouting distance of a DDoS attack.

I started paying particular attention to traffic associated with a series of ports that are used by the service, and blocking the IP addresses at the other end of that traffic. Whereupon we embarked upon a long game of whac-a-mole, in which I blocked an IP or IP range, and the attacker moved to another host or VPN provider and resumed his attacks from there. It seems clear that this was all being done by one attacker, based on his quick reactions to my blocking.

This went on for several months, but now he appears to have given up. Or at least he’s moved on to other methods.

In the process of blocking all these IPs and networks, the attacker has also helpfully provided me with a list of VPN providers that should be blocked by, well, everyone. Everyone who doesn’t specifically need to allow them.

IP addresses and ranges I’m blocking

Almost all of these IPs and IP ranges are in Russia and the Ukraine. A few are elsewhere in Asia. Most of the ranges are VPN providers.
103.48.51.116
104.129.18.0/23
104.237.192.0/19
104.237.203.0/24
141.98.10.0/24
173.244.208.60
176.67.85.0/24
185.156.72.0/24
185.156.74.0/24
185.193.88.0/24
185.217.69.157
185.219.52.112
185.219.52.90
185.219.52.91
193.106.191.25
193.106.191.35
193.106.191.41
193.32.164.85
193.93.62.0/24
195.54.160.27
198.8.81.220
216.131.114.0/24
216.131.116.0/23
216.131.68.0/24
216.131.88.0/23
217.138.255.202
31.43.185.29
31.43.185.9
37.120.218.0/24
45.134.26.0/24
45.143.203.121
45.145.64.0/23
45.145.65.11
45.146.164.0/23
45.146.166.0/23
45.155.204.0/24
45.155.205.0/24
45.227.253.0/24
45.9.20.0/24
5.188.206.230
71.19.251.0/24
76.180.16.74
77.243.191.120
77.83.36.0/24
78.128.112.18
82.145.32.0/19
84.17.41.141
84.17.41.151
87.251.75.0/24
89.187.182.87
89.187.183.76
91.191.209.110
92.204.240.75
92.255.85.0/24
94.232.40.0/21
98.175.213.148

Here are a few other ranges I’m blocking for various reasons:

  • Hungarian ISP MAGYAR-TELEKOM-MAIN-AS IP range (unceasing garbage): 94.27.128.0/17
  • MediaLand BPH IP range (generally just horrible): 45.141.84.0/24
  • EE-GIGAHOSTINGSERVICES (constant email relay attempts): 176.111.173.0/24

Pegasus spyware

Pegasus is spyware that can be installed on Apple and Android mobile systems. It’s difficult to detect, and difficult to remove. Pegasus is developed by NSO Group, who deny that the software is being used for anything nefarious, or that if it is, that use has nothing to do with NSO Group.

The methods used to install Pegasus on mobile devices have changed over the years. It can be installed directly, with physical access to the target device, which is presumably how it ends up on devices legitimately. Pegasus can also be installed more surreptitiously. Previously, that involved inviting the user to click a link in an email or SMS message. More recently, it’s being installed using app and O/S exploits that require no interaction from the user, including a very nasty exploit for WhatsApp.

Pegasus is not a virus. It does not spread on its own. Further, it’s important to distinguish between Pegasus and the methods used to install it. Pegasus does not typically arrive on a device at random. Devices are specifically targeted, and those targets are often used by journalists, suspected terrorists, and other people whose activities are tracked by government agencies and criminal organizations.

The main problem here is not Pegasus, but the way security vulnerabilities are discovered and — more importantly — how information about vulnerabilities is disseminated. Unfortunately, some organizations perform this research not for the public good, but for themselves and their partners, legitimate and otherwise. In an ideal world, when a vulnerability is discovered, the vendor is informed privately and then proceeds to develop and release a fix. In reality, vulnerabilities and exploits are often hoarded.

Advice to anyone who operates a mobile device and wants to reduce the likelihood of Pegasus or other unwanted software being installed without their knowledge: stay informed regarding security vulnerabilities in your device’s O/S and any apps you run. When you learn about a zero-click exploit, immediately install a fix if one is available, or uninstall the affected app. If it’s an unpatched O/S vulnerability, all you can do is hope that you’re not being targeted.

Related

Canada Revenue Agency hacked; shuts down online services

Canadians: if you’ve tried to access your CRA accounts recently, you probably noticed that you can no longer log in. That’s because normal access has been disabled while the CRA works to undo the damage caused by two recent attacks on their services.

The CRA systems were penetrated by persons unknown over the past two weeks. According to the CRA, the breaches have been contained, but the My Account, My Business Account and Represent a Client services have been disabled as a precaution.

Several thousand user accounts have been compromised. Starting in early August, unusual and unauthorized access to accounts was noticed by the account holders and reported to the CRA. In some cases, email, banking, and other account details were changed by the attackers. Fraudulent CERB payments were also issued.

Access to the compromised accounts was apparently gained via ‘credential stuffing’, which is based on the sadly-still-true fact that many people continue to use specific passwords on multiple systems. To be clear: if nobody ever did that, this type of attack would never be successful.

“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” according to a statement from the CRA.

The CRA is in the process of alerting people whose accounts were compromised.

COVID-19 scams are everywhere

Major events are viewed as opportunities by scammers worldwide. Same as it ever was. These days, the scammer’s tools of choice involve computers, because the potential victim pool is far beyond any alternative.

In keeping with this sad reality, COVID-19 scams are showing up everywhere on the web, and in our email inboxes.

Please exercise caution when you receive email or visit web sites that advertise cures, or entice you to click links or open attachments claiming to provide COVID-19/Coronavirus help.

If you’re looking for legitimate information about COVID-19, visit the web sites of major health organizations and local governments.

In Canada, visit the federal government’s COVID-19 page.

In the USA, try the web site for the Centers for Disease Control and Prevention.

For a global overview of the spread of COVID-19, see the frequently updated map of Coronavirus COVID-19 Global Cases by the Center for Systems Science and Engineering (CSSE) at Johns Hopkins University (JHU).

Ars Technica has more information about this.

LifeLabs hacked; patient data compromised

Some security breaches are worse than others. If your bank suffers a breach, the potential for damage is enormous, because banks necessarily store a lot of critical information about you and your money.

Almost as bad are breaches of health-related services, because those systems may store extremely private information about you and your medical history.

Which makes the recently-announced breach of Canada’s LifeLabs (PDF) very disturbing.

The Ars Technica story about this provides a helpful summary of what happened, although it starts out by saying that LifeLabs “paid hackers an undisclosed amount for the return of personal data they stole”. Data can be copied, and when someone copies data to which they have no legal access, it’s a crime. But the idea that data can be ‘returned’ is bizarre.

It’s more likely that LifeLabs was the victim of a ransomware attack, in which data is encrypted by attackers, rendering the data useless until a ransom is paid and the data decrypted by the attackers.

However, it’s also possible that the attackers copied the data to their own systems before encrypting it, with the aim of selling that extremely valuable data, containing names, addresses, email addresses, customer login IDs and passwords, health card numbers, and lab tests. So far, there’s no evidence that the data has made its way to any of the usual dark web markets for such data, but there’s no way to be sure that won’t happen.

Charles Brown, President and CEO of LifeLabs, posted An Open Letter to LifeLabs Customers on December 17, in which he discloses the breach and apologizes to customers. While it’s good to see the company take responsibility, an apology is hardly sufficient. Even the offer of “one free year of protection that includes dark web monitoring and identity theft insurance” seems unlikely to satisfy affected customers. There’s at least one petition in the works, “calling on Parliament’s Standing Committee on Access to Information, Privacy and Ethics (ETHI) to investigate LifeLabs, and put forward recommendations to ensure this doesn’t happen again.”

In British Columbia, users access their LifeLabs test results online using a service called eHealth. It’s not clear whether LifeLabs’ relationship with eHealth is in any way related to this breach. At this point it appears that it makes no difference whether you signed up to access your test results using eHealth. In other words, changing your eHealth password, while advisable, seems unlikely to mitigate the potential damage.

However, as usual in the case of any breach, you should review your passwords, and if you’ve used your LifeLabs or eHealth password for any other site or service, change those passwords to something unique. Do it now.

More about those troubling emails

Some months ago I wrote about the flood of ‘sextortion’ emails almost all of us have been receiving since mid-2018.

Now Brian Krebs reports that the person who most likely wrote the code that started the wave of sextortion emails has surrendered to authorities in France, after being pursued across Europe.

It’s too soon to know what kind of punishment this jerk will face, but here’s hoping it’s significant.

About those troubling emails you’ve been getting…

If you have an email address, and you’ve ever used it to register for online services and sites, there’s a good chance you’ve received email that threatens you in some way, and some of it is downright creepy.

This email may refer to your name. It may include a password you’ve used in the past, or even currently. The email may appear to have been sent from your own email address, and may claim to have taken over that email account.

A sextortion email I received recently.

The good news is that very little of what these emails claim is actually true. The bad news is that you still have a problem.

But why does this happen?

It all starts when someone gets careless, or someone else decides that the IT budget is too high.

Imagine that you’re the person responsible for information security at any company that… uses computers (so basically, any company on the planet). Now imagine that you’re bad at your job. Or disgruntled. Or your manager keeps cutting your budget. Inevitably, things start to slide. Security updates don’t get installed. Software that isn’t properly checked for security implications gets installed on company computers. Users don’t get security training. Bad decisions are made, such as not properly encrypting user passwords. And so, the company’s computers, and the data they contain, become vulnerable. Eventually, malicious people figure this out, and through various means — many of which are trivially simple to carry out — gain access to your data. And that data includes information about your customers. That information is then sold online, to other, even less scrupulous people. Brian Krebs documents many of these breaches; here’s one example.

You can find these lists online if you know where to look. Some are only accessible from the dark web. Some are published more brazenly, on easily-accessed public web sites, including Facebook.

Sometimes these lists contain passwords. In really awful cases, the passwords aren’t even encrypted. But usually they are encrypted, which makes them slightly less useful. Only slightly, because many people still use terrible passwords: common passwords, like 1234; passwords that are used by the same person in multiple places; and passwords that are easy to crack.

Any password can be cracked, by which I mean converted from its encrypted form to its original, unencrypted form. Short and simple passwords can be cracked in nanoseconds. Longer, more complex passwords take longer. At any given point in time, passwords that are long and complex enough simply can’t be cracked quickly enough to be worth the attempt. This is a moving target. As computers get faster, the point at which a password becomes worth cracking gets nearer.

You can find out just how terrible your password is using howsecureismypassword.net. Note: the site is safe to use: it uses a small Javascript program that runs only on your computer. Your password is never transmitted anywhere. And it’s not actually being cracked; the Javascript code just assesses the complexity of your password based on various formulae. It’s an estimate, but reasonably accurate. Go ahead, I’ll wait.

Useful lists

These shady lists of users, passwords, and email addresses can be used for lots of things, ranging from merely irritating to criminal. But there’s money to be made, as long as you don’t care about being a world-class asshole.

If you’re an asshole, and you’re looking for an easy way to make money and irritate people, just shell out a few bucks for one of these lists, and download a few scripts that turn that list into spam. Because computers are really good at things like this, you hardly have to do any actual work. Just feed a list into some crappy script, sit back, and watch the money pour in. If you had to do this with paper and snail mail, it clearly would not be worthwile.

A user’s story

Let’s look at this another way: from the perspective of Iam Notreal, an ordinary Internet user. Iam registered for an account at LinkedIn in 2011 using his real name and his NopeMail account, iam.notreal@nopemail.com. He also used the same password he uses everywhere else: banana1234.

In 2012, intruders gained access to LinkedIn servers and were able to download its user database. The database included usernames, email addresses, and poorly-encrypted passwords. Now Iam’s real name, real email address, and an encrypted form of his one and only password are on a list, and, beginning in 2016, that list is being sold on the dark web to anyone who has a few bucks to spare.

In 2016, Iam starts getting spam to his NopeMail account. Most of it is ordinary spam: poorly-worded appeals to click a link. Occasionally he receives spam that mentions his real name, which is alarming, but not particularly harmful. At some point, Bill tries to ‘unsubscribe’ from what he believes is a mailing list, by replying to one of these spam emails. Congratulations, Iam, you’ve just graduated to a new list, of confirmed, valid, active email addresses. This list will also be sold on the dark web, at a higher price than the original list.

Meanwhile, other dark forces are at work behind the scenes. Someone runs the original list through a widely-available password cracker. This software looks at each encrypted password and attempts to decrypt it based on a set of parameters, including lists of commonly-used passwords. Sadly, Iam’s password is rather short, and contains a common word, and it takes the software about a nanosecond to crack it. Now Iam is on an even more valuable list, which includes cracked passwords.

Fast forward to 2018, and now Iam is getting email that claims to have taken over his email account, or to have video from Iam’s own webcam showing him doing unmentionable things, and it also includes Iam’s one and only password, right there in plain text. Iam is panicked: if the sender knows his password, are the rest of the claims true? He doesn’t know it, but the sender’s claims are bullshit.

As scary as this sounds, it’s only the most common use of lists like these circa late 2018, early 2019. The same information could be used to take over Iam’s LinkedIn account (if he ignored warnings from LinkedIn to change his password, or if he changed it back to the same password), take over his NopeMail account (if he failed to change its password after the LinkedIn breach), or take over any other account that can be found on any other service he uses, once it’s discovered.

Questions

Why is that spam coming from my own email address or my own mail server?

Unfortunately, it remains trvially easy to spoof almost all information contained in an email message. Current anti-spam efforts like SPF, DKIM, and DMARC are focused on validation, and there’s nothing stopping anyone from spewing out email with mostly-forged headers. That includes the FROM header, which means scammers can make email look like it came from just about any address they want. Only close inspection of all the headers reveals the actual source.

Why does that spam contain my password?

If a scammer has access to a purloined user list that includes plaintext or cracked passwords, it’s a simple matter of customizing the content of their malicious spam so that the username and/or password vary, depending on the unlucky recipient.

What you should do

Stop using crappy passwords. If you’re not sure how crappy your password is, check it at howsecureismypassword.net. You can also install this extension in your Chrome browser; it will warn you if your password is too weak.

Stop re-using passwords. If site A is hacked, and your password for site A is the same as for site B, you’ll have to change your password on both sites.

Use a password manager. Yes, it’s annoying to have an extra step whenever you want to log in somewhere, but using a password manager means that you only ever have to remember one password. They can also generate passwords for you, saving you the trouble.

Check Have I been pwned to see how many breaches have included your email addresses and passwords.

Sign up at Spycloud to continuously monitor your email address for inclusion in breaches.

Making noise

Although there are ways to use purloined user lists besides spam, most of the damage we see is related to email.

Despite being really old technology, email has continually improved in terms of security. Newer technologies like SPF, DKIM, and DMARC make it much easier for email providers to determine which email is legitimate and which is not.

You can help by making sure any email domains you manage use SPF, DKIM, and DMARC. If your mail provider doesn’t use these technologies, lean on them to start. If they resist, find another provider. I have several clients who use the business mail service provided by telecom giant Telus here in Canada. Telus farms this work out to a provider in the USA called Megamailservers. The Megamailservers service does not currently support DKIM or DMARC, and there’s nothing on their web site (or that of Telus) about any plans to change that.

Password Management Software

So, everyone should use a password manager. But wait, didn’t I just read that all the most popular password managers can be bypassed very easily? Yup. Opinions vary as to whether the risk of such exploits is significant. From my perspective, the risk is this: yes, a malicious actor needs physical, remote, or programmatic access to your computer to use these exploits. But once they have access, they no longer have to waste time looking for interesting information. All they need to do is look for password manager data and sent it to themselves. That makes their job MUCH easier.

But using a password manager is still much safer than not using one.

References

What you need to know about VPNFilter

Update 2018Jun11: According to the latest report from security researchers at Talos, the list of routers affected by VPNFilter is now much larger. The malware’s capabilities are now better understood, and include the ability to intercept and modify network traffic passing through affected devices. To see the updated list of devices known to be affected by VPNFilter, scroll to the bottom of this page and look for the heading Known Affected Devices. Bruce Schneier weighs in.

Over the last week or so, you’ve probably noticed several stories about some malware called VPNFilter. For most people — and for a number of reasons — VPNFilter doesn’t pose a significant risk. But it’s a good idea to make sure. Here’s what you need to know:

  • VPNFilter is designed to infect SOHO (Small Office / Home Office, aka consumer-grade) network routers and Network Attached Storage (NAS) devices. It appears to have been active since 2016, and is known to have infected hundreds of thousands of devices worldwide.
  • Only a few specific router models are known to be vulnerable to VPNFilter, but there may be more. The list of vulnerable devices includes several models from Linksys, Mikrotik, Netgear, QNAP, and TP-Link. If you know (or can find) the make and model of your router, check to see whether it’s on the list.
  • On May 23, the US Justice Department announced that they had effectively neutered VPNFilter by taking over one of its command and control domains. But VPNFilter remains on many infected devices, as do the vulnerabilities that allowed infection in the first place.
  • The FBI is asking everyone on Earth who manages or is responsible for any consumer-grade router, to restart it. This will remove the second stage of a VPNFilter infection from a router. It may seem like overkill, but until we have a complete list of vulnerable devices, it’s a risk-free way to disrupt VPNFilter’s activities.
  • If you think your device has been infected — perhaps because it’s on the list of known affected devices — the only way to fully remove the infection is to reset the device to its factory settings. This sounds simple but can actually be problematic. Resetting a router can cause connected devices to lose access to the Internet, and things gets worse from there. If you want to attempt this, you should first log into your device’s web interface and document all important settings, because you’ll need to reconfigure the device after it’s been reset. Disconnect the device from the Internet before resetting it, because its administration password will be reset to a known default. Change that password as soon as possible after the reset.
  • If you manage your own router or NAS device, it’s critically important to configure it sensibly. That means changing its default password, and disabling any features that allow for remote (i.e. from the Internet) administration.

Timeline: NSA hacking tool to WannaCry

A recent Washington Post article is helping to answer some questions about Microsoft’s actions in recent months. Here’s a timeline of events:

2012 (or possibly earlier): The NSA identifies a vulnerability in Windows that affects all existing versions of the operating system, and has the potential to allow almost unfettered access to affected systems. A software tool — an exploit — is developed either for, or by, the NSA. The tool is called EternalBlue. People at the NSA worry about the potential damage if the tool or the vulnerability became public knowledge. They decide not to tell anyone, not even Windows’ developer, Microsoft.

EternalBlue finds its way into the toolkit of an elite hacking outfit known as Equation Group. Although it’s difficult to know for certain, this group is generally assumed to be operating under the auspices of the NSA. Equation Group may work for the NSA as contractors, or they may simply be NSA employees. Regardless, the group’s actions seem to align with those of the NSA: their targets are generally in places like Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Early to mid-2016: A hacking group calling themselves The Shadow Brokers somehow gains access to NSA systems or data, and obtains copies of various NSA documents and tools. Among those tools is EternalBlue.

August, 2016: The Shadow Brokers begin publishing their NSA haul on public services like Tumblr.

January 7, 2017: The Shadow Brokers begin selling tools that are related to EternalBlue.

Late January to early February 2017: The NSA finally tells Microsoft about the vulnerability exploited by EternalBlue. We don’t know exactly when this happened, but it clearly happened. The NSA was Microsoft’s source for this vulnerability.

February 14, 2017: Microsoft announces that February’s Patch Tuesday updates will be postponed. Their explanation is vague: “we discovered a last minute issue that could impact some customers.

Late February 2017: The Windows SMB vulnerability exploited by EternalBlue is identified publicly as CVE-2017-0144.

March 14, 2017: March’s Patch Tuesday updates from Microsoft include a fix for CVE-2017-0144, MS17-010. The update is flagged as Critical and described as Security Update for Microsoft Windows SMB Server (4013389). Nothing in Microsoft’s output on March 14 calls special attention to this update.

April 14, 2017: The Shadow Brokers release 300 megabytes of NSA material on Github, including EternalBlue.

May 12, 2017: WannaCry ransomware infection wave begins. The malware uses EternalBlue to infect vulnerable computers, mostly Windows 7 PCs in Europe and Asia. Infected computers clearly had not been updated since before March 14, and were therefore vulnerable to EternalBlue.


It’s now clear that the NSA is the real problem here. They had several opportunities to do the right thing, and failed every time, until it was too late. The NSA’s last chance to look at all good in this matter was after the vulnerability was made public, when they should have made the danger clear to the public, or at least to Microsoft. Because, after all, they knew exactly how useful EternalBlue would be in the hands of… just about anyone with bad intent.

Everyone involved in this mess acted foolishly. But whereas we’ve grown accustomed to corporations caring less about people than about money, government institutions — no matter how necessarily secretive — should not be allowed to get away with what the NSA has done. Especially when you consider that this is just the tip of the iceberg. For every WannaCry, there are probably a thousand other threats lurking out there, all thanks to the clowns at the NSA.

Ars Technica’s analysis.

Techdirt’s analysis.