Category Archives: Things that are bad

Fake malware warning scams

A recent example of a full-screen browser window that appears to be a serious malware alert.

Web sites that make their money from advertising usually subscribe to one or more advertising providers, such as Google Adsense. There are many others, including some that push ads that are really just scams.

One popular type of scam ad takes the form of a malware warning, presented to the unsuspecting user in a full-screen web page that seems to lock out the user completely. The example above (provided recently by a client) appears to be from Microsoft, generated by Windows anti-malware software, and it includes what is supposedly a Microsoft phone number.

In reality, this is just a web page, generated by JavaScript from an advertisement on a shady web site. The full screen effect is produced by your web browser’s built-in full-screen view feature, triggered by the ad. These messages are not reporting the presence of malware; they are intended to scare you into calling a phone number. Messages of this type are categorized as ‘scareware’.

A Google search for the phone number in the example above shows that it’s definitely associated with support scams.

These fake alerts vary in appearance and quality. Some are more convincing than others. Many are based on real malware warnings. You can see other examples by searching Google Images for ‘fake malware warning’.

It’s important to understand that legitimate anti-malware software won’t ‘lock’ your computer when it detects malware, and it won’t insist that you call a phone number.

If you see one of these scary-looking screens, don’t panic. Obviously, don’t call the phone number shown on the screen. Nothing good will come from that. Try pressing the F11 key on your keyboard. This is the near-universal key that toggles full screen view in web browsers. If it is just a web page, pressing F11 will reveal your web browser’s user interface, and you should regain your bearings immediately. Close the tab, and/or close the browser.

Also, please reconsider visiting any web site that’s operated by people who care so little for visitors that they are willing to inflict this kind of dangerous garbage on them, albeit indirectly.

More useful information about this is available from the Safety Detectives site.

Cisco Immunet anti-malware software

In brief: stay away from this software.

I’m always interested in evaluating anti-malware/antivirus software, especially when it claims to be ‘lightweight’. All too often, anti-malware software that’s configured to run in the background has a very noticeable effect on performance.

So I installed Cisco’s Immunet on my main Windows computer. About ten minutes later, I removed it.

The user interface is horrible, seeming more like something a first-time coder might have produced, rather than an organization with the resources of Cisco.

I was very careful to configure Immunet before I ran any scans. In particular, I configured it to ask me before quarantining any files. Imagine my surprise when on its initial scan, it went ahead and quarantined three executables, none of which were actually malware.

Of the three quarantined files, I was able to use Immunet to restore one. The others were irretrievable, and I had to reinstall the associated software. For one of them, I lost its settings as well.

Normally I would persist with an evaluation like this, to give it a thorough test. But really, having suffered this much in such a short space of time, why bother?

This is crappy software. Avoid at all costs.

Microsoft updates still breaking things

Is it just me, or is Microsoft actually getting worse at this? It seems that every month there are more horror stories about problems caused by MS software updates. Given that Microsoft is still pushing hard for all Windows updates to happen automatically, this is very troubling.

In the latest instance, updates pushed out for January’s Patch Tuesday caused some Windows servers to reboot continuously. For server admins, this is a nightmare scenario.

One could argue that since the problem only affected a specific subset of Windows servers, this was less serious than something that affects all Windows 10 users. But affected servers were potentially used by hundreds or even thousands of people, which amplifies the scope of the problem.

Microsoft’s approach to testing changed with the release of Windows 10, and they now rely on reports from regular users who have opted in to pre-release versions of Windows. It’s clear that this kind of testing is much less useful than proper, methodical testing. Whether Microsoft will eventually go back to proper testing remains unclear. Meanwhile, we all suffer. And wonder whether the next Patch Tuesday is going to be a day of disaster.

Ars Technica and The Verge have more.

COVID-related phish received via text

I just received a text message from someone pretending to be a representative of the Liberal Party of Canada.

The message, sent via SMS to my mobile phone from a phone number in Toronto, offers a monetary reward for being vaccinated for COVID-19, and invites the recipient to click a link to liberalparty-assist[dot]com. Here it is:

The phishing message I received on my phone this morning

If you receive this message, or anything similar, please do not click the provided link. I can’t be sure what will happen, but it won’t be good.

While I avoided clicking the phishing link, I did look into the site it points to. The domain is actually owned by a provider in Paris, France: M247-LTD-Paris. Definitely not anything to do with a political party in Canada. The phone number has been reported numerous times as a scam source.

Since the majority of Canadians have been vaccinated, this phishing message seems likely to attract many clicks from unsuspecting people. Sadly, that will include people who desperately need the money, as well as older folks and others who may not be as technically astute as the rest of us.

Some day it may be possible to track down the people responsible for these scams. I enjoy dreaming up interesting forms of punishment for these people.

Pegasus spyware

Pegasus is spyware that can be installed on Apple and Android mobile systems. It’s difficult to detect, and difficult to remove. Pegasus is developed by NSO Group, who deny that the software is being used for anything nefarious, and who deny that, if it is, NSO Group has anything to do with that use.

The methods used to install Pegasus on mobile devices have changed over the years. It can be installed directly, with physical access to the target device, which is presumably how it ends up on devices legitimately. Pegasus can also be installed more surreptitiously. Previously, that involved inviting the user to click a link in an email or SMS message. More recently, it’s being installed using app and O/S exploits that require no interaction from the user, including a very nasty exploit for WhatsApp.

Pegasus is not a virus. It does not spread on its own. Further, it’s important to distinguish between Pegasus and the methods used to install it. Pegasus does not typically arrive on a device at random. Devices are specifically targeted, and those targets are often used by journalists, suspected terrorists, and other people whose activities are tracked by government agencies and criminal organizations.

The main problem here is not Pegasus, but the way security vulnerabilities are discovered and — more importantly — how information about vulnerabilities is disseminated. Unfortunately, some organizations perform this research not for the public good, but for themselves and their partners, legitimate and otherwise. In an ideal world, when a vulnerability is discovered, the vendor is informed privately and then proceeds to develop and release a fix. In reality, vulnerabilities and exploits are often hoarded.

Advice to anyone who operates a mobile device and wants to reduce the likelihood of Pegasus or other unwanted software being installed without their knowledge: stay informed regarding security vulnerabilities in your device’s O/S and any apps you run. When you learn about a zero-click exploit, immediately install a fix if one is available, or uninstall the affected app. If it’s an unpatched O/S vulnerability, all you can do is hope that you’re not being targeted.


Deceptive design patterns

There’s an informative post over on the Mozilla Explains blog, about deceptive design patterns. From the article:

Deceptive design patterns are tricks used by websites and apps to get you to do things you might not otherwise do, like buy things, sign up for services or switch your settings.

The post goes on to list some common examples. I’m sure you’ll recognize at least some of these.

Unfortunately, this kind of deception is not limited to the online world, and most of us don’t even raise an eyebrow when we encounter shady sales practices in the ‘real’ world. But the online world is already much more confusing for many people, so recognizing deception can be difficult.

It’s an interesting read, and it may help you to understand some of what you see online, and on your connected devices.

Flagging software as dangerous for the wrong reasons is idiotic

There’s a disturbing trend in the world of malware detection: falsely labeling software as malware.

For example, there’s an entire category of software that’s being mislabeled as malware by an increasing number of anti-malware providers: torrent software.

Torrent software is widely used by people trying to get access to cultural material that is otherwise locked away by the gatekeepers of big media (by way of prohibitive pricing, overlapping services, poor or unavailable service, geo-locking, release windows, and other big media fuckery).

Torrent software is used all over the world to legally share media in an extremely efficient, and Internet-friendly way.

But big media doesn’t care about any of that, because torrent software is also used for piracy.

Currently, there are efforts underway by media organizations to discredit and cripple torrent software in any way possible. Apparently they are now leaning on anti-malware software and service providers.

Why would an otherwise reputable anti-malware organization erroneously flag software as malicious? There are a number of possibilities:

  • They are being fed false information
  • Industry/corporate threats
  • Financial incentives

Why is this a problem?

  • It’s an extremely annoying inconvenience for users. Unable to install the falsely-labeled software, or exclude it from malware scans, some users will resort to uninstalling their anti-malware software.
  • It’s increasingly difficult for users to distinguish between actual threats and bullshit.
  • If an actually malicious version of one of these programs comes along, there’s no way to distinguish it from other versions that are erroneously flagged as malicious.
  • A general loss of trust in anti-malware providers and their services.

Big media will keep playing this idiotic game of whac-a-mole in any way their lawyers dream up. Media piracy continues, despite these efforts, and the only people affected are innocent users.

Advice to anti-malware purveyors: stop doing this. It’s short-sighted, dangerous, and stupid.

Don’t bother trying to uninstall Microsoft Edge

If you’re old enough to remember the browser wars of the 1990s, you probably remember that Microsoft got into trouble for pushing their web browser, Internet Explorer, using tactics tied to the dominance of Windows.

Competitors were less than thrilled with Microsoft’s tactics. In 1998, an anti-trust suit was launched by the US Department of Justice against Microsoft, alleging that Microsoft was using unfair tactics, in particular by embedding Internet Explorer into Windows, making it difficult to remove.

Microsoft argued that Internet Explorer was a core part of the operating system, and could not be easily excised from Windows. This didn’t help their case much, as you can imagine.

The court agreed with the DOJ, recommending that Microsoft be broken into two organizations, one for Windows and the other for applications like Internet Explorer. After appeals, the final settlement required Microsoft to share its API (Application Programming Interface) documentation with third party companies. The idea was to remove any head start Microsoft would have in developing changes to its web browser based on technology advancements.

The DOJ did not require Microsoft to change any of its code or prevent Microsoft from tying other software with Windows in the future.

Microsoft’s tactics this time around

Fast forward to today, and Microsoft is again using questionable tactics in its fight for web browser dominance. This time around, with Internet Explorer soon to be discontinued, the browser in question is Edge (the newer, Chromium-based version).

Microsoft recently published a small support article about the new version of Edge, presumably in response to user questions. In part, it states: “The new version of Microsoft Edge is included in a Windows system update, so the option to uninstall it or use the legacy version of Microsoft Edge will no longer be available.”

So, once again, Microsoft is apparently trying to use its dominance in the desktop operating system market to push its web browser on people.

It’s hard to predict whether this tactic will actually help Edge, or whether anyone will care enough to claim antitrust activity again. I like to think people are generally somewhat better informed, and recognize that there are other, better web browsers than Edge.

UPDATE 2020Sep12: Microsoft has revised the wording of the support article about this, but the new version sounds like more of the same weak arguments they used in the 1990s:

Because Windows supports applications that rely on the web platform, our default web browser is an essential component of our operating system and can’t be uninstalled.

Windows users can download and install other browsers and change their default browser at any time.

Giant corporations trying to sound innocent when caught in their shenanigans is just embarrassing.

Canada Revenue Agency hacked; shuts down online services

Canadians: if you’ve tried to access your CRA accounts recently, you probably noticed that you can no longer log in. That’s because normal access has been disabled while the CRA works to undo the damage caused by two recent attacks on their services.

The CRA systems were penetrated by persons unknown over the past two weeks. According to the CRA, the breaches have been contained, but the My Account, My Business Account and Represent a Client services have been disabled as a precaution.

Several thousand user accounts have been compromised. Starting in early August, unusual and unauthorized access to accounts was noticed by the account holders and reported to the CRA. In some cases, email, banking, and other account details were changed by the attackers. Fraudulent CERB payments were also issued.

Access to the compromised accounts was apparently gained via ‘credential stuffing’, which relies on the sadly-still-true fact that many people continue to use the same passwords on multiple systems. To be clear: if nobody ever did that, this type of attack would never be successful.

“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” according to a statement from the CRA.

The CRA is in the process of alerting people whose accounts were compromised.
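Credential stuffing leaves a recognizable trace in authentication logs: one source address trying many different usernames in a short time, mostly failing, with the occasional success on a reused password. As an added example (not from the original post, and not based on any CRA or GCKey data), here is a small Python detector run over constructed log lines in a made-up `key=value` format:

```python
"""Flag source IPs whose login attempts look like credential stuffing.

Added illustration, not code from the original post. The log format and
the sample lines below are constructed; real systems log differently.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (placeholder addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
2020-08-05T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2020-08-05T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2020-08-05T10:00:02Z ip=198.51.100.7 user=carol result=SUCCESS
2020-08-05T10:00:03Z ip=198.51.100.7 user=dave result=FAIL
2020-08-05T10:00:03Z ip=198.51.100.7 user=erin result=FAIL
2020-08-05T10:00:04Z ip=198.51.100.7 user=frank result=SUCCESS
2020-08-05T10:00:10Z ip=203.0.113.9 user=alice result=FAIL
2020-08-05T10:00:40Z ip=203.0.113.9 user=alice result=SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for IPs that, within any sliding `window`,
    tried at least `min_users` distinct usernames with a failure ratio
    of at least `min_fail_ratio`. A legitimate user retrying their own
    password hits one username only and is never flagged."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        recent = deque()          # events inside the current window
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            users = {r["user"] for r in recent}
            fails = sum(1 for r in recent if r["result"] == "FAIL")
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                # Summary reflects the latest window that met the threshold.
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(recent),
                    "failures": fails,
                    # Successes inside a stuffing burst are accounts to reset.
                    "compromised": sorted(r["user"] for r in recent
                                          if r["result"] == "SUCCESS"),
                }
    return flagged
```

The `compromised` list is the actionable output: those are the accounts whose reused password worked and which need a forced reset and review of recent changes.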

Windows 10 update problems continue

With Windows 10, Microsoft shifted a lot of their testing to users, through the Windows Insider program. Anyone can join the Insider program, and what you get is early access to new versions of Windows 10.

In return, you are expected to provide feedback to Microsoft when you encounter problems, primarily via the Windows 10 Feedback Hub app. I’ve used the Feedback Hub, and Microsoft does indeed seem to look at — and act on — user feedback.

While I do appreciate having the option of contributing to the quality of Windows 10, it seems clear that relying on users for testing is woefully inadequate, and hardly a substitute for systematic, formal software testing. Each new set of Windows 10 updates, and especially each new version, seems to cause more problems than it solves.

Windows 10 version 2004, released on May 27, is no exception. Microsoft has identified at least ten separate problems with the new version, mostly related to device drivers. Users unlucky enough to have the affected devices are reporting application crashes and good old Blue Screens of Death (BSODs). In some cases the new version renders affected computers unusable.

At least updates can now be delayed. Earlier versions of Windows 10 forced new updates on all computers. Without the ability to put off updates, these unwanted and problematic changes would cause worldwide carnage at least every Patch Tuesday.

Hey, Microsoft. Thanks for giving us the option to help out with Windows testing. But please go back to doing more formal testing. Nobody needs these headaches. We’ve got enough problems without you piling on.

Update 2020Jun02: Microsoft has put a ‘compatibility hold’ on the recent problematic updates. If Microsoft decides that your device may have problems with an update, it won’t get installed until the hold is released. Of course that doesn’t help people who installed those updates before they were held.