This blog will help keep you up to date with security warnings, phishing, currently spreading malware and email spoofs, Windows updates, and my general thoughts about the online world today: how to keep yourself safe online and not become a victim.
The majority of posts are about malware and phishing scams received via emails. Most people don't really want to know what the malware is that was attached to an email. They just want to know if it is good or bad. Everybody just looks at the email quickly, so it can be very hard to decide if it comes from a genuine sender or a scumbag trying to scam you, steal your money or infect you.
All you want to know quickly: Is the email likely to be safe or dangerous?
We try to post as many examples of currently spreading emails as quickly as we can to alert everybody to the latest fast spreading method of scamming or infecting you.
Are you frustrated with your computer?
Do you want to do this when the computer won't work properly?
Don't get all worked up, Don't panic, Don't get upset.
Do you have any problems with malware, viruses or trojans?
Is your computer plagued with pop ups?
Do you get diverted to wrong sites when searching?
For help with these and any malware related or other computer problems visit the computer help and malware cleaning forum: Techguy.org
You usually get infected because your security settings are too low or you blindly click "yes" to everything. This article will show you how to protect yourself, keep yourself safe online and tighten security.
Do you cyber-blab? Are you a compulsive Tweeter or Facebooker? Think carefully about what you post. A simple post about your daily visit to the local coffee shop could be enough to tell a burglar when it is safe to rob your house. Remember EVERYTHING on a Social Media site is public.
You can submit suspicious files and web sites (URLs) for examination and submission to antivirus companies, other malware researchers that I co-operate with, and phishing block lists.
You can also upload copies of the email you received (that helps to track down and report the sending email servers so they can be cleaned up).
One of the most popular methods of spreading malware and infecting you is emails with malformed or infected Word docs and Excel spreadsheets containing embedded malicious macros or embedded OLE objects. You only have to look through this blog to see hundreds of examples of emails with attachments using these malicious Office files.
This is a slightly more difficult post than usual to write. We have been seeing large email-based malware campaigns over the last few days. All the emails are coming from a handful of hosting companies/servers either in Russia, Ukraine or India. So far that is nothing really unusual. What is difficult to accept is the number of what appear to be legitimate domains that are sending these emails. There are hundreds, if not thousands, of domains involved in these campaigns. Almost all the domains have been registered for many years, some for more than 10 years. That makes it …Continue reading →
We are seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK since yesterday. Earlier we saw a Brexit theme and now we are seeing emergency exit notices. The subject this time is consistent in all versions: “Urgent to all residents of the building”. The name in the body of the email matches the alleged sender and is different in each version. These are coming from dozens (or even hundreds) of different email addresses and IP addresses, all from one hosting company using the IP range 193.233.30.* This appears to be a server based in Russia, mgnhost.ru AS202423 PE …Continue reading →
We are seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK since yesterday. The criminals are using the theme of Brexit, which is very topical in the UK (and the rest of Europe) at the moment. There are numerous subjects, all with Brexit somewhere in the subject line, and there is a link to a Google Docs page that downloads the malware file. Some subjects I have seen include: Brexit 2019; Brexit 29/03/2019; Brexit 29-03-2019; Brexit | 29-03-2019; Brexit Barometer; Brexit. These are coming from dozens (or even hundreds) of different email addresses and IP addresses, all from one hosting company using …Continue reading →
We are still seeing a lot of Lokibot hitting the UK. We don’t bother to post about most of them, because the subjects and emails are so generic that there is normally nothing particularly identifiable about them. However, overnight we received a whole slew of emails that are very identifiable. I received about a dozen since about 9pm last night, all addressed to various email addresses under my control (all caught by spam filters and malware quarantine settings). This email with the subject of “UNILEVER PURCHASE ORDER #091223 for acknowledgement” pretends to come from Jon Strachan <firstname.lastname@example.org>. They use …Continue reading →
This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering the Trickbot banking Trojan. The email with the subject of “Payment Advice Ref: 2 / Customer Ref: P” pretends to come from HSBC but actually comes from “DoNotReply@pa-hsbc.co.uk”, which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious Office file attachment. Today they are using XLS Excel spreadsheet files. It looks like there might be some changes to the Trickbot modules and binaries today. We haven’t seen any Trickbot targeting …Continue reading →
We are seeing an Ursnif /Gozi /ISFB campaign hitting the UK since yesterday. I was first alerted by this Twitter post. I started to investigate quickly last night and several much better researchers and analysts have taken over and found much more details. I posted some basic details in THIS Tweet. Then the main analysis appears via THIS. Whichever bad actor is running this campaign is using extremely good social engineering tricks to imitate multiple well known companies to persuade the recipient to follow the links and get infected. Anyway back to this morning and Ursnif /Gozi /ISFB continues to …Continue reading →
We are seeing some changes to Lokibot with this malware delivery campaign overnight. I don’t know if it is a complete change to the C2 URL naming convention or whether it is only this particular actor using a different C2 URL naming convention. Generally with Lokibot the quickest and easiest way to identify it is the “fre.php” in the C2 URL. Today we are seeing “cat.php”. The delivery email with the subject of Request For Invoice, pretending to come from email@example.com, with a malicious Word doc attachment that contains an RTF exploit, is typical of the common malware delivery methods that are currently being used …Continue reading →
An old favourite lure: this email with the subject of “DHL Shipping of Original invoice B/L dated 26/10/2018”, pretending to come from DHL EXPRESS – <firstname.lastname@example.org>, with a malicious Word doc attachment delivers Remcos RAT. The idea of fake DHL invoices or delivery notes is nothing new. What is different about this campaign is the way the criminals are using non-standard Office XML files with base64-encoded sections containing the macros instead of proper Office (Word) docs. These still open in Microsoft Office and will run. They still open in Protected View mode, so …Continue reading →
I don’t normally post much about Emotet here for a few reasons. I don’t see much sent to me in UK, although it is prolific. The emails are generally so generic and are fake invoices or orders, with nothing particularly interesting or alerting to warn about. They either attach macro enabled word docs or as in this case are using links in emails to dozens or even hundreds of compromised sites to deliver malicious word docs. Each word doc is individually generated and the file hash either changes on each visit to the compromised site or changes every few minutes. …Continue reading →
This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering the Trickbot banking Trojan. The email with the subject of “BACs Transaction Report – Important Information!” pretends to come from the Bacs service but is actually coming from “email@example.com”, which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have either a malicious Office file attachment or a link to download the malicious Office doc or XLS file from a remote website. The BACS service has not been hacked or had …Continue reading →