This blog will help keep you up to date with security warnings, phishing, currently spreading malware and email spoofs, Windows updates, and my general thoughts about the online world today, how to keep yourself safe online and how not to become a victim.
The majority of posts are about malware and phishing scams received via email. Most people don't really want to know what the malware attached to an email is; they just want to know if it is good or bad. Everybody just glances at an email quickly, so it can be very hard to decide whether it comes from a genuine sender or from a scumbag trying to scam you, steal your money or infect you.
All you want to know quickly: Is the email likely to be safe or dangerous?
We try to post as many examples of currently spreading emails as quickly as we can to alert everybody to the latest fast spreading method of scamming or infecting you.
Are you frustrated with your computer?
Do you want to do this when the computer won't work properly?
Don't get all worked up, Don't panic, Don't get upset.
Do you have any problems with malware, viruses or trojans?
Is your computer plagued with pop ups?
Do you get diverted to wrong sites when searching?
For help with these and any malware related or other computer problems visit the computer help and malware cleaning forum: Techguy.org
You usually get infected because your security settings are too low or because you blindly click Yes to everything. This article will show you how to protect yourself, keep yourself safe online and tighten security.
Do you cyber-blab? Are you a compulsive Tweeter or Facebooker? Think carefully about what you post. A simple post about your daily visit to the local coffee shop could be enough to tell a burglar when it is safe to rob your house. Remember EVERYTHING on a Social Media site is public.
You can submit suspicious files and web sites (URLs) for examination and submission to antivirus companies, other malware researchers that I co-operate with, and phishing block lists.
You can also upload copies of the email you received (that helps to track down and report the sending email servers so they can be cleaned up).
One of the most popular methods of spreading malware and infecting you is emails with malformed or infected Word docs and Excel spreadsheets containing embedded malicious macros or embedded OLE objects. You only have to look through this blog to see hundreds of examples of emails with attachments using these malicious Office files.
We see lots of phishing attempts for banking, PayPal and other login credentials. This is a newer entry to the lists. I don’t often see Shopify phishing emails. I was quite surprised to see a double phishing scam here. First asking for your Shopify shop address, then your email address associated with the shop, then the login password for the shop. Then, to add a bit of flavour, they ask you to link your PayPal account and want that email address & password. This phisher is out of luck and the site has been reported for immediate takedown. I don’t expect …
I am having difficulty working out what is happening with this malware. The details about it were uploaded via our submissions system yesterday afternoon when I was out for a medical appointment. I don’t have a copy of the original email, only the body content which was pasted into the message and the link it led to, with details of the alleged original sender. I think it is a banking trojan / info-stealer. UPDATE: I am being told it is the Ursnif / Gozi banking trojan, which is heavily geo-IP restricted. The email pretends to be from HMRC with a link in …
We are seeing massive changes with the Trickbot delivery campaign overnight. I have only seen 1 mention on Twitter about this campaign and 1 on a private malware research mailing list, so it can’t be affecting too many recipients. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering the Trickbot banking Trojan. The email with the subject of “You have a new eFax message!” pretends to come from eFax but actually comes from “firstname.lastname@example.org”, which is a look-alike, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the …
The latest version of these horrific porn-related sextortion / blackmail scams has changed slightly and pretends to be a message from a CIA employee who is part of the task force on paedophilia. There are multiple different senders and all the case numbers are different in each example received. It states you are on the list to be investigated and are about to be arrested on 8th April 2019. However, if you pay her $10,000 by bitcoin before 27th March 2019, she will remove all your details from the database. Of course this is a total fabrication. And just yet …
Yet another Gandcrab ransomware campaign, this time spoofing DHL Express with a fake delivery notification email. This delivers Gandcrab 5.2 ransomware, which currently does not have free decryption available. This bad actor is getting a bit lazy and has reused the same Word template that we saw earlier in the week with the CDC version to deliver the malware. All they have done is change the file download URL in the macro. It is highly likely that they are using an off-the-shelf exploit kit rather than actually creating the docs themselves. However, they are using different sending …
A somewhat interesting and slightly alarming malware campaign, spreading worldwide but supposedly targeting the USA, that pretends to be an urgent message from the CDC (Centre for Disease Control) warning about a flu outbreak. This delivers Gandcrab 5.2 ransomware, which currently does not have free decryption available. They are using email addresses and subjects that will scare, shock, persuade or entice a recipient to read the email and open the attachment. Remember, many email clients or webmail services, especially on a mobile phone or tablet, only show the Name in the From: and not the …
This is a weird one and I can’t determine what the final payload does via running the files in an online sandbox. I really don’t know if the bad actor has messed up or whether it is an anti-VM or anti-sandbox protection on it. The .z attachment on the emails is not correct and the actual attachment is a .iso file that has been renamed or mistakenly given a .z extension. I received 2 different copies of this email with the same payload and email content, but coming from different email addresses and domains, both on the same server with …
They are still using this new version of the Trickbot delivery system where Bitsadmin is used to download the payload in small sections to a victim’s computer, where it is all joined together to make 1 file. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering the Trickbot banking Trojan. The email with the subject of “RE: Tax verification documents” pretends to come from Paychex but actually comes from “J.Clark@paychex.email”, which is a look-alike, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have …
Continuing with the recent changes to the Trickbot delivery system, and possibly the payloads and configs, today. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering the Trickbot banking Trojan. The email with the subject of “FW: Company Complaint #DNBC920201TF” pretends to come from Dun & Bradstreet but actually comes from “email@example.com”, which is a look-alike, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious Office file attachment. Today they are using macro-enabled Word docs that fire off on both …
A compromised site we saw yesterday delivering the Hawkeye keylogger / infostealer is being used today in an Agent Tesla campaign. I am not 100% positive it is the same bad actors involved, but the distribution method, the sites and hosting companies involved in sending the emails, together with the email template style (the way they use the recipient’s email address in the subject line), suggest it probably is. However, whoever is actually sending these today is not making the same careless or stupid mistakes that we have been seeing recently with the Hawkeye campaigns. They are using email addresses and …