This blog will help keep you up to date with Security warnings, Phishing, Currently spreading Malware and Email spoofs, Windows updates and my general thoughts about the online world today and how to keep yourself safe online and not become a victim.
The majority of posts are about malware and phishing scams received via emails. Most people don't really want to know what the malware is that was attached to an email. They just want to know if it is good or bad. Everybody just looks at the email quickly, so it can be very hard to decide if it comes from a genuine sender or a scumbag trying to scam you, steal your money or infect you.
All you want to know quickly: Is the email likely to be safe or dangerous?
We try to post as many examples of currently spreading emails as quickly as we can to alert everybody to the latest fast spreading method of scamming or infecting you.
Are you frustrated with your computer?
Don't get all worked up, Don't panic, Don't get upset.
Do you have any problems with malware, viruses or trojans?
Is your computer plagued with pop ups?
Do you get diverted to wrong sites when searching?
For help with these and any malware related or other computer problems visit the computer help and malware cleaning forum: Techguy.org
You usually get infected because your security settings are too low or you blindly click Yes to everything. This article will show you how to protect yourself, keep yourself safe online and tighten security.
Do you cyber-blab? Are you a compulsive Tweeter or Facebooker? Think carefully about what you post. A simple post about your daily visit to the local coffee shop could be enough to tell a burglar when it is safe to rob your house. Assume EVERYTHING you put on a social media site is public.
You can submit suspicious files and web sites (URLs) for examination and submission to antivirus companies, other malware researchers that I co-operate with, and phishing block lists.
You can also upload copies of the email you received (that helps to track down and report the sending email servers so they can be cleaned up).
One of the most popular methods of spreading malware and infecting you is email carrying malformed or infected Word documents and Excel spreadsheets that contain embedded malicious macros or embedded OLE objects. You only have to look through this blog to see hundreds of examples of emails with attachments using these malicious Office files.
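The following is an added example and not code from this blog: a small Python triage helper for exactly the attachments described above. It keys off the file's magic bytes rather than its extension (so a renamed attachment that is really a zip still gets examined), opens an OOXML container and reports whether it carries a vbaProject.bin macro part or a macro-enabled content type, lists any parts under an embeddings/ folder (where embedded OLE objects live), and flags legacy OLE2 (.doc/.xls) files using a crude UTF-16 stream-name heuristic. The build_sample_docx fixture is constructed purely for testing and produces no real document content; for real OLE2 parsing use a proper CFB parser such as oletools.

```python
import io
import zipfile

# Magic bytes of the two container formats Office attachments come in.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (CFB)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm/.xlsx/.xlsm

# Storage/stream names that only exist when a legacy file carries VBA.
# CFB directory entries are UTF-16LE, so we search for the encoded form.
_OLE2_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def triage_office_attachment(data: bytes) -> dict:
    """Inspect raw attachment bytes and report macro / embedded-object indicators.

    The decision is made on magic bytes, never on the file extension, so a
    renamed attachment (e.g. a .dat that is really a zip) is still examined.
    """
    report = {
        "container": "unknown",     # ole2 | ooxml | unknown
        "has_macros": False,
        "embedded_objects": [],     # OOXML parts under */embeddings/
        "other_bin_parts": [],      # any other .bin part worth a second look
    }

    if data.startswith(OLE2_MAGIC):
        report["container"] = "ole2"
        # Heuristic only (assumption): a real CFB directory walk is the proper check.
        report["has_macros"] = any(m in data for m in _OLE2_VBA_MARKERS)
        return report

    if not data.startswith(ZIP_MAGIC):
        return report

    report["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
        # Macro-enabled documents declare a ...macroEnabled... main part.
        if "macroEnabled" in content_types:
            report["has_macros"] = True

        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                report["has_macros"] = True                # the VBA project itself
            elif "/embeddings/" in lower:
                report["embedded_objects"].append(name)    # embedded OLE / package objects
            elif lower.endswith(".bin"):
                report["other_bin_parts"].append(name)
    return report


def verdict(report: dict) -> str:
    """Collapse the report to the one-word answer a reader of the email wants."""
    if report["has_macros"] or report["embedded_objects"]:
        return "dangerous"
    if report["container"] == "unknown":
        return "unknown"
    return "probably-safe"


def build_sample_docx(with_macro: bool, with_ole: bool) -> bytes:
    """Constructed test fixture: a minimal OOXML zip, not a real Word document."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)   # VBA is itself a CFB blob
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (
        ("clean docx", build_sample_docx(False, False)),
        ("docm with macro + OLE", build_sample_docx(True, True)),
        ("renamed .dat that is really a zip", build_sample_docx(False, True)),
        ("legacy .doc with VBA", OLE2_MAGIC + b"\x00" * 64 + _OLE2_VBA_MARKERS[0]),
    ):
        r = triage_office_attachment(blob)
        print(f"{label:36s} -> {verdict(r)}  {r}")
```

The point of the OOXML branch is that a macro-enabled document cannot hide its VBA: it must ship a vbaProject.bin part and declare a macroEnabled content type, both of which are visible with nothing more than a zip listing, and embedded OLE objects likewise sit under a predictable embeddings/ folder. Anything that trips either check is treated as dangerous regardless of what the email says the attachment is.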
We still see loads of AgentTesla keylogger / info-stealer malware campaigns hitting the UK most days. Today is no exception, with quite a few so far. I don’t always post them here unless there is something slightly different or unusual about the delivery method, or the malware itself changes. I just submit to antivirus companies & most times tweet the details to other security researchers. This version is noteworthy because the exfil / C2 is an Iraq government site which “should” be 100% secure but obviously isn’t. The email is the usual junk email that should be blocked by most …
Every now and again we see a phishing scam that stops you in your tracks and you think “I really don’t believe it”. This is another one of them. I am absolutely gobsmacked by the number of so-called web developers, SEO experts or designers who are totally incapable of securing their own website, let alone building & commissioning a safe, secure customer’s site. Safety and security come first. Then you build the functionality around that, making sure you don’t introduce any security fails while doing so. Then the final step is the look and image you want …
Every now and again we see a phishing scam that stops you in your tracks and you think WTF. This is one of them. It starts with a fake DocuSign email that contains a link to a bit.ly short URL. What makes this one so bad is that the bit.ly short URL has been live since 20 August 2019 and as of the time of writing has had 1801 clicks. Now, to make it even worse, the bit.ly redirect is to a lawyers’ office, http://stevensandgoldwyn.com, that has probably been compromised for the same length of time or even longer. …
We see lots of phishing attempts for email credentials. This one is quite strange and weird: it pretends to be a message from Barclays Bank to update card details. I don’t know what is happening, but several times I tried, I got redirected to the genuine Barclays Bank website. But from anyrun using MITM, and sometimes from my home IP address in the UK, I can sometimes get to the phishing site: https://barclays-form.icu/ This is a very complicated chain of events. I ran this through anyrun using several different settings and got different results many times. Anyrun reports: …
It looks like we are seeing a few changes to the Remcos RAT install & persistence method. Over the last couple of weeks I have noticed a few tweaks to the persistence & auto-start of several Remcos RAT versions. Today it has changed again to try to bypass protections. This all starts with the usual spam email; today’s (or rather last night’s) was a fake invoice in a .iso / .img container. As you can see from the VirusTotal reports, .img containers are generally pretty poorly detected, so they are more likely to bypass perimeter defences. Once the …
We don’t see a lot of malware at weekends in the UK, so it was a bit of a surprise to get a whole swathe of emails overnight pretending to be an invoice from indofuels. The keylogger and info / credential stealer the criminals are using this weekend is Keybase. I personally haven’t seen Keybase for a couple of years, although reports of sporadic campaigns & infected computers are seen occasionally, with a slight resurgence over the last week or so. I thought Keybase had effectively stopped being distributed or used a couple of years ago, when the original developer stopped …
It seems to be the week for harder-to-analyse & dodgy delivery systems that more carefully target specific countries / regions or even specific ISPs. Yesterday we saw a fake e-fax notification in German that eventually led to Buran ransomware. I couldn’t analyse that one properly or get the full payload, but with lots of help from many Twitter contacts the ransomware payload was soon discovered, downloaded and submitted. Today I have received a fake TNT delivery / collection notice that has a link in the email body that downloads a zip file. Inside the zip is …
This is a strange & slightly more difficult than usual to analyse malware, mainly because the bad actor appears to have made a total mess of the distribution. I do not know if this will actually run on a proper computer; it obviously doesn’t like a sandbox / VM. The email was received with a .dat extension, which is what Outlook or the mail server often changes unknown extensions to. This .dat file is actually a zip file. It does extract to a .pif and a jpg image file of an invoice. The pif is not a Windows shortcut …
It looks like Friday the 13th is unlucky for this malware bad actor, trying to deliver yet another AgentTesla keylogger / info-stealer, because as far as I can tell this malware chain is broken, so the victim should not get the payload. We still see loads of AgentTesla keylogger / info-stealer malware campaigns hitting the UK most days. Today is no exception, with quite a few so far. I don’t always post them here unless there is something slightly different or unusual about the delivery method, or the malware itself changes. I just submit to antivirus companies & most times …
We still see loads of AgentTesla keylogger / info-stealer malware campaigns hitting the UK most days. Today is no exception, with quite a few so far. I don’t always post them here unless there is something slightly different or unusual about the delivery method, or the malware itself changes. I just submit to antivirus companies & most times tweet the details to other security researchers. Today’s other versions are tweeted here & here. This version today is more noticeable and worth mentioning for several reasons. The alleged sender pricolcargo.com has appeared in the lists of spoofed companies for literally ages, …