SE Labs

Posts tagged 'ransomware'

Email ransom attack without the malware

Do You Do Any of These Embarrassing Things?

Email ransom attack

Email ransom attacks are easy and common. It’s like ransomware, but without the clever coding. Not every hacking attack has to be sophisticated. Sometimes hackers simply demand money, with the threat of making life worse if you don’t pay.

Your Device Was Hacked

The following is an example of a non-targeted, completely opportunistic email ransom attack that threatens to expose embarrassing personal details. A ransom of $1,650 will ensure the details stay private.

Read more >

Ransomware evolved – Persistent Ransomware Attack

A set of backups may no longer be enough

Ransomware infecting backup tape

A journalist asked us if we felt that ransomware attackers had evolved. But the truth of the matter is, there’s no need for them to do so judging by the large number of publicised cases in which they are able to achieve success without being too creative.

Read more >

Big Time Crooks: A Fake Sense of Security

Fake sense of security

When an online scam becomes too successful, the results can be farcical. And bring a fake sense of security…

In the movie Small Time Crooks, Woody Allen leads an inept gang of would-be robbers who rent a store next to a bank. They plan to tunnel into the vault. As a cover, Allen’s girlfriend (played by Tracey Ullman) sets up a cookie business in the store. Ullman’s business takes off and, to maintain the cover, the gang must work hard. They set up production facilities, hire staff, find distributors and so on.

Why is this relevant? Well, rewind to 2002. The internet had already taken off in a big way. People were pouring online as new opportunities exploded into the public consciousness. Cybercrime was also exploding. The internet presented a new breed of tech savvy crooks with their own set of opportunities. For one gang, an Allenesque adventure was about to begin, bringing people a fake sense of security.

Humble Beginnings

How many times have you browsed a web page that suddenly throws up an alarming warning that your computer is infected? And the only thing that can save you is to immediately buy a special program or call a special number? If you’re up to date with system patches and use a reputable anti-virus solution, you’re rarely in danger from such sites these days.

It was not always so.

For millions of internet users who were running without protection the apparent authority of such “scareware” sites made them act. They downloaded free “anti-virus” software that gave a fake sense of security and infected them with real malware. They parted with real cash and many also paid again to have their computers cleaned by professionals.

Look through the history of scareware, and one company repeatedly appears: Innovative Marketing Inc. This was the name used in US Federal Trade Commission paperwork but the organisation also known by a wide range of other names. Innovative was registered in Belize in 2002.

Despite the appearance of being a legitimate business, its initial products were dodgy. They included pirated music, porn and illicit Viagra, along with sales of “grey” versions of real anti-virus products.

Innovative security

After Symantec and McAfee both put pressure on the company to stop those software sales in 2003, Innovative tried to write its own. The resulting Computershield wasn’t effective as anti-virus protection, but the company sold it anyway as a defence against the MyDoom worm. Innovative aggressively marketed its new product, and according to press reports, it was soon raking in $1 million per month. As the threat from MyDoom receded, so too did profits.

The company initially turned to adware as a new revenue source. This enabled so-called “affiliates” to use malicious web sites to silently install the adware on vulnerable Windows computers. Getting victims to visit those sites was achieved by placing what looked like legitimate adverts on real sites. Click them, and you became infected. The affiliates then pocketed a fee of 10 cents per infection, but it’s through that Innovative made between $2 and $5 from sales of the advertised products.

Fake sense of security

Meanwhile, development of completely fake anti-virus software snowballed at the company’s Kiev office. A classic example is “XP Antivirus 2008”. This also went by a large number of pseudonyms and evolved through many versions. A video of it trashing an XP machine can be found here. Its other major names include Winfixer, WinAntivirus, Drivecleaner, and SystemDoctor.

xp2bantivirus2b2008-7843602

In many ways, Innovative’s scareware was, well, innovative. It disabled any legitimate protection and told you the machine was heavily infected, even going to the trouble of creating fake blue screens of death. At the time, some antivirus companies had trouble keeping up with the rate of development.

Attempts to access Windows internet or security settings were blocked. The only way of “cleaning” the machine was to register the software and pay the fee. Millions of people did just that. The FTC estimates that between 2004 and 2008, the company and its subsidiaries raked in $163 million.

In 2008, a hacker with the handle NeoN found a database belonging to one of the developers. This revealed that in a single week one affiliate made over $158,000 from infections.

The Problem of Success

Initially, Innovative used banks in Canada to process the credit card transactions of its victims, but problems quickly mounted as disgruntled cardholders began raising chargebacks. These are claims made to credit card companies about shoddy goods or services.

With Canadian banks beginning to refuse Innovative’s business, it created subsidiary companies to hide its true identity, and approached the Bank of Kuwait and Bahrain. Trouble followed, and in 2005 this bank also stopped handling Innovative’s business due to the high number of chargebacks. Eventually, the company found a Singaporean bank called DBS Bank to handle the mounting backlog of credit card transactions.

The only solution to the chargeback problem was to keep customers happy. So, in true Allenesque style, Innovative began to invest in call centres to help customers through their difficulties. It quickly opened facilities in Ukraine, India and the USA. Operatives would talk the customers through the steps needed for the software to miraculously declare their systems free of malware. It seems that enough customers were satisfied with a fake sense of security to allow the company to keep on raking in the cash.

Official complaints

shaileshkumar-p-jain-3887344

But people did complain, not to the company but to the authorities. The FTC received over 3,000 complaints in all and launched an investigation. Marc D’Souza has been convicted of his role in the company and ordered to pay £8.2 million, along with his father who received some of the money. The case of Kristy Ross for her part in the scam is still going through the US courts. Lawyers are arguing that she was merely an employee.

Several others, including Shaileshkumar “Sam” Jain and Bjorn Daniel Sundin, are still at large, and have had a $163 million judgement entered against them in their absence. Jain and Sundin remain on the FBI’s Most Wanted Cyber Criminal list with rewards for their arrests totalling $40,000.

bjorn-daniel-sundin-8778038

An Evergreen Scam

Scareware is a business model that rewards creativity while skirting the bounds of legality. Unlike ransomware, where criminal gangs must cover their tracks with a web of bank accounts and Bitcoin wallets, scareware can operate quite openly from countries with under-developed law enforcement and rife corruption. However, the gap between scareware and ransomware is rapidly closing.

Take the case of Latvian hacker Peteris Sahurovs, AKA “Piotrek” AKA “Sagade”. He was arrested on an international arrest warrant in Latvia in 2011 for his part in a scareware scam. Sahurovs then fled to Poland, where he was subsequently detained in 2016.

The hacker was extradited to the US and pled guilty in February this year to making $150,000 – $200,000.  US authorities claim the total made by Sahurovs’ gang was closer to $2 million. He’s due to be sentenced in June.

Fake advertising

According to the Department of Justice, the Sahurovs gang set up a fake advertising agency that claimed to represent a US hotel chain. Once adverts were purchased on the Minneapolis Star Tribune’s website, they were quickly swapped out for ones that infected vulnerable visitors with their malware. This made computers freeze and produce pop-ups explaining that victims needed to purchase special antivirus software to restore proper functionality. This case is interesting as it shows a clear cross over from scareware to ransomware. All data on the machines was scrambled until the software was purchased.

The level of sophistication and ingenuity displayed by scareware gangs is increasing, as is their boldness. You have probably been called by someone from India claiming to be from Microsoft, expressing concern that your computer is badly infected and offering to fix it. Or they may have posed as someone from your phone company telling you that they need to take certain steps to restore your internet connection to full health. There are many variations on the theme. Generally, they want you to download software that confirms their diagnosis. Once done, you must pay them to fix the problem. This has led to a plethora of amusing examples of playing the attackers at their own game.

False sense of safety

It’s easy to see the people who call you as victims of poverty with no choice but to scam, but string them along for a while and the insults soon fly. They know exactly what they’re doing, and from the background chatter on such calls, so do hundreds of others. Scareware in all its forms is a crime that continues to bring in a lot of money for its perpetrators and will remain a threat for years to come.

See all blog posts relating to analysis.

Predictably Evil

Does AI really work?

A common criticism of computer security products is that they can only protect against known threats. When new attacks are detected and analysed security companies produce updates based on this new knowledge. It’s a reactive approach that can provide attackers with a significant window of opportunity. Some use special technology to predict the future, but does AI really work?

AV is dead (again)

It’s why anti-virus has been declared dead on more than one occasion.

Latest report now online.

Security companies have, for some years, developed advanced detection systems, often labelled as using ‘AI’, ‘machine learning’ or some other technical-sounding term. The basic idea is that past threats are analysed in deep ways to identify what future threats might look like. Ideally the result will be a product that can detect potentially bad files or behaviour before the attack is successful.

(We wrote a basic primer to understanding machine learning a couple of years ago.)

Does AI really work?

Annual Report 2020

So does this AI stuff really work? Is it possible to predict new types of evil software? Certainly investors in tech companies believe so, piling hundreds of millions of funding dollars into new start-ups in the cyber defence field.

We prefer lab work to Silicon Valley speculation, though, and built a test designed to challenge the often magical claims made by ‘next-gen’ anti-malware companies.

With support from Cylance, we took four of its AI models and exposed them to threats that were seen in well-publicised attacks (e.g. WannaCry; Petya) months and even years later than the training that created the models.

It’s the equivalent of sending an old product forward in time and seeing how well it works with future threats. To find out how the Cylance AI models fared, and to discover more about how we tested, please download our report for free from our website.

Follow us on Twitter and/ or Facebook to receive updates and future reports.

Find out more

Our latest reports, for enterprise, small business and home users are now available for free. Please download them and follow us on Twitter and/or LinkedIn to receive news, comment, updates and future reports.

Sign up to our monthly business and personal security newsletters.

See all blog posts relating to test results.

Brexit and Cybersecurity

brexit

Is the UK headed for a cybersecurity disaster? With Brexit looming and cybercrime booming, the UK can’t afford major IT disasters, but history says they’re inevitable.

The recent WannaCry ransomware tsunami was big news in the UK. However, it was incorrectly reported that the government had scrapped a deal with Microsoft to provide extended support for Windows XP that would have protected ageing NHS computers. The truth is far more mundane.

Read more >

Testing anti-malware’s protection layers

endpoint security

Endpoint security is an important component of computer security, whether you are a home user, a small business or running a massive company. But it’s just one layer. Our first set of anti-malware test results for 2017 are now available.

Latest reports now online

Using multiple layers of security, including a firewall, anti-exploit technologies built into the operating system and virtual private networks (VPNs) when using third-party WiFi is very important too.

What many people don’t realise is that anti-malware software often actually contains its own different layers of protection. Threats can come at you from many different angles, which is why security vendors try to block and stop them using a whole chain of approaches.

A fun video we created to show how anti-malware tries to stop threats in different ways

How layered protection works

For example, let’s consider a malicious website that will infect victims automatically when they visit the site. Such ‘drive-by’ threats are common and make up about one third of this test’s set of attacks. You visit the site with your web browser and it exploits some vulnerable software on your computer, before installing malware – possibly ransomware, a type of malware that also features prominently in this test.

browser-8901457

Here’s how the layers of endpoint security can work. The URL (web link) filter might block you from visiting the dangerous website. If that works you are safe and nothing else need be done.

But let’s say this layer of security crumbles, and the system is exposed to the exploit.

toaster-9827773Maybe the product’s anti-exploit technology prevents the exploit from running or, at least, running fully? If so, great. If not, the threat will likely download the ransomware and try to run it.

At this stage file signatures may come into play. Additionally, the malware’s behaviour can be analysed. Maybe it is tested in a virtual sandbox first. Different vendors use different approaches.

Ultimately the threat has to move down through a series of layers of protection in all but the most basic of ‘anti-virus’ products.

Testing all layers

The way we test endpoint security is realistic and allows all layers of its protection to be tested.

Our latest reports, for enterprisesmall business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

See all blog posts relating to test results.

Infected websites, back from the dead

Forgotten, infected websites can haunt users with malware.

infected websites

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for websites and nothing else.

Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

Read more >

17 Things Spammers Get Wrong


No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why.

ransomware-8145580The headlines say phishing scams are at an all-time high, and ransomware is growing exponentially, but conspicuous by their absence are examples of the emails behind successful attacks. It’s becoming the cliché in the room, but there may be a reason: embarrassment.

Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well though-out campaign, it shines like a jewel in a sea of criminal mediocrity.

To the average spammer, however, it’s all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.

This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we’re massively overestimating the amount of effort and intelligence invested by spammers.

With that in mind, what follows is a short list of 17 mistakes I routinely see, all of which immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then the size yet lack of sophistication of the problem should become apparent.

1.    No Subject Header

This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it’ll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.

2.    No Set Dressing

tesco-6478043

Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.

3.    Generic Companies

generic-1081819

Generic companies are rare but I do occasionally see them. Who is “the other financial institution” and why has it refused my transaction? Vague, instantiated company names like this, with an accompanying attachment, are clear indicators of spam.

4.    Multiple Recipients

This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.

5.    Poor Salutation

Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (i.e.: “Dear fred.smith”). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.

6.    No Body Text

Sending an email with a tantalizing subject header such as “Overdue – Please Respond!” but no body text explaining what or why it’s overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.

7.    Auto-translated Body Text

paypal2-9354648

Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.

8.    The Third Person

This is a great example of a spam writer trying to distance himself from his crime. “PayPal has detected an anomaly in your account” and “they require you to log in to verify your account” just look weird in the context of a security challenge. This is supposed to be from PayPal, isn’t it?

9.    Finger Trouble

apple2bicloud2b2-6952704

I’m fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they’re blind drunk. Random punctuation marks and extra characters that look like they’ve been hit at the same time as the correct ones don’t make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.

10.    Unexpected Plurals and Tenses

Using “informations” instead of “information” is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as “we detect a problem” instead of “we detected a problem” also stick out a mile.

11.    Missing Definite Article

Many spam emails stand out as somehow “wrong” because they miss out the definite article. One recent example I saw read: “Access is blocked because we detect credit card linked to your PayPal account has expired.” An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.

12.    The Wrong Word

“Please review the document and revert back to us immediately”. Revert? Really? Surely, you mean “get back”, not “revert back”. It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.

13.    Misplaced Emphasis

paypal-1531640

Unusually capitalised phrases such as “You must update Your details to prevent Your Account from being Suspended” look weird. Initial capitalisation isn’t used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.

14.    Tautological Terrors

cps-7972121

“It is extremely mandatory that you respond immediately”. Not just mandatory but extremely mandatory? Wow, I’d better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.

15.    Grandiosity

splayer-6973270

Using grand words where normal ones should appear to make a message sound more authoritative are a dead giveaway.  Here’s an example from last September when a gang famously tried to distribute malware on the back of a new media player release: “To solemnise the release of our new software”. Solemnise means to mark with a formal ceremony.

What they really meant was: “To mark the release of our new software”.  The whole message was also riddled with the most outrageous auto-translate errors that it made difficult reading.

16.    Overly-grand Titles

Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn’t he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash.

17.    Obfuscated URLs

If the collar doesn’t match the cuffs, it’s a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.

Predictions for 2017

golden-2017-new-year-text-with-glowing-glitter-effect-and-fireworksStill dazed from the year that was, Jon Thompson dons his Nostradamus hat, dusts off his crystal ball
and stares horrified into 2017.

Prediction is difficult. Who would have thought a year ago that ransomware would now come with customer care, or that Russia would be openly accused of hacking a bombastic businessman into the Whitehouse. Who even dreamed Yahoo would admit to a billion-account compromise?

So, with that in mind, it’s time to gaze into the abyss and despair…

Let’s get the obvious stuff out of the way first. Mega credential breaches won’t go away. With so many acres of forgotten code handling access to back end databases, it’s inevitable that the record currently held by Yahoo for the largest account breach will be beaten.

Similarly, ransomware is only just beginning. Already a billion-dollar industry, it’s cheap to buy into and easy to profit from. New techniques are already emerging as gangs become more sophisticated. First came the audacious concept of customer service desks to help victims through the process of forking over the ransom. By the end of 2016, the Popcorn Time ransomware gang was offering decryption for your data if you infect two of your friends who subsequently pay up. With this depth of innovation already in place, 2017 will hold even greater horrors for those who naively click attachments.

Targeted social engineering and phishing attacks will also continue to thrive, with innovative

campaigns succeeding in relieving companies of their revenues. Though most untargeted bulk phishing attempts will continue to show a low return, phishers will inevitably get wise and start to make their attacks more believable. At SE Labs, we’ve already seen evidence of this.

It’s also obvious that the Internet of Things will continue to be outrageously insecure, leading to DDoS attacks that will make the 1.1Tbps attack on hosting company OVH look trivial. The IoT will also make ransomware delivery even more efficient, as increasing armies of compromised devices pump out the pink stuff. By the end of 2017, I predict hacking groups (government-backed or otherwise) will have amassed enough IoT firepower to knock small nations offline. November’s test of a Mirai botnet against Liberia was a prelude to the carnage to come.

Bitcoin  btc-mono-ring-orange-6370546recently passed the $1,000 mark for the first time in three years, which means criminals will want even more than ever to steal the anonymous cryptocurrency. However, a flash crash in value is also likely as investors take profits and the market panics in response to a sudden fall. It’s happened before, most noticeably at the end of 2013. There’s also the distinct possibility that the growth in value is due to ransomware, in which case the underlying rally will continue regardless of profit takers.

The state-sponsored use of third party hacking groups brings with it plausible deniability, but proof cannot stay hidden forever. One infiltration, one defection, one prick of conscience, and someone will spill the beans regardless of the personal cost. It’s highly likely that 2017 will include major revelations of widespread state-sponsored hacking.

This leads me neatly on to Donald Trump and his mercurial grasp of “the cyber”. We’ve already delved into what he may do as president, and much of what we know comes straight from the man himself. For example, we already know he skips his daily security briefings because they are “repetitive”, and prefers to ask people around him what’s going on because “You know, I’m, like, a smart person.

Trump’s insistence on cracking down on foreign workers will have a direct impact on the ability of the US to defend itself in cyberspace. The shift from filling jobs with overseas expertise to training homegrown talent has no discernible transition plan. This will leave a growing skills gap for several years as new college graduates find their way to the workplace. This shortfall will be exploited by foreign threat actors.

Then there’s Trump’s pompous and wildly indiscreet Twitter feed. Does the world really need to know when secret security briefings are postponed, or what he thinks of the intelligence presented in those meetings? In espionage circles, everything is information, and Trump needs to understand that. I predict that his continued use of social media will lead to internal conflict and resignations this year, as those charged with national cybersecurity finally run out of patience.

donald-trump-spars-with-univision-journalist-jorge-ramos-6442066

It’s not all doom and gloom, however. The steady development of intelligent anti-spam and anti-malware technologies will see a trickledown from advanced corporate products into the hotly contested consumer market. The first AV vendor to produce an overtly next gen consumer product will change the game – especially if a free version is made available.

There’s also a huge hole in “fake news” just begging to be filled. I predict that 2017 will see the establishment of an infosec satire site. Just as The Onion has unwittingly duped lazy journalists in the past, there’s scope for the same level of hilarity in the cybersecurity community.

However, by far the biggest threat to life online in 2017 will continue to be the end user. Without serious primetime TV and radio campaigns explicitly showing exactly what to look for, users will continue to casually infect themselves and the companies they work for with ransomware, and to give up their credentials to phishing sites. When challenged, I also predict that governments will insist the problem is being addressed.

So, all in all, it’s business as usual.

Happy 2017!

What is Machine Learning?

Machine Learning

… and how do we know it works?

What’s the difference between artificial intelligence and machine learning? Put simply, artificial intelligence is the area of study dedicated to making machines solve problems that humans find easy, but digital computers find hard. Examples include driving cars, playing chess or recognising sarcasm.

Read more >

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press