Saturday, April 14, 2018

Fake 'Virus Detected' Scam

So, anyway, I get a lot of these scam pitches each day. The email looks something like this ...



Sometimes the email purports to be from Fedex, and sometimes it tells me I have broken pictures, but however it comes, it tells me to "Click here".

If you do, you are taken to a fake "virus detected" screen, that looks a lot like this ...



This kind of thing has been around for ages, and the idea is that they try to get you to call the 888 number, where they try to convince you to give them remote access to your computer, so that the nice technician can "help" you.

It's not exploitive, per se, but it would be a significant nuisance to a non-techie, because it hijacks the browser enough that you can't close the browser, and get rid of it. It must work a bit, because they keep trying it.

This is the sort of thing I took great pleasure in blocking, when I had a suitable product in a previous life, so I thought I'd see who was blocking it today.

It only serves that page the first time you go to it, and after that, either takes you to a (probably) fake Canadian Pharmacy (usually somewhere in Russia), or a Diet Pills site, so in order to test against a number of products, I used a thing called HttpReplay, to capture the initial sockets, and then to replay it against the eight products I had readily to hand.

I made sure that each product was able to update itself, and declare itself "current", and then I opened the socket trace, and pretended to cruise to the website. Pretty much doing what a regular user might have done. All products are the consumer versions, and are installed with default options, just as a normal end-user might. Here are the scores:

McAfee Miss
Sophos Block
Eset Miss
Avast Miss
Symantec Block
Kaspersky Miss
Panda Miss
Avira Miss
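The "first visit only" behaviour is what makes this kind of page awkward to test against more than one product: a replay harness has to hand every browser the same recorded response, whatever path it asks for. The following is an added Python example of that idea, not the HttpReplay tool the post used and not code from the post. The recorded response it serves is a constructed placeholder, and the loopback address and port are assumptions; a real capture would be read from the replay tool's trace file.

```python
import http.server
import threading
import urllib.request

# Constructed stand-in for a response a replay tool would have recorded off
# the wire on the one visit that actually served the scam page. The body is
# a placeholder, not the page from the post.
SAMPLE_BODY = (
    b"<html><body><h1>VIRUS DETECTED</h1>"
    b"<p>Call the 888 number on screen.</p></body></html>"
)
RECORDED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: text/html; charset=utf-8\r\n"
    + b"Cache-Control: no-store\r\n"
    + b"Connection: close\r\n"
    + b"Content-Length: " + str(len(SAMPLE_BODY)).encode("ascii") + b"\r\n"
    + b"\r\n"
    + SAMPLE_BODY
)

# Headers that describe the original connection rather than the page; they
# must not be copied verbatim from the recording.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "content-length"}


def parse_recorded_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, reason, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("recorded response has no end-of-headers")
    lines = head.decode("latin-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)
    if len(status_parts) < 2 or not status_parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    status = int(status_parts[1])
    reason = status_parts[2] if len(status_parts) == 3 else ""
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return status, reason, headers, body


def replay_headers(headers, body):
    """Drop hop-by-hop headers from the recording and recompute Content-Length."""
    kept = [(n, v) for n, v in headers if n.lower() not in HOP_BY_HOP]
    kept.append(("Content-Length", str(len(body))))
    return kept


class ReplayHandler(http.server.BaseHTTPRequestHandler):
    """Answer every request with the recorded response, regardless of path,
    so each product under test sees exactly the first-visit page."""
    recorded = RECORDED_RESPONSE

    def do_GET(self):
        status, reason, headers, body = parse_recorded_response(self.recorded)
        self.send_response(status, reason)
        for name, value in replay_headers(headers, body):
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the console quiet during tests
        pass


def serve_in_background(port: int = 0):
    """Start the replay server on 127.0.0.1; port 0 lets the OS pick one."""
    server = http.server.HTTPServer(("127.0.0.1", port), ReplayHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port: int, path: str = "/"):
    """Plain client used to check that every visit gets the same page."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}") as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    srv = serve_in_background(8080)  # assumed port; point the test browser here
    print("replaying recorded page on http://127.0.0.1:8080/ ... Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Pointing each product's browser at the replay port, rather than at the live site, is what keeps the comparison fair: the scam page never rotates to the pharmacy redirect, and a miss is a miss on the same bytes every time.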

Obviously, I'm not saying that this proves anything much, except that I reckon everyone should be blocking this sort of thing, because if I'm seeing it every day, chances are that lots of people are.

Thursday, April 12, 2018

The Privacy Revolution in Action

As a practical example of the Privacy Revolution, I have a little story.

In 2008, I was in London, staying at the excellent Royal Trafalgar hotel. I ordered a cab, and went downstairs to pay my bill. They ran my card, and said, "I'm sorry, sir. Your card has been declined. Do you have another?"

I said something to the effect of, "Wait ... what??? I know there's money in that account. There must be some mistake!"

They said, "I'm sorry, but you'll have to call the bank."

I sighed, and sent the cab away, and got on the phone to my bank. I fought my way through the voice prompts (never easy, when you have an accent), and finally got to speak to a human. They said, "Did you tell us you were traveling overseas?"

I felt like saying a great many things, some even unkind, but I thought better of it, and simply said, "No. I didn't know I had to."

They said, "You'll have to talk to our fraud department to get the card unblocked."

I got a human pretty quickly this time, and he asked me all the obvious questions, such as, "Last four of social, how many accounts do you have, what sort of accounts are they, and who's on the accounts with you", all of which I answered successfully.

He then said, "And now, sir, just a couple more questions, based on publicly available information... What age-range would best describe this person... 25-30, 30-35, 35-40... Laura ************."

They used the maiden name of one of my daughters-in-law.

I was stunned.

This young lady had been married to my son for eight years at that point, and had not used her maiden name since she got married.

I stammered out the correct answer, and they asked me a different age range, and then used my wife's name, which was not a shock, and I answered that one. Correctly, thankfully.

They unblocked my card, and I got another cab to the airport, and home, but all the way, my mind was racing... Laura had never lived at the same address as me ... There was no obvious connection ... I well understood that if someone googled for a couple of days, someone could figure it out, but _at their fingertips_, they knew that I should know who this person, with a different name, was, and how old she was.

Finally, I thought... "It must be FaceBook, because on there, she calls herself Laura *MaidenName* Thompson. That must be it!", and I smacked them a little bit in my blog.

A couple of days later, a friend who worked at RSA called me, and said, "Uh ... Rog ... that blog you did. It wasn't FaceBook. It was us. We have a product called Knowledge Based Authentication (KBA), that we sell to banks."

Again, I was stunned. Then I was relieved, because I consider RSA to be Good Guys, and then I was stunned again, because the realization hit me, that if Good Guys like Google and RSA were collecting all this information, it was a given that Bad Guys were too, and we have no idea just who is.

Now, this was ten years ago, and lots of things have changed. RSA (who wasn't doing anything wrong with KBA) has sold KBA to someone else (Google knows who), and they aren't doing anything wrong with it either, but we may be confident that the race to collect information continues unabated, and probably accelerates.

It's bad enough that leaked personal data can be used in obvious things, like directed malware attacks, and common fraud, but recent events have shown us that one unexpected consequence of this is Mass Psychological Profiling, and the even scarier, Mass Psychological _Persuasion_.

This is the Privacy Revolution, folks. In the fullness of time, we will come to understand that the effect on humanity will be just as massive as the agricultural and industrial revolutions.

Wednesday, April 11, 2018

The Privacy Revolution is the fourth Great Revolution (Part 2)

So, the next interesting thing to happen was that at the end of 2007, I sold my company, Exploit Prevention Labs (XPL) to AVG. XPL watched for exploits coming off the web, because I'd figured out in 2005 that the Web was the next attack surface. (Windows XP Service Pack 2 had been released in 2004, and for the first time, the firewall was on by default, and I knew that this would be an extinction level event for the malware of the day, network worms, like Code Red, but I also knew that the Bad Guys would not give up, and the web was the obvious attack point... but I digress...)

Because of AVG's huge client base, I suddenly had a hundred million pairs of eyes helping to watch what was going on, and one day, I noticed some interesting stuff coming through FaceBook from Russia, and I thought, "I wonder why it's all coming from Russia?", so I tweaked the detection a bit, and did a release, and suddenly the main source shifted to the USA. Still FaceBook, but the USA.

Now, to be perfectly clear, upon further examination, the triggering code was not exploitive, or malicious. It was just obfuscated enough that it looked suspicious at first glance, and it was interesting, because it was coming through FaceBook. And, again, FaceBook was not doing anything wrong... it's just how things worked. People linked to their own websites, outside of FaceBook.

The triggering application turned out to be a Pink Ribbon Breast Cancer Support app. The idea was that you could access the app, and that would show your support for a clearly worthy cause. In using the app, however, you quite clearly said that you allowed the app to access all your contacts, and presumably your information. A couple of hundred thousand women had allowed that at the time I noticed.

Further examination showed that the information was going back to a website called Pebly.com, and this was the website...


No "About us" or "Contact us". Just that block graphic. Searching google a bit revealed that they made "social applications". For example, they had a "Do it yourself survey" app, that anyone could tweak, and release. Again, I am not suggesting there was anything malicious here, but presumably anyone using any of the apps would provide all their information to that app, and google revealed they had a lot of apps.

Ownership was hidden behind a privacy protector.

Again, this implies no wrongdoing, and it is not uncommon to hide website ownership, but it does mean that we have no idea who was collecting the data, or what they were doing with the data.

By 2010, the site had morphed into a much more normal looking website...



It morphed a few more times, and then seemed to disappear entirely sometime in 2015.

Again, I am not suggesting that they were doing anything malicious. They just collected a whole lot of data, and we don't know who they were, and why they wanted the data. There doesn't seem to be any connection to any of the players in the current Cambridge Analytica saga, so the burning question is ...

Just how many organizations are out there collecting data, and what are they doing with it?

Part 3 tomorrow, folks.

Tuesday, April 10, 2018

The Privacy Revolution is the fourth Great Revolution. (part 1)

Everybody knows that there have been two great revolutions. The first was the Agricultural Revolution, where people stopped being nomads, and began farming. It took thousands of years to have its full effect, but the effect on humanity was massive.

The second was the Industrial Revolution, where people (more or less) stopped being farmers, and factories and towns became the norm. It took about a hundred and fifty years to have its effect, but again, the impact on humanity was massive.

Some people understand that there was a third great revolution, the Computer Revolution, which basically started at the end of World War II. The timeframe is even more compressed, but again, the effect on humanity is massive.

I contend that there is a fourth great revolution that I call the Privacy Revolution. It started with the advent of the World Wide Web, and continues now. In the fullness of time, we will come to understand that the effect on humanity has been just as massive as the first three.

In press interviews in 2002, Eric Schmidt, the then-CEO of Google, supposedly said two very interesting things. The first was something like "We pretty much know who everyone is, and what they are interested in.", and the second was something like, "The total amount of human recorded history can be stored in five exabytes, and since some time in 2002, Google has been indexing five exabytes every two days."

The next "interesting thing" is that in 2007, I was out in Mountain View, trying to sell my company, Exploit Prevention Labs to Google. I was in a room full of engineers, and I casually asked one of them, "So, how often do you purge your search logs?", and the guy did a visible double take, and looked at me like I'd said something stupid, and said, "Never!"

Now, some of that might well have changed in the last eleven years, and I consider Google to be Good Guys, and trustworthy, but that's a lot of data.

And they ain't the only ones collecting... think about all the other search engines, not to mention the social media engines that are so in the news right now.

I'll get to the next part of the story tomorrow...

Thursday, March 15, 2018

That was a bit creepy...

So, anyway, for a variety of reasons which are not terribly important now, I decided to start using google calendar today.

First thing it did was ask if it could access my contacts. I generally say no to that sort of request, but, on this occasion, I thought, "What harm could it do?", so I clicked the OK button.

A couple of seconds later, I was shocked to find that it had populated my calendar with a couple of hundred birthdays.

Now I'm not opposed to wishing my friends a happy birthday on their special day, but some of the people in my contacts list are just business acquaintances, rather than "friends", and I would not think it appropriate to know things like that, let alone to wish them a happy birthday.

I thought, "How the heck did google know that just from a phone number or an email address? And what else do they know???"

I mean, I like google, and I consider them Good Guys, but I am concerned about the Privacy Revolution (more about that later), so with a rising sense of anxiety, I figured I'd better look at my contacts, to see if anything obvious was being leaked incorrectly.

Imagine my surprise when the first guy I looked at was not in my address book. Nor the second. Nor the third. None were in my address book. Wait ... what...???

Then I thought, "If it didn't get them from my address book, where did they come from?", and I thought... "FaceBook!!!", but then I poked around a bit, and realized that lots of them weren't friends on FaceBook either... and then, it dawned on me...

Ages ago, I'd joined google plus, but hadn't used it much, and had forgotten about it.

Yup. That's where they came from.

I was a dummy. I don't often admit it, but I was wrong.

Google calendar seems very nice.

As long as it doesn't start laughing at me...

Tuesday, February 27, 2018

Pretty good Apple phish

So, anyway, I've noticed a lot of Apple phishes coming into my email honeypots, and they're convincing enough to catch the unwary, so I thought I'd document it here a little bit. The initial email looks something like this ...
If you click the link, it takes you to this screen ...
which looks pretty convincing, unless you actually parse out the URL in the address bar, at which time you realize it ain't Apple.com. If, however, you are unwise enough to put your AppleID and password in (or, as I did, just a bogus pair), you are taken to this screen ...
Followed by this one, which is really the point of the whole thing .... they want your credit card.
The screens, unfortunately, are convincing enough that they'll probably catch a few folk. Be cautious out there. Www stands for World War Web.
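Parsing the URL in the address bar is the one check that defeats every screen above, and it is also what a mail filter or a browser plugin would do. The following is an added Python example of that check, not code from the post: it pulls the host a browser would really connect to out of a URL and asks whether that host belongs to apple.com. The sample URLs are constructed to show the usual tricks (apple.com as a userinfo prefix, as the start of a longer hostname, as a path component, and a Cyrillic look-alike letter); none of them is a real phishing address from the post.

```python
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "apple.com"


def registrable_host(url: str) -> str:
    """Return the host a browser would actually connect to for this URL.

    urlsplit() handles the tricks phishers rely on: userinfo before an '@',
    a port suffix, and path or query text that merely contains 'apple.com'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"not a web URL: {url!r}")
    host = parts.hostname  # lowercased, with userinfo and port stripped
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")  # 'apple.com.' (trailing dot) is still apple.com


def belongs_to(host: str, domain: str = EXPECTED_DOMAIN) -> bool:
    """True only for the domain itself or a real subdomain of it.

    The leading dot in the suffix test is what rejects 'notapple.com' and
    'apple.com.evil.example'; a plain endswith('apple.com') would not.
    """
    return host == domain or host.endswith("." + domain)


# Constructed sample URLs: expected verdict is whether they really go to Apple.
SAMPLE_URLS = {
    "https://appleid.apple.com/auth/": True,
    "http://apple.com:8080/": True,
    "https://apple.com./": True,
    "https://apple.com.account-verify.example/login": False,
    "https://apple.com@login.example/": False,
    "https://login.example/apple.com/signin": False,
    "https://\u0430pple.com/": False,  # Cyrillic 'а', visually identical
}


def classify(urls):
    """Map each URL to True if its host belongs to apple.com, else False."""
    return {u: belongs_to(registrable_host(u)) for u in urls}


if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS).items():
        print(f"{'OK  ' if verdict else 'FAKE'} {registrable_host(url):40} {url}")
```

The Cyrillic case is the reminder that "it looks like apple.com" is not the test; the browser's own parse of the host is, which is why the post's advice to read the address bar carefully only works if you read it character by character.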

Thursday, December 21, 2017

AV products do work, folks.

I see a lot of criticism of anti-virus products... they can't keep up... they miss nation-state malware... people need magical new solutions... etc. Yesterday, I tested the day's ransomware against ten products that I had readily to hand, namely, Webroot, Sophos, Avast, Symantec, Windows Defender, Panda, Avira, MalwareBytes, FProt, and Eset.

I try to do what I call Real World testing. I install products with their default options, just like an average user might. I don't specifically update the signature databases. If they update, fine. If they don't, oh well. I only use the malware of the day, rather than stuff that is a few days old (and probably extinct). I execute the malware, just as the attackers would like their victim to do, and see who detects it.

Simple, really.

Yesterday's ransomware was spread via an email, with a vbs attached. The pitch in the email is to get you to open the attachment, which executes the vbs, which then goes out to a website, and downloads and executes the ransomware.

In my testing, I simulated that by executing the vbs, and ... wait for it... nine out of the ten products nailed it, either with a generic sig, or by blocking access to the website!
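The chain above (email, script attachment, download, execute) is usually broken most cheaply at the first link: a mail gateway that refuses script attachments never has to recognise the ransomware at all. The following is an added Python example of that check, not code from the post and not from any of the products it tests. The message it inspects is constructed with the standard library's email module; the attachment is placeholder text, not a real script, and the sender and recipient addresses are reserved example names.

```python
import email
import email.policy
import posixpath
from email.message import EmailMessage

# Extensions Windows will run as a script or program by double-click.
SCRIPT_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".ps1", ".bat", ".cmd", ".scr", ".exe",
}
# Unicode bidi overrides can make 'invoice\u202efdp.docx' display as a .pdf.
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"


def build_sample_message() -> bytes:
    """Construct a stand-in for the kind of email described in the post."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your invoice is attached"
    msg.set_content("Please open the attached invoice and confirm payment.")
    msg.add_attachment(
        b"' placeholder text standing in for a script body\r\n",
        maintype="application", subtype="octet-stream",
        filename="Invoice_2017_12.pdf.vbs",   # double extension: runs as VBS
    )
    msg.add_attachment(
        b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
        filename="terms.pdf",
    )
    return msg.as_bytes()


def attachment_filenames(raw: bytes):
    """Names of all attachments in a raw RFC 5322 message, in order."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def is_suspicious_attachment(filename: str) -> bool:
    """Flag script/program extensions and bidi-override disguises.

    Only the last extension matters to Windows, so 'x.pdf.vbs' is a .vbs;
    a backslash path prefix is stripped so 'C:\\tmp\\x.js' is judged as x.js.
    """
    if any(ch in filename for ch in BIDI_CONTROLS):
        return True
    name = posixpath.basename(filename.replace("\\", "/")).lower()
    _, ext = posixpath.splitext(name)
    return ext in SCRIPT_EXTENSIONS


def flag_message(raw: bytes):
    """Return the attachment names a gateway should quarantine."""
    return [f for f in attachment_filenames(raw) if is_suspicious_attachment(f)]


if __name__ == "__main__":
    sample = build_sample_message()
    print("attachments:", attachment_filenames(sample))
    print("quarantine: ", flag_message(sample))
```

This does nothing about a .vbs wrapped in a .zip, or a macro inside a document, which is why it is a first filter and not a replacement for the endpoint products in the table; it simply removes the most common variant of the lure before a user can be talked into opening it.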

This is a Good Thing (tm), and well done guys and gals.

Of course, this still doesn't answer the vexatious question of what happens when they don't have a sig, but, in the fullness of time, we will find out. I can't do this every day, but I will try to add more products to the mix, and see what happens.

Stay tuned, and keep safe.