Scam E-Mails: How To Tell

 

Recently PCMDX received a call from a business who’s bank account had been compromised.  Someone, using legitimate information, was able to gain access to the account and make transfers from the account to another account, and also made wire transfers to a third party.

The business had been told by the bank that their network had been hacked and that they should seek some help in securing their network, which is why they contacted PCMDX.  We focus providing network support for small businesses that have less than 15 computers, and one of our specialties is cybersecurity and compliance.

Although how the actors (the term used for the “bad guys” since they are “acting” as a legitimate party) were able to get the necessary information is still under investigation, it’s likely that it was given to them by one of the company officers via e-mail.

 

We recently received a scam e-mail and we’d like to share it with you so that you can learn how to determine if it’s a legitimate e-mail or not.  Please note:  If you’re not sure if the e-mail is legitimate, call the sender and ask them if they sent it, even if it passes all of the tests.  It’s better to be safe and verify authenticity than take a chance.

Here’s a screenshot of the e-mail we received, along with some notes (Click on the image for a full size view).  We blurred out information that is not relevant.

 

Let’s begin at the top.  The subject line “Please Read! (Final Warning) | 06/05/2017” sounds pretty threatening and will get your attention right away.  But it doesn’t indicate who it’s from or what it’s about.

If you look at Blue Arrow 1, you’ll see that it’s from “ACME account team”, followed by the e-mail address of “admin@MAIL.HAMILTONTN.GOV”.  (We’re going to use ACME as the alias for the name of the company).  So here you have two major clues that this is a scam.  First, the words ACME account team.  Any legitimate company will list themselves as ACME Account Team, with all words capitalized.  This is a major clue that this e-mail did not originate in the US (most scam e-mails are from overseas, where grammar is poor).

Our next clue is the e-mail address.  Although “admin” is legitimate, MAIL.HAMILTONTN.GOV is not.  That’s an e-mail server for the city of Hamilton, Tennessee.  It has a .gov domain ending, which can only be assigned to government entities, such as cities, counties, states and the federal government.  Why would ACME have this domain?  If it were a legitimate e-mail from ACME, it would end with something like ACME.com or ACME.net, not a .gov domain.

The body of the e-mail is actually very good, at least when it comes to scam e-mails.  It’s convincing, it has information in it that the typical person would consider to be legitimate.  However, as we get to the bottom, some red flags appear.

When you hover over a link (and the Blue Arrow 2 is pointing to two links, “Visit Help and Support” and “Login to My Account”), the bottom part of your browser, known as the status bar, will display the link that it’s pointing to, which we’re using the red arrow to point to.  In other words, when you click on the link, it’s taking you to the web site that is showing in the status bar.

This particular link is pointing to baltoo.com/ACME/index.php .   This should immediately sound an alarm with the person reading the e-mail.  The company that is sending this is ACME, but the domain it’s pointing to (the first part of the web address is always the domain) is baltoo.com .  Anything after the domain name is irrelevant, since that’s just the directory and folder inside the server it’s pointing to, and you can name that anything you want.  When you hover over the link, it should point to the company you’re trying to go to.  So it should read acme.com/Acme/index.php.

Once you click on the link, one of two things will happen.  Either you will be shown a very convincing site that is asking for your user name and password, or you will end up on poisoned site that will infect your computer with malware, such as a virus, a Trojan, or ransomware.  If it’s the former, you’ll enter the user name and password, and within minutes the actors will have gained access to your site (as they wanted to in this case), or perhaps gained information such as name, address, social security number, date of birth, etc. (under the guise of “verifying your identity”).

Recent studies have shown that firewalls, anti-virus programs, and other security software and hardware, although still crucial in preventing attacks, need to be supplemented by training of staff so they know what they should look for.  (That page also has a quiz you can take to see how much you know about phishing attacks – we scored 10/10.  How’s your score?).

Our companion site, Don’t Become Another Target lists dozens of examples of how companies, some billion dollar plus companies, were compromised not by technology, but by social engineering.  In other words, a con job either via e-mail or via phone.  Adequate training would have prevented many of the attacks.

If you’re a small business that doesn’t have an IT department, but would like IT level support, contact PCMDX today.  We’ll take care of your computer network and cybersecurity needs so you can take care of your business.  And don’t wait until you’ve been compromised.  The cleanup is much costlier than the prevention.

The Art of the Trojan

“Hi, I think my computer has been hacked.  Can you help me?”

This is probably the most common call we receive from PC clients on a weekly basis.  The correct term is most likely not “hacked”, but “infected” with some sort of malware, or malicious software.

Malware comes in many different varieties, including viruses, worms, and Trojans.  The main difference between these is that a Trojan needs your help in doing its job.  Without you doing something, like clicking on a link or opening an e-mail, the Trojan is completely harmless.

Here’s a great article detailing what a Trojan is, and how it works.

Now, how do you stop a Trojan?  The easiest way is to NOT DO WHAT IT WANTS YOU TO DO.  Over the past few days a Google Chrome Trojan has been making the rounds.  If you’re using Chrome, you’ll go to a web site and a second window will open displaying the Chrome logo along with “Urgent Chrome Update”, and a download button.

Chrome_scam_8-1-2016 1-43-21 PM_half

Chrome won’t update this way, however, the bad guys are hoping you don’t know that and will simply click on the blue button.  Before clicking on any link, look at the address bar, or hover over the link to see where it takes you.  If you’ll look at the red arrow, you’ll see that it’s on a site called ahtaeeredidit (dot) org.  Does that sound like Chrome or Google (owners of Chrome)?  So what do you do?  First, don’t click on it.  Second, close the window or tab.

If you do click on it, the result will be that you’ll get infected with the Trojan, which can be something that you won’t even realize is happening (your computer becomes a surrogate sender of Spam), to all of your important files becoming encrypted and, unless you pay a ransom to the sender of the Trojan, losing your files.  This is called Ransomware.  As always, we recommend a good backup of your system.

Remember, by hovering over a link you can see where it wants to take you before you click on it.  If it looks garbled, confusing, or simply suspicious, DON’T CLICK ON IT!

PCMDX specializes in both malware removal or, even better, malware prevention.  Using the right software, we can prevent most malware from even happening, including Trojans.  We say “most” because there are new attacks being developed daily, so the second thing we highly recommend is doing a good backup.

We recommend two types of backup.  First, an image backup, and second a off-site cloud backup of your files.  Ask yourself this question:  “Is there anything on your computer that you absolutely, positively cannot live without?”  If the answer is yes and you don’t have a backup plan, contact us today.  It’s cheaper than you think and far less costly than if you lose your files to computer failure or malware attack.

 

 

Ransomware: Time to Pay Attention or Pay Big Bucks

This post is a very long one, but it’s important you read every word if your data is important.

If you follow us on Facebook.com/pcmdx you know we’ve posted twice over the past month about ransomware attacks that we’ve been called to.

The attacks usually use the same method.  The user will receive an e-mail from an unknown sender and it will have the subject line of “Invoice Attached” or something similar.  The word invoice is the common denominator.

The user will look at the e-mail and see that it asks them to open the attached Word document, which is the “invoice”.  When they open the document, the ransomware attack begins, however, it is not noticeable to the user.

These particular attacks encrypted all of the users Office files (Excel, Word, Powerpoint, Access, Outlook PST) files.  It did not encrypt any PDF files or any image files, which usually would have been encrypted as well.

The user will notice that the attack has taken place when they attempt to open one of the files and the Windows program selector launches.  This is the Windows feature that comes up when you attempt to open a file and no program is associated with it, meaning it doesn’t know what program to use to open the file and it asks you to choose one.  In this case, there’s no program to launch an encrypted file.

We were called to attempt to recover the files and to remove the malware that encrypted the files.

The ransomware senders (we’ll call them the “bad guys”), usually have the ransomware program generate a text file that it leaves in each directory that has files that were encrypted.  We found this text file in all of the directories with Office files, as well as the Desktop.

The text file is the “ransom note”.  It explains what happened to the user’s files, and details how the files can be decrypted back to a usable state.

In a nutshell, the bad guys want a payment made via Bitcoin, usually ranging from a few hundred dollars to several thousand.

Although not always the case, once the ransom is paid, the decryption code is sent via e-mail.  Once the code is entered, the files are decrypted and are usable again.  It should be noted that this is some of the time, not all of the time.

In two of the cases, the ransom was not paid and the users accepted the fact that the files were gone.

In one of the cases the user felt that they needed the files, there was no backup, so they agreed to pay the ransom, although we recommended against doing so.  The payment process took about three hours to complete.

It included opening a Bitcoin wallet, which is a software based wallet.  Once the wallet was created, Bitcoin needed to be purchased.  We found a seller in Tennessee who would sell the amount of Bitcoin needed (B 0.74, which was about $350, the amount of the ransom).  Since there’s a trust issue between seller and buyer, the only way to pay the seller was to go to a Western Union type facility and wire the money.  In this particular case, the Walmart 2 Walmart method was chosen.  For those of you who don’t know what that is (and we didn’t know until this episode), you go to Walmart, fill out a form with the recipient’s name, address and phone number, give Walmart the cash amount, they then wire it to the Walmart closest to the recipient, who then picks it up.

Once the seller has been paid, he places the Bitcoin in an electronic escrow account, which the Bitcoin buyer then accesses and sends to his electronic wallet.  Once this has been completed, he sends the ransom Bitcoin amount to the wallet of the bad guys, which is given to him in the ransom note.  Once the bad guys confirm receipt, they provide a program to decrypt the files.  If this sounds complicated, it is.  Very complicated.

With this client, we received the decrypt program, ran it and it responded that the ransom had not been paid, therefore it shut down, without decrypting any files.

As odd as this may sound, the bad guys did have a “support” form on their web site where one could ask for help if the files didn’t decrypt.  We used this form and they responded by asking that we submit five of the encrypted files to them and they would send a new decrypt program.  Based on the timestamp of the response, we determined that they were in western Europe.

They provided a web site address to send the files to, but it required their e-mail address in order to send, which they refused to give, so we were unable to send the files.  After a back and forth requesting their e-mail address, they blocked any further conversation, so the episode was closed.

The client lost his files.  The client lost his ransom money.  The moral of the story is DON’T PAY THE RANSOM AND MAKE SURE YOUR FILES ARE BACKED UP! (PCMDX had recommended that they do not pay the ransom, however the client insisted).

The latest type of ransomware goes a step further.  It doesn’t encrypt the files.  It encrypts the entire hard drive, so nothing is usable.  Unless you have an backup image of your hard drive, you won’t even be able to log into Windows.

So what can you do to prevent ransomware from ruining your day, or your year?

First, ask yourself one simple question:  “Is there anything on my computer that I cannot absolutely, positively live without?”  If the answer is “Yes”, then you need to take steps to protect yourself against malware (including viruses, ransomware, Trojans, worms, rootkits, etc), hardware failures,  data theft, and other data losing issues.

The very first thing you need to do is to make sure you have a backup of your system.  PCMDX uses and installs two backup strategies, an image based backup and a file based backup.

An image based backup consists of an image, or “picture”, of you hard drive.  The backup software makes an exact replica of your hard drive.  In the event of failure or loss, the backup software recreates the hard drive onto another hard drive.  Think of it like cloning your hard drive.

PCMDX believes this to be a better system for one main reason:  time savings.

A conventional backup copies only the data from a hard drive.  Let’s say there’s a failure of the hard drive.  Here’s the recovery steps:  reinstall the hard drive, reinstall the operating system, reinstall the updates and patches,  reinstall the programs,  copy the data from the backup.  This could take hours, perhaps days until completed.

If there’s a hardware failure on a computer with an imaged backup, here’s the recovery steps:  reinstall the hard drive, insert rescue disk, point to image location, begin restoration.  45-60 minutes later it’s like nothing happened to the computer in the first place.  Everything is as it was when the image was created.

Depending on the software used, individual files can also be recovered from an image.  This is great if a user accidentally deletes a file.

The cost of setting up a backup system is less than what would be paid if there’s a ransomware attack.

We cannot emphasize the two following points enough:

  1.  Have a backup plan in place.  If you don’t know how to implement one, call PCMDX today.  We’re not talking about backing up one or two files on a thumbdrive (although that’s better than nothing).  We’re talking about backing up your system, and other systems in your network in case of disaster.  Again, if you answer the question “Is there anything on this computer that I cannot live without” with a “yes” answer, and you don’t have a backup plan in place, you need to create one today.
  2. NEVER open any attachments from senders you don’t know, from senders you’re not expecting anything from, from e-mails that are vague in nature or have spelling and/or grammar errors in the body of the e-mail.  If in doubt, call the sender and ask them if they sent you an attachment.
  3. If you’re hit, DON’T PAY THE RANSOM.  Our latest experience proves that even after you pay it, you’re dealing with people who have no ethics, no morals, no sense of right and wrong, and very poor command of the English language.  Your files are lost and paying the ransom simply adds to the cost of fixing the problem without recovering your data.

One other bit of information:  If your PC is on a business network, and you have networked drives (places on a server where you can access your files), including Dropbox, OneDrive, and Google Drive, those files can be encrypted as well.  Make sure they are also part of the backup plan.

Feel free to share this with your friends.