Advanced Technology Group and
Emerald Coast Internet
Invoice DOINV32142 from Tip Top Delivery
DO NOT EVER OPEN ANY EMAIL YOU ARE SUSPICIOUS OF
An email with the subject of Invoice DOINV32142 from Tip Top Delivery (the invoice number is random characters), pretending to come from random email addresses and carrying a malicious Word document (RTF) attachment, is another one from the current botnet runs that try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like Locky, CryptoLocker or TeslaCrypt. They use email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they get from consumers.
Update 18 March 2016: a new run of this malspam (VirusTotal) with a slightly changed email body. They are using random company names in the body. Neither MALWR nor Hybrid Analysis is showing any actual download of Dridex by the malicious Word document, but that might be due to limitations of these analysis systems. Of course, it could also be that the RTF files were corrupt in the first place.
1. If you didn't request it, don't click it!
This is the golden rule. If you didn't request something from a person or company, there's no reason for them to email you instructions or, worse, attached files. Why? Companies and organizations generally use email only to keep you informed, unless you've specifically asked them for something, like a new PIN, a transaction that requires a confirmation email, or a copy of a transaction.
If you receive an email that doesn't ring a bell from a previous conversation with the person or company sending it, be on your guard. Ask yourself the following questions:
- Why would this be relevant to me?
- Why would they email me now?
- Is there a good reason why they are asking me these questions?
If you can't answer these questions, don't click on any links in the email or open any files, at least until you have found out a little more. To see how to do this, read on....
2. Suspicious email? Look for the text on Google.
Mails related to scams and malware tend to reuse the same text, sometimes with tiny changes. They are easy to recognize, especially if you compare them with communication from a real company. Keep an eye out for:
- Nonsensical phrases and strange words stemming from automatic translation
- Spelling errors and textual inconsistencies, as if the email was cut and pasted badly. Most criminals are in a hurry, and don't have the time or desire to polish their letters!
- Badly placed or low-quality images. They use images to make their emails seem more legitimate, but they have had to steal the images from elsewhere on the internet!
- No personal references: these emails don't usually address you by name or mention other information that a real company would know, like your address. The emails can look a little like forms that haven't been filled in.
- A sense of urgency. These emails are always alarmist, appealing to your most basic sense: fear. They often mention terrible consequences, fines and charges.
Copy and paste the strangest phrases into a search engine and take a good look at the results. It will be clear if the words come from a well-known scam.
3. Is there a file attached? Don't even THINK of clicking!
In itself, email text can't be dangerous. The real danger lies in the links and attachments. In fact, people opening attachments is probably the biggest cause of email infections.
Have a look at the extension of the attached file. If you see the following, be on guard:
- The classic executables: EXE, COM, BAT, PIF
- Documents that could contain code: PDF, DOC, XLS, PPT
- Executable system files: DLL, CPL, MSC, CMD
- Installers and compressed files: MSI, ZIP, CAB, RAR
- Screensavers: SCR (Yup, they're programs!)
- Files with double extensions (for example: FILE.DOC.EXE)
The safest, most modern browsers and mail clients usually monitor this for you - Gmail does, for example - but there's nothing wrong with having a look at the file with a good antivirus app. Bear in mind that an archive (ZIP, RAR, CAB) can hide any of the other types inside it, so check what it contains before you open anything.
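The extension check above, written out as an added example (this is not code from the original page). The five categories and their extensions are the page's list; the macro-enabled Office formats, treating MSI as directly runnable, and the handling of trailing dots and bidi override characters are assumptions added here. The attachment names are constructed.

```python
"""Classify an e-mail attachment name against the extension list above.

Added example, not code from the original page. The five categories and their
extensions are the page's list; the macro-enabled Office formats, treating MSI
as directly runnable, and the trailing-dot and bidi-override handling are
assumptions added here. SAMPLE_ATTACHMENTS is a constructed list of names.
"""
from typing import Dict, List, Optional, Tuple

RISKY_EXTENSIONS: Dict[str, set] = {
    "executable":  {"exe", "com", "bat", "pif"},
    "document":    {"pdf", "doc", "xls", "ppt", "rtf"},
    "system":      {"dll", "cpl", "msc", "cmd"},
    "installer":   {"msi", "zip", "cab", "rar"},
    "screensaver": {"scr"},
}
# Assumption (not in the page's list): newer and macro-enabled Office formats
# carry the same macro risk as DOC/XLS/PPT.
RISKY_EXTENSIONS["document"] |= {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}

# Extensions Windows executes directly on double-click (MSI added as an assumption).
RUNS_CODE = (RISKY_EXTENSIONS["executable"] | RISKY_EXTENSIONS["system"]
             | RISKY_EXTENSIONS["screensaver"] | {"msi"})
# Harmless-looking extensions commonly used as the decoy half of a double extension.
DECOYS = {"jpg", "jpeg", "png", "gif", "txt", "htm", "html"}
# Unicode LRO/RLO reverse the displayed order, so "photo[RLO]gpj.exe" renders as "photoexe.jpg".
BIDI_OVERRIDES = {"\u202d", "\u202e"}


def category_of(ext: str) -> Optional[str]:
    for cat, exts in RISKY_EXTENSIONS.items():
        if ext in exts:
            return cat
    return None


def classify_attachment(filename: str) -> Tuple[str, List[str]]:
    """Return ('block' | 'inspect' | 'allow', reasons) for one attachment name."""
    reasons: List[str] = []
    bidi = any(ch in filename for ch in BIDI_OVERRIDES)
    if bidi:
        reasons.append("bidi override character hides the real extension")
    # Windows silently drops trailing dots and spaces, so "invoice.exe ." still runs.
    cleaned = filename.strip().rstrip(". ").lower()
    parts = [p for p in cleaned.split(".") if p]
    if len(parts) < 2:
        reasons.append("no extension")
        return "inspect", reasons
    final = parts[-1]
    final_cat = category_of(final)
    if final_cat:
        reasons.append(f"{final_cat} extension .{final}")
    # Double extension (FILE.DOC.EXE): the decoy sits in front of the extension that counts.
    decoys = [p for p in parts[1:-1] if category_of(p) or p in DECOYS]
    if decoys and final_cat:
        reasons.append("double extension ." + ".".join(decoys) + "." + final)
    if bidi or final in RUNS_CODE:
        return "block", reasons
    if final_cat:
        return "inspect", reasons       # document or archive: open only after checking
    return "allow", reasons


SAMPLE_ATTACHMENTS = [             # constructed names, in the style of the malspam above
    "Invoice_DOINV32142.doc",
    "Invoice_DOINV32142.rtf",
    "statement.pdf.exe",
    "holiday photo.jpg.scr .",
    "setup.msi",
    "minutes.txt",
    "IMG_0042.jpg",
    "Invoice_DOINV32142",
]


def triage(names: List[str]) -> Dict[str, str]:
    """Verdict per attachment name."""
    return {n: classify_attachment(n)[0] for n in names}


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict, why = classify_attachment(name)
        print(f"{verdict:8} {name!r:30} {'; '.join(why)}")
```

The three verdicts map onto the page's advice: "block" is anything Windows would run on a double-click, "inspect" is a document or archive that may contain code, and "allow" is everything else. Note that the trailing-dot and bidi cases are exactly the tricks a mail client's own extension filter can miss.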
4. Links? Analyze them in a click
Another way cyber-criminals look for victims is by using false or disguised links: the text you see shows one address while the link actually goes to another. If you have any doubt at all, just hover the mouse over the link (without clicking) and compare the real address your mail client shows, usually in a tooltip or the status bar, with the one written in the message.
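The same comparison done programmatically over the HTML of a message, as an added example that is not part of the original page. The HTML is a constructed phishing-style message and every domain in it is a placeholder; the registrable domain is approximated by the last two labels, which is an assumption that breaks for suffixes like co.uk (a real tool would use the public-suffix list).

```python
"""Find links whose visible text points one place and whose href goes another.

Added example, not code from the original page. SAMPLE_HTML is a constructed
phishing-style message; all domains are placeholders. Assumption: the
registrable domain is the last two labels (wrong for co.uk-style suffixes).
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so "www.bank.example /login" compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Visible text that itself looks like a URL or host: only these can be compared.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Hostname of a URL, or of bare text such as www.bank.example/login."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels (assumption: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def find_disguised_links(html: str) -> List[Dict[str, str]]:
    """One finding per link whose shown domain differs from its real one."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue          # "Click here" gives the reader nothing to compare
        if registrable(host_of(text)) != registrable(host_of(href)):
            findings.append({"shown": text, "real_host": host_of(href)})
    return findings


SAMPLE_HTML = """
<p>Your invoice is overdue. Review it at
<a href="http://secure-login.attacker.example/bank">https://www.bank.example/login</a>
or open your account at <a href="https://www.bank.example/help">www.bank.example/help</a>.
<a href="http://tracker.example/u/42">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for f in find_disguised_links(SAMPLE_HTML):
        print(f"shown {f['shown']!r} but goes to {f['real_host']}")
```

Only links whose visible text is itself an address are reported; a "Click here" link cannot be disguised in this sense, which is why the hover check in the text is still the right habit for those.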
5. Never reply or resend
Replying to a suspicious email provides the criminal with valuable information. For a start, it lets them know that your address is real and that somebody reads it, information that can fetch a good price on the black market for email addresses.
6. In case of doubt, make contact through other means
Do you still have doubts about that mail? Resist the urge to click and instead think about other ways of contacting the supposed sender of the message.
- If it's a person, call, message, or SMS them (but don't mail them)
- If it's a company, go to their website and contact them through their official contact form (or call them)
If it turns out a friend is sending suspicious mail, don't get mad at them! They probably don't even know it's happening, and it's very possible that their inbox or email address has been hijacked in order to send more fraudulent mail.
7. Use a safe browser and read your mail online
Classic desktop email clients, like Microsoft Outlook or Thunderbird, download every message and attachment onto your computer, which leaves them very exposed to email attack. The only line of defense against malicious messages that arrive that way is a good antivirus with real-time protection, whereas webmail providers scan attachments on their servers before you ever see them.
A new version of the CryptoWall ransomware has been released, titled CryptoWall 2.0, that includes numerous "enhancements" by the malware developer that resolve issues in the previous version. CryptoWall has been a huge threat to computer users and network administrators since its release, as it encrypts all local data and any data it finds on network shares. CryptoWall 2.0 now includes changes that make it better for the malware developer and harder for a victim to recover their files for free: unique wallet IDs for ransom payments, secure deletion of the original unencrypted files, and the use of their own Tor gateways. These changes are discussed below.
A change that benefits victims who wish to pay the ransom is the addition of a unique Bitcoin payment address for each victim. The original version of CryptoWall did not create a unique address per victim, which made it possible for people to steal other victims' payment transactions and apply them towards their own ransom. With unique payment addresses for all victims this is no longer possible.
Another change is that CryptoWall now securely deletes your original data files. Originally, CryptoWall would encrypt your data files and then simply delete the originals, so it was often possible to use data recovery tools to get your data back. Now that CryptoWall securely deletes the originals, this method no longer works and you will need to restore from backups or pay the ransom.
The last change is that CryptoWall 2.0 now uses its own Tor gateways. CryptoWall's ransom payment servers are hosted on Tor, which lets the malware developers stay hidden from the authorities. To connect to the server you need access to the Tor network, and for most people installing Tor was a confusing and difficult process. To solve this, CryptoWall used public Web-to-Tor gateways that allowed victims to easily reach the payment server. When the gateway providers discovered that CryptoWall was using them, they started to blacklist the payment servers so that they could not be reached. Now that CryptoWall 2.0 uses its own Tor gateway servers, the developers no longer have to worry about being blacklisted. The current Web-to-Tor gateways operated by the CryptoWall developers are tor4pay.com, pay2tor.com, tor2pay.com, and pay4tor.com; these are worth blocking at your proxy or DNS resolver.
Back up your iPhone’s data right now: Huge iOS ransomware scam hits the U.S.
Now is a good time to make sure all the data on your iPhone is backed up in the cloud. CBS Los Angeles reports that the huge iOS ransomware scam that first popped up in Australia on Tuesday has now made its way to the United States. Hackers have figured out a way to abuse the Find My iPhone feature in iOS to lock users' iPhones and iPads and demand a ransom if they ever want to use their devices again.
An Apple store employee tells CBS Los Angeles that anyone who’s affected by this malicious attack ought to bring their iPhone into an Apple store so that it can be unlocked. The problem, though, is that doing this will wipe out all of the data that you have on your iPhone, which is why it’s important to make sure everything you have is backed up on iCloud.
Apple issued a statement earlier on Wednesday denying that the reported ransomware attacks had anything to do with a recent iCloud hack, and said that “impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services.” The company still hasn't explained what exactly caused this potentially massive security breach.
From Yahoo News
CryptoLocker Virus (The Most Destructive Virus We Have Ever Seen)
How did you become infected by CryptoLocker?
CryptoLocker currently has three infection vectors:
- This infection was originally spread via emails sent to company email addresses that pretend to be customer-support-related issues from FedEx, UPS, DHS, etc. These emails contain an attachment that, when opened, infects the computer.
- Via exploit kits on hacked websites that exploit vulnerabilities in the browser or its plugins on your computer to install the infection.
- Through Trojans that pretend to be programs required to view online videos. These are typically encountered on porn sites.
Once the infection is active on your computer it will scan your drives (local and network) and encrypt the following types of files using a mix of RSA and AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
For each file that is encrypted, a registry value recording it is created under this key: HKCU\Software\CryptoLocker\Files. That key is the quickest way to get an exact list of which files were hit.
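The target list above is a set of Windows wildcard patterns, and two of them are easy to misread: ????????.jpg matches only names with an eight-character stem (camera names like DSC_1234), and img_*.jpg only names starting with img_, so an arbitrarily named photo is not touched. The following is an added example, not code from the original page or from the malware, that applies the page's patterns to a file listing to scope what would have been encrypted. The listing is constructed; matching is done case-insensitively on the assumption that NTFS names compare that way.

```python
"""Scope which files CryptoLocker's target patterns would encrypt.

Added example, not code from the original page or from the malware. The
pattern list is the one printed on the page; SAMPLE_LISTING is constructed.
Assumption: NTFS names match case-insensitively, so everything is lower-cased.
"""
import fnmatch
import posixpath
from typing import Dict, Iterable, List, Optional

CRYPTOLOCKER_PATTERNS: List[str] = [
    "*.odt", "*.ods", "*.odp", "*.odm", "*.odc", "*.odb",
    "*.doc", "*.docx", "*.docm", "*.wps", "*.xls", "*.xlsx", "*.xlsm", "*.xlsb", "*.xlk",
    "*.ppt", "*.pptx", "*.pptm", "*.mdb", "*.accdb", "*.pst", "*.dwg", "*.dxf", "*.dxg",
    "*.wpd", "*.rtf", "*.wb2", "*.mdf", "*.dbf", "*.psd", "*.pdd", "*.eps", "*.ai",
    "*.indd", "*.cdr", "????????.jpg", "????????.jpe", "img_*.jpg",
    "*.dng", "*.3fr", "*.arw", "*.srf", "*.sr2", "*.bay", "*.crw", "*.cr2", "*.dcr",
    "*.kdc", "*.erf", "*.mef", "*.mrw", "*.nef", "*.nrw", "*.orf", "*.raf", "*.raw",
    "*.rwl", "*.rw2", "*.r3d", "*.ptx", "*.pef", "*.srw", "*.x3f",
    "*.der", "*.cer", "*.crt", "*.pem", "*.pfx", "*.p12", "*.p7b", "*.p7c",
]


def matching_pattern(path: str) -> Optional[str]:
    """First target pattern the file's base name matches, or None."""
    # Accept both C:\ and \\server\share paths; only the base name is matched.
    name = posixpath.basename(path.replace("\\", "/")).lower()
    for pat in CRYPTOLOCKER_PATTERNS:
        # fnmatchcase because we already lower-cased; plain fnmatch is only
        # case-insensitive on Windows.
        if fnmatch.fnmatchcase(name, pat):
            return pat
    return None


def scope(paths: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each path to the pattern that would catch it (None = untouched)."""
    return {p: matching_pattern(p) for p in paths}


SAMPLE_LISTING = [                 # constructed paths
    r"C:\Users\alice\Documents\Q3 report.DOCX",
    r"\\fileserver\finance\budget.xlsx",
    r"\\fileserver\photos\DSC_1234.JPG",
    r"\\fileserver\photos\holiday_2014.jpg",
    r"\\fileserver\photos\IMG_20140501_beach.jpg",
    r"C:\certs\server.pem",
    r"C:\Users\alice\notes.txt",
    r"D:\backups\nightly.zip",
]

if __name__ == "__main__":
    for path, pat in scope(SAMPLE_LISTING).items():
        print(f"{pat or 'untouched':14} {path}")
```

Run against a real directory listing of the affected shares, this gives the same answer as the registry key but can be produced from a file server that the infected workstation can no longer reach; note that backups in archive formats such as ZIP are outside the list, which is one reason a plain copy of your documents on a mapped drive is not a safe backup while a ZIP of them is.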
After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note explaining how to decrypt your files. Depending on the version of CryptoLocker installed, the ransom may be $100 or $300 USD/EUR, payable via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown stating that you must pay the ransom within 72 hours; failure to do so will cause the decryption tool to be deleted from your computer.
Are there any tools that can be used to decrypt your files?
Unfortunately, at this time there is no way to retrieve the key used to encrypt your files. Brute-forcing the encryption key is realistically not possible because of the time it would take. Decryption tools that various companies have released for other infections will not work with this one. The only way to restore your files is from a backup.
Conficker Virus - Alert!
Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (MS08-067, running inside SVCHOST.EXE). If the vulnerability is successfully exploited, it allows remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products and downloads arbitrary files.
This link provides instructions and tools to prevent and/or remove the virus from your system.
Important Security Update for Internet Explorer
Internet Explorer has a vulnerability that hackers have been exploiting to install viruses and spyware on your computer. It is critical to update your computer as soon as possible. Without the new patch, spyware can be installed on your computer just by viewing a web page that carries the exploit.
Go here to download the patch for your version of Internet Explorer.
Or you can update it by going to Windows Update under the Start menu on your computer.
Apple Macintosh Certified
ATG can repair your Apple Macintosh computers.
Point-to-point encryption has been added to all Enterprise accounts.
New Mail Server
Click to log in to the new mail server.
All users will be migrated to the new mail server over the next few weeks.
Partners In 17 States
ATG now has partners in 17 states.