Category: News

CRITICAL WARNING – Help Desk Phishing and Trojan Emails circulating

Posted on by Mark Pace

NOTE: Even after sending 2 warnings in the last 2 weeks, we have had a large number of people click through the speeding fine email and get infected. All files got encrypted and lost (recovered with backups). Some people who received our email didn’t have an offsite backup strategy either. From $9 a month, protect your personal and business files, at home or at the office.

Again the golden rule is don’t open emails you are not expecting, hover over the link and see if genuine, call the sender and confirm they sent it otherwise contact us and we can assist.

The next wave of fake emails are coming from IT HELP DESK. Ensure your staff do not open any HELP DESK emails unless they come from a known person in your company or through our alert system, like this email.
Phishing attacks posing as emails from your company’s IT helpdesk are becoming increasingly common. These attacks attempt to gather your information for identity theft purposes and can also spread malware.

You should ensure that emails claiming to be from your IT helpdesk are legitimate before responding with information about your identity or your computer.

Indicators of IT helpdesk phishing emails

Signs of potentially fake emails include:

  • the sender address of the email should be from an expected or known IT helpdesk address in your company
  • emails that do not specify your company’s name, instead use generic terms such as ‘IT helpdesk’
  • incorrect company branding, for example, the wrong text, font or colour
  • a sense of urgency, using language such as ‘immediate downtime’ or ‘act immediately’
  • requests to install software onto your computer
  • requests for a password.

Poor use of language, spelling mistakes or incorrect grammar can also indicate the email is phishing.  The following is an example of a recent IT helpdesk phishing email:

Good morning,
We will be performing emergency maintenance on our network equipment.
Anticipated downtime will be approximately 60 minutes. This will affect both internet access and phone service.
Click on the below link and follow the instructions
 CLICK HERE:
We apologize for the inconvenience.
Thank you,
Help Desk
All Rights Reserved © 2014

This message attempts to send you to a website where identifying information is requested. Such information can be used to steal your identity or target your computer.

Other examples of phishing attacks such as these have attempted to spread malware in two possible ways.

The email could ask you to install software on your computer. Any requests such as this, to install software from the internet, should be considered suspicious. Most IT helpdesks will have systems in place for installing software on users computers.

The email could direct you to a website and attempt to install software without your knowledge. This is known as a drive-by-download and can happen simply by clicking the link in the email and visiting the website.

To stay safe, it is important that you do not click links in phishing emails or reply to the sender if you do not know them.

Information for IT helpdesks

IT helpdesks can also help stop users in their company from being attacked in this way. IT departments should ensure that clear procedures for safe communication with staff are in place and being used. These procedures may include:

  • updating email filters to stop phishing emails from being delivered to people’s inboxes
  • using a standardised format for sending helpdesk requests
  • employing a system to allow people to verify requests from outside their email. A commonly used example is the helpdesk ticketing system
  • including basic company information in helpdesk requests, such as the name of the company
  • sending all helpdesk requests from a single email address, such as helpdesk@company.com.au
  • ensure that staff are aware of IT requirements with plenty of notice. Limit the number of urgent requests made of staff
  • do not ask for unnecessary information in emails, and never require the user to provide their password.

It is important to ensure that staff are aware of basic rules for helpdesk requests. This allows staff to spot fake IT Helpdesk emails more easily.

Source : Stay Smart Online , a Government initiative.

————————————————————————————————————–

Advice for prevention
  • Do not open attachments if you are unsure of the contents or the email was unexpected.
  • Look for clues in the email content, usually most legitimate emails will address you by name and not something generic like ‘customer’ with vague wording.
  • Do not click on website links in emails until you have viewed the link location (do this by hovering over the link, this will display the link right at the bottom of Outlook). Instead of clicking the link, you are best to manually browse to the website via your web browser.
  • Make sure your anti-virus is updated regularly
  • Make sure your backups are current and working and backing up ALL critical data
If you get a virus, malware or Trojan.
  • Stop work
  • Immediately disconnect any network drives
  • Contact us

Please do forward this email on to your staff, friends and associates.

If in doubt or have any questions, please contact Sterling IT.

Regards,
Mark and the team at Sterling IT.
1300 763 699 (or 02 9756 6866)

Beware Apple iOS attacks using ‘Masque Attack’ techniques from uncertified apps

Posted on by Mark Pace

Researchers have discovered a technique that may enable attackers to substitute malware for a legitimate app on Apple iOS devices such as iPhones and iPads.

Although the risk of being subjected to a Masque Attack is low, it is another reminder not to download pirated apps or software from untrusted sources. It is also a reminder that Apple products are increasingly being targeted by attackers.

As many people believe you cannot get a virus/trojans/malware on Apple devices (more so on OSX), this is not true and Apple devices, due to their numbers, will and currently are being targeted. Sterling IT use and recommend Webroot and/or Trend Micro Antivirus to protect Apple Mac.

About Masque Attack

A Masque Attack can occur if a user downloads an app from a rogue source such as a link embedded in a phishing email or from an unofficial app site hosting fake ‘uncertified’ apps.

The Masque Attack takes advantage of a weakness in iOS security which can enable malware to be installed.

If a malicious app can be crafted to use the same ‘bundle identifier’ (an ID Apple uses to identify individual apps) as a legitimate app on your phone, Apple will not check its security certificate. It means that a malicious app can replace a legitimate app on your device.

A criminal using the Masque Attack technique will typically disguise their malware as a popular game or program for you to install. Only install via the APP STORE via your device.

Once installed it may be able to steal information from your device such as passwords or internet banking details and send them to a remote server controlled by criminals. Possible impacts include the malware being able to steal logon credentials; access sensitive data; avoid detection and steal Apple IDs and passwords.

Staying safe

  1. Do not download software or apps from untrusted sources. Sticking with Apple’s AppStore helps protect against downloading malicious software
  2. Do not click ‘install’ from pop ups when viewing a web page. Even if it tells you , that you have a virus. Most of these are traps.
    Sterling IT has posted MANY emails recently with relation to this and unfortunately we are still getting clients infected, even with prior warning.
  3. If your iOS device shows an ‘Untrusted App Developer’ alert when you open an app, click on ‘Don’t Trust’ and uninstall the app immediately.
  4. Use security software for all your computer and mobile devices.
  5. Keep your system up-to-date by downloading software updates as they are released.
  6. Do not connect or ‘pair’ your device with untrusted computers.

For FREE advice or any questions regards to this, please contact Sterling IT. You are better asking as prevention is better than cure!!

 

Are you travelling staying in a hotel or using public wifi? – ‘Darkhotel’ downloads information-stealing malware.

Posted on by Mark Pace

There are a number of articles and warnings about Executives being hacked in shared wi-fi including Luxury Hotels , especially in the APAC regions.

Dubbed ‘Darkhotel’ by Kaspersky, the attackers infiltrate luxury hotels’ wi-fi to steal sensitive corporate data from travelling executives.

Targeted businesspeople connect to the hotel wi-fi and are prompted to download fake updates from programs such as Google Toolbar, Adobe Flash and Windows Messenger. Once downloaded, the backdoor installs an advanced keylogger, an information-stealing module and the Trojan ‘Karba’.

Once these applications are installed, it starts looking for private information, cached passwords and login credentials, the attackers delete these hacking tools and avoid suspicion.

A representative from Kaspersky said the attackers have “operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision”.

This malware can also be spread through peer to peer or file sharing networks. It’s estimated that Darkhotel has been downloaded over 30,000 times in the last six months.

To date, the majority of these infections were identified in Japan, Taiwan, Russia, China and Hong Kong.

Kaspersky principal security researcher, Kurt Baumgartner, said these attacks are becoming more common: “Targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools.”

To avoid attacks,

1. Never install or accept software you are not sure about. If you are in doubt, call Sterling IT and we will quickly confirm the legitimacy of the application or pop up.

2. Use a phone company internet connection such as Vodafone, Telstra or Optus 3G/4G USB or Pocket wifi cards instead of shared services.

3. Ensure your antivirus is up to date.

4. NEVER open emails that you are not expecting with links or attachments.

 

Storm Season, Power Surges and UPS protection.

Posted on by Mark Pace

 

Are you protected against storms? (Sterling IT)
Are you protected against storms?

Electronic and computer based equipment need high quality, uninterrupted power supplies.

In Australia, particularly during summer months, excess strain is placed on our aging electrical infrastructure.  Adding to this is the unpredictable weather patterns associated with summer storms which can cause electrical surges and power outages for extended periods of time.

The best form of PC protection is at all times to be plugged into a quality UPS (Uninterruptible Power Supply). This is a surge protector and voltage regulator with a back up battery. The better ones actually talk to your PC via USB, so when power drops out, the UPS instructs the PC to close all programs safely and then shut down all under battery power. For Laptop users, this is not such great concern, however, plugging into a surge protector may just save your power adapter and in some severe cases your laptop.

With no UPS, if lucky enough to be home before a storm hits, you should power down your PC and unplug it from the wall. BUT, that isn’t all; the most vulnerable route for a voltage spike is through your telephone line. We have seen some pretty severe cases where a Lightening strike has merely passed a telephone pole, to completely render every device useless connected to the router by wire (Ethernet). EMF will surge down a phone line and through your equipment like an electrical Tsunami… It takes out everything in it’s path. The safest way of protecting your equipment during an electrical storm is to firstly disconnect your telephone line from the wall (this is your source of ADSL as well as telephone), and then shut down your computers and disconnect from the power. Unfortunately, even a moderate UPS is no protection against a huge EMF spike.

We also strongly recommend you have insurance to protect your for business interruption as well (Liaise with your broker or insurance company for this) as even with recovery of systems, the loss of income could be claimed.

Even with a UPS, we have found equipment to be affected. This can be due to massive spikes or phase drops as well as the surge coming from phone lines rather than electricity lines.

Some of the more sophisticated UPS’s on the market come with software which monitors the power usage and demand on a computer or server, if the power is off for any period of time, this software will log the users off, and close the programs, then shut down the server safely.

Size matters, having the correct UPS installed will ensure that the power requirements for the business are met and the key hardware protected.

It is also worth checking your UPS from time to time, to make sure that it is doing what it is supposed to. If you’re not sure what your needs are, please request that we check next time we are onsite or book in a health check.

If you do suffer a computer failure after a storm, contact us at  Sterling IT on (02) 9756 6866  and we’ll do our best to get you back on line.

“Sterling IT also provide insurance reports, quotation estimates and repairs or replacements.”

 

 

How to decrypt, unlock and restore Cryptolocker malware for free

Posted on by Mark Pace

Cryptolocker is a particularly nasty type of ransomware that criminals have used to encrypt files on a victim’s computer before demanding a ransom for the encryption key to unlock the files.  Without the key, the encryption renders the victim’s files useless so many people lost files or paid the ransom.

Two security firms, Fireeye and Fox IT have partnered to provide a solution which may help many people. The website Decrypt Cryptolocker can now be used to try and unlock files encrypted by the Cryptolocker malware.

Use of the Decrypt Cryptolocker service is free and simply requires you to upload a sample encrypted file to the website.  If the website is able to decrypt your files, you can then download its recovery program and receive the unlocking master key by email.

Please note that this tool may not be able to decrypt some affected files.

Synology® Continues to Encourage Users to Update – Synolocker attack on NAS

Posted on by Mark Pace

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. Furthermore, to prevent spread of the issue we have only enabled QuickConnect and Synology DDNS service to secure versions of DSM. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shutdown their system and contact our technical support team here: https://myds.synology.com/support/support_form.php

When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.

  • A process called “synosync” is running in Resource Monitor.
  • DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

  • For DSM 4.3, please install DSM 4.3-3827 or later
  • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  • For DSM 4.0, please install DSM 4.0-2259 or later
  • DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: https://www.synology.com/support/download.
  • If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.
  • We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.