Never pay for a loan up front. A Czech mapped a new internet scam

26.12.2017 Novinky/Bezpečnost Fraud
Almost everyone today knows the scam e-mails from Nigeria that lure users with a fabulous inheritance or a commission on a multimillion deal. But the scammers do not rest and keep inventing new tricks to part you from your money. The latest is fraudulent loans whose only purpose is to extract a bogus "fee" from the victim, money they will never see again.

Scammers keep inventing new tricks to extract people's last money. Pictured: an advertisement for a fraudulent loan.

IT expert Mr. Mirek was struck by the story of one of the victims. "I came across a single mother with two children. After sending the 'fee' she didn't even have money for food," he said. So when he came across a fraudulent ad with a Nigerian IP address, he decided to apply for the loan and map how the scammers operate, in order to warn other potential victims.

Over several weeks Mr. Mirek made several attempts, which allowed him to map in detail how the scams work and how the scammers react in different situations. The aim is always to get the victim to send a "fee" of around seven thousand crowns via MoneyGram or Western Union, services that let anyone who knows the answer to the so-called test question collect the money anonymously.

That is how the scammers make the money disappear quickly, with no way to trace the transaction afterwards: it is impossible to establish who actually collected the money. Once the victim sends the payment, they will never see it again. "The rule is not to send a fee for arranging a loan or a deal in advance. Apart from exceptions named in the law, that is prohibited," warns Czech National Bank (ČNB) spokeswoman Denisa Všetíčková.

The scammers insist on identification so they can blackmail
Before they would "grant" Mr. Mirek the supposed loan at all, every one of the scammers insisted on receiving a copy of an identity document.

The moment Mr. Mirek made it clear he had identified the "loan" provider as a scammer and refused to make the payment, the scammer resorted to blackmail. That is exactly what the copies of the ID card the scammers insist on are for.

When exposed, the scammers resort to threats.
The scammers have accomplices in the Czech Republic
When Mr. Mirek pretended that he could not send the payment via MoneyGram unless the scammer identified himself, his persistence surprisingly got the scammer to give a Czech account number held at Fio banka. He thus discovered that the foreign scammers have Czech accomplices too. "It is possible, however, that these people are themselves victims who have no idea they are taking part in criminal activity," he believes. He immediately alerted the bank to the suspicious account.

"Such an account is placed under closer monitoring and we evaluate every transaction individually," Fio banka press spokesman Zdeněk Kovář told Novinky. "In cases involving a so-called money mule (bílý kůň) permanently resident in the Czech Republic, however, the chance of compensation through criminal proceedings is greater than when the funds are sent outside the Czech Republic," added Komerční banka spokesman Pavel Zúbek. He also confirmed that the bank encounters this type of fraud. Spokespeople for ČSOB and Equa bank confirmed the same.

"Every day we record complaints from customers about scams in which they lost money. These involve both smaller sums and amounts in the hundreds of thousands of crowns. Customers often conceal the true state of affairs and claim they know the recipient personally when in fact they do not," police spokeswoman Ivana Nguyenová told Novinky.

"For 2017 we have recorded a total of 215 offences containing the string MoneyGram or Western Union, and 207 for 2016," she added.

How communication with the scammers proceeds
The scammers communicate in Czech, a somewhat unusual Czech produced by running text through online translators. Those keep improving, however, so in this respect the communication need not look as odd as it did in the past.

They open by sending a questionnaire resembling a form a client of a bank or non-bank lender might receive. Whatever details the victim fills in, even ones that would disqualify them from a loan at a reputable financial institution, the scammers send another e-mail with the terms of the supposed loan. The victim must agree to them and send a copy of an identity document.

The next step brings the one thing the scammers have been after all along: "For this reason it is recommended to pay the amount (6870 CZK) as a registration fee." First, though, they ask for the details of the account the supposed loan is to be sent to:

During "loan approval" the scammers reveal for the first time what they are after.
The reply usually arrives within a few minutes: "So tell me when you can send the fee for registering your loan, so that I can inform the bank that you will attach the loan immediately for transfer to your bank account?" The scammers then insist on the fee even when the victim repeatedly declares financial problems that mean they would have to borrow even to pay the "fee".

The scammers try to extract a bogus "fee".
The scammers then want the victim to send the "fee" via MoneyGram or Western Union. With the transaction number, those services let the money be collected within minutes anywhere in the world. Both services also charge for transfers, so a MoneyGram customer who wants to send 6870 crowns to Nigeria must pay a further fee of 500 crowns.

If the victim actually manages to send the money and then also gives the scammers the details they demand, the communication ends there. The victim has been robbed of thousands of crowns, and the scammers are unreachable from then on.
The scammers use a false identity.
"In almost 99 percent of cases the scammers use fake identity documents and the names under which they present themselves. Even those are mostly not real. For such cases the companies named above operate toll-free hotlines where customers can consult about any findings and doubts arising from the nature of the matter," Police of the Czech Republic spokeswoman Ivana Nguyenová told Novinky.

In our case the scammers used the false identity Osagie Junior, the name of Junior Osagie, a Nigerian footballer at Hapoel Jerusalem. Another time it was Sam Smith, which is, for example, the name of a British pop singer. One thing that may tip victims off is that the identity they are told to enter at MoneyGram or Western Union differs from the signature on the scammer's e-mail.


Hacker attack targeted the VŠE system, the school filed a criminal complaint
26.12.2017 Lupa.cz Hacking
A hacker attack this Sunday took down the system of the University of Economics in Prague (VŠE), reports Aktuálně.cz, citing the student server iList. Specifically it was the Integrated Study Information System (InSIS).

"A number of FMV students who had enrolled in courses with the identifier 2SM received notices about being removed from exam dates or state exams, or about a final grade being entered for a course. An hour later students started receiving e-mails about an error and an attack on the system," writes iList.

The school confirmed the intrusion, saying it does not want to publish details for now. VŠE also filed a criminal complaint against an unknown perpetrator. The incident reportedly has no effect on the ongoing exam period. The attack mainly affected the Faculty of International Relations.

VŠE published a brief statement on its website saying that the school "has become the target of a serious cyber attack". Emergency measures were decided: until 27 December, access to InSIS is possible only from the school network, and users are also required to change their password immediately.

InSIS had been attacked before. The attacker tried to obtain students' user names and passwords. iList again covered it in two articles.


Experts discovered a flaw in GoAhead that affects hundreds of thousands of IoT devices
26.12.2017 securityaffairs IoT

Experts from Elttam discovered a flaw in the GoAhead tiny web server that affects hundreds of thousands of IoT devices; it could be exploited to remotely execute malicious code on affected devices.
A vulnerability in the GoAhead tiny web server package, tracked as CVE-2017-17562, affects hundreds of thousands of IoT devices. GoAhead is widely adopted by tech giants, including Comcast, IBM, Boeing, Oracle, D-Link, ZTE, HP, Siemens, and Canon. The tiny web server turns up in almost any kind of IoT device, including printers and routers.

The vulnerability was discovered by experts from the security firm Elttam, who devised a method to remotely execute malicious code on devices running the GoAhead web server package. The flaw affects all GoAhead versions before 3.6.5.

“This blog post details CVE-2017-17562, a vulnerability which can be exploited to gain reliable remote code execution in all versions of the GoAhead web server < 3.6.5.” reads the analysis published by Elttam.

“The vulnerability is a result of initialising the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all users who have CGI support enabled with dynamically linked executables (CGI scripts). This behavior, when combined with the glibc dynamic linker, can be abused for remote code execution using special variables such as LD_PRELOAD (commonly used to perform function hooking, see preeny).”

Attackers can exploit the vulnerability only where CGI support is enabled and the CGI programs are dynamically linked. Unfortunately, this configuration is quite common.
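As an added illustration of the pattern Elttam describes (this is example code, not GoAhead's source and not Elttam's proof of concept), the following Python shows a CGI launcher that copies request parameters straight into the child's environment, beside a hardened version that drops loader-controlled and malformed names. The LD_ prefix rule, the base environment and the request strings are assumptions of the example; the last function is a log-hunting helper that flags requests attempting to set loader variables.

```python
"""Added illustration of the CVE-2017-17562 root cause: a CGI launcher that
copies HTTP query parameters into the child's environment. This is not
GoAhead's source; the filter rules here are this example's own assumptions."""
import re
from urllib.parse import parse_qsl

# Anything starting with LD_ is treated as a variable the glibc dynamic
# linker may interpret (LD_PRELOAD, LD_LIBRARY_PATH, ...). Assumed policy.
LOADER_PREFIX = "LD_"
# Only identifier-like names are allowed into the environment at all.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Server-side environment the CGI child inherits (constructed sample values).
BASE_ENV = {"PATH": "/usr/bin:/bin", "SERVER_SOFTWARE": "example-httpd/1.0"}


def cgi_env_unsafe(query: str) -> dict:
    """Vulnerable pattern: every request parameter becomes an env var, so
    ?LD_PRELOAD=... reaches the loader of the forked CGI program."""
    env = dict(BASE_ENV)
    env["QUERY_STRING"] = query
    for name, value in parse_qsl(query, keep_blank_values=True):
        env[name] = value
    return env


def cgi_env_hardened(query: str) -> dict:
    """Hardened pattern: drop loader-controlled names, malformed names, and
    any parameter that would overwrite a variable the server already set."""
    env = dict(BASE_ENV)
    env["QUERY_STRING"] = query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not SAFE_NAME.match(name):
            continue                      # e.g. "bad-name", empty, non-ASCII
        if name.upper().startswith(LOADER_PREFIX):
            continue                      # LD_PRELOAD, ld_library_path, ...
        if name in env:
            continue                      # PATH, QUERY_STRING, ...
        env[name] = value
    return env


def suspicious_params(query: str) -> list:
    """Log-hunting helper: names in a query string that target the loader.
    Run it over the query part of access-log entries to spot attempts."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.upper().startswith(LOADER_PREFIX)]


if __name__ == "__main__":
    attack = "LD_PRELOAD=/tmp/x.so&page=index"   # constructed request
    print("unsafe  :", cgi_env_unsafe(attack).get("LD_PRELOAD"))
    print("hardened:", cgi_env_hardened(attack).get("LD_PRELOAD"))
    print("flagged :", suspicious_params(attack))
```

The hardened version also refuses to overwrite variables the server set itself, which closes the related trick of redirecting PATH or similar to attacker-controlled locations; the prefix check is deliberately case-insensitive even though glibc only honours the upper-case names, since filtering a few extra parameters costs nothing.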

Elttam reported the vulnerability to Embedthis, the company that develops the web server, which promptly released an update that addresses the flaw.

It is now important that hardware manufacturers include the patch in the instances of GoAhead running in their products, but this process could take a long time.

To get an idea of the impact of such a flaw, one can query the Shodan search engine: between 500,000 and 700,000 devices could be affected.

Twitter user @3ncr1pt3d (December 19, 2017): “CVE-2017-17562: Remote LD_PRELOAD exploitation of GoAhead web server. So this runs a hell of a lot of things: printers, network gear, CC cameras. Users of telecoms hosting stuff. Convenience without proper configuration. What I found on Shodan now:”
Elttam also released proof-of-concept code that can be used to test whether IoT devices are vulnerable to CVE-2017-17562.

Flaws of this kind are exploited by IoT malware such as BrickerBot, Mirai, Hajime, and Persirai.

In March, researcher Pierre Kim revealed that more than 185,000 vulnerable Wi-Fi-connected cameras were exposed to the Internet due to a flaw in the GoAhead server.


Schneider Electric Patches Flaws in Pelco VideoXpert Enterprise product
26.12.2017 securityaffairs Vulnerability

Schneider Electric recently released a firmware update for its Pelco VideoXpert Enterprise product that addresses several vulnerabilities, including a high-severity code execution flaw tracked as CVE-2017-9966.
The Pelco VideoXpert solution is widely used in commercial facilities worldwide.

Security researcher Gjoko Krstic found two directory traversal bugs and an improper access control flaw that can be exploited by an attacker to achieve arbitrary code execution.

Both Schneider Electric and ICS-CERT published security advisories about CVE-2017-9966, which could be exploited by an attacker to replace certain files and execute malicious code with system privileges.

“By replacing certain files, an authorized user can obtain system privileges and the inserted code would execute at an elevated privilege level.

CVE-2017-9966 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated;” reads the ICS-CERT advisory.

“Successful exploitation of these vulnerabilities may allow an authorized user to gain system privileges or an unauthorized user to view files.”


Both directory traversal vulnerabilities (tracked as CVE-2017-9964 and CVE-2017-9965) have been classified as medium severity. According to the advisory, the first flaw could be exploited by an attacker to bypass authentication or hijack sessions by “sniffing communications.”

The second directory traversal vulnerability can be exploited by an unauthorized user to access web server files that could contain sensitive information.
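The two traversal bugs are described only in outline above, so as an added example (not Pelco or Schneider Electric code) here is the check a web server needs to keep a requested path inside its document root: decode repeatedly, normalise, compare lexically, then resolve symlinks on the real filesystem. The document root, the page and the escaping symlink are created in a temporary directory by the demo function and are constructed for this example.

```python
"""Added example (not Pelco/Schneider code) of a directory-traversal guard:
a URL path is decoded, normalised and only served if it still resolves
inside the document root, first lexically and then after symlink resolution.
The root and files used by demo() are constructed in a temporary directory."""
import os
import posixpath
import tempfile
from urllib.parse import unquote


def decode_fully(path, rounds=3):
    """Undo percent-encoding repeatedly so that %252e%252e (double-encoded
    '..') cannot slip past a single-pass decoder."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def safe_path(web_root, requested):
    """Lexical check: map a request path under web_root, or return None if
    '..' segments, backslashes or NUL bytes would escape the root."""
    root = posixpath.normpath(web_root)
    prefix = root if root.endswith("/") else root + "/"
    p = decode_fully(requested)
    if "\x00" in p:
        return None                       # NUL truncates paths in C servers
    p = p.replace("\\", "/")              # treat ..\ exactly like ../
    candidate = posixpath.normpath(posixpath.join(root, p.lstrip("/")))
    if candidate != root and not candidate.startswith(prefix):
        return None
    return candidate


def open_under_root(web_root, requested):
    """Filesystem check on top of the lexical one: resolve symlinks with
    realpath so a link inside the root cannot point outside it. Returns the
    real path of an existing regular file, or None."""
    candidate = safe_path(web_root, requested)
    if candidate is None:
        return None
    root_real = os.path.realpath(web_root)
    real = os.path.realpath(candidate)
    if os.path.commonpath([root_real, real]) != root_real:
        return None
    return real if os.path.isfile(real) else None


def demo():
    """Build a throwaway document root with one page and one symlink that
    escapes the root, then report which requests would be served."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html>ok</html>")
        try:
            os.symlink("/", os.path.join(root, "leak"))   # root/leak -> /
            symlink_ok = True
        except OSError:
            symlink_ok = False
        return {
            "index": open_under_root(root, "/index.html") is not None,
            "traversal": open_under_root(root, "../../etc/passwd"),
            "symlink": open_under_root(root, "leak/etc/hosts") if symlink_ok else None,
        }


if __name__ == "__main__":
    print(demo())
```

The lexical check alone is what most traversal patches add; the realpath step is the part that catches a symlink or bind mount inside the web root, which is why both are kept.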

These Pelco VideoXpert Enterprise vulnerabilities have been patched with the release of firmware version 2.1. All prior versions are affected.


Experts from Bleeping Computer spotted a new CryptoMix Ransomware variant
25.12.2017 securityaffairs Ransomware

Security experts spotted a new variant of the CryptoMix ransomware that uses a different extension (.FILE) and a new set of contact emails.
Security experts from BleepingComputer discovered a new variant of the CryptoMix ransomware that appends a different extension (.FILE) to the names of encrypted files and uses new contact emails.

For example, a file encrypted by this variant of the ransomware gets an encrypted file name such as 0D0A516824060636C21EC8BC280FEA12.FILE.

Experts found that this variant uses the same encryption methods as previous ones and the ransom note is still named _HELP_INSTRUCTION.TXT, but the contact emails for receiving payment instructions are now file1@keemail.me, file1@protonmail.com, file1m@yandex.com, file1n@yandex.com, and file1@techie.com.


Further details and the IoCs are included in the post published on Bleeping Computer.

“As we are always looking for weaknesses, if you are a victim of this variant and decide to pay the ransom, please send us the decryptor so we can take a look at it. You can also discuss or receive support for Cryptomix ransomware infections in our dedicated Cryptomix Help & Support Topic.” wrote Lawrence Abrams.

Below is the list of recommendations provided by the experts to protect your system from ransomware attacks.

Backup, Backup, Backup!
Do not open attachments if you do not know who sent them.
Do not open attachments until you confirm that the person actually sent you them.
Enable the showing of file extensions.
If an attachment ends with .js, .vbs, .exe, .scr, or .bat, do not open them for any reason.
Scan attachments with tools like VirusTotal.
Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
Make sure you have some sort of security software installed that uses behavioral detection or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it could have the biggest payoff.
Use hard passwords and never reuse the same password at multiple sites.
If you are interested in Indicators of Compromise, take a look at the blog post.


Financially motivated attacks reveal the interests of the Lazarus APT Group
25.12.2017 securityaffairs APT

Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies, the group’s arsenal of tools, implants, and exploits is extensive and under constant development.
Researchers at security firm Proofpoint collected evidence of the Lazarus APT group's significant interest in cryptocurrencies. The North Korea-linked hackers launched several multistage attacks that use cryptocurrency-related lures to infect victims with malware.

The malicious code aims to steal credentials for cryptocurrency wallets and exchanges, but there is much more.

“Proofpoint researchers have uncovered a number of multistage attacks that use cryptocurrency-related lures to infect victims with sophisticated backdoors and reconnaissance malware that we attribute to the Lazarus Group.” reads the analysis published by Proofpoint. “Victims of interest are then infected with additional malware including Gh0st RAT to steal credentials for cryptocurrency wallets and exchanges, enabling the Lazarus Group to conduct lucrative operations stealing Bitcoin and other cryptocurrencies.”

The Lazarus APT group has increasingly focused on financially motivated attacks in an attempt to exploit the media interest in the skyrocketing prices of cryptocurrencies.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber espionage campaigns and sabotage aimed at destroying data and disrupting systems. Security researchers found that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber espionage campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul, and the Sony Pictures hack.

Lazarus is believed to be the first nation-state attacker to target point-of-sale systems with a framework for stealing payment card data.

The timing is perfect: the hackers are intensifying their operations around the Christmas shopping season.

The arsenal of the Lazarus APT group includes sophisticated custom-made malware, DDoS botnets, and wiper malware.

The research paper published by the experts details a new implant dubbed PowerRatankba, a PowerShell-based malware variant that closely resembles the original Ratankba implant.

Experts also documented a new and emerging threat dubbed RatankbaPOS targeting the point-of-sale systems.


“The Lazarus Group is a sophisticated, state-sponsored APT group with a long history of successful destructive, disruptive, and costly attacks on worldwide targets. State-sponsored groups are generally focused on espionage and disruption. However, our findings on their recent activities relate to the financially motivated arm of Lazarus, the operations of which are peculiar to the North Korean group.” said Patrick Wheeler, director of threat intelligence, Proofpoint.

“These actions, including the targeting of cryptocurrency exchange credentials and point-of-sale infrastructure, are significant for a number of reasons:

This appears to be the first publicly documented instance of a state-sponsored actor attacking point-of-sale infrastructure for financial gain.

Cryptocurrencies are nothing new to threat actors, state-sponsored or otherwise. However, in this case we were able to extensively document the custom-built tools and procedures that Lazarus group is using to perform cryptocurrency theft.

This group now appears to be targeting individuals rather than just organisations: individuals are softer targets, often lacking resources and knowledge to defend themselves and providing new avenues of monetisation for a state-sponsored threat actor’s toolkit. Bringing the tools and resources of a state-sponsored attack group to bear against individuals and infrastructure used by large numbers of private citizens raises the stakes considerably when assessing potential impact.

We were able to differentiate the actions of the financially motivated team within Lazarus from those of their espionage and disruption groups that have recently grabbed headlines, providing better insight into their operations and the worldwide threat represented by Lazarus.”


Facebook’s photo tagging system now looks for users in photos they’re not tagged in
24.12.2017 securityaffairs Social

Facebook is rolling out a new feature for its photo tagging mechanism: it now looks for users in photos they are not tagged in.
Facebook is rolling out a new feature for its photo tagging mechanism that will now scan newly uploaded photos and alert all the users it recognizes in that photo. The feature aims to detect if others might be attempting to abuse your image.

“Powered by the same technology we’ve used to suggest friends you may want to tag in photos or videos, these new features help you find photos that you’re not tagged in and help you detect when others might be attempting to use your image as their profile picture,” explained Joaquin Quiñonero Candela, Director, Applied Machine Learning at Facebook.

The photo tagging system analyzes every image Facebook users upload, scanning for human faces, and associates each face with a template: a string of numbers computed by the platform.

The system compares the face templates of the people it finds in any newly uploaded image with the stored templates of other Facebook users and then sends the matching users a notification.


“Now, if you’re in a photo and are part of the audience for that post, we’ll notify you, even if you haven’t been tagged. You’re in control of your image on Facebook and can make choices such as whether to tag yourself, leave yourself untagged, or reach out to the person who posted the photo if you have concerns about it.” added Candela.

The new feature aims to curb any abuse of the social media platform.

Facebook also announced new tools for people with visual impairments: the platform will detect people not tagged in an image and tell the user who is in the photo.

The updates to the photo tagging mechanism will not roll out in Canada and the EU due to local user privacy laws.

Users who do not want to be notified when others upload photos of them can disable photo tagging notifications.


Russian Fancy Bear APT Group improves its weapons in ongoing campaigns
24.12.2017 securityaffairs APT

Fancy Bear APT group refactored its backdoor and improved encryption to make it stealthier and harder to stop.
The operations conducted by the Russian Fancy Bear APT group (aka Sednit, APT28, Sofacy, Pawn Storm, and Strontium) have become even more sophisticated and harder to detect.
According to a new report published by experts from security firm ESET, the APT group recently refurbished one of its most popular backdoors, Xagent, which was significantly improved with new functionality that makes it stealthier and harder to stop.
The malware authors have redesigned the architecture of the malware, so it has become harder to recognize previously discovered infection patterns.
The X-Agent backdoor (aka Sofacy) has been associated with several espionage campaigns attributed to the Fancy Bear APT group. Over the years, experts have observed several strains of X-Agent designed to compromise Windows, Linux, iOS and Android, and in early 2017 researchers at Bitdefender spotted the first version of X-Agent developed to compromise macOS systems.

The latest version of the X-Agent backdoor, the fourth one, implements new techniques for obfuscating strings and all run-time type information. Cyberspies upgraded some of the code used for C&C purposes and added a new domain generation algorithm (DGA) feature in the WinHttp channel for quickly creating fallback C&C domains.

ESET observed a significant improvement in the encryption algorithm and DGA implementation that makes domain takeover more difficult.

Fancy Bear also made internal improvements, including new commands that can be used to hide malware configuration data and other data on an infected system.

The attack chain remained largely unchanged, the APT group Fancy Bear still relies heavily on “very cleverly crafted phishing emails.”

“The attack usually starts with an email containing either a malicious link or malicious attachment. We have seen a shift in the methods they use ‘in the course of the year’, though. Sedkit was their preferred attack vector in the past, but that exploit kit has completely disappeared since late 2016.” reads the report published by ESET. “The DealersChoice exploit platform has been their preferred method since the publication of our white paper, but we saw other methods being used by this group, such as macros or the use of Microsoft Word Dynamic Data Exchange.”


The group stopped using Sedkit exploit kit and has increasingly begun using a platform called DealersChoice, a Flash exploit framework also used by the group against Montenegro.

DealersChoice generates documents with embedded Adobe Flash Player exploits based on the target's configuration.

Fancy Bear’s operations are still focused on government departments and embassies all over the world.


Chinese authorities have sentenced a man to five-and-a-half years in prison for selling a VPN service without authorization
24.12.2017 securityaffairs BigBrothers

The Chinese authorities have sentenced a man to five-and-a-half years in prison for selling a VPN service without authorization.
China continues to intensify its monitoring of cyberspace; the authorities go after any service that could be used to bypass its censorship system, known as the Great Firewall.

The Great Firewall project has already blocked access to hundreds of the world's 1,000 top websites, including Google, Facebook, Twitter, and Dropbox.

Since early this year, the Chinese authorities have been banning "unauthorized" VPN services; any company offering such a service in the country must obtain a licence from the government.

Residents of the country use VPN and proxy services to bypass the censorship implemented by the Great Firewall and access websites prohibited by the government without revealing their actual identity.

A Chinese court in the southern region of Guangxi sentenced Wu Xiangyang, a Chinese citizen from the Guangxi Zhuang autonomous region, for offering a non-licensed VPN service since 2013 until June 2017.

According to an announcement from China’s Procuratorate Daily on Wednesday, the man was also fined 500,000 yuan ($76,000).

“From 2013 to June 2017, the suspect Wu Xiangyang illegally profited without obtaining the relevant business license: he set up his own VPN server on the Internet and provided member accounts and login software which allows him to browse foreign websites,” states the announcement.

“In addition, the suspect Wu Xiangyang also wrote some VPN member account passwords into hardware routers, so that the modified routers could log in directly to the VPN and listen to audio and video programs on foreign websites.”

Prosecutors said the man was convicted of collecting “illegal revenue” of 792,638 yuan ($120,500) from his unauthorized activity.

Wu Xiangyang ran his “Where Dog VPN” business through a shop on the shopping site Taobao and advertised it on social media sites.

It was a successful business: in March 2016 the company claimed on Twitter to have 8,000 foreign and 5,000 business customers using the VPN service to bypass censorship in the country.

In July, in compliance with Chinese Internet monitoring law, Apple started removing all iOS VPN apps from its App Store in China.


Experts uncovered a new GlobeImposter Ransomware malspam campaign
24.12.2017 securityaffairs Ransomware

Experts observed cybercriminals are conducting a new malspam campaign to distribute a new variant of the GlobeImposter ransomware
According to Lawrence Abrams from BleepingComputer, crooks are conducting a new malspam campaign to distribute a new variant of the GlobeImposter ransomware that appends the “..doc” extension to encrypted files.

The malicious messages pretend to carry attached photos for the recipient and have a subject line similar to “Emailing: IMG_20171221_”.

The messages include 7-Zip (.7z) archive attachments named like a camera photo, such as IMG_[date]_[number]. The archive contains an obfuscated .js file; when the victim double-clicks it, it downloads the GlobeImposter ransomware from a remote server and executes it.

“After the executable is downloaded, it will be executed and the GlobeImposter ransomware will begin to encrypt the computer. When encrypting files on the computer it will append the ..doc extension to encrypted file’s name. For example, a file called 1.doc would be renamed to 1.doc..doc.” states the analysis published by Abrams.

Once the files are encrypted, the GlobeImposter ransomware creates a ransom note named Read___ME.html in each folder where a file was encrypted. Victims are instructed to visit the http://n224ezvhg4sgyamb.onion/sup.php onion site, which provides an email address to contact (server5@mailfence.com) for payment instructions and offers to decrypt one file for free. The note also includes a link to a support website that victims can use to send messages to the criminals.

Lawrence confirmed that files encrypted by this GlobeImposter variant cannot be decrypted for free.
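As an added example that is not BleepingComputer's code, the following Python turns the indicators from this article and from the CryptoMix article above into two checks a responder can run: a scan over a file listing for the encrypted-file naming and the ransom notes, and a mail-gateway rule that blocks the script-in-archive attachment pattern used to deliver GlobeImposter. The listing, subjects and attachment names are constructed samples, and the set of archive types is an assumption.

```python
"""Added example (not BleepingComputer's code): file-system and mail-gateway
indicator checks for the CryptoMix (.FILE) and GlobeImposter (..doc)
variants described on this page. Sample paths and messages are constructed."""
import re

# Encrypted-file naming observed in the two articles.
CRYPTOMIX_NAME = re.compile(r"^[0-9A-Fa-f]{32}\.FILE$")   # 32 hex chars + .FILE
GLOBEIMPOSTER_SUFFIX = "..doc"                             # 1.doc -> 1.doc..doc
RANSOM_NOTES = {"_HELP_INSTRUCTION.TXT", "Read___ME.html"}

# Attachment policy taken from the recommendations list; archive types assumed.
BLOCKED_EXT = {".js", ".vbs", ".exe", ".scr", ".bat"}
ARCHIVE_EXT = {".7z", ".zip", ".rar"}
LURE_SUBJECT = re.compile(r"^Emailing: IMG_\d{8}_")


def basename(path):
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def extension(name):
    """Lower-cased final extension, '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify_file(path):
    """Tag one file name with the family it indicates, or None if benign."""
    name = basename(path)
    if name in RANSOM_NOTES:
        return "ransom_note"
    if CRYPTOMIX_NAME.match(name):
        return "cryptomix_encrypted"
    if name.endswith(GLOBEIMPOSTER_SUFFIX):
        return "globeimposter_encrypted"
    return None


def scan_listing(paths):
    """Count indicators across a directory listing (e.g. from host triage)."""
    counts = {}
    for path in paths:
        tag = classify_file(path)
        if tag:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def attachment_blocked(filename, inner_names=()):
    """Mail-gateway rule: block script/executable attachments directly and
    inside archives, the .7z-wrapping-.js delivery used by GlobeImposter.
    inner_names is the list of member names from the unpacked archive."""
    ext = extension(filename)
    if ext in BLOCKED_EXT:
        return True
    if ext in ARCHIVE_EXT:
        return any(extension(n) in BLOCKED_EXT for n in inner_names)
    return False


def looks_like_lure(subject, attachments):
    """Subject pattern combined with the attachment rule; attachments is a
    list of (filename, inner_names) pairs."""
    return bool(LURE_SUBJECT.match(subject)) and any(
        attachment_blocked(name, inner) for name, inner in attachments)


SAMPLE_LISTING = [   # constructed triage listing
    r"C:\Users\alice\Documents\0D0A516824060636C21EC8BC280FEA12.FILE",
    r"C:\Users\alice\Documents\_HELP_INSTRUCTION.TXT",
    r"C:\Users\bob\Desktop\1.doc..doc",
    r"C:\Users\bob\Desktop\Read___ME.html",
    r"C:\Users\bob\Desktop\report.docx",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
    print(looks_like_lure("Emailing: IMG_20171221_1234",
                          [("IMG_20171221_1234.7z", ["IMG_20171221_1234.js"])]))
```

The file-name checks are cheap enough to run from a login script or an EDR query over user profiles; the attachment rule is the one the recommendations list implies but does not spell out, namely that the extension ban has to be applied to archive members as well as to the attachment itself.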
The experts' recommendations for protecting a system from ransomware attacks are the same as those listed in the CryptoMix article above.


US Intel Chiefs Sound Alarm on Overseas Web Spying Law
23.12.2017 securityweek BigBrothers
US intelligence chiefs on Thursday sounded the alarm about the imminent expiration of a law that allows them to spy on overseas web users, and called on Congress to renew it immediately.

"If Congress fails to reauthorize this authority, the Intelligence Community will lose valuable foreign intelligence information, and the resulting intelligence gaps will make it easier for terrorists, weapons proliferators, malicious cyber actors, and other foreign adversaries to plan attacks against our citizens and allies without detection," the intelligence chiefs said in an open letter to Congress.

The letter was signed by Director of National Intelligence Dan Coats, CIA Director Mike Pompeo, Attorney General Jeff Sessions, FBI chief Christopher Wray and the director of the National Security Agency (NSA) Michael Rogers.

The law they want extended, known as Section 702 of the Foreign Intelligence Surveillance Act (FISA), is set to expire at the end of the year, and Congress is preparing a temporary extension until January 19 as part of a short-term budget bill that will fund the federal government.

The House of Representatives was due to vote on the budget later Thursday, with a deadline to pass it by midnight Friday. The Senate will vote on it after that.

The law allows US intel agencies to spy on internet users abroad, including on platforms like Facebook and Skype. Congress initially passed the law in 2008 and renewed it in 2012, for five years.

"Short-term extensions are not the long-term answer either, as they fail to provide certainty, and will create needless and wasteful operational complications," said the intelligence heads in their statement.

Most members of Congress support renewing the law on the grounds of combating terrorism, but some on the far right and left have joined forces to try to restrict it, citing concerns that US citizens could be caught up in the overseas spying program.

By law, communications of US citizens cannot be intercepted and used without a judge's warrant, unlike those of foreigners living overseas, who do not enjoy the same constitutional protections as Americans.