Author Archives: Gupta Vijaya

spotting a scam

How to spot a scam

Recognise the signs someone is trying to scam you, and learn how to check if a message you have received is genuine.

Recognising online scams

Cyber criminals may contact you via email, text, phone call or via social media. They will often pretend to be someone (or an organisation) you trust.

It used to be easier to spot scams. They might contain bad spelling or grammar, come from an unusual email address, or feature imagery or design that feels ‘off’. But scams are getting smarter and some even fool the experts.

How to spot scam messages or calls

Scammers try to quickly gain your trust. They aim to pressure you into acting without thinking.

If a message or call makes you suspicious, stop, break the contact, and consider the language it uses. Scams often feature one or more of these tell-tale signs.

Authority

Is the message claiming to be from someone official? For example, your bank, doctor, a solicitor, or a government department. Criminals often pretend to be important people or organisations to trick you into doing what they want.

Urgency

Are you told you have a limited time to respond (such as ‘within 24 hours’ or ‘immediately’)? Criminals often threaten you with fines or other negative consequences.

Emotion

Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.

Scarcity

Is the message offering something in short supply, like concert tickets, money or a cure for medical conditions? Fear of missing out on a good deal or opportunity can make you respond quickly.

Current events

Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.

How to check if a message is genuine

If you have any doubts about a message, contact the organisation directly. Don’t use the numbers or address in the message – use the details from their official website.

Remember, your bank (or any other official source) will never ask you to supply personal information via email, or call and ask you to confirm your bank account details. If you suspect someone is not who they claim to be, hang up and contact the organisation directly. If you have paper statements or a credit card from the organisation, official contact details are often written on them.

Make yourself a hard target

Criminals use information about you that’s available online (including on social media sites) to make their phishing messages more convincing.

You can reduce the likelihood of being phished by thinking about what personal information you (and others) post about you, and by reviewing your privacy settings within your social media accounts.

How to report suspicious communications

If you have received a suspicious message or call, or visited a suspicious website you should report it.

Report a scam email, text message, website, phone call or advert.

Avoid online poker scams

How to avoid online poker scams?

If you want to know how to avoid an online poker scam, start from the premise that there is no single way to do it. Given the variety of these bad practices, detecting poker scams is a complicated task.

Prevention will always be your best ally when it comes to avoiding online poker scams. Follow these tips to reduce the risk of being cheated or scammed in your poker games.

Choose licensed networks

Make sure that the online poker network in which you are going to register has the respective seals and certifications that guarantee the security and integrity of the platform.

In the case of Indonesia, BMM Testlabs has certified the Random Number Generator (RNG) of IDN Poker as legitimate. Internationally, there are seals such as the Malta Gaming Authority or Curacao Gaming, which issue licences of great prestige and reputation.

Choose the most popular payment methods

Pay special attention to the payment methods available when moving your funds. Avoid those you are not familiar with or that seem insecure.

Also, remember that online poker rooms that have several payment methods are the most reliable. Bank cards, transfers, e-wallets, payment through coupons or cryptocurrencies are just some of the most common methods among the most relevant poker rooms.

It is also advisable to check how to make withdrawals and deposits, as well as to be aware of the waiting times for the arrival of funds to your account. Never provide your bank details without prior research on payment methods.

Report suspicious behavior

The poker rooms have customer services that you can contact in case you detect suspicious behavior.

In this regard, note that a player who always bets chips in identical amounts, or who always takes exactly the same amount of time to act, is most likely a bot.

Prevent others from accessing your hardware

Never leave your devices (computers, cell phones, etc.) unattended in public, and never hand them to anyone you do not trust.

Lack of customer service

Be wary of platforms that do not provide sufficient contact options. Trustworthy operators provide their users with various means of contacting them, helping to create a positive image.

Here are the new Emotet spam campaigns hitting mailboxes worldwide

The Emotet malware kicked into action yesterday after a ten-month hiatus with multiple spam campaigns delivering malicious documents to mailboxes worldwide.

Emotet is a malware infection that is distributed through spam campaigns with malicious attachments. If a user opens the attachment, malicious macros or JavaScript will download the Emotet DLL and load it into memory using PowerShell.

Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as TrickBot or Qbot that commonly lead to ransomware infections.

Emotet spamming begins again

Last night, cybersecurity researcher Brad Duncan published a SANS Handler Diary on how the Emotet botnet had begun spamming multiple email campaigns to infect devices with the Emotet malware.

According to Duncan, the spam campaigns use reply-chain emails to lure the recipient into opening attached malicious Word, Excel, and password-protected ZIP files.

Reply-chain phishing emails are when previously stolen email threads are used with spoofed replies to distribute malware to other users.

In the samples shared by Duncan, we can see Emotet using reply-chains related to a “missing wallet,” a CyberMonday sale, canceled meetings, political donation drives, and the termination of dental insurance.

Attached to these emails are Excel or Word documents with malicious macros or a password-protected ZIP file attachment containing a malicious Word document, with examples shown below.

Image: Emotet email with Excel attachment (source: Brad Duncan)

Image: Emotet "missing wallet" reply-chain email

There are currently two different malicious documents being distributed in the new Emotet spam campaigns.

The first is an Excel document template that states that the document will only work on desktops or laptops and that the user needs to click on ‘Enable Content’ to view the contents properly.

Image: malicious Excel attachment template

The malicious Word attachment is using the ‘Red Dawn’ template and says that as the document is in “Protected” mode, users must enable content and editing to view it properly.

How Emotet attachments infect devices

When you open Emotet attachments, the document template will state that previewing is not available and that you need to click on ‘Enable Editing’ and ‘Enable Content’ to view the content properly.

However, once you click on these buttons, malicious macros will be enabled that launch a PowerShell command to download the Emotet loader DLL from a compromised WordPress site and save it to the C:\ProgramData folder.

Image: PowerShell download command launched by the macro

Once downloaded, the DLL is launched using C:\Windows\SysWOW64\rundll32.exe, which copies the DLL to a randomly named folder under %LocalAppData% and then relaunches the DLL from that folder.

Image: randomly named DLL folder under %LocalAppData%

After some time, Emotet configures a startup value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key to launch the malware when Windows starts.

Image: Emotet Run key value in the Registry Editor

The Emotet malware will now silently remain running in the background while waiting for commands to execute from its command and control server.

These commands could be to search for email to steal, spread to other computers, or install additional payloads, such as the TrickBot or Qbot trojans.

Image: Emotet attack flow

At this time, BleepingComputer has not seen any additional payloads dropped by Emotet, which has also been confirmed by Duncan’s tests.

“I have only seen spambot activity from my recent Emotet-infected hosts,” Duncan told BleepingComputer. “I think Emotet is just getting re-established this week.”

“Maybe we’ll see some additional malware payloads in the coming weeks,” the researcher added.

Defending against Emotet

Malware and botnet monitoring organisation Abuse.ch has released a list of 245 Emotet command and control servers that perimeter firewalls can block to stop infected hosts from reaching them.

Blocking communication to C2s will also prevent Emotet from dropping further payloads on compromised devices.

An international law enforcement operation took down the Emotet botnet in January 2021, and for ten months, the malware has not been active.

However, starting Sunday night, active TrickBot infections began dropping the Emotet loader on already infected devices, rebuilding the botnet for spamming activity.

The return of Emotet is a significant event that all network admins, security professionals, and Windows admins must monitor for new developments.

In the past, Emotet was considered the most widely distributed malware and has a good chance of regaining its previous ranking.

Football Fraud

Belgium football transfer: Two arrested in fraud inquiry

Two people have been detained in an inquiry in Belgium into alleged fraud involving the transfer of football players, prosecutors say.

One, players’ agent Christophe Henrotay, was held in Monaco. The other is said to be an associate in Belgium.

They were detained during raids on Tuesday and Wednesday.

Prosecutors said the arrests stem from an ongoing inquiry into the £13m (€18m) transfer of striker Aleksandar Mitrovic from Anderlecht to Newcastle United in 2015.

“The facts involve notably money-laundering operations and private corruption in the context of football player transfers,” they said on Wednesday.

A search was also carried out in London, where a Metropolitan Police spokesman said they were assisting the Belgian investigation.

It is understood that Newcastle believe they are not directly connected to the inquiry.

In April, Anderlecht premises were searched. No-one was detained at the time.

A separate inquiry into suspected fraud involving transfers during the 2017-2018 season led to raids on premises linked to Anderlecht, Club Bruges and Standard Liège last October.

Help stopping spam

You Can Help To Stop Spam Emails

Not all spam email is illegal. But there are steps you can take to help stop receiving spam emails.

Laws Regulating SPAM

State and federal laws regulate and protect you from spammers.

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a federal law that sets standards that email marketers must follow. The Federal Trade Commission and Office of the Attorney General are responsible for enforcing and penalizing violations of this act.

The CAN-SPAM Act requires that unsolicited commercial emails:

  • Be identified as advertisements
  • Use clear, accurate, non-misleading subject lines and header information
  • Provide a functioning return email address and the legitimate physical address of the mailer
  • Include a way for people to opt out of future mailings

Learn more about CAN-SPAM Act standards, enforcement and penalties on the Federal Trade Commission website.

Limit the Spam You Receive

You can take steps to reduce and manage the flow of unwanted email into your inbox.

Use an email filter. Take advantage of all spam filtering tools offered by your email service and/or Internet Service Provider. If spam messages get through the filter and reach your inbox, mark them as spam to help improve the filters.

Avoid Posting Your Email Address on Websites. Spammers regularly “harvest” email addresses from websites, so never post your email address on a public website, including on blog posts, in chat rooms, on social networking sites, or in online classified ads.

Protect your personal email address. Consider using two email addresses – one for personal messages and one for shopping, newsletters, chat rooms, and other services.

Review privacy policies and opt out of mailing lists. Before you submit your email address to a website, check their privacy policy to see if it allows them to share it with others, and then think twice before providing them your information. Also look for pre-checked boxes that sign you up for email updates from the company and its partners. You may be able to opt out of receiving these emails.

Reduce Spam for Everyone

Spammers search the internet looking for computers that are not protected by up-to-date security software. When they find unprotected computers, they try to install malware on the computer so that they can control the computers.

Spammers use a network of many thousands of these infected computers – called a botnet – to send millions of emails at once. Millions of home computers are part of botnets, and most spam is sent through these botnets.

Don’t let spammers use your computer

You can take these steps to reduce the chances that your computer is infected and used to send spam:

  • Update your software. Keep all of your software – including your operating system, Internet browser and other software programs – up to date to protect against the latest threats. It is a good idea to set your software to retrieve updates automatically.
  • Use good antivirus software. Make sure you have good antivirus software installed on your computer and that it receives updates regularly.
  • Use caution opening email attachments. Do not open an email attachment – even if it is from a friend or relative – unless you are expecting it or know what it is.
  • Download software only from sites you know and trust. It can be tempting to download free software, but keep in mind that such software may contain malware.

Let’s fight spam with Spam Poison Community

Beware of Bitcoin Investment Emails Pushing Clipboard Hijackers

A new malspam campaign is underway that contains an attachment which, when executed, installs a Windows clipboard hijacker that attempts to steal Bitcoins from its victims.

This new campaign was discovered by security site My Online Security, which received a series of Bitcoin investment related emails. These emails had subject lines that included “FW: Review BTC” or “FW: Review Your New Bitcoin International Investment Update 2019” and contained an archive attachment.

Image: the Bitcoin investment spam email

This archive includes a JSE (JScript) file that contains a Base64-encoded executable stored inside the script, as shown below. When the JSE file is executed, it decodes the Base64-encoded file, saves it to %Temp%\rewjavaef.exe, and then executes it.

Image: the JSE script with the embedded Base64 payload

Once executed, a file called Task.exe will be saved to the %AppData%\svchost.exe\ folder as shown below. This file will then be executed as well.

Image: Task.exe in the %AppData%\svchost.exe\ folder

To make sure that the Task.exe is started every time a victim logs into Windows, a startup file called svchost.exe.vbs will be created in the user’s Startup folder.

Image: svchost.exe.vbs in the Startup folder

The Task.exe program is actually clipboard hijacker malware based on the open source BitPing program created by a security researcher named A Shadow.

A cryptocurrency clipboard hijacker is malware that monitors the Windows Clipboard for certain data, and when detected, swaps it with different data that the attacker wants. In this particular case, Task.exe will monitor the Clipboard for bitcoin addresses, and if one is detected, will swap it for the 3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W address, which is owned by the attacker.

Image: source code of the clipboard hijacker

As cryptocurrency addresses are typically long and hard to remember, attackers understand that when sending bitcoins, most people will copy an address from another page, site, or program. This malware will detect the copied address in the clipboard and replace it with their own in the hopes the victim won’t notice the swap. Then when the bitcoins are sent, they would be sent to the address under the attacker’s control rather than the intended recipient.

The best way to avoid malware like this is to not open attachments that you receive from strangers or that you are not expecting. Furthermore, you should never run attachments that can execute commands on the computer. This includes files with the .jse, .js, .vbs, .cmd, .ps1, .exe or .bat extensions.

If Windows is not configured to display file extensions, it is strongly suggested that you enable the display of extensions so you do not open malicious documents or executables by mistake.
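Both the Emotet post (rundll32 launching a DLL from %LocalAppData%, with a Run key for persistence) and the clipboard-hijacker post (svchost.exe.vbs in the Startup folder launching %AppData%\svchost.exe\Task.exe) describe persistence that an autostart review can catch. The following is an added example, not code from either article or from the malware: it scans a constructed list of autostart entries (sample paths and value names are invented) and flags the traits those two posts describe.

```python
import re
from typing import Dict, List

# Constructed sample autostart entries (not real telemetry). The first two mirror
# the persistence described in the Emotet and clipboard-hijacker posts; the third
# is a benign entry for contrast. For the Startup-folder script, "command" holds
# the launch target taken from the script body rather than the wscript.exe line.
SAMPLE_AUTOSTARTS = [
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Kxqwpl",
     "command": r"C:\Windows\SysWOW64\rundll32.exe C:\Users\alice\AppData\Local\Rtvfxq\rtvfxq.dll,Control_RunDLL"},
    {"location": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "name": "svchost.exe.vbs",
     "command": r'WScript.Shell.Run "C:\Users\alice\AppData\Roaming\svchost.exe\Task.exe"'},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

# Simplified extractor for Windows paths inside a command line.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s,]+')
# Directories a standard user can write to and that both posts name as drop
# locations (C:\ProgramData, %LocalAppData%, %AppData%).
_USER_WRITABLE = ("\\programdata\\", "\\appdata\\")
_EXEC_EXT = (".exe", ".dll", ".scr")
_SCRIPT_EXT = ("vbs", "js", "jse", "cmd", "bat", "ps1")


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the rules an autostart entry trips; an empty list means not flagged."""
    reasons: List[str] = []
    cmd = entry["command"]
    paths = [p.lower() for p in _PATH_RE.findall(cmd)]

    # Rule 1: rundll32 loading a DLL from a user-writable directory (Emotet is
    # run from a random folder under %LocalAppData% via rundll32).
    if "rundll32" in cmd.lower() and any(
        p.endswith(".dll") and any(d in p for d in _USER_WRITABLE) for p in paths
    ):
        reasons.append("rundll32 loads a DLL from a user-writable directory")

    # Rule 2: autostart item whose name has a double extension mimicking a
    # system binary, e.g. svchost.exe.vbs in the Startup folder.
    stem, _, ext = entry["name"].lower().rpartition(".")
    if ext in _SCRIPT_EXT and stem.endswith(_EXEC_EXT):
        reasons.append("script with double extension mimics a system binary")

    # Rule 3: a binary launched from a *directory* named like an executable
    # (the hijacker drops Task.exe under %AppData%\svchost.exe\).
    for p in paths:
        parent = p.rsplit("\\", 1)[0]
        if parent.endswith(_EXEC_EXT) and any(d in p for d in _USER_WRITABLE):
            reasons.append("binary runs from a directory named like an executable")
            break
    return reasons


def scan(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; unflagged entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = classify(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in scan(SAMPLE_AUTOSTARTS).items():
        print(f"{name}: {'; '.join(why)}")
```

On a live system the entries would come from the HKCU and HKLM Run keys and the per-user Startup folder; the rules are deliberately narrow, so treat a hit as a prompt for investigation rather than proof of infection.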

Phone Scams

Almost £13,000 scammed from Armagh and Tyrone victims

Two people were scammed out of almost £13,000 last weekend, the PSNI has said.

One of the victims had nearly £10,000 taken from their bank account after they gave their bank details over the phone, while the other lost £2,500.

Both of them were scammed by people claiming to be from BT within a day of each other.

The scams happened on Friday and Saturday in counties Armagh and Tyrone.

The second victim was kept on the phone for about three hours and persuaded to download software, which resulted in the victim being swindled out of their money.

Scammers will use any tactic

Chief Superintendent Simon Walls has called on families to stay alert and for people not to give out financial details over the phone.

“I want to appeal to family members to do all they can to let their loved ones know, especially those who are older and vulnerable, never to give out any kind of financial details over the phone or to download software during a call unless they are 110% sure it is safe to do so,” he said.

“Scammers are creative and will do whatever they can to con people out of money. They don’t care who their victim is, they just want the money and will employ whatever tactic is necessary.”

SPAM!

India and South Korea top sources of spam in Asia

India and South Korea were the top Asian sources of global junk mail in the first quarter of the year, while China has pulled itself out of the “dirty dozen” list, a study revealed on Thursday.

The United States remained the number one source of junk, or spam, emails accounting for 13.1 percent of the total sent during the three-month period, the survey by computer security firm Sophos said.

India was number two in the global rankings, accounting for 7.3 percent of junk messages.

Brazil was third with 6.8 percent, followed by South Korea (4.48 percent), Vietnam (3.4 percent) and Germany (3.2 percent).

Rounding up the so-called “dirty dozen” list globally were Britain (3.1 percent), Russia (3.1 percent), Italy (3.1 percent), France (3.0 percent), Romania (2.5 percent) and Poland (2.4 percent).

China came in 15th, with just 1.9 percent of the world’s spam, according to Sophos.

“All eyes aren’t so much on which countries are on the list, but the one which isn’t,” said Graham Cluley, senior technology consultant at Sophos.

“China has earned itself a bad reputation in many countries’ eyes for being the launchpad of targeted attacks against foreign companies and government networks,” he said.

“But at least in the last 12 months they can demonstrate that the proportion of spam relayed by their computers has steadily reduced.”

The US, South Korea, Brazil and India together account for over 30 percent of all the spam emails relayed by hacked computers worldwide, added Cluley.

Despite China’s improved rankings, Asia accounted for 33.7 percent of spam sent in the first quarter, larger than Europe’s 31.2 percent, North America’s 16.9 percent and 14.7 percent for Latin America.

Spam accounts for 97 percent of all messages received by business email servers, many of them selling counterfeit or illicit goods, Sophos said.

Virtually all spam comes from malware-infected computers; it places a huge strain on company resources and leads to lost productivity, it added.