Obvious Scam but..

Soldato
OP
Joined
25 Jan 2008
Posts
2,923
Location
Peterboro, Distro:Ubuntu
It's probably not advisable to open in VMs anymore there's been a couple that "break out" normally via the network as the host is connected. Can't imagine ransomware is too far away from utilising such a feature to slow down AV vendors testing it.

Thanks for that Heads Up.

I actually made the mistake of not cloning the Win7 image before I tested out that scr. I realised my boo-boo when I deleted the image afterwards, so ultimately I've still got to "Clean Install" Win 7 back into VB.

And update..

And Reboot

And Update...

And Reboot.......

Doh !
 
Man of Honour
Joined
13 Oct 2006
Posts
91,655
You can check to see if your email has been in any data breaches in the last couple of years.

https://haveibeenpwned.com/

Most excellent website, you can sign up and it'll automatically email you if your email (or even domain if you have one) is ever in any future data breach.

It's run by Troy Hunt a security professional and Microsoft MVP for several years... so you don't need to worry about it being a dodge site too ;)

Read a few of Troy's blog posts to see how easy it really is for someone (any one) to get hold of your details if you're ever unlucky enough to be signed up to a hacked site.

One thing I think has gone under the radar is the implications of the heartbleed bug - from what I've seen it looks like hackers and the likes were harvesting data via that for about a year before it was addressed but due to the fragmented nature of the data collected the fallout could go on for a very long time i.e. 90% of the data dumped from it might be largely garbage but in amongst it could be say login details that get them into somewhere that then lets them exploit something else, etc.
 
Soldato
Joined
16 Jun 2013
Posts
5,381
One thing I think has gone under the radar is the implications of the heartbleed bug - from what I've seen it looks like hackers and the likes were harvesting data via that for about a year before it was addressed but due to the fragmented nature of the data collected the fallout could go on for a very long time i.e. 90% of the data dumped from it might be largely garbage but in amongst it could be say login details that get them into somewhere that then lets them exploit something else, etc.

One thing I always wondered about heartbleed was what percentage of users changed their private keys after patching it. As I understand it, it was possible to extract the private key in some instances. Therefore if the key remained after the patch it was still compromised.
 
Soldato
Joined
21 Apr 2007
Posts
6,590
I've had ransomware a couple of times, and no, before you say it, not browsing pron...


It's seriously so lame... you can bet people pay it too.
 
Soldato
Joined
21 Apr 2011
Posts
3,137
You can check to see if your email has been in any data breaches in the last couple of years.

https://haveibeenpwned.com/

Most excellent website, you can sign up and it'll automatically email you if your email (or even domain if you have one) is ever in any future data breach.

It's run by Troy Hunt a security professional and Microsoft MVP for several years... so you don't need to worry about it being a dodge site too ;)

Read a few of Troy's blog posts to see how easy it really is for someone (any one) to get hold of your details if you're ever unlucky enough to be signed up to a hacked site.


Thanks for that.

Just checked me and the missus and we are both OK, but found my old man's email to be "pwned" with Adobe being the source.

It doesn't actually state what it means by it being "pwned" - What are the implications for the old man?
 
Soldato
Joined
21 Apr 2007
Posts
6,590
You can check to see if your email has been in any data breaches in the last couple of years.

https://haveibeenpwned.com/

Most excellent website, you can sign up and it'll automatically email you if your email (or even domain if you have one) is ever in any future data breach.

It's run by Troy Hunt a security professional and Microsoft MVP for several years... so you don't need to worry about it being a dodge site too ;)

Read a few of Troy's blog posts to see how easy it really is for someone (any one) to get hold of your details if you're ever unlucky enough to be signed up to a hacked site.

Yep I've been pwned...... twice. All my passwords are different at least.

Edit: 3 times.
 
Soldato
Joined
12 May 2014
Posts
5,250
Doesn't encrypting a drive take time?
So how is this ransomware software able to encrypt the drive without the user noticing, especially the C drive?
 
Soldato
Joined
16 Jun 2013
Posts
5,381
Doesn't encrypting a drive take time?
So how is this ransomware software able to encrypt the drive without the user noticing, especially the C drive?

Depends on what it is. It would most likely start with text files, then pictures then move to the more time intensive file formats like videos/backups.

Most likely set to only use the spare CPU power, so most people wouldn't even notice until it's too late unless running some kind of monitoring widget.
 
Soldato
Joined
24 Dec 2002
Posts
3,551
Thanks for that.

Just checked me and the missus and we are both OK, but found my old man's email to be "pwned" with Adobe being the source.

It doesn't actually state what it means by it being "pwned" - What are the implications for the old man?

It basically means that (depending on the breach) his details have been stolen and are probably being sold on the black market - or depending on the age of the breach being freely passed around.

So based on the Adobe one - it's not worst case scenario but it was a big breach so lots of people were affected:
https://haveibeenpwned.com/ said:
The big one. In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

It's quite old, so most damage from password re-use has probably already been done; but if he re-uses passwords and he hasn't reset them since the breach I would certainly recommend it. Other than that, there is diddly that can be done. Just be pleased it wasn't a source that held more user info like names, addresses and credit card info.

Also, keep in mind that haveibeenpwned only contains the known breaches where Troy is able to get hold of the stolen data. It isn't a definitive "if it's not there I'm safe" conclusion, but Troy is pretty good at finding out and getting hold of the breaches since he started that site.
 
Soldato
Joined
1 May 2003
Posts
11,127
Doesn't encrypting a drive take time?
So how is this ransomware software able to encrypt the drive without the user noticing, especially the C drive?

I investigate these on a regular basis, and provide Forensic support.

Ransomware will inject itself into Explorer.exe and disable System Restore, delete all Shadow Volume Copies, and use bcdedit to turn off Windows Start-up Repair. It will then inject itself into svchost.exe and encrypt the data on all local drives, removable drives, and mapped network drives.

Unfortunately, most users do not realize Ransomware is on their computer until it displays the ransom note and your files have already been encrypted. Some of the files where associated malware has been found are:

%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
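As an added example (mine, not from the post or from any product it mentions), the Python script below runs a handful of detection rules over constructed process-creation events for the preparation steps this post describes: Shadow Volume Copy deletion, Start-up Repair disabled through bcdedit, and an executable launched from one of the drop locations listed. The event records, user and file names, and rule names are all constructed for illustration; the rule regexes assume a Sysmon-style image path plus command line per event.

```python
"""Detection rules for the ransomware preparation steps described above.
Added example: the events below are constructed, not real incident data."""
import re
from typing import Dict, List, NamedTuple

# Constructed process-creation events (shape modelled on a Sysmon-style log).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\abcd.exe",
     "cmd": r"C:\Users\bob\AppData\Local\Temp\abcd.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe notes.txt"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},  # benign: listing, not deleting
]

# Command-line patterns for the "delete all Shadow Volume Copies" and
# "use bcdedit to turn off Start-up Repair" steps named in the post.
CMD_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
]

# Drop locations listed in the post, as patterns over the executable's path.
DROP_LOCATIONS = [
    re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I),  # %Temp%
    re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I),      # %AppData%
    re.compile(r"\\AppData\\Local\\[^\\]+\.exe$", re.I),        # %LocalAppData%
    re.compile(r"^[A-Z]:\\ProgramData\\[^\\]+\.exe$", re.I),    # %ProgramData%
    re.compile(r"^[A-Z]:\\[^\\]+\\[^\\]+\.exe$", re.I),         # C:\<random>\<random>.exe
]
# The last pattern would also match C:\Windows\explorer.exe, so OS directories
# are excluded before the drop-location check runs.
TRUSTED_DIRS = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)


class Finding(NamedTuple):
    rule: str
    cmd: str


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the rule names an event matches; [] means nothing of interest."""
    hits: List[str] = []
    for name, pattern in CMD_RULES:
        if pattern.search(event["cmd"]) and name not in hits:
            hits.append(name)
    image = event["image"]
    if not TRUSTED_DIRS.match(image) and any(p.search(image) for p in DROP_LOCATIONS):
        hits.append("exec_from_drop_location")
    return hits


def triage(events: List[Dict[str, str]]):
    """Return (findings, score): one point per hit, so the chain of precursors
    a single ransomware run produces scores higher than one admin command
    seen in isolation."""
    findings = [Finding(rule, ev["cmd"]) for ev in events for rule in classify_event(ev)]
    return findings, len(findings)


if __name__ == "__main__":
    found, score = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:25s} {f.cmd}")
    print("score:", score)
```

`vssadmin list shadows` scores zero on purpose: the rule keys on deletion, which is the step the post names, so routine administration does not trip it. On a real host the score should be computed per process tree within a short window, since the three precursors arriving together from one parent is the signal, not any one of them.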
 
Soldato
Joined
21 Mar 2005
Posts
11,996
I investigate these on a regular basis, and provide Forensic support.

Ransomware will inject itself into Explorer.exe and disable System Restore, delete all Shadow Volume Copies, and use bcdedit to turn off Windows Start-up Repair. It will then inject itself into svchost.exe and encrypt the data on all local drives, removable drives, and mapped network drives.

Unfortunately, most users do not realize Ransomware is on their computer until it displays the ransom note and your files have already been encrypted. Some of the files where associated malware has been found are:

%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%

Nasty...
 
Soldato
Joined
29 Aug 2006
Posts
4,153
Location
In a world of my own
It's probably not advisable to open in VMs anymore there's been a couple that "break out" normally via the network as the host is connected. Can't imagine ransomware is too far away from utilising such a feature to slow down AV vendors testing it.

Most modern Ransomware already has sandbox evasion techniques built in - some of them quite sophisticated.

VirtualBox can be detected by looking at the drivers it uses (McAfee/Intel's sandbox is detected this way).
FireEye sandboxes can be evaded by checking on the number of CPU cores you are running - their appliances use 1 core per VM whereas most laptops have multiple cores, so malware just decided not to run in a single core environment.

Below is an example of activities discovered in a piece of malware that was considered zeroday on Friday just gone:
-----------------------------------------------------------------------------------------------------------------------------------------
Evasion: Potential detection of analysis tools (dbghelp.dll)
Evasion: Potential detection of virtual environment (Sandboxie)
Evasion: Potential detection of virtual environment (Sunbelt)
Evasion: Trying to detect analysis virtual environment (HDD detection)
File: Modifying executable in suspicious location of application data directory
File: Modifying executable in user-shared data directory
File: Searching for files iterating over directories
Packer: Overwriting Image Header (malicious packer)
Search: Enumerates running processes
Search: Enumerating keys related to FTP clients
Search: Retrieving the user account name
Search: Searching for FireFox Security Certificates
Search: Searching for FireFox Security module database
Search: Searching for Firefox Key Database
Steal: Password brute-forcing capabilities
Steal: Potentially malicious application/program (FTP Credentials Stealer)
Steal: Reading FTP client credentials
Steal: Reading browser stored credentials (Internet Explorer)
Steal: Reading browser stored credentials (Opera)
Steal: Reading system license information
Steal: Targeting Mozilla stored passwords

The MD5 of that malware is 0ac902c6c71dd2372ecf6d4b8717c72c for the curious.
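The behaviour list above follows a simple "Category: description (detail)" shape. As an added example (my parser, not the sandbox vendor's output format or tooling), here is a Python triage script that parses those exact lines, counts behaviours per category and pulls out which analysis environments the sample looks for and which credential stores it goes after, which is what an analyst needs before deciding whether a bare sandbox run can be trusted. The record type, function names and summary fields are my own; the report text is quoted from the post.

```python
"""Parse a 'Category: description (detail)' behaviour report and summarise it.
Added example: the report lines are quoted from the forum post above."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

SAMPLE_REPORT = """\
-----------------------------------------------------------------------------
Evasion: Potential detection of analysis tools (dbghelp.dll)
Evasion: Potential detection of virtual environment (Sandboxie)
Evasion: Potential detection of virtual environment (Sunbelt)
Evasion: Trying to detect analysis virtual environment (HDD detection)
File: Modifying executable in suspicious location of application data directory
File: Modifying executable in user-shared data directory
File: Searching for files iterating over directories
Packer: Overwriting Image Header (malicious packer)
Search: Enumerates running processes
Search: Enumerating keys related to FTP clients
Search: Retrieving the user account name
Search: Searching for FireFox Security Certificates
Search: Searching for FireFox Security module database
Search: Searching for Firefox Key Database
Steal: Password brute-forcing capabilities
Steal: Potentially malicious application/program (FTP Credentials Stealer)
Steal: Reading FTP client credentials
Steal: Reading browser stored credentials (Internet Explorer)
Steal: Reading browser stored credentials (Opera)
Steal: Reading system license information
Steal: Targeting Mozilla stored passwords
"""


class Behaviour(NamedTuple):
    category: str
    description: str
    detail: Optional[str]  # the parenthesised target, when the line has one


LINE_RE = re.compile(r"^\s*([A-Za-z]+):\s*(.+?)\s*$")
DETAIL_RE = re.compile(r"^(.*?)\s*\(([^()]*)\)$")


def parse_report(text: str) -> List[Behaviour]:
    """Turn report lines into Behaviour records. Lines that do not fit the
    'Category: text' shape (separators, blank lines) are skipped."""
    out: List[Behaviour] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        category, rest = m.groups()
        d = DETAIL_RE.match(rest)
        if d:
            out.append(Behaviour(category, d.group(1), d.group(2)))
        else:
            out.append(Behaviour(category, rest, None))
    return out


def category_counts(entries: List[Behaviour]) -> Dict[str, int]:
    return dict(Counter(b.category for b in entries))


def details_for(entries: List[Behaviour], category: str) -> List[str]:
    """Parenthesised targets for one category, in report order."""
    return [b.detail for b in entries if b.category == category and b.detail]


def triage_summary(entries: List[Behaviour]) -> Dict[str, object]:
    """First questions for an analyst: is the sample sandbox-aware (so a bare
    sandbox run may show nothing), is it packed, and what does it steal."""
    counts = category_counts(entries)
    return {
        "total": len(entries),
        "counts": counts,
        "sandbox_aware": counts.get("Evasion", 0) > 0,
        "evasion_targets": details_for(entries, "Evasion"),
        "credential_targets": details_for(entries, "Steal"),
        "packed": any(b.category == "Packer" for b in entries),
    }


if __name__ == "__main__":
    for key, value in triage_summary(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

When `sandbox_aware` comes back true, the evasion targets tell you which environments the sample refuses to run in, so a clean detonation needs an analysis VM that does not present those drivers or tools; the credential targets tell you which browser and FTP credentials to treat as exposed on an infected host.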
 
Soldato
Joined
21 Apr 2011
Posts
3,137
It basically means that (depending on the breach) his details have been stolen and are probably being sold on the black market - or depending on the age of the breach being freely passed around.

So based on the Adobe one - it's not worst case scenario but it was a big breach so lots of people were affected:


It's quite old, so most damage from password re-use has probably already been done; but if he re-uses passwords and he hasn't reset them since the breach I would certainly recommend it. Other than that, there is diddly that can be done. Just be pleased it wasn't a source that held more user info like names, addresses and credit card info.

Also, keep in mind that haveibeenpwned only contains the known breaches where Troy is able to get hold of the stolen data. It isn't a definitive "if it's not there I'm safe" conclusion, but Troy is pretty good at finding out and getting hold of the breaches since he started that site.

Useful, thanks :)
 