Protecting your identity at school

The school season is right around the corner. Young people are targeted for data theft at 35 times the rate of adults – they are considered an easy target for both digital and physical theft. You can make going back to school an easier transition by ensuring your data and devices are secure both at school and at home. Even if you’ll be using the computers provided by your school’s libraries or labs, there are plenty of steps you can take to make your data safer.

Protecting Your Devices at School

If you’re using your own desktop, laptop or smartphone, there are two things to be concerned with: Physical and information theft. There are a few things you can do to minimize the odds of both types of theft, and mitigate the damage if either does occur.

  • Minimize the target
    Don’t leave your laptop or phone unlocked and unattended, whether you’re at home or in public – these items are easily grabbed when you’re not looking. And when you take your laptop with you in public, it’s best to carry it in a bag that doesn’t advertise what’s inside; laptop sleeves or carriers let people know exactly what you’re carrying.
  • Minimize the damage
    Installing a Tracker App will help you track down your device, should it be lost or stolen. And if the files on your device are encrypted, even if someone gets access to your computer, they won’t be able to profit from your information.
  • Beef up your security
    Physical loss and thefts are not the only ways to lose information on your phone. Malware and phishing are becoming increasingly common on mobile devices, so be sure to protect yourself. To protect yourself from phishing, make sure you’re using different passwords for all your different accounts, and pick a strong password for each. Using a password manager can help make this an easier task. Once you’ve got a good password, protect it: Don’t share it with others and don’t enter your password into sites you’ve visited via links in email or IM. To protect yourself from malware, install apps only from reputable apps stores, and scan those files with an anti-malware product before installing.
  • Be cautious on public Wi-Fi
    You can never be entirely sure who’s sharing the network with you on public Wi-Fi, so be extra careful when you use public Wi-Fi, like at school or at your local coffee shop. Use VPN software so that your web traffic will all be encrypted – it’ll help keep people from electronically eavesdropping on you.

Securing Your Data When Using Communal Machines

There may be times when you may need to use the computers that are provided by the school. You really have no idea who was using that computer last, or what they were doing before you got there, so you should probably assume the worst. It’s best to act as if anything you type or see on the screen can be recorded and act accordingly:

  • Do not use public machines to log into accounts, especially accounts that store financial information (e.g., bank accounts or credit cards).
  • Avoid online shopping, as someone could get not just your login credentials, but your credit card number.
  • If for some reason you do need to log into an account on a public machine, it is essential to change any passwords you may have used, when you get back to your own machine.
  • Browse in Privacy Mode if you can – if not, be sure to clear your browser history and all cookies.

Younger people may feel that their information is of lesser value than more established adults, because they may have smaller bank accounts or less-juicy data, and may not take security as seriously. Ultimately, it doesn’t matter how young you are – your data and identity are valuable to cybercriminals and correcting the problems caused by loss and theft is a pain, no matter your age. Protecting your data now will help you avoid those headaches.

by Lysa Myers, ESET We Live Security

Scam alert: Tesco will not pay you €120 for filling out a survey!

ESET Ireland warns of a scam abusing Tesco’s name, which promises €120 for filling out a survey, but steals credit card details instead.

Irish mailboxes are bombarded by various phishing scams every week. We usually point out the most alluring of them, so that Irish computer users would know how to recognise and avoid them. This week’s winner would have to be a fake email purporting to come from Tesco, titled “YOU GET PAYD FOR YOUR FEEDBACK” (trademark phishing spelling error included) and with the following content:

tesco0

Who would say no to some free cash, right? Upon clicking the link, you’re taken to a very Tesco-looking fake website that actually does include a survey asking standard consumer questions about customer satisfaction, shopping habits, etc, to be filled out. But the scam part comes at the end.

tesco1

The fake “survey” page ends with “Thank you for taking the time to respond to this survey. In return, we will add 120 € credit to your account just for your time. Please enter your account details to credit your 120 € reward” but you have to enter all your personal and credit card details there. Full name, address, date of birth, card number, expiration date, verification code and all other relevant details for making purchases in your name are handed over to the cybercriminals.

tesco2

Don’t fall for it! Ignore this and similar emails and stay safe online.

by Urban Schrott, ESET Ireland

New sick Facebook scam exploits Robin Williams’ suicide

ESET Ireland is issuing a warning about a widespread Facebook scam, this time exploiting the tragic suicide of comic actor Robin Williams.

The scam, which has spread widely on Facebook, claims to show a “goodbye” video made by Robin Williams before he committed suicide last week. However, when Facebook users click on the link they are told to share it with their online friends and complete a survey before they can watch the promised video. Each completed survey earns the scammers a small amount of money.

How the Robin Williams Facebook scam works:

The first thing you see is a post shared by one of your Facebook contacts, entitled, “ROBIN WILLIAMS SAYS GOODBYE WITH HIS PHONE VIDEO BEFORE SUICIDE”. Here is an example of how it might look in your Facebook newsfeed:

robin-williams-1

Clicking the Facebook link takes you to a third-party website, which claims to have a video that was purportedly filmed on Williams’ mobile phone in the minutes before his death.

If you click to watch the video, you are informed that you first need to share the link on your Facebook wall. The scammers do this to encourage as many people as possible to go through the same process.

robin-williams-scam-2

EXCLUSIVE VIDEO: ROBIN WILLIAMS SAYS GOODBYE WITH HIS CELL PHONE BEFORE HANGING HIMSELF WITH A BELT AND CUTTING HIMSELF WITH A POCKET KNIFE. HE CAN STILL MAKE EVERYONE LAUGH WITH THIS VIDEO BUT IT WILL MAKE EVERYONE CRY A RIVER AT THE END.

Instead of being shown the video, you are presented with a survey, from which the scammers behind this Facebook scam are making money.

“The point of the scam is that each time someone fills in the survey, they are paid an unknown sum,” said Peter Stancik, security expert at ESET.This is not the first time that a celebrity death is used as click bait on Facebook. The more victims that complete the survey, the more money the scammers make. And, in case you were wondering: no video is shown after completing this Facebook scam.

robin-williams-3

ESET Ireland’s advice:

The best thing to do is not to share or click on this scam, and report any sightings of it to Facebook. “It is a good idea to first check the links you click on social networks, and never Share or Like something before you have seen it yourself. Putting this in other people’s feeds is a surefire way to upset your friends” added Stancik.

Read more about this scam on ESET’s security blog, We Live Security: http://www.welivesecurity.com/2014/08/15/robin-williams-suicide-phone-call-scam/

Attention gamers: You’re targets for crime!

Video games have gone since the late 1970s and early 1980s from being a small offshoot of the “traditional” computing industry to becoming a full-fledged multi-billion dollar industry in themselves. Today, companies like Microsoft, Nintendo and SONY generate billions of dollars from sales of games and gaming consoles.

To get an idea of just how pervasive computer gaming is, let’s look at these successful games and consoles, and match them up with some other real-world numbers:

ITEM
NUMBER
EQUIVALENT TO
The Sims 175 000 000
(copies sold over 15 years)
Combined population of Austria, Belgium, Denmark, Germany, Liechtenstein, Luxembourg, Netherlands, Poland, Slovakia and Switzerland
World of Warcraft 7 600 000
(avg. # players over
last 4 quarters)
Cost of 2014 upgrades (in
USD) to Kensington Palace,
United Kingdom
8th generation console units 18 680 000
(PS4+Wii+XBONE units shipped/sold)
Average number of viewers per
episode of Big Bang Theory
during its 2012-2013 season

Computer gaming is a huge and a wildly successful market, and as in any system that works at scale, there are going to be so-called businessmen or entrepreneurs who “seek to optimize their return on investment through whatever means possible” or, to put it more succinctly, criminals who abuse the ecosystem.  But in virtual worlds, can real crimes occur?

The sale of virtual goods (including virtual currencies) is an important part of in-game economies, but also presents criminals with some unique opportunities as well, such as theft of in-game goods, counterfeiting items and gold farming. But computer criminals don’t just target gamers:  Gaming companies themselves can be targeted as well.  Probably the most well-known example of this is the April 2011 breach of the SONY PlayStation Network gaming and Qriocity music streaming service, which resulted in the compromise of the names, addresses and credit card details of 77 million user accounts. ESET provided extensive coverage of the SONY data breach in our blog, starting from the initial report of the breach in April 2011 all the way up to the proposed settlement of a week ago.

For the most part, computer gaming poses no additional risks beyond any other activities you might perform on the Internet.  You may, however, wish to take a few extra precautions, as outlined in the previous two articles from We Live Security:

This is a shortened version of Aryeh Goretsky’s article on We Live Security. Go here for the full story.

Was the »1.2 billion passwords stolen« story just a publicity stunt?

Last week the media was buzzing with the story that supposedly a Russian gang stole 1.2 billion passwords. But several experts, including ESET’s, have raised questions whether the »news« wasn’t just a publicity scam.

At ESET Ireland, we have ourselves noticed that the media love bombastic headlines. If known names get hacked, if governmental institutions lose data, or if many passwords are compromised, the security company revealing this will get a good share of publicity. This is why last week’s media frenzy about “1.2 billion passwords getting hacked by a Russian gang” raised many eyebrows.

What did the “report” say? Somewhere south central Russia, a group of men in their twenties dubbed “CyberVor” gang (“vor” means “thief” in Russian), is thought to be in possession of the largest known haul of stolen internet credentials – 1.2 billion usernames and passwords, together with 542 million email addresses stolen from some 420,000 different websites.

We’re not saying such a thing is impossible, as cybercriminal groups do collect such information via SQL breaches as was hinted in this case, as well as trade data on their own black market. So a gang intent on hoarding the largest database, could through time amass the said amount of passwords. “Russian hackers” is always a welcome topic that gets attention, even if the statistics sometimes contradict this, so the story got massive global coverage.

And this is where the eyebrow raising begins. The company that revealed the info is called Hold Security, a company very few people heard about before this story and that doesn’t offer an address or phone number on their website. It did however get their story about this “massive hack” published in the New York Times just when the Black Hat and Def Con conferences with many of the world’s top security experts attending were taking place in Las Vegas.

However, Hold Security did not reveal in any way how they have discovered this, what exactly they have discovered, what they have obtained and how they have disclosed this to the affected websites so the webmasters can take pro- or reactive measurements. Cybersecurity expert Graham Cluley was among the first to express his concerns.

But what followed the shocking announcement left us even more baffled. Hold Security offered a service where they charge money for webmasters to find out if their websites were affected by the hack in a form, that is reminiscent of phishing websites, where they ask users to enter their passwords and email addresses for them to “check” if they’ve been hacked! Tony Bradley of Minimal Risk commented in his blog, that the disclosure of Russian password hack seems like fake antivirus scam.

hold

Kashmir Hill of Forbes made the connection between panic-mongering and making a profit in her article Firm That Exposed Breach Of ‘Billion Passwords’ Quickly Offered $120 Service To Find Out If You’re Affected that “the Internet predictably panicked as the story of yet another massive password breach went viral” but that “you can pay ‘as low as $120’ to Hold Security monthly to find out if your site is affected by the breach.”

At ESET Ireland we agree it would be unwise to dismiss the possibility of such a hack and website developers, for instance, should ensure that they have reviewed their code for SQL injection vulnerabilities, as well as other commonly found flaws, but the scarcity (or refusal to present it) of evidence or additional info, as well as the shady business offer following it, leaves us all with a very strange aftertaste.

What’s scamming this week? FBI, Tesco and Bank of Ireland

FBI1

ESET Ireland warns of FBI, Tesco and Bank of Ireland names abused by scammers in phishing emails sent to Irish mailboxes.

Another week, another variation of the old phishing scams hitting Irish mailboxes. This week the scammers are telling us Bank of Ireland wants us to update our account, Tesco wants to add €120 to our cards and FBI wants to pay us $5.9 million. Wow!

Dear customer,
We wish to inform you that access to your online account will soon expire. In order for this service to continue without any interruption, You are require to fill and confirm your details via the following link below:
Update Your Bank Of Ireland online account:- click here to update
After which your online account will then be automatically restored and you will be contacted by one of our bank employees.
With online banking , you have everything at your fingertips with a click .
With online banking , you have quick and easy access to your checking account. You can easily do transfers and standing orders with one click.
We are very pleased to be at your service
Sincerely,
Bank Of Ireland Customer Service.

 

So says the first phishing email. They’re basically telling us to go to their page and give them our online banking log in details, so they can do whatever they want with them. Bank of Ireland warns of these scams on their website, saying “Never respond to any unsolicited e-mail that asks you to validate your login / payment credentials no matter how reasonable the request looks.”

You have been selected to access the Tesco Survey and win a 120€ direct to your card.
Please click here and complete the form to receive your reward. Thank you.

 

The “Tesco” spam is even more straightforward, but like the one above just leads to a site that harvests people’s personal details and financial info. Tesco also offers some advice on staying safe online on their website, adding “Please remember we will never ask for your bank or security details.”

But my personal favourite this week is the FBI one. The gist of it is, that FBI is warning us “that you are among one of the individuals and organizations who are yet to receive their overdue payment from overseas which includes those of Lottery / Gambling, Contract and Inheritance. Through our Fraud Monitory Unit we have noticed that you have been transacting with some impostors and fraudsters” and that “The Cyber Crime Division of the FBI gathered information from the Internet Fraud Complaint Center (IFCC) on how some people have lost outrageous sums of money to these impostors”, and because those wicked fraudsters are out to get us, we should contact barrister James Henry of the Central Bank of Nigeria directly, with all our banking details, so he can transfer us $5.9 million that we are “owed”. Scammers trying to scam us by warning us of scammers. Cute, isn’t it?

Well, now you know. Don’t fall for their tricks and stay safe online.

Monthly Threat Report: July 2014

Top_10_ELG_julio_14_1200x627eng-01

The Top Ten Threats

 

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 2.3%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains an URL address, and it tries to download several files from the address. The files are then executed and the HTTP protocol is used.  The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

 

2. JS/Kryptik.I

Previous Ranking: 2
Percentage Detected: 1.82%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

 

3. Win32/RiskWare.NetFilter

Previous Ranking: n/a
Percentage Detected: 1.73%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infeted computers to engage in unwanted behaviour. It allows an attacker to remotely connect to the infected system and control it in order to steal sensitive information or install other malware.

 

4. LNK/Agent.AK

Previous Ranking: 3
Percentage Detected: 1.55%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and, additionaly runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability was known as Stuxnet was discovered, as it was one of four that threat vulnerabilities executed.

 

5. Win32/Sality

Previous Ranking: 4
Percentage Detected: 1.38%

Sality is a polymorphic file infector. When run starts a service and create/delete registry keys related with security activities in the system and to ensure the start of malicious process each reboot of operating system.
It modifies EXE and SCR files and disables services and process related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_a

 

6. HTML/ScrInject

Previous Ranking: 8
Percentage Detected: 1.37%

Generic detection of HTML web pages containing script obfuscated or iframe tags that that automatically redirect to the malware download.

 

7. Win32/Adware.MultiPlug

Previous Ranking: n/a
Percentage Detected: 1.28%

Win32/Adware.Multiplug is a Possible Unwanted Application that once it’s present into the users system might cause applications to displays advertising popup windows during internet browsing.

 

8. INF/Autorun

Previous Ranking: 5
Percentage Detected: 1.24%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case.

 

9. Win32/Conficker

Previous Ranking: 6
Percentage Detected: 1.15%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This treat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

 

10. Win32/TrojanDownloader.Zurgop

Previous Ranking: n/a
Percentage Detected: 1.14%

Win32/TrojanDownloader.Zurgop it a family of malicious codes that once they infect a vulnerable system will downloder other malware from the Internet. Variants of this family use different techniques to avoid detection such as run-time compressed packers like PEncrypt or PECompact.

Follow

Get every new post delivered to your Inbox.

Join 72 other followers