Beware: Ransomware!

Hackers demanded US$3.6 million to unlock the hospital’s files

In February 2016, a staff member at the Hollywood Presbyterian Medical Centre (HPMC) in Los Angeles opened an invoice in an emailed Word document and accidentally activated Locky, a nasty piece of ransomware that spread rapidly across the hospital’s systems, encrypting files as it went. Within hours, doctor’s were unable to access patients’ records or share x-rays, scans or medical test results. Admin staff had to resort to pen and paper to do admissions. According to some reports, the hackers initially demanded US$3.6 million to unlock the hospital’s files. In the end, HPMC paid US$17,000 in untraceable bitcoins, and ten days after that fateful click their systems were back on line.

A decade ago, computer viruses were system-crashing, file-deleting monsters that threatened to trash your PC. They don’t get much press these days, but they’re still around, working quietly in the background, encrypting files, stealing signons, or linking to botnets to send out spam and further propagate themselves. Within a fortnight of the HPMC attack, Symantec had deleted more the five million emails containing Locky, and at its peak it was reckoned to be infecting five thousand machines an hour in Germany alone.

Once defence forces mustered, the attacks declined, then resurfaced briefly in August and November as new vectors were discovered: JavaScript attachments on bogus emails and code hidden in downloadable image files on Facebook and LinkedIn.

Viruses hidden in Word macros are one of the oldest tricks in the book, dating all the way back to the notorious “I Love You” virus that infected one-tenth of all internet-connected computers in the year 2000. But there are plenty of other ways you can be caught out.

 

A special note about Windows XP
I’ll say this as quietly as I can: Aaaarrgghh!

If you still have a machine running Windows XP, disconnect it from the internet immediately and make plans to replace it, today! Support for XP ran out in April 2014 (extended from its original planned phase-out in 2009) and the operating system is remotely exploitable via numerous security holes discovered in the last three years, none of which have been patched. Despite this, a mid-2016 survey found that around 7% of all desktops were still running XP.

 

Phishing, like its sporty-sounding equivalent, involves throwing out a baited line in the hope that an unwary victim will snap at it. The lure in this case is an email, typically from your bank, warning of a security problem and asking you to click a link to confirm your details. That link will take you to a perfect copy of your bank’s web site where you attempt to sign in – and fail. (It is a fake site, after all.) You’ll be prompted to try again, and this time be redirected to the bank’s genuine site where your second attempt will succeed. Most people will blame the initial failure on a typing error, not realising they’ve just given away their login details to hackers.

There are three main types of phishing. Spear phishing uses personal information to improve an email’s apparent legitimacy. (Social media’s a great source of information.) Clone phishing updates a previously sent legitimate message with new links, while whaling is targeted at businesses and senior executives, typically taking the form of a legal document or a customer complaint.

They’re all after one of two things…

All phishing is a numbers game. Send out a million emails, and even if only 0.01% of people click your link, you’ve got a hundred hits. It also takes a huge variety of forms. You may have won a lottery you never entered, inherited money from a relative you didn’t know you had, be offered an incredible investment opportunity or asked to help “liberate” funds from a third-world country in exchange for a percentage. It may be an invoice, a tax refund, or – in a local variant of Locky that surfaced here last September – a message from CourierPost about re-delivering a package. There are scams involving tech support, employment offers, visas to work in other countries, cheap holidays or tickets to major events. They’re all after one of two things: money up front and/or personal information such as bank account and credit card details or usernames and passwords.

Sometimes it’s hard to see where the catch is. Clever scammers may string you along for weeks or even months, establishing trust before asking for assistance in the form of a bank transfer. Online dating scams work this way. Suddenly your new friend is robbed, or stuck in a foreign country. Please help!

How to protect yourself

If the possibilities seem daunting, prevention is a matter of caution and common sense.

  • If the concept of computer security leaves you cold (or even just lukewarm) get professional advice! Threats change on a daily basis – sometimes hourly – and every site uses different hardware and has a different risk profile. You may need a firewall, better antivirus software, or that old router may require an update. Security isn’t something you set and forget. It’s more like a pet: it needs regular attention.

  • Treat any and every email with suspicion – especially if it contains attachments or convenient links to fix a problem you didn’t know you had. One quick way to check a link is to hold your cursor over it and look at the address that pops up. A second way is to look for the green padlock in your browser. All banks and financial institutions use certificates that verify they are who they claim to be. Hackers don’t. A trusted connection will look like this;

  • Keep your software up to date. Windows is way more secure than it used to be (even without antivirus software) and OS X remains streets ahead. And don’t forget third-party browsers. Firefox and Chrome blacklist hazardous add-ons and warn users of the latest suspect sites and potential phishing attacks, but can only can only do so if they’re up to date.

  • Do backups. Regularly. You don’t need to backup the whole machine, only the stuff you can’t buy, like personal documents and photos. And it needn’t be an onerous process. Once set up, even a huge backup will usually only take a few seconds because the software will only backup the files that have changed.

  • Keep an off-site backup. If your house burns down, that backup in the top drawer of your desk will probably go with it. Off-site could be a shed at the bottom of the garden, your desk at work or “in the cloud” via Dropbox, Google Drive or OneDrive.

 

What to do if you’re hit by ransomware
If you receive a message saying your files have been encrypted and that you can only recover them by paying a fee – typically US$200-400 – switch off immediately and call your IT support person. Encrypting files takes a while so you may have only lost a handful. And anyway, you’ve got backups, right?

A new, even more cunning variation is simply a message saying that your files have been encrypted when they haven’t even been touched. Some people panic and pay up anyway.

 

Business Considerations

For businesses – small or large – all of the above applies to each and every one of your users, and there are some extra considerations too. By far the biggest threat comes, not from without, but from within: disgruntled employees. In over a thousand incidents documented by the Computer Emergency Response Team in the States, employees were found to have deliberately deleted data, blocked access to it, or copied, modified or disclosed it to third-parties. In one case, a former employee continued to reek havoc four months after he was dismissed because his access to the company’s systems hadn’t been revoked.

Add to this accidents, careless or uninformed staff and the Bring Your Own Device hazard – where unpatched or vulnerable personal devices like laptops, phones, tablets and USB drives may be connected to your network – and you’re probably already starting to get a headache.

Identify and manage your “privileged data”

The only reasonable way to manage all this is to have a security policy. Think of it as health and safety for your data. What can and can’t be connected to your system? Who’s the go-to person for problems or questions? What’s allowed and not allowed? (Playing games? Probably not. What about social media …?) Above all, you need to identify and manage what’s known as “privileged data” – the stuff critical to your business – and control who has access to what parts of it. Individual signons are better than global ones. If Joe in Accounts quits tomorrow, you need to be able to shut off his access right away. What’s more, individual signons can be logged, providing details of who did what and when.

Some other considerations:

  • Do backups, do backup, do backups! And keep a set off site.

  • Test your backups regularly. Are you really saving everything you’d need in the event of a disaster?

  • Restrict access to critical hardware. Keep the server room locked or put routers, servers and backup drives in a lockable cabinet.

  • Don’t forget hardware updates. Though less frequent, routers, servers and disc stations also fall foul of security bugs so it’s important to keep them up to date too.

  • Consider taking out cyber-insurance. (See below.)

The HPMC ransomware attack highlighted two key failures: the hospital had a no real security policy and they had insufficient backups. The latter alone would have mitigated the attack. Instead of being down for days and having to pay a ransom to recover their data, they could have been back up within hours. Make sure you don’t get caught out!

 

The insurance option
Data is critical to modern businesses, perhaps even more so than your premises or equipment, so why not consider insuring it too?

Cyber-insurance can cover you for the obvious things like business interruption, third-party liabilities, theft and the cost of restoring data after an attack, and the better policies also cover less obvious things like legal expenses, data forensic costs and even provide assistance with public relations to manage the muddle.

 

This article first appeared in the Autumn 2017 issue of On MAS, the magazine
for members of the Medical Assurance Society.
© Geoff Palmer 2017

Share this ...
Share on FacebookTweet about this on TwitterPin on PinterestShare on Google+Share on TumblrShare on LinkedInDigg thisShare on RedditShare on StumbleUponEmail this to someonePrint this page

Watch out for this sneaky domain name con!

 

If you own a domain name – something like www.yourdomain.com – your registrant details are a matter of public record, which is where this sneaky con comes in.

Nearing the time you’re next due to update your website registration, (also a matter of public record), you may receive and email like this:

From:    Your Website
Subject: Domain Notification: YOUR NAME This is your Final Notice of Domain Listing – YOURDOMAIN.COM
To:      YOU@YOURDOMAIN.COM
Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: YOURDOMAIN.COM
Call: 1-716-805-3253
ATT:
Domain Owner YOUR NAME
ADMINISTRATIVE CONTACT
-
YOU@YOURDOMAIN.COM
STREET ADDRESS OF ADMINISTRATIVE CONTACT
YOURDOMAIN.COM
Requested Reply Before
April 18,2017
PART I: REVIEW SOLICITATION
Attn: Domain Owner YOUR NAME

As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration.This letter is to inform you that it's time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine subscription includes domain name search engine submission.

You are under no obligation to pay the amounts stated below unless you accept this offer. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: WWW.YOURDOMAIN.COM will expire on April 18, 2017 Act today!

[ ] 1 year 04/18/2017 - 04/18/2018 $75.00
[ ] 2 year 04/18/2017 - 04/18/2019 $119.00
[ ] 5 year 04/18/2017 - 04/18/2022 $199.00
[ ] 10 year -Most Recommended- 04/18/2017 - 04/18/2027 $295.00
[ ] Lifetime (NEW!) Limited time offer - Best value! Lifetime $499.00

Payment by Credit Card or Check
Call our New York main office: (716)805-3253

 

If you read it closely, you’ll see that they’re asking you to register for “Domain name search engine registration”, an utterly meaningless “service”. Search engines like Google search the entire web. Automatically. For free!

The real gotcha comes after some dotted lines at the bottom of the email in what looks like standard legal boilerplate. I’ve highlighted the bits you may have overlooked:

---------------------------------------------------------------------
By accepting this offer, you agree not to hold DS liable for any part. Note that THIS IS NOT A BILL. This is a solicitation. You are under no obligation to pay the amounts stated unless you accept this offer. The information in this letter contains confidential and/or legally privileged information from the notification processing department of the DS 3501 Jack Northrop Ave. Suite #F9238 Hawthorne, CA 90250 USA, This information is intended only for the use of the individual(s) named above. There is no pre-existing relationship between DS and the domain mentioned above. This notice is not in any part associated with a continuation of services for domain registration. Search engine submission is an optional service that you can use as a part of your website optimization and alone may not increase the traffic to your site. If you do not wish to receive further updates from DS reply with Remove to unsubscribe. If you are not the intended recipient, you are hereby notified that disclosur
And that’s where the message cuts off. At “disclosur”.

In short, the whole thing is a con. From a bunch of scumbags trying to make a fast buck out of the busy or unwary. Avoid!!

Share this ...
Share on FacebookTweet about this on TwitterPin on PinterestShare on Google+Share on TumblrShare on LinkedInDigg thisShare on RedditShare on StumbleUponEmail this to someonePrint this page

Watch out for this sneaky Gmail attack

Wordfence have highlighted a particularly sneaky Gmail phishing attack. Here’s what to look out for …

You receive an email – possibly from a friend or a legitimate contact – with an attachment, like this:

Although it looks genuine, it’s NOT a real attachment. It’s actually an embedded image crafted to look like a PDF, and when you click it, the embedded link in the image takes you to a fake Google login page …

… that also looks like the real thing. The only clue is in the browser’s address bar:

But that looks genuine too, doesn’t it? It says https://accounts.google.com, etc. The only oddity is that  data:text/html preface. And that’s the gotcha. It’s actually what’s known as a ‘data URI’ and what it’s telling the browser is that what follows isn’t a web address but a string of text, in this case a particularly long one. After a lot of whitespace to push what follows off the screen, you’ll find this …

… the start of a script that opens in a new tab and creates a functional but fake Gmail login page. A page that sends your user name and password to the attacker.

According to a comment on Hacker News,

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.”

Share this ...
Share on FacebookTweet about this on TwitterPin on PinterestShare on Google+Share on TumblrShare on LinkedInDigg thisShare on RedditShare on StumbleUponEmail this to someonePrint this page