Get Free Milk And Free Malware Too

Everyone likes to get free stuff. Admittedly, it’s better if it’s a free vacation or free money. However, researchers at Palo Alto Networks have found a way you can get FreeMilk. Hey, free is free! There is bad news, of course: it comes in the form of malware. The schemers have figured out a way to intercept ongoing email “conversations” to distribute malware around the world. The attack exploits either a Microsoft Office or a WordPad vulnerability and involves two steps.

Part one is a decoy document in an email message that uses specific information about the recipient, in hopes that he or she will think it’s an authentic message. That’s what the attackers put together once they have intercepted the email conversation. This is the PoohMilk part of the attack. Then comes Freenki, which does the damage. It collects information such as the user name, computer name, and active processes on the computer, and it can take screenshots of the device. The information is then sent to the attackers, who can use it for other attacks.

In spearphishing, attackers gather information about the intended targets. This could be acquired from social media profiles and posts, such as from Facebook or LinkedIn, but could also be a result of a phishing phone call (vishing). Then they use it to craft the email. Since the recipients see all the specific information, they are more likely to click a link or attachment.

Just because the information is accurate and specific doesn’t make an attachment safe. Question why a document is arriving in the middle of a conversation before opening it. Call the sender on the phone and ask about it first. You can even send a text. Just don’t reply to the message; in this case, it’s better if you don’t send email at all.

There are literally no attachments that are safe these days. Malware can come in the form of documents, spreadsheets, executable files, text files, images, and anything else you can come up with. If you are not expecting an attachment or link, don’t click it.

Fortunately, this is a limited spearphishing campaign, discovered by the researchers in May of this year. But that doesn’t mean it won’t come across your inbox. Always be on the lookout for these scams.

© Copyright 2017 Stickley on Security

ATMs Are Becoming The Preferred Method For Stealing Cash

While payment card fraud and identity theft are still popular, visits to ATMs are becoming a preferred method for gangs of cyberthieves to steal cold hard cash. Called jackpotting or cashing out, recent attacks were carried out in Taiwan, Russia, the UK, The Netherlands, Spain, Belarus, Estonia, Armenia, and other countries throughout Europe and Asia, according to Europol and Trend Micro. These groups use malware that is installed on a financial institution’s network and eventually makes its way to the ATMs, allowing them to empty the machines of cash.

Unsurprisingly, the malware gets there via spear-phishing. Typically, the thieves send a malicious attachment to prescreened employees of the financial institution. If it’s opened, the malware executes and makes its way through the network. This method allows it to bypass perimeter security tools such as firewalls and intrusion detection systems.

Once the malware is on the ATMs, a low-level group member (a money mule) enters a sequence of numbers on the keypad and relieves the machine of all the cash inside. Sometimes debit and credit card information is also retrieved from the ATMs.

Ripper malware was used in such an attack in Thailand in 2016, where thieves stole roughly $363,000 worth of baht. In Taiwan, a more sophisticated technique was used: the thieves stole administrator credentials by accessing a bank’s voice recording system. They then mapped the network and located the ATM update system, ultimately “updating” it with malware that instructed the machines to dispense the maximum number of banknotes. They ended up with $2.7 million.

These types of attacks are becoming more popular because they are less risky than walking into a bank with a note and a firearm and demanding all the cash from the drawers or vaults. In fact, it’s unlikely the criminals behind a remote attack that uses money mules will ever be identified or caught.


TrickBot Trojan Evolves To Steal Email Messages And Cryptocurrency

The infamous TrickBot financial Trojan is very active and ever-changing, and it continues to make its way around the globe. IBM X-Force Research has recently discovered that it is not only targeting major banks, but can now also empty crypto-wallets of all their accumulated currency. It doesn’t stop there, however. It can now steal Outlook email messages and information from browsers as well. This version is being propagated through phishing email messages as well as through websites.

Earlier this summer, this Trojan was being sent in spam campaigns at a rate of 75,000 messages in a mere 25 minutes. It tricked customers of the UK’s Lloyds Bank out of their login credentials by using legitimate security certificates and website addresses that were so close to the real ones that it was nearly impossible to identify them as imposters.

Regardless of where email messages originate, always pay attention to where any links may be taking you. If you need to check something in any of your online accounts, log into them directly from the websites and verify there. Don’t click links or attachments or panic because an email claims you will be locked out of your account or poses some other threat.

If you don’t know the sender, it’s good practice to never click links or attachments anyway. And if you get an email from Aunt Martha that has a short “Hey, look at this” type of message with just a link, it should be deleted right away. It’s unlikely Aunt Martha would send such an obscure note. If you want to be sure not to offend her by trashing it without looking, pick up the phone and call her first to confirm she did intend to send it to you.

This malware is also now being delivered via fake websites. So, pay close attention when typing addresses into browsers so you don’t set it loose that way either. TrickBot is being sent at a rate of 40 million email messages per week and is targeting financial institutions in over 40 countries.


Popups in Apple Apps Steal iCloud Credentials

Scammers truly don’t give up. That’s because once they find something that works, it works really well, and it can result in a significant payoff. Recently, some of them have figured out how to trick Apple iOS users into giving up their iCloud passwords. And it is a surprisingly simple attack. It pays to take a few seconds to read and analyze why you’re being asked for credentials to anything, because this one is so good it can fool anyone.

Felix Krause, a software expert, explained in a blog post how scammers are taking advantage of our conditioning to enter our Apple credentials whenever we are asked, without so much as a pause to consider what we are doing.

The scammers are building popups that request credentials inside apps. Krause created a fake popup that is identical to the real one Apple shows. He didn’t get into the gory details or publish the code, although he did say that anyone who can program for iOS would be able to do it very easily.

Take some time when installing apps and updates to make sure any request for credentials is a legitimate one. There are some ways to avoid falling into this trap:

– If you see a popup, press the home button on your device. If the app and the popup both disappear, it’s phishing. If the popup stays, it’s a genuine system request.

– Get into the habit of entering your password manually, rather than putting it into any popup. That means going into Settings and entering it in the app there. If you have already started typing into a popup, clear the fields of all text you may have entered and cancel the request.

– In addition, when you are looking for an app to install on any device, do some research first to make sure it isn’t riddled with malware. Read the reviews; if there is something wrong with the app, it’ll show there. If there aren’t many reviews and the ones that are showing are all glowing, they may have been planted by whoever put the app up.

Also, avoid sideloading any apps (downloading from sites other than the official app stores). While getting them from the official app stores does not guarantee they are safe, the risk of downloading malware is significantly lower when doing this.


Netflix Update Steals Your Login Credentials And More

Netflix customers are once again being targeted in a recent scam. The scammers pose as employees of the streaming website in an attempt to steal Netflix login credentials and payment card information. They will use the payment card details to make purchases themselves or sell the information on the Dark Web. What do they do with the login credentials? They try the same login combination on other sites, hoping to get into your bank account or into some other site that holds very sensitive information they can also steal and sell.

Researchers at PhishMe discovered this most recent scam. Emails purport to be from the Netflix support team asking users to update their accounts.

Any time you are asked to update account details, don’t click links in email messages. Instead, go directly to your account using a previously bookmarked link you are confident is safe. Otherwise, carefully type the website URL into the address bar. Do a quick check to make sure you see “https://” before putting in any details. If all is clear, go ahead and log in and change your account details that way. This goes for any site, not just Netflix.

The email is addressed to “Dear Valued Customer,” rather than personalized. This suggests it is a mass campaign and should certainly be considered suspect. There is a link in the message you can click to “update” easily, but that link is malicious and will direct you to a fake webpage.

In this attack, the hackers hope you use the same login credentials on multiple sites. They will try to reuse the passwords in an attempt to get into your financial accounts or healthcare accounts, for example. That’s why you should always use unique passwords for each account you have.

A couple of months ago, another Netflix scam was going around asking users to update payment details to avoid having their accounts deactivated. If you see that one, the same advice applies.


Don’t Get Hooked Unsubscribing

Clicking the “Unsubscribe” button in a harmless-looking spam email brings a new level of security threat. Phishers have come up with a way to take advantage of us by combining our curiosity and our frustration with spam emails. It’s created a new cyber gnat determined to get your valuable information. Always looking to take advantage of human nature, cyberthieves have a variety of tried and true scams at their fingertips. It’s time to think twice before hastily unsubscribing from spam emails.

One effective tactic has phishers sending a phony but legitimate-looking email that appears to come from your bank. It claims you owe a negligible amount for an obscure bank fee. To avoid any future charges to your account, you’re instructed to simply click the “Unsubscribe” button and all future fees will be removed. Surprise! It’s a fake button redirecting you to a bogus bank web page. Maybe it’s the combination of a legitimate-looking website and the desire to put this annoying little financial fiasco behind you…but you cave. Never would you suspect that with one little click you just unleashed malware on your device and put your sensitive info up for grabs.

The Identity Theft Resource Center (ITRC), a US non-profit news website, provides identity theft education and information to consumers. The ITRC states, “Phishing attempts are another form of spam email that tries to entice you or coerce you into complying with the scammer’s intentions.” The organization suggests a few ways to reduce the risk of your information getting into the wrong hands:

– Delete the email without opening it. Opening spam alerts the sender that you are an active reader, possibly increasing their spam efforts.

– Mark it as spam. This flags the sender and IP address to your email provider as unsolicited, helping block future spam from that sender. Usually there is an icon somewhere in your email client you can click to accomplish this.

– Actively report the spammers directly to the email service provider being used and/or report the scam to the company the sender claims to be representing.
