PC PORTAL

Experienced. Trusted. Solutions.

Featured Posts

By

Cyber Monday: Big Savings, Big Risks

Reading Time: ~3 min.

What business owners and MSPs should know about the year’s biggest online retail holiday

It’s no secret that Black Friday and Cyber Monday are marked by an uptick in online shopping. Cyber Monday 2017 marked the single largest day of online sales to date, with reported sales figures upwards of $6.5 billion. Data from Webroot charted a 58 percent increase in traffic to shopping sites on that day. And while Black Friday originated as a day to tussle with your neighbors for deals in person, online retailers like Amazon and eBay wouldn’t be left out and have begun offering their own deals.

What’s less often discussed is the corresponding rise in cybercrime that accompanies these online retail holidays. Webroot noted a surge in phishing and fraud sites of 203 percent between November 19 and December 5, with the number of such sites peaking on Cyber Monday. Instances of spyware and adware also rose 57 percent during the busy holiday shopping period, again peaking on Cyber Monday.

The Problem with Cyber Monday

For business owners and those in IT, Cyber Monday likely means lost productivity as employees bargain hunt at work rather than actually work. (It’s interesting to note that, according to CNET, the first Cyber Monday in 2005 was intentionally made to fall on a weekday so workers could browse shopping sites on faster computers.) As our data shows, more than just a few hours of lost productivity are at stake.

Employees expose business owners to greater risks of phishing scams, ransomware, and other types of attack that could significantly lengthen downtimes for all employees, or even shutter a business completely. According to a Better Business Bureau study on cybercrime, more than half of businesses would cease to be profitable within a month if a ransomware attack were to lock them out of essential data.

What’s a Business Owner to Do about Cyber Monday?

Whether you’re a business owner or provide IT services, you’re likely to see employees or clients indulging in deals this Cyber Monday. But there are strategies for limiting your risk on November 26. As with much of cybersecurity, you can manage your policy for online shopping based on what you consider acceptable levels of risk.

With network-level protection it’s possible to block access to any sites categorized as “shopping,” while still whitelisting trusted domains. Our research shows Amazon, the Apple iTunes Store, and Walmart rounded out the top three most visited shopping sites last Cyber Monday, so employers may want to consider whitelisting those sites specifically, while still blocking less reputable ones. Webroot offers DNS protection with the ability to filter according to more than 80 categories, including gambling, adult content, and weapons, as well as shopping. Set a policy to block the shopping category this Cyber Monday, with your own tailored exceptions and presto, problem solved.

There are also other, less prohibitive strategies for protecting employees and clients, too. Tools like Webroot’s Web Classification and Reputation services forecast the risks of visiting more than 27 billion URLs, which can help user determine if that deal really is a little too good to be true. IP Reputation Services make a similar determination based on an IP’s risk score.

Real-Time phishing protection and hands-on phishing simulations can go a long way toward improving security, too. The surge in these types of attacks represents cybercriminals focus on the weakest element of a company’s IT security: the end users themselves. Catching phishing attacks before they’re clicked and teaching users to be vigilant about threats by using custom phishing templates are paramount to your business’s security posture.

So there are a variety of methods for limiting disruption from online shopping in the workplace, so business owners and managed service providers shouldn’t let Cyber Monday come and go without preparation. Employees will almost certainly be on an online hunt for deals and cybercriminals know it.

Focus on security now, before a user’s big savings end up costing you.

The post Cyber Monday: Big Savings, Big Risks appeared first on Webroot Blog.

By

Cyber News Rundown: Botnet Targets Brazil’s Banks

Reading Time: ~2 min.

Brazilian Bank Traffic Rerouted by Massive Botnet

A botnet containing more than 100,000 routers and other devices was recently spotted hijacking traffic destined for several Brazilian banks. The hijacking victims are then sent to one of at least 50 confirmed phishing sites that will attempt to steal any information the user will provide. Backing this ever-growing botnet are a small collection of tools used to brute-force weak passwords and continue to search for other devices with poor security.

Cyber Attack Shuts Down Canadian Restaurants

A major Canadian restaurant chain announced several of their restaurant brands had suffered a ransomware attack that affected nearly 1,400 stores in recent days. While many of the IT systems were quickly taken offline to prevent further spread of the infection, customers were met with non-functioning payment systems or just closed doors. Fortunately, the company keeps regular backups and was able to restore their systems without paying a ransom.

High-Profile Instagram Accounts Being Hacked

Several high-profile Instagram accounts were hacked and held hostage recently, with some accounts being deleted even after a payment was sent. Though many victims have contacted Instagram multiple times regarding access to their accounts, some were sent automated responses while others regained control of their accounts without hearing from the company.

Google Chrome Cracks Down on Extensions

With dozens of new extensions being added to Google’s Chrome Web Store every day, it has become increasingly difficult for Google to police for malicious apps. That’s why, accompanying the release of Chrome 70, will be the ability for users to restrict browser extensions to a single site and limit the amount of permissions the extension has over the pages viewed. Additionally, Chrome has implemented 2-step verification for all developer accounts to curb the volume of hacked apps made available.

Port of San Diego Hit by Ransomware

It was revealed last week that the Port of San Diego, which controls over 34 miles of coastline, suffered a ransomware attack that temporarily knocked out their computer systems. Fortunately, most routine port operations remained able to function normally while systems were offline. There is still no information on whether the ransom has been paid or how the infection occurred.

The post Cyber News Rundown: Botnet Targets Brazil’s Banks appeared first on Webroot Blog.

By

Unsecure RDP Connections are a Widespread Security Failure

Reading Time: ~3 min.

While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP) connections becoming the favorite port of entry for ransomware campaigns.

RDP connections first gained popularity as attack vectors back in 2016, and early success has translated into further adoption by cybercriminals. The SamSam ransomware group has made millions of dollars by exploiting the RDP attack vector, earning the group headlines when they shut down government sectors of Atlanta and Colorado, along with the medical testing giant LabCorp this year.

Think of unsecure RDP like the thermal exhaust port on the Death Star—an unfortunate security gap that can quickly lead to catastrophe if properly exploited. Organizations are inadequately setting up remote desktop solutions, leaving their environment wide open for criminals to penetrate with brute force tools. Cybercriminals can easily find and target these organizations by scanning for open RPD connections using engines like Shodan. Even lesser-skilled criminals can simply buy RDP access to already-hacked machines on the dark web.

Once a criminal has desktop access to a corporate computer or server, it’s essentially game over from a security standpoint. An attacker with access can then easily disable endpoint protection or leverage exploits to verify their malicious payloads will execute. There are a variety of payload options available to the criminal for extracting profit from the victim as well.

Common RDP-enabled threats

Ransomware is the most obvious choice, since it’s business model is proven and allows the perpetrator to “case the joint” by browsing all data on system or shared drives to determine how valuable it is and, by extension, how large of a ransom can be requested.

Cryptominers are another payload option, emerging more recently, criminals use via the RDP attack vector. When criminals breach a system, they can see all hardware installed and, if substantial CPU and GPU hardware are available, they can use it mine cryptocurrencies such as Monero on the hardware. This often leads to instant profitability that doesn’t require any payment action from the victim, and can therefore go by undetected indefinitely.

Source: https://knowyourmeme.com/photos/1379666-cheeto-lock

Solving the RDP Problem

The underlying problem that opens up RDP to exploitation is poor education. If more IT professionals were aware of this attack vector (and the severity of damage it could lead to), the proper precautions could be followed to secure the gap. Beyond the tips mentioned in my tweet above, one of the best solutions we recommend is simply restricting RDP to a whitelisted IP range.

However, the reality is that too many IT departments are leaving default ports open, maintaining lax password policies, or not training their employees on how to avoid phishing attacks that could compromise their system’s credentials. Security awareness education should be paramount as employees are often the weakest link, but can also be a powerful defense in preventing your organization from compromise.

You can learn more about the benefits of security awareness training in IT security here.

The post Unsecure RDP Connections are a Widespread Security Failure appeared first on Webroot Blog.

By

Cyber News Rundown: Big Data Mismanagement

Reading Time: ~2 min.

Massive Customer Database Left Exposed by Data Management Firm

A security researcher recently found a database containing customer information for nearly half a billion users of Veeam software on an unsecured AWS server. Most of the data was contact information spanning from 2013 to 2017 and was likely used by the Veeam marketing team’s automated customer contact functions. Fortunately, the database was taken offline within a week of the researcher contacting Veeam about the server.

Hacker Group Breaches British Airways

After last week’s reveal of the data breach affecting nearly 380,000 of the airline’s customers, it was discovered that the injection methods used were the work of known hacker group MageCart. By compromising third-party actors, the group can access hundreds of sites and begin passing any customer payment information back to their own systems. Even more toublesome, this particular attack appeared to be tailored for the British Airways systems specifically, but could very likely be readjusted for other applications.

Chinese Hackers Using Digitally Signed Drivers for Attacks

A long-active hacker group likely based in China has expanded their tactics to include a seemingly innocent network filtering driver (NDISProxy) to start their latest malware campaign. The driver itself has a signed digital certificate from a Chinese-based security software company, which was likely unaware their certificate was being misused. By injecting itself silently across the infected network, the fully functioning remote access Trojan can be used to execute malicious tasks with ease.

Scam Calls Causing Mobile Traffic Jam

The number of scam calls recoreded by the call management firm First Orion rose nearly 1000% over the past year, from 3.7% of total calls last year to 29% so far in 2018. The projections for the coming year project that number to rise to half of all mobile calls received in the U.S. Unfortunately, service providers have few options for slowing down the bombardment of phony calls facing their customers.

Latest MongoDB Attacks are Ransoming Empty Databases

While MongoDB attacks are nothing new, Mongo Lock has stepped up the game by identifying unprotected databases, exporting the data to their servers, wiping them clean, and leaving behind a ransom note instructing the victim to reach out via email rather than sending a Bitcoin payment directly to a crypto-wallet. Mongo Lock appears to operate via an automation script, though it has been known to fail, leaving the victim with both the ransom note and their original data.

The post Cyber News Rundown: Big Data Mismanagement appeared first on Webroot Blog.

By

EICAR – The Most Common False Positive in the World

Reading Time: ~4 min.

If you saw a file called eicar.com on your computer, you might think it was malware. But, you would be wrong. Readers, if you haven’t yet met the EICAR test file, allow me to introduce you to it. If you have used the EICAR test file, let’s get a bit cozier with it.

If you ran this file through VirusTotal, 61 out of 62 antimalware scanners currently would detect the EICAR test file as if it were malicious. That’s because the EICAR file is actually a tool that was designed to help users verify their antimalware scanner is functioning properly. The EICAR test file is a harmless piece of code that most vendors have agreed to flag as if it was malicious. Essentially, it’s a false positive—by design—for your benefit. Some scanners detect it, some do not; neither outcome indicates that any scanner is better or worse than another.

If you have heard of EICAR, you may have seen it referred to as a “test virus,” but that’s inaccurate. Think of it more like the test button on a smoke detector in your home. The test button doesn’t simulate fire or smoke; it simply lets you know that the smoke detector is functional. The test button certainly doesn’t tell you anything about the quality of the smoke detector. Similarly, the EICAR test file does not simulate malware, it just causes a scanner to demonstrate how it would handle a threat it detected (assuming the vendor has chosen to recognize the file as malicious, that is.)

Using the EICAR Test File

Now that you know more about EICAR, let’s talk about why, how, and when you might want to use it.

  1. Curiosity. The first time I used the test file, it was purely out of curiosity. What if I zipped the file up or changed its extension from .com to .xyz, and so on. Because the file itself is harmless, I could simulate any number of scenarios without risk to my computer or my data.
  2. Smoke test.The intended purpose of the test file was always to verify that your scanner was properly installed and that the scan engine was functional. Any time you install a new antimalware product, you can give it a quick test with the EICAR file to make sure it is functioning as designed (if the vendor support the file, that is.)
  3. Forensics. Malware writers often try to disable a scanner as soon as their malicious code gains a foothold on a given computer. If you periodically test your scanner and, one day, it fails to detect the test file, that couldindicate of an infection. Keep in mind, it could also indicate that another layer of security blocked the file before it got to your scanner. The test itself is not conclusive and should only be considered as part of a bigger picture.
  4. Behavioral information.Between 1997 and 2004, I ensured that none of their software releases were infected. I used 11 different virus scanners on each of my test machines (don’t try this at home). The testing was not about the quality of the scanners, but rather how they’d react in different situations to help me make decisions and gain greater knowledge. For example, antivirus scanners have default configurations that I needed to test and potentially modify. Back then, not all scanners scanned all extension types by default. A directory with EICAR test files that each had different extensions would allow me to determine if my scanner’s default configuration for file types needed to be adjusted. Once I made modifications, I had to test those as well. There were a variety of tests I could run involving filenames with punctuation or foreign language characters, too. Basically, I could test virus handling without needing am actual virus.

Note: At the Virus Bulletin conference in 1999 I presented the paper, “Giving the EICAR Test File Some Teeth.” If you’re interested in the breadth of test scenarios I explored, you can read the paper on the Virus Bulletin website.

Where to Find EICAR

You’d think the easiest way to get your hands on this file would be to download it straight from www.eicar.org, except that your antimalware scanner might block the download. To get around that, you’d likely have to temporarily disable your web protection—WHICH I DO NOT RECOMMEND. Instead, I’ll show you how to create the file yourself.

Here are the step by step instructions.

  1. Open Notepad.
  2. Copy the following string and paste it into Notepad:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  3. Save the file and cross your fingers that your scanner doesn’t detect it on close.

Note: You could create the file in Microsoft® Word, but you’d have to save it as plain text. The test file must begin with the test string, and Word includes additional information in .doc and .docx files.

The file eicar.com, will run on older operating systems, but not on a 64-bit OS. When you run it on a compatible OS, the file will display this text.

eicar1

You can change the display message to anything you like. In the following example, I’ve replaced the word EICAR with my name.

eicar2

However, if you change it as I did above, it will no longer be a valid test file and should not be detected by your antimalware program.

At the 1999 Virus Bulletin conference, I asked researchers for EICAR-like test files to test script and macro detection. Although we still don’t have that, the Anti-Malware Testing Standards Organization (AMTSO) provides a set of security feature checks at www.amtso.org/security-features-check. Just be sure to remember that the security feature checks, like the EICAR test file, don’t indicate the quality of the product, but they can be used to ensure that certain features are functioning.

Questions? Comments? Let’s talk on the Webroot community forum.

The post EICAR – The Most Common False Positive in the World appeared first on Webroot Blog.