Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Wednesday, November 27, 2013

Employee Manual to Prevent Cryptolocker and More

A common way computers are infected or compromised has always been a simple yet well thought out deception. It can happen to anyone and the use of social trickery is nothing new. Understanding the victim is all that’s needed to receive their cooperation. 

If you’re thinking “it could never happen to me”, this refresher couldn’t hurt. You might want to share the examples here with your friends, family and especially your employees. Social engineering has come a long way since the possibility of seeing Anna Kournikova naked.

Here’s a common example that has been used to infect computers with the crippling Cryptolocker extortion attack.


This one and variations are going to get more popular as Santa starts shipping his presents. In this example the “From” email isn’t even disguised which means these guys were really lazy. Don’t bother replying because the Email address belongs to someone who has already been hacked and was probably shut down by the time you receive your Email.

Any Email “bait” like this will appear to be a legitimate message. The attacker linked to text and a graphic located at FedEx. The simple line of code below is all that’s needed to display the FedEx logo:

<img src="https://">

This Email from fake UPS is also tempting because you certainly wouldn’t want to miss anything. We all love packages.

Human Resources Needs You

Here’s one directed at employees designed to be a standard employment request. In this case, it’s to use the company car. It’s very common to see attachments that appear to come from Human Resources.

The “From” address and even the filename have been doctored to make it appear to be from within the company. If the company is large or you’re a new employee, downloading and filling in this form may not seem suspicious. It’s not unusual for an attack to be targeted, since information on officers and HR managers is easy to find.
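The tells in the FedEx and HR examples above can be checked by a mail filter before a person ever sees the message. This is an added example, not code from the post: it parses a constructed .eml (all domains and filenames are made up) and flags images and links that point outside the sender’s domain, plus an executable disguised as a form.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not from the post): the carrier's logo hot-linked from
# its own site, a hacked unrelated mailbox as sender, a link that goes
# elsewhere again, and a "shipping label" attachment that is an executable.
SAMPLE_EML = b"""\
From: "FedEx Customer Service" <jsmith@hacked-account.example>
Subject: Your package could not be delivered
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html

<html><body><img src="https://www.fedex.example/logo.png">
<a href="http://track-pkg.example/label">Print your shipping label</a></body></html>
--B1
Content-Type: application/octet-stream; name="Shipping_Label.exe"
Content-Disposition: attachment; filename="Shipping_Label.exe"

TVo=
--B1--
"""

RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".docm")
# A regex is enough for this demo; a real filter should use a proper HTML parser.
REF_RE = re.compile(r'\b(src|href)\s*=\s*"([^"]+)"', re.I)


def analyze(raw: bytes) -> list:
    """Return human-readable reasons to distrust the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        # Anything fetched from outside the sender's own domain is suspect:
        # the FedEx bait above borrows the real carrier's logo this way.
        for attr, url in REF_RE.findall(body.get_content()):
            host = (urlparse(url).hostname or "").lower()
            if host and host != sender_domain and not host.endswith("." + sender_domain):
                kind = "image" if attr.lower() == "src" else "link"
                findings.append(f"{kind} points to {host}, sender is {sender_domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment {name}")
    return findings
```

Calling analyze(SAMPLE_EML) yields three findings; a plain-text note from a colleague with no links or attachments yields none.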

You’ve Been Reported

I’ve received a few claiming to be from Dun & Bradstreet trying to scare companies into thinking they need to clear their good name.


It’s also common to see fake Emails from the Better Business Bureau. In the U.K. there’s Companies House which registers and keeps track of companies for the Department for Business, Innovation and Skills.


Question Every Email

These phishing expeditions are common and effective in all countries. I generally question every Email even when it comes from someone I know. How many times have you received Email from friends saying they’ve been hacked? If you have any doubts just contact the sender or an official with the company sending the message. My bank has always thanked me for calling. They love to impress customers with their knowledge of security trends.

Curiosity Killed Your Job

It’s not unusual to receive messages which appear to be meant for someone else. More than a few attacks succeed because of human curiosity.



Speaking of curiosity, I’ll end with a newer version of a classic bait and steal scheme.


I’ve worked for companies where discussion of salaries could be cause for immediate termination. An ancient method for infiltrating a company involved dropping infected floppy disks labeled something like “Employee Salaries” in public places. This “baiting” is still used but now relies on DVDs, USB flash drives or SD cards labeled as personal or secure data. Visitors often have access to restrooms in secure areas. What they leave on top of a towel rack could be more dangerous than high explosives.

I’m sure what I’ve discussed isn’t anything new, but you may know someone who would benefit from this lesson. Share these examples along with a healthy dose of paranoia. The data you save may be your own.

In the News:
The Windows Club shares how to monitor changes to ANY registry value in real time.


Saturday, November 16, 2013

My First State-Sponsored Attack

I thought I’d seen it all, but today I was stunned by a warning from our friends at Google. This month I’m celebrating the 16th anniversary of my battle against spyware, adware, malware, viruses, Trojans, rootkits, zero-day vulnerabilities and more. I’ve had my share of password surfers, phishing emails, denial of service attacks and cease and desist orders, but today was a first.

The warning from Google said “We believe state-sponsored attackers may be attempting to compromise your account or computer.”

It started with an Email to a GMail account I rarely use but which is connected to many Google tools that I do use. The subject line said
Suspicious sign in prevented


I normally might have ignored this Email. I tend to be cautious of any official-looking Email with links. When hovering my mouse over the links they appeared to be legitimate Google links, but I still manually entered Google’s address on another computer to change my password. That’s when Google displayed the banner warning me about a state-sponsored attack.


Apparently this happens so often that Google has a help page just for this situation. Clicking on the “Protect yourself now” link opened up a page with additional recommendations.


This attack has been identified as “state-sponsored” but I doubt it’s really my first and probably won’t be my last.

I’ve taken appropriate steps to protect my account but I’m still curious about a few things. What in particular identifies this attack as state-sponsored? Even more important, which state is attacking me?
