Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Wednesday, November 27, 2013

Employee Manual to Prevent Cryptolocker and More

A common way computers get infected or compromised has always been a simple yet well-thought-out deception. It can happen to anyone, and social trickery is nothing new. Understanding the victim is all that’s needed to win their cooperation.

If you’re thinking “it could never happen to me,” this refresher couldn’t hurt. You might want to share the examples here with your friends, family and especially your employees. Social engineering has come a long way since the possibility of seeing Anna Kournikova naked.

Here’s a common example that has been used to infect computers with the crippling Cryptolocker extortion attack.


This one and its variations are going to get more popular as Santa starts shipping his presents. In this example the “From” address isn’t even disguised, which means these guys were really lazy. Don’t bother replying: the Email address belongs to someone who has already been hacked and was probably shut down by the time you received your Email.

Any Email “bait” like this will appear to be a legitimate message. The attacker linked to text and a graphic hosted on FedEx’s own site, so the logo is the genuine article. The simple line of code below is all that’s needed to display the FedEx logo:

<img src="https://">

This Email from a fake UPS is also tempting because you certainly wouldn’t want to miss anything. We all love packages.

Human Resources Needs You

Here’s one directed at employees designed to be a standard employment request. In this case, it’s to use the company car. It’s very common to see attachments that appear to come from Human Resources.

The “From” address and even the filename have been doctored to make it appear to come from within the company. If the company is large or you’re a new employee, downloading and filling in this form may not seem suspicious. It’s not unusual for an attack to be targeted, since information on officers and HR managers is easy to find.

You’ve Been Reported

I’ve received a few claiming to be from Dun & Bradstreet, trying to scare companies into thinking they need to clear their good name.


It’s also common to see fake Emails from the Better Business Bureau. In the U.K. there’s Companies House which registers and keeps track of companies for the Department for Business, Innovation and Skills.


Question Every Email

These phishing expeditions are common and effective in all countries. I generally question every Email, even when it comes from someone I know. How many times have you received Email from friends saying they’ve been hacked? If you have any doubts, just contact the sender or an official with the company sending the message. My bank has always thanked me for calling. They love to impress customers with their knowledge of security trends.

Curiosity Killed Your Job

It’s not unusual to receive messages which appear to be meant for someone else. More than a few attacks succeed because of human curiosity.



Speaking of curiosity, I’ll end with a newer version of a classic bait and steal scheme.


I’ve worked for companies where discussion of salaries could be cause for immediate termination. An ancient method for infiltrating a company involved dropping infected floppy disks labeled something like “Employee Salaries” in public places. This “baiting” is still used, but now relies on DVDs, USB flash drives or SD cards labeled as personal or secure data. Visitors often have access to restrooms in secure areas. What they leave on top of a towel rack could be more dangerous than high explosives.

I’m sure what I’ve discussed isn’t anything new, but you may know someone who would benefit from this lesson. Share these examples along with a healthy dose of paranoia. The data you save may be your own.

In the News:
The Windows Club shares how to monitor changes to ANY registry value in real time.



Blogger Unknown said...

Bill, you might have pointed out that in all examples, the culprit was the ATTACHMENT!! You might have displayed the filename inside of the zip file....
Sandy Brown

2:38 PM  
Blogger pt said...

Uh, yes. I agree with the first post. Even as I was reading the article, I was waiting for you, Bill, to note the obvious - that the zip files were the delivery method - and then tell your readers to simply refrain from opening zip files of any sort in e-mails, or whatever advice you deem best for this situation. But, as I came to the end of the article, I was actually shocked and amazed that there was no mention or advice of any sort. So, Bill, perhaps an addendum to your article is in order? Thanks!

5:36 PM  
Blogger BobbyB said...

While it is true the article does not mention the method of delivery, there are clues...

1) note the grammar used: "attached there is (are) 'contracts' agreement." "You may 'pickup' the parcel at our post office." (not "pick up")(relying on the end reader's lack of proper English grammar);

2) note the number of intended email addressees, more than one is a BIG indicator;

3) actual number of emails. The "newest" trick is to follow-on to the first email from someone you know (which email had correct information), but the second one comes almost immediately afterward with a slight change in the subject line, such as "Oops, I just sent the wrong link/file/attachment, etc."

4) Zip files and attachments are so passé now...hackers and others now use links with misleading link text. For ex. in #3 above ("Oops"), the link has the same highlighted text as the original, first email ("click here for the latest financial news") but the link instead brings one to the errant website where one automatically downloads the virus--and you can't escape it no matter how hard you try;

5) new ransomware invades your BIOS and startup functions, such that one cannot start in SAFE mode, use uninstall, or any other "exe" "cmd" or "bat" programs. It attaches itself to each and every file after a week without you knowing (some weird ads do start to appear for "protect your computer, buy our program"--you know the drill...). Let me repeat this: it attaches itself to each and every file on your system...and can't be undone<----very stressful. Don't keep trying to erase it, it will only drive deeper. No current program erases it.

Make sure you have a safe OS backup disk to reformat the drive if need be.

Best thing to do is INSIST ON BEING PARANOID. Update malware, antivirus programs on a DAILY basis, automatic is best. Pause or stop any syncing to cloud storage while doing so.

Scan all local files completely. "Bleach" (wipe clean) the free or vacant areas of the remaining area of the hard drive.

Then--and only then--restart syncing or backup all files to the "cloud", DropBox, or similar. Best is an external hard drive!!

Double-check your cloud storage periodically for viruses and trojans.

Always, always, always double-check for viruses on all storage devices.

Dedicate one day per week to conduct computer and network analysis, including smart TVs and mobile devices (I use Saturday mornings).

Have at least two, if not three virus and malware checkers in startup and realtime mode, in your system tray. Ensure router firewall and security capability.

I got caught with #3 above, took me two days to revert to normal--once I found it after a week, and read up on it here...I also had the benefit of having another laptop alongside, so I could read up and maintain my business. Always have a Plan B and Plan C.

Just my two cents...

8:14 PM  
Blogger J.G.M. said...

How about the SAFEST malware avoidance solution? Anytime and every time I go online for any purpose, but especially for email, banking, and shopping, I boot from a Linux live CD! I like Slacko Puppy, but there are several others that work well too (e.g. Slax). Try a bunch of 'em, then choose what works best for you! They all have various levels of hardware support, but most all of them have an up to date web browser and a word processor. Just "google" "linux live CD".

8:08 AM  
Blogger Unknown said...

One way that these emails try to trick people out is with the links. As well as spoofing the email address they will post an edited hyperlink so that is actually the text and edited to go to

I find the best way is to ignore any emails and if they appear genuine open a new tab and go to the actual proper website (not via the email) and contact them, by phone if possible.

Bad spelling is sometimes a telltale sign, as is the absence of names, e.g. "dear customer" instead of "dear (customer's name)", but as the criminals are getting clever I wouldn't rely on just those methods.

11:20 AM  
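The tells discussed in the post (a logo hotlinked from FedEx’s or UPS’s own site, a doctored “From” address, an archive attachment) and in the comments above (a bulk recipient list, link text that names one domain while the href points elsewhere) can be checked mechanically before anyone opens the message. The Python script below is an added example, not code from the post or from its commenters; the two sample messages and every .example hostname in them are constructed, and the registered-domain helper and RISKY_EXTENSIONS list are simplifying assumptions to tune for your own environment.

```python
"""Triage a raw email for the phishing tells discussed in the post and comments.
Added example; sample messages and all .example hosts are constructed."""
import os
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that commonly carry droppers (assumption: tune per environment).
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".cmd", ".bat", ".pif"}
# Anything that looks like a hostname or URL inside a link's visible text.
HOSTLIKE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for <a> tags and src values for <img> tags."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(host_or_url):
    """Registered domain as the last two labels (assumption; use a public-suffix list in production)."""
    host = urlparse(host_or_url).hostname if "://" in host_or_url else host_or_url
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def triage(raw_message):
    """Return a list of (indicator, detail) findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    sender_domain = _domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_to}, not {sender_domain}"))

    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > 1:
        findings.append(("many_recipients", f"{len(recipients)} addressees"))

    collector = _LinkCollector()
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
                findings.append(("risky_attachment", filename))
        elif part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))

    # The FedEx/UPS lures pull the logo straight from the brand's own site, not the sender's.
    for src in collector.images:
        if src.lower().startswith("http") and _domain(src) != sender_domain:
            findings.append(("hotlinked_image", f"{src} served by {_domain(src)}, sender is {sender_domain}"))

    # Visible text names one domain while the href goes somewhere else.
    for href, text in collector.links:
        shown = HOSTLIKE.search(text)
        if href.lower().startswith("http") and shown and _domain(shown.group(1)) != _domain(href):
            findings.append(("link_text_mismatch", f"'{text}' -> {href}"))
    return findings


# Constructed sample modelled on the UPS lure in the post (every host here is fictitious).
LURE_EMAIL = """\
From: "UPS Quantum View" <jsmith@hacked-mailbox.example>
To: alice@corp.example, bob@corp.example
Subject: Your package could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://www.ups.example/img/logo.png">
<p>You may pickup the parcel at our post office:
<a href="http://tracking-update.lure.example/dl">www.ups.example/tracking</a></p></body></html>
--b1
Content-Type: application/zip; name="Delivery_Receipt.zip"
Content-Disposition: attachment; filename="Delivery_Receipt.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

Noon at the usual place? See https://menu.corp.example for today's specials.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(raw) or "no findings")
```

Point it at a saved .eml file (read the file and pass its contents to triage) to get the same list. Expect some noise on legitimate marketing mail, which often serves images from a CDN or tracking domain; the script surfaces what the author says to question, it does not replace the phone call to the sender.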

