 The newest method of infecting your computer is remarkably old-fashioned: It uses a telephone call. Online researchers are documenting a new malware campaign they've dubbed "BazarCall." One of its primary malware "payloads" is the BazarLoader remote-access Trojan, which can give a hacker full control over your PC and be used to install more malware. The attack starts with an email notifying you that a free trial subscription for a medical service that you've supposedly signed up for is about to run out, and your credit card will be charged in a few days — at $90 a month or some other ridiculous rate. The subject line may read "Thank you for using your free trial," "Do you want to extend your free period," or something similar, according to The Record and Bleeping Computer. Naturally, you're wondering what the hell this email is, but you're pretty sure you don't want to be paying for something you never agreed to. Fortunately, the message provides a phone number you can call to cancel the subscription, plus a subscriber ID number that you can refer to during the call. You've heard of, and maybe even seen, phishing emails that want you to click on a link, but then take you a site that asks for your password or tries to install something on your computer. But there's no link in this email. It seems safe. And what harm can come from calling a phone number? So you call. You're placed on hold. You wait for a couple of minutes. And then a helpful call-center operator — he or she sounds suspiciously like someone who'd be part of a tech-support scam — comes on the line and listens to your questions about the email. The operator asks for the subscriber ID mentioned in the email. Now here's the key thing. That subscriber ID is very important because it lets the crooks know who you are — and many of their targets are people who work in specific companies. "They will be able to identify the company that got that email when you give them a valid customer [ID] number on the phone," Binary Defense security expert Randy Pargman told Bleeping Computer. "But if you give them a wrong number they will just tell you that they canceled your order and it’s all good without sending you to the website." Here's a YouTube video illustrating the entire process. The interaction with the call-center operator starts about 2 minutes and 45 seconds in. Anyway, the customer-service rep puts you back on hold for a bit to check your subscriber ID, then comes back to tell you who signed up and provided a credit card for this subscription — and it's someone who's not you. There must be a mistake. The friendly customer-support person tells you that because this concerns a medical service, you've got to fill out some forms online to cancel the subscription. He sends you to a professional-looking website, where you can continue the cancellation process. There are at least five possible websites, again listed here. The one we saw all looked the same, but someone took a lot of effort to make each site look decent. The websites have FAQs, privacy statements, terms of use and even contact information listing street addresses of Los Angeles office towers and southern California phone numbers. We called a couple of the listed phone numbers but got nowhere. We also discovered that all five websites we visited have domains that were registered last week using the same alias and the same Russian email address. Back on the customer-support call, the rep directs you to the site's signup page, where you can click Unsubscribe. However, the Unsubscribe field doesn't ask for your name or your email address. Instead, it again asks for the subscription ID number found in the original email notification you received. Click Submit on the Unsubscribe dialogue box, and your browser prompts you to allow download of a Microsoft Excel spreadsheet or Word document. The customer-support rep says you must download, open and digitally "sign" this document to cancel the subscription. Now, Microsoft Office files downloaded from the internet are so dangerous that Windows itself "sandboxes" them so that they can't run macros — little mini-programs — without your permission. But the customer-support rep you have on the phone insists that you click the yellow bar that appears across the top of this Excel or Word file to enable macros so that you can "sign" the document. We have a lot more posted on OUR FORUM.  An upgraded variant of Purple Fox malware with worm capabilities is being deployed in an attack campaign that is rapidly expanding. Purple Fox, first discovered in 2018, is malware that used to rely on exploit kits and phishing emails to spread. However, a new campaign taking place over the past several weeks -- and which is ongoing -- has revealed a new propagation method leading to high infection numbers. In a blog post on Tuesday, Guardicore Labs said that Purple Fox is now being spread through "indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes." Based on Guardicore Global Sensors Network (GGSN) telemetry, Purple Fox activity began to climb in May 2020. While there was a lull between November 2020 and January 2021, the researchers say overall infection numbers have risen by roughly 600% and total attacks currently stand at 90,000. The malware targets Microsoft Windows machines and repurposes compromised systems to host malicious payloads. Guardicore Labs says a "hodge-podge of vulnerable and exploited servers" is hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP. Infection chains may begin through internet-facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks, or deployment via rootkits including RIG. As of now, close to 2,000 servers have been hijacked by Purple Fox botnet operators. Guardicore Labs researchers say that once code execution has been achieved on a target machine, persistence is managed through the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs. The malware's MSI installer disguises itself as a Windows Update package with different hashes, a feature the team calls a "cheap and simple" way to avoid the malware's installers being connected to one another during investigations. In total, three payloads are then extracted and decrypted. One tampers with Windows firewall capabilities and filters are created to block a number of ports -- potentially in a bid to stop the vulnerable server from being reinfected with other malware. An IPv6 interface is also installed for port scanning purposes and to "maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets," the team notes, before a rootkit is loaded and the target machine is restarted. Purple Fox is loaded into a system DLL for execution on boot. Purple Fox will then generate IP ranges and begin scans on port 445 to spread. "As the machine responds to the SMB probe that's being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session," the researchers say. The Trojan/rootkit installer has adopted steganography to hide local privilege escalation (LPE) binaries in past attacks. To learn more visit OUR FORUM.
 Looking to use your phone in an emergency? Modern smartphones and smartwatches allow you to set certain features that will ping your last known location to emergency contacts in a situation where you’re unable to talk on the phone. Both Apple and Google have baked these features into the respective iOS and Android platforms, and we’re seeing more and more wearable manufacturers include the features too. Why would you want to set up emergency SOS location tracking? There’s a variety of scenarios where you may not be able to talk on a phone, but you will be able to find a way to send your location to trusted individuals. You can also have an easy way to directly call the emergency services through these features too, so they’re worth setting up for when you may need them in the future. This guide will teach you how to set up the equivalent features on your iPhone, Android phone, or an alternative such as wearables from Garmin and Apple. Not all fitness trackers or wearables sport these features, but most smartphones do. Emergency SOS is already available when you take an iPhone out of the box, but there are some ways you can set it up to work better. It works in all countries, but in some places, you may only be able to choose one particular emergency service. First off, making an emergency services call is simple from an iPhone, but the way it works differs depending on the model of iPhone you have. If you own an iPhone 8 or later (that’s if your phone came out after 2017) you can hold down the side button and the volume buttons. Then, you’ll find a slider on the screen that says “Emergency SOS”. If you drag this across, it’ll make an immediate call to the emergency services. If you can’t slide this across, continue to hold down the buttons and you’ll find your phone makes an alert noise with a countdown. That countdown will finish with the phone calling the emergency services, so this is particularly useful if you can’t take your phone out of a pocket. We would encourage you to set up emergency contacts (more on that below) as it will then message your contacts immediately afterward with your location information and more. Why would you want an emergency contact? First off, it can help emergency services identify who to contact, and on Apple devices, these people will immediately receive a message of your location after your call with the emergency services. To set this up, click on the Health app and press on the profile picture. In here, you’ll find an option called Medical ID and at the bottom of the page, you’ll find an option called emergency contacts. Here is where you can enter the information of the contact, a relationship, and their phone number as well. Tap on done afterward, and you’ve set up your emergency contact. You can have several of these on your iPhone at one time. On Android phones, these features differ depending on the manufacturer. You can often find the information you need by searching in your phone’s Settings for phrases such as SOS messages or simply the word emergency. For example, Samsung phones have a feature called Send SOS Messages that allows you to press the side key three times to automatically message someone with your location. It will automatically attach pictures using your rear and front camera, as well as an audio recording of the moments before the message was sent. For more detailed instructions on various devices visit OUR FORUM. |
Latest Articles
|