Stop Phishing Attacks from Giving You Agita

by Leave a Comment

If you look at the number of security alerts sent to my Inbox, cybercrime seems to always be on the rise. I certainly know it is here to stay, and near the top of the list of malicious activities are phishing scams. Most believe that only dumb people fall victim to these types of attacks. That is not true. Anyone can fall victim to a phishing scam, making it more critical than ever for me to protect you.

According to the Federal Bureau of Investigation’s (FBI) 2020 Internet Crime Report, phishing was among the top three cybercrimes reported in 2020. Phishing incidents more than doubled between 2019 and 2020. More frightening than that is 90% of incidents that end with a data breach started with a phishing attempt. That FBI report shows US businesses lost more than $1.8 billion last year because of business email compromise (BEC) or spear phishing.

Email is one of the primary vectors by which cyber criminals distribute ransomware. And they often depend on phishing and social engineering to infiltrate an unsuspecting company. Traditional anti-virus software products cannot protect you from these cyber-attacks. Too often, small business owners fail to properly secure their environments because they don’t know any better or because they don’t want to spend money on something they can’t “see.”

One way to mitigate this problem is to increase security awareness. Simply training staff to be alert to what constitutes phishing emails can reduce a business’ chances of having a cybersecurity incident by up to 70%.

Let me give you a theoretical example. Assume there is a dental practice with 15 employees. How many dental practices are willing to pay every three months to certify every employee on security awareness training (which they view as “don’t click on links”)? In real life, the most common response I hear is, “Ah, it’s a pain. I don’t want to do it. No one’s going to come after us. We’re a dental practice.” Well, again, that is not true.

The bad guys know the dental practice is the one that’s probably going to react if threatened, so they’ll ransom them for $10,000 or $20,000. And what makes it hard for someone like me to get that message through to this dentist? I mean, they are probably a wonderful dentist. They’re great at fixing teeth. But they’re like, “Why would these Russians, or these North Koreans, or these people in Silicon Valley who are bad – why would they want to get me?”

The reality is the bad actors are brilliant and relentless. They know if they ransom, or if they attack, a dentist in Fort Lee, New Jersey, for $10,000 or $20,000, no one – other than the local police – is going to investigate. So now, small businesses are being targeted at a much faster rate than large companies. If the bad guys try to ransom ExxonMobil, Walmart, or some other large company, the FBI and Homeland Security will get called in. And they have serious capabilities, and they’re going to get the bad guys. But there are not enough resources to protect small companies down the road who get hit. What I am finding is more small business owners are starting to say, “Oh, maybe I should listen to my IT guy because they’re on to something.” And that thinking helps safeguard their business.

Small business owners must be cautious because cybercriminals constantly adapt their techniques to find a way in. It is an unfortunate way of life in 2022, but maintaining a heightened level of security awareness while reading each email is a requirement of using email to communicate with staff and clients. There is no escaping the threats, so you must remain vigilant and stay alert. Security awareness training can go a long way to ensure your safety.

Thanks, and safe computing!

What You Should Know About Crypto Miners

by Leave a Comment

Let’s start with some basic facts. A crypto miner is a malicious software that uses the resources of your computer to generate cryptocurrency for someone other than yourself. It is, at its most basic level, theft of services.

In 2018, crypto jacking (the practice of using browser-based programs to mine cryptocurrency without your knowledge or consent) and crypto mining (malware that usurps your computer’s CPU to mine cryptocurrency) grew to be major threats. The only way you’d know something was amiss was when you realized your internet browsing was very slow and, after a while, your computer stopped working until you restarted it. After a few days, the malware would cause you to “lather, rinse, repeat.” The biggest player in this arena was Coinhive.

Why did Coinhive target browsers? Because it was relatively easy to slip in as an add-on since the code appeared to be innocuous. It was, until you restarted your browser. At that point, the program would run any time your browser was open, using up electricity and processing power to generate minuscule amounts of the cryptocurrency called Monero.

In February 2019, Coinhive publicly announced it was ceasing operations the following month. The service stated that it wasn’t “economically viable anymore” and that the “crash” (of Bitcoin) had severely adversely affected the business. That pretty much sent a death knell to browser-based crypto coin mining.

So why am I bringing this up at the start of 2022? I recently read two articles and learned that crypto mining is alive and well. And it is not being used solely by cybercriminals. Nope, no, siree. Given the pandemic, it seems marketing types have prevailed at Norton, the eponymous Security 360 product maker. A new feature is the inclusion of crypto mining. Avast, a European maker of security software, has announced it is doing the same.

Apparently we live in an upside-down world when security companies allow their crypto miners but claim they can keep out everyone else’s crypto miners. But what does this mean? Well, for one, you have to opt-in to use this feature; Norton doesn’t install it indiscriminately. Also, your computer has to meet some stringent hardware requirements before you’d even see the option. The critical condition is that your computer has an advanced video card (where the computing will take place) so that you can mine Ethereum.

And then comes the kicker: Norton is going to take a good percentage of the money generated. They get 85% while you get 15%. And if you want to obtain your portion — having donated your computing resources — you are faced with additional fees (one a transaction fee and the other a processing fee to cash it in), which reduce your overall take. But suppose that’s not enough to dissuade you. In that case, this money is considered extra income by the Internal Revenue Service, so you will be responsible for including it on your annual tax return.

But the biggest question (and complaint) from security-conscious netizens is: Why would any security company think of doing this? The answer is simple: They want more money from consumers than they get from the annual subscription to their products. Consumers have learned that when subscribing to Norton 360 for the first year, they get a terrific discount. Norton sets the subscription to auto-renew and keeps your credit card on file. Savvy users realize they can turn off the auto-renewal and remove the saved credit card. The day after the current subscription expires, they can purchase a new discounted subscription with a different email address (e.g., larry2022@gmail.com for the current year because it was larry2021@gmail.com for last year’s subscription). It seems Norton is simply fighting back in a very unusual manner.

Do I think this is a good idea? Absolutely not! Is it well-intentioned? Undeniably no. Should all consumers be extremely wary about this? Resoundingly yes! Are you (my clients) affected by this? Not at all, because your computer is running SentinelOne Vigilance, part of your SPF+ or SHADE subscription. But if you know of someone who thinks Norton has a terrific security product, I would urge you to let them know that’s not necessarily the case.

Thanks, and safe computing!

Internet Explorer 11 and the June 15, 2022 Deadline

by Leave a Comment

Microsoft will end support for Internet Explorer 11 (IE) on June 15, 2022, as announced in May 2021.

Starting with Windows 10 version 20H2, which Microsoft released in October 2020, if you attempt to use IE, Windows will prompt you to use the Microsoft Edge browser.  You must make an explicit choice to deny that to continue to use the Internet Explorer browser.

Note: If you want to know what version of Windows you have, type the word winver in the Windows Search box (next to the Start button in the lower left-hand corner). The resulting “About Windows” window contains the version and build information.

The critical point to all of this is that Microsoft will jettison some outdated, still risk-prone software in favor of its new Edge browser, built on the same base as Google’s Chrome.

What does that mean for you? If you have an Internet Explorer icon on your desktop, it is time to delete it. Similarly, if you use IE to browse the web, you should transfer your Favorites (bookmarked websites) and your saved user IDs and passwords over to Edge or Chrome.

While Microsoft will provide a hybrid form of IE under Edge’s covers, the rest of the world has moved on. According to W3Schools, the internet’s most extensive tutor of web-based material, Chrome held the lead in usage with a commanding 81% of the market. Edge came in second with 6.6%, and Firefox held on with 5.5%. I am, and probably always will be, a stalwart fan of Firefox (at least until Mozilla stops supporting it).

In the upcoming months, I am hopeful that companies whose websites contain code explicitly built for Internet Explorer will remove that code to strengthen the security of their website. However, if they don’t, your browser should automatically switch to IE mode in Edge. But I won’t be surprised if bad actors make multiple attempts to figure out how to take over those websites to try to introduce malware to the unsuspecting.

Thanks, and safe computing!

Stay Cyber Safe This Holiday Season!

by Leave a Comment

Cyber Monday 2020 set a record for e-commerce spending in one day, totaling $10.8 billion. With the pandemic raging on, many customers took to online stores to do their holiday shopping. While New Jersey COVID-19 cases have declined in recent weeks and vaccinations continue, I expect many people will choose to conduct their shopping online and potentially start shopping earlier than usual, given concerns for supply chain issues and shipping delays. Some predict that online shopping spending will total over $200 billion for the first time by the end of the holiday season.

Given that volume of e-commerce shopping, cybercriminals will continue to target online shoppers and marketplaces for financial gain. Therefore, it is vital to maintain awareness of the many cyber threats posed by these individuals and groups. Threat actors may target victims through various methods, including compromised or spoofed websites, phishing emails, social media ads and messages, or unsecured Wi-Fi networks. I’m going to present a list of common attack vectors, along with some tips and best practices that will help you to combat cybercriminals’ threats during this holiday season.

Magecart and Other Online Skimming Attacks

Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Magecart attacks are conducted by many threat actors and are not specific to one group.

Once they steal payment card data, they can make fraudulent purchases or sell it on the dark web or other marketplaces. Cybercriminals are likely to continue to target online marketplaces this year. As such, I encourage you to use credit cards rather than debit cards because they often have better consumer fraud protections. Also, if you are especially concerned about fraudulent attempts on your card, you can consider enabling charge notifications for every card transaction. Enabling these notifications may make it easier for you to identify a fraudulent transaction as soon as it occurs. If you discover fraudulent activity on your account, lock the affected card, notify your bank immediately, and request a new payment card.

Be Wary of Links and Attachments in Unsolicited Emails

Around the holidays, you will likely receive emails from known retailers regarding sales and coupons, order confirmations, and shipping notices. Cybercriminals can create spoofed emails by stealing retailer branding to make fraudulent emails appear legitimate and may contain links or attachments that install malware or lead you to spoofed websites that steal your credentials. These emails may attempt to convey a sense of urgency — “Limited Time Offer!” — to prevent you from thoroughly inspecting the email for red flags. I urge you to avoid these schemes and go directly to retailer websites by typing the legitimate URL in your browser instead of clicking on links in emails. And please refrain from entering your login credentials on websites if you clicked on a link in an email that looks even slightly suspicious!

Take Caution with Social Media Ads

Everyone is blasted with ads as you scroll social media platforms. While many of these ads link to known, legitimate vendor websites, you may also be confronted with ads that link to malicious or otherwise suspicious sites that could be used to install malware, steal credentials, or sell counterfeit goods. Cybercriminals frequently employ URL shortening to trick people on social media sites and other outlets by hiding the true destination of a link. I suggest you use a URL expander (e.g., https://urlexpander.net) to reveal the true destination of shortened URLs before you visit any website and verify it is a legitimate vendor before making any purchases.

Look Out for Holiday-Themed eCards and Messages Meant to Install Malware

In the past, people have reported being targeted with various Thanksgiving Day-related scams. In some cases, spoofed emails were sent appearing to originate from legitimate organizations and contained the subject line “Thanksgiving eCard.” Last year, an Emotet banking trojan campaign was observed using Thanksgiving lures, with the subject lines “Happy Thanksgiving Day Greeting Message” and “Thanksgiving Day Card.” As malicious actors commonly leverage public interest and current events to conduct financial fraud and disseminate malware, I want to remind you to exercise caution with unsolicited emails, especially those with a holiday theme.

Do Your Online Shopping at Home

Avoid using public computers, such as those at a library or hotel, or public Wi-Fi connections to log in to your accounts or conduct online shopping. Miscreants could infect public computers with malware designed to steal your information, and hackers can intercept network traffic traveling over unencrypted Wi-Fi signals. If you must connect to public Wi-Fi, use a virtual private network (VPN) to secure information transmitted between your device and the internet. Additionally, I advise you to refrain from using your office (or work) computer to make online purchases as cyberthreats could endanger company and customer information.

Beware of ‘Secret Sister’ Gift Exchange Scam

Many people enjoy participating in group gift exchanges this time of year; however, beware of potential scams. Social media posts promoting a “Secret Sister” gift exchange promise between 6 and 36 gifts in exchange for sending one gift. While this type of chain letter appears innocent, it is illegal and considered a pyramid scheme. The scam, detailed by the Better Business Bureau, begins by requesting the name and address of the recipient and their friends. This holiday season, only participate in gift exchanges with individuals you know personally and refrain from sharing too much (or any) personal information online.

Verify Charities Before Donating

It is common around the holidays to donate to charities, particularly those that provide goods or services to those individuals and families in need. You may be prompted to donate via solicitations received through email or social media; however, these could be promoting fake charities or impersonating legitimate charities. Prior to donating, research the charity through a nonprofit site such as https://charitywatch.org or https://charitynavigator.org for information on charity legitimacy and other details, such as the percentage of donations that go directly to the associated cause.

Be cautious with your online activities, think before responding to emails, and call me if you have any questions.

Thanks, and safe computing!

I Screwed Up, Then I Learned a Lot, and My Clients Benefit — So That’s Good!

by Leave a Comment

An inside look at Heliotropic Systems’ operations.


I spend a significant amount of time every month learning about new and improved technology and products from the vendors with which I partner. These vendors include familiar names such as Lenovo, SonicWall, Xerox, APC by Schneider Electric, SentinelOne, and Microsoft. Most of the solutions I obtain from these vendors are designed to help keep you secure while using your computers and network devices.

In the middle of September, I took a mere moment to look up an existing part number. I ended up spending more than 12 hours consuming a ton of new information to offer a more secure business solution. Let me explain.

I keep extensive lists of all hardware components for each of my small business clients. One of those components is a Network Management Card (NMC) found in higher-end APC UPS battery backup devices. NMCs manage, maintain, and report on the condition of the UPS device to which they are connected. I program NMCs to send email alerts when conditions differ from normal (e.g., electrical issues, or battery problems). I also use them to update the device’s firmware with security enhancements.

I was adding new equipment to one client’s Excel spreadsheet, and in doing so, pulled up the corresponding page in another client’s spreadsheet to copy over as a template. I noticed I had not filled in one attribute on the existing spreadsheet, so I logged into that client’s server, pulled up the component in a browser, and highlighted the attribute to copy it to the clipboard. As I did, I noticed that I had not rebooted the network device for more than one year.

That was very strange because I thought I had an Outlook reminder to update the firmware of these devices annually. It should have kicked off at the start of June. But after I looked through Outlook and confirmed the calendar entry, I reviewed my daily activity logbook and discovered I had not done the work. Several issues interrupted my day, and I lost track of the task. (Yes, I admit, that was very sloppy, and I’m pretty embarrassed about it.)

Read More →

Recent Cyber Scam Attack Adopts Hollywood’s Reboot Concept

by Leave a Comment

Imagine receiving an email, delivered to your business email address, offering a “Partnership Affiliate Offer.” Would you open it? Oh, come on, of course you would! Your curiosity invariably gets the better of you all the time. But when you read this email, you pause and then shudder. What the heck? Here’s the offer:

If you can install and launch our Demonware Ransomware in any computer, company main Windows Server, physically or remotely, (there’s) 40 percent for you, a million dollars for you in Bitcoin.

A researcher at Abnormal Security engaged with the bad actor behind this poorly written email offer for several days. The researcher documented how he tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he was building.

Funny, right? Unfortunately, Business Email Compromise (BEC) or CEO Scams in which crooks, mainly based in Africa and Southeast Asia, spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers are bigger business than the blitz of ransomware attacks that have made headlines recently.

The FBI’s Internet Crime Complaint Center (IC3) reports that BEC scams increased to more than $1.8 billion in 2020. These extortion attempts have proven to be highly profitable for cybercriminals.

And, of course, it is incredibly humorous that this latest cyber scam is authored by a Nigerian because the classic email scams began decades ago. Referred to as the “419 scam” (because of the area code), the “Nigerian prince” emails requested your assistance because of a will or lottery win. If you were willing to engage in helping the email author obtain the funds, you’d be rewarded with a percentage of the total amount.

What I found amazing while researching this article is that these 419 emails continue in only slightly modified formats to this very day. That someone has taken the initiative (albeit warped) to reboot this for the Bitcoin era is not surprising — but enterprising.

Bottom line: Be extremely careful of unsolicited email offers!

In the Aftermath of the Kaseya Incident

by Leave a Comment

Kaseya had a bad July. The vendor, who sells solutions to Managed Services Providers (MSPs), learned over the July 4th holiday weekend that some servers running their software were taken over and distributing ransomware to the clients that were being managed. Kaseya has two offerings, on-premises (server-based) and cloud-based. Usually, MSPs who have the resources to run their own data centers employ server-based solutions. So that means the clients will be of high value to bad actors, which was precisely the case.

As I wrote in an email shortly after the attack became public knowledge, Heliotropic Systems does not use any Kaseya products (server- or cloud-based). We use products from ConnectWise for monitoring your computers and remotely accessing them. These are both cloud-based offerings, and ConnectWise has been very transparent in letting partners know what flaws have been identified and when they are corrected.

No software is exempt from bugs. After all, people code the programs and do not necessarily consider everything when designing and developing those programs. Yes, there are Quality Assurance teams that are supposed to test the programs — but they are only as good as the instructions they receive in terms of what the test cases should be. And not all possibilities are (or can be) tested.

The news is now filled with stories that malicious actors are targeting more and more small businesses because they think the “work from home” population is getting lax with their security consciousness. There is a movement within my industry to implement what’s called the “Zero Trust Initiative.” (Note, Marvel fans, this is not another Avengers movie). Zero Trust is not a product but a concept, and what it means is this: Every object in a network is identified, and every person with access to anything is identified. Then, rules are established to define what access level each person has to those objects — and when those rules are to be invoked.

Here is a simple example. Madeline and Roland are employees at Total Prepared Foods. She is an inside salesperson who is responsible for calling on existing clients. Her computer accesses the cloud-based Customer Relationship Management (CRM) system to perform her daily tasks. He is an accountant who works with the payroll system and handles the firm’s online banking.

In a Zero Trust environment, the hours that both employees work are known. The CRM software Madeline accesses has rules regarding what aspects of the program she’s allowed to see (e.g., client information but not payroll). Roland can access the payroll system but has no access to the CRM system. The network knows who logs in to which computer. It also knows which external Internet address is supposed to be used when she remotely connects from home. If someone — or something — tries to access her computer in hours when she is not authorized to use it, an alert is sent. More importantly, because Madeline’s computer requires two-factor authentication, a bad actor would not have access to the token on that device. Similarly, Roland does not have access to the payroll system except from his office computer, which is not authorized for remote access.

Previously, most believed that protecting a business had to occur from the outside in. Now, it is becoming evident that companies must be protected from the inside out. I am going to take two actions before the end of September to begin a journey toward zero trust. The first will be to ensure that no computer user at any client site has administrator privileges (meaning they can install programs). The second will be to add a new product to the SPF+ and SHADE subscriptions. This new product is a browser extension that should stop anyone from getting to a fake website if someone inadvertently clicks on a link in a phishing email. Combining a limited user desktop experience and a program to thwart potential problems, will make you much safer.

Managing Your Own Security With 2FA and Passwords

by Leave a Comment

I received an email from a client requesting help regarding a form his bank sent him to fill out because his bank detected a fraudulent attempt to access his account. They explained that the IP address of the failed attempt, which used his actual username, was located in Miami, Florida. My client lives in a town in Nassau County on Long Island.

It took a while before my client realized he had been locked out of his account for safety’s sake because of the fraudulent attempt. I get that. In a “normal world,” you’d ask that the password for the account be reset, you’d provide a new password, and you’d be back to online banking. But not with this bank. Nope, they wanted more — much more! They asked my client to acknowledge having taken one of the following options:

The hard drive of each computer was wiped clean and the operating system, as well as any software the Client utilizes was reinstalled. Thereafter, a scan utilizing proven effective anti-malware/anti-virus software was run on each of Client’s computers and no virus or other malicious software was found. [or]

Each computer was replaced with a cleaned computer. A scan utilizing proven effective anti-malware/anti-virus software was run on each of Client’s replacement computers and no virus or other malicious software was found. [or]

Client will access [bank name redacted] from a different computer/device and a scan utilizing proven effective anti-malware/anti-virus software was run on the computer and no virus or other malicious software was found.

The paragraph appearing before these options contained jargon that implied the computer itself had been compromised, thus warranting these extreme measures. But here’s the thing: that wasn’t the case here, and there isn’t any way to accurately determine when – or even if – this computer was the reason someone attempted to access the account.

I’ve written for years that name, email, and password information is readily available to anyone who wants it for nefarious means. Vast troves of data are inexpensive and they can pay off significantly if used maliciously. Anyone can go to https://haveibeenpwned.com to see if their email address is out in the wild. I found this client’s email address was in six data breaches.

With billions (yes with a “b”) of email addresses and passwords that can easily be cracked, less than honorable people miscreants then try to see if they can find other accounts that use the same credentials. Because, after all, most of us are creatures of habit (i.e., lazy) and don’t want to keep track of lots of different passwords.

After several discussions, I learned that my client used a specific construct for a username and password on different sites. It was an easy construct, something like joebob1823. While easily remembered, it is an awful security measure. How many sites was this used as a username? I didn’t ask. How many sites was this used as a password? Again, I don’t know. But if it was more than one, it was way too many.

Why? Because his email is associated with joebob1823, and joebob1823 is associated with a password for one of the compromised websites. Now, go to LinkedIn and see if this works to gain access to his account. Then go to Instagram, and Facebook, and all the social media sites. Next, try some common banks, like Citibank, Chase, or Wells Fargo. Then go after brokerage accounts, like Charles Schwab or Fidelity Investments. You see where this is heading. To a group of bad actors with nearly unlimited computing resources, this is child’s play. They set up scripts to run multiple iterations at various sites until they either gain access or the site stops them because of repeated violations.

What could help this client the most? That would be if his bank offered two-factor authentication (commonly referred to as 2FA). I explained it to him as follows:

You go to your bank’s website, supply your credentials, your username, and password, and click Enter or Next. Then, you must enter a code to continue. The bank can generate that code in several ways. For example, the back will call the phone number associated with your account, and an automated voice recites the numbers, one at a time. Or you can get an email sent to the email address associated with your account. You can then copy and paste that number into the field. Or you can use an app on your phone, such as the Google Authenticator. This app generates a series of random numbers every 45 seconds. Enter that number into the field, and you gain access to your account. The primary reason as to why this is a reasonably successful security measure is that this second form of confirmation is yours and yours alone.
Now there are known ways of spoofing every single one of those 2FA mechanisms. But they require more effort than most bad actors will use to hack an individual’s account. And using 2FA is much better than not having it. Surprisingly, my client’s bank does use 2FA, but it is not required. I am particularly livid about that when you consider what they want him to do to his computer because of the fraud attempt.

What else could help this client? The use of more sophisticated passwords. joebob1823 is not a rigorous or strong password. Using the University of Illinois at Chicago’s Password strength test (https://www.uic.edu/apps/strong-password/), it merits a complexity score of “Good” (although I disagree with that). There are many indicators on the results list that are red or yellow.

I suggested that he use a more complex formula to create a password, essentially using a phrase. For example, he has an adorable dog whose name is Lizzy. So, he could make a more complex password from the words, “Lizzy is a cute dog.” With minimal effort, this becomes Li##yI$@Cut3D06. Checking the complexity score, this received a “Very Strong” rating, and it only picks up some nits for repeating characters and numbers. But a simple dictionary attack is not going to discover this. And if it is used at only one website, then the likelihood of its being compromised is lowered exponentially.

Oh, and before you ask, yes, you can write these down if you are at home. Some of you may ask why I don’t recommend using a third-party product to keep track of passwords. That’s because I have yet to find one that has a sure-fire mechanism of preventing access to your account information if their database is breached.

Takeaway: Ask your financial institutions how to set up 2FA on your accounts, and start to use more sophisticated passwords everywhere.

Thanks, and safe computing!

Adobe Lays Flash to Rest

by Leave a Comment

On December 8, 2020, Adobe announced the following: “Adobe will no longer support Flash Player after December 31, 2020, and Adobe will block Flash content from running in Flash Player beginning January 12, 2021.”

So, that’s “all she wrote” for an application that lasted 24 years. But the end was not unexpected. In mid-2017, Adobe announced it would retire Flash from support and halt distribution of the application by the end of 2020.

The primary browser makers — Apple, Google, Microsoft, and Mozilla — also embarked on their own roadmaps for Flash Player’s end. Because the vast bulk of Flash content was created for websites and run in web browsers, those four developers’ plans carry enormous weight.

Here are how those browser makers will wrap up Flash — if they haven’t already done so — in the coming weeks.

Google Chrome

Google has stated that as of January 2021, “Flash Player will be marked as out of date and will be blocked from loading” in Chrome.

Edge and Internet Explorer

Because Microsoft’s Edge now relies on the same base code as Chrome, and Internet Explorer (IE) is maintained only as a legacy last resort for businesses, the Redmond developer’s path toward Flash finality is complicated.

Microsoft plans to purge Flash from Windows and will offer the uninstall-Flash update via Windows Update as an “optional” download in early 2021. The status will change to “recommended” a few months later.

During the summer of 2021, Microsoft will eliminate the remaining evidence of Flash support from the original version of Edge and IE.

Firefox

Mozilla has taken a straight-forward approach to vanquish Flash. Firefox 84, which was due to be shipped on December 15, 2020, will be the final version to support Flash. Firefox 85, slated for release on January 26, 2021, will arrive without Flash support.

Safari

Safari 14, the 2020 refresh that was bundled with the macOS 11 (“Big Sur”) upgrade in November, and offered in late September as an update to users running the earlier Catalina and Mojave versions of macOS, lacks any capability to run Flash content.

What Does This Mean For You?

With the Adobe Flash Player removed from your browser, you can expect some ads not to function properly, some games will not operate as you expect, and some websites will not display content (either properly or at all).

Please note: There is nothing you can do about it.

Every website owner has known for years this change was coming. It was their responsibility to create an alternative method of providing their advertising, games, and web content. If one of your favorite websites is not displaying content — or otherwise not appearing properly, you can locate their Contact Us section and send them a note. How responsive website owners will be after the fact is questionable. I have a feeling several will be scurrying to learn how to code in HTML5, the replacement method that has been available for almost six years.

Anatomy of a Ransomware Attack

by Leave a Comment

I don’t know how technologically inclined you are, so I will ask this simple, rhetorical question: What is ransomware?

The answer is: Ransomware is a form of cyber-attack in which criminals take control of your computer’s files and block access to them until you pay a fee to release them.

Cybercriminals gain control of your files by placing malicious software on your computer. They can accomplish this goal in several ways; however, these are the two most common methods:

  • You open an attachment in an email, either a Microsoft Word document or an Adobe PDF file that contains a worm or a Trojan.
  • You click on a link in an email.

Here’s a summary of what happens next.

Once the malicious software is downloaded to your computer, one element will contact a “command and control” server on the internet to obtain a unique key. Another element then executes and uses that key to encrypt your files. To accomplish that task, it takes the contents of your files and turns each one into a mass of numbers and letters that your computer’s programs cannot read. After all that mayhem is complete, one of the rogue software elements sends a confirmation to the cybercriminal.

In some cases, before your files are encrypted, the cybercriminals will copy them to the internet. Part of the extortion message you receive may include a statement that they will release your confidential information to the public. This message is designed to be an added incentive to make you pay “full freight” to get the decryption key. In some reported instances, victims have been known to bargain for a lower fee and have successfully reduced the amount of the ransom.

How Does All This Happen?

Two of the main components that allow ransomware to run wild are Emotet and Trickbot.

Emotet is malicious software that is categorized as a Trojan, which means it appears as something innocuous; however, it carries an undesirable harmful payload. Initially, it was designed to steal banking credentials. Later iterations added features including money transfer and evasive functions.

Emotet arrives primarily in phishing attacks via emails that contain malicious links or Microsoft Word files that contain macros.

Once Emotet is on a computer, it attempts to establish persistence on the computer and then propagates through the local network via spreader modules. When it is activated, it will connect to the command and control server to report a new infection. It receives configuration data, downloads and runs files, receives instructions, and then uploads the requested data to the command and control server. The instructions it receives can launch other forms of malware based on the criminals’ intent and goals.

The fact that Emotet is easily released on an unsuspecting victim makes it a very serious threat. Bad actors can send a phishing email to millions of email accounts. Probability theory dictates that someone, somewhere, will click on the link or download the file and thus become infected. For any business – large or small – all it takes is one email to reach its target, and all the computers in the company could become compromised.

The Cybersecurity & Infrastructure Security Agency (CISA) reports that Emotet “can evade typical signature-based detection.” It is virtual machine aware and “can generate false indicators if in a virtual environment.” This means that the typical “sandbox” features used by some advanced security software may not be able to identify it.

Trickbot is another Trojan that uses various modules to attack a computer. These attacks include obtaining banking credentials and exfiltrating data.
The primary way in which Trickbot establishes persistence is by creating a scheduled task that runs with System privileges. The task is set to run at startup and repeatedly after that. The malware extracts and executes its code before contacting the command and control server. Trickbot’s program contains an initial encrypted list of servers to contact. Once a connection is established, it receives an updated list, and those servers have various modules and configuration files.

After it has started, Trickbot will steal passwords, steal email information, deploy web injections, and spread to other devices on the network.

What Does This Mean To You?

By now, I’m sure your eyes are glazing over, and you are wondering why I am subjecting you to this discourse.

We live in a world of coronavirus now, and unfortunately, the threat and associated risk of COVID-19 is everywhere — and equally, unfortunately, it is not going away any time soon. Cybercriminals will soon be counting on the turmoil and rampant misinformation about vaccines to lure the unwary into dangerous territory.

Wearing a mask, keeping your distance, and washing your hands will help lower your risk of getting the virus. For similar reasons, if you receive an email with an attachment, especially from someone you don’t know, you must always exercise caution!

The steps these malicious programs take on your computer occur extraordinarily fast — usually in less than a minute. You may not know that something terrible has happened until you see the ransom demand on your desktop.

It is because of programs like Emotet and Trickbot, along with others, that you must make sure you use next-generation advanced endpoint solutions to protect your computers and networks.