Phishing and other fraud

Post Reply
User avatar
mike
Lieutenant Colonel
Posts: 652
Joined: Thu Oct 25, 2012 7:47 pm

Re: Phishing and other fraud

Unread post by mike »

I'm sure you reported, right? (like I need to ask ;) )

Spot it, understand it, know it.

The scammers are sneaky.

Thanks for the heads-up, Vrede.

I received one of those myself, a while ago, and immediately reported it.
PayPal (verified) sent me a reply thanking me.
Image

User avatar
rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Phishing and other fraud

Unread post by rstrong »

We just had what seems more like a lame Denial of Service attack than a hacking attempt on our mail server.

Everything slowed down on our server this morning. The mail server software was using a lot of resources. A look at the connection log showed thousands of connections in a short period of time.

According to the logs someone was repeatedly trying to log into our server as "emily" a few other names - with no email address or password. The mail server would lock an email account after so many login attempts, but they weren't trying a valid email acount.

Worse, they were opening email connections - your email client needs to open one before attempting to log in - and not doing anything. The connection would time out ten minutes later. But since they were doing this about once a second, the mail server had a LOT of connections open, was using up resources, which in turn was causing problems for other programs.

The attacks came from a single IP address in Luxembourg - but that's probably an infected machine controlled from elsewhere. I blocked the address and things have returned to normal. But it could happen again from another address. I may need to fiddle with the intrusion detection stuff on the firewall.

User avatar
rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Phishing and other fraud

Unread post by rstrong »

Vrede wrote:Without revealing any secrets is there a reason you would be a DDoS target or do you think you just drew the short straw?
No reason. No doubt we were just chosen at random.

Luckily it was a, um, UDoS (Undistributed) attack. The attacks came from just one IP address.

Any time I've checked out web server and email server logs out of curiosity I've seen lots of hacking attempts - dictionary, SQL injection and other attacks. This is a rare one that made me pay attention.

User avatar
bannination
Captain
Posts: 5502
Joined: Sun Sep 16, 2012 7:58 am
Location: Hendersonville
Contact:

Re: Phishing and other fraud

Unread post by bannination »

rstrong wrote:We just had what seems more like a lame Denial of Service attack than a hacking attempt on our mail server.

Everything slowed down on our server this morning. The mail server software was using a lot of resources. A look at the connection log showed thousands of connections in a short period of time.

According to the logs someone was repeatedly trying to log into our server as "emily" a few other names - with no email address or password. The mail server would lock an email account after so many login attempts, but they weren't trying a valid email acount.

Worse, they were opening email connections - your email client needs to open one before attempting to log in - and not doing anything. The connection would time out ten minutes later. But since they were doing this about once a second, the mail server had a LOT of connections open, was using up resources, which in turn was causing problems for other programs.

The attacks came from a single IP address in Luxembourg - but that's probably an infected machine controlled from elsewhere. I blocked the address and things have returned to normal. But it could happen again from another address. I may need to fiddle with the intrusion detection stuff on the firewall.

Luckily as small as this forum is I can just block China and Russia all together! I've also had a couple from Canada that I've been mindful about. :mrgreen:

JTA
Commander
Posts: 3898
Joined: Sat Oct 13, 2012 4:04 pm

Re: Phishing and other fraud

Unread post by JTA »

rstrong wrote:We just had what seems more like a lame Denial of Service attack than a hacking attempt on our mail server.

Everything slowed down on our server this morning. The mail server software was using a lot of resources. A look at the connection log showed thousands of connections in a short period of time.

According to the logs someone was repeatedly trying to log into our server as "emily" a few other names - with no email address or password. The mail server would lock an email account after so many login attempts, but they weren't trying a valid email acount.

Worse, they were opening email connections - your email client needs to open one before attempting to log in - and not doing anything. The connection would time out ten minutes later. But since they were doing this about once a second, the mail server had a LOT of connections open, was using up resources, which in turn was causing problems for other programs.

The attacks came from a single IP address in Luxembourg - but that's probably an infected machine controlled from elsewhere. I blocked the address and things have returned to normal. But it could happen again from another address. I may need to fiddle with the intrusion detection stuff on the firewall.
Should have just unplugged the wires connecting your machines to Luxembourg.
You aren't doing it wrong if no one knows what you are doing.

User avatar
bannination
Captain
Posts: 5502
Joined: Sun Sep 16, 2012 7:58 am
Location: Hendersonville
Contact:

Re: Phishing and other fraud

Unread post by bannination »

JTA wrote:
rstrong wrote:We just had what seems more like a lame Denial of Service attack than a hacking attempt on our mail server.

Everything slowed down on our server this morning. The mail server software was using a lot of resources. A look at the connection log showed thousands of connections in a short period of time.

According to the logs someone was repeatedly trying to log into our server as "emily" a few other names - with no email address or password. The mail server would lock an email account after so many login attempts, but they weren't trying a valid email acount.

Worse, they were opening email connections - your email client needs to open one before attempting to log in - and not doing anything. The connection would time out ten minutes later. But since they were doing this about once a second, the mail server had a LOT of connections open, was using up resources, which in turn was causing problems for other programs.

The attacks came from a single IP address in Luxembourg - but that's probably an infected machine controlled from elsewhere. I blocked the address and things have returned to normal. But it could happen again from another address. I may need to fiddle with the intrusion detection stuff on the firewall.
Should have just unplugged the wires connecting your machines to Luxembourg.
Tubes, they're tubes!!!

JTA
Commander
Posts: 3898
Joined: Sat Oct 13, 2012 4:04 pm

Re: Phishing and other fraud

Unread post by JTA »

bannination wrote:
JTA wrote:
rstrong wrote:We just had what seems more like a lame Denial of Service attack than a hacking attempt on our mail server.

Everything slowed down on our server this morning. The mail server software was using a lot of resources. A look at the connection log showed thousands of connections in a short period of time.

According to the logs someone was repeatedly trying to log into our server as "emily" a few other names - with no email address or password. The mail server would lock an email account after so many login attempts, but they weren't trying a valid email acount.

Worse, they were opening email connections - your email client needs to open one before attempting to log in - and not doing anything. The connection would time out ten minutes later. But since they were doing this about once a second, the mail server had a LOT of connections open, was using up resources, which in turn was causing problems for other programs.

The attacks came from a single IP address in Luxembourg - but that's probably an infected machine controlled from elsewhere. I blocked the address and things have returned to normal. But it could happen again from another address. I may need to fiddle with the intrusion detection stuff on the firewall.
Should have just unplugged the wires connecting your machines to Luxembourg.
Tubes, they're tubes!!!
Only wires can connect to sockets:

Image

QED.

But if I'm wrong, and the internet is in fact connected via a series of tubes, then rstrong should have called a plumber.
You aren't doing it wrong if no one knows what you are doing.

User avatar
bannination
Captain
Posts: 5502
Joined: Sun Sep 16, 2012 7:58 am
Location: Hendersonville
Contact:

Re: Phishing and other fraud

Unread post by bannination »

Sounds like a job for Homerphobe.


:mrgreen:

User avatar
rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Phishing and other fraud

Unread post by rstrong »

JTA wrote:But if I'm wrong, and the internet is in fact connected via a series of tubes, then rstrong should have called a plumber.
A meteorologist, actually. Everything I'm doing these days is in the cloud.

I have an HP ProLiant ML110 Generation 7 arriving in my livingroom this week. I'll be loading it with VMware.

On top of that I'll add two virtual machines running Windows Server 2012 - one as a web server and one as a file and email server - used to test my software on Server 2012 before replacing the company servers with 2012. I'll add a Windows 8 VM for more testing.

And I'm going to import/convert my Windows 7 PC into a VM on the server before wiping and reloading the PC.

Asking which Linux distribution to use is like asking which is the One True Religion, but I'll add a Linux VM or two for experimenting. Eventually. I did tech support on NCR Tower Unix machines for a few years, and sometimes I still wake up screaming. (Microsoft's Unix wasn't so bad.)

If I'm not around much the next couple weeks, this is what I'm doing.

JTA
Commander
Posts: 3898
Joined: Sat Oct 13, 2012 4:04 pm

Re: Phishing and other fraud

Unread post by JTA »

rstrong wrote:tech support
People get really mad when they can't download the internet.

Fun times when working in IT:

Every once in a while a scammer would send a mass email out to everyone at our organization trying to get our employees to send them their credentials. In response to this, we'd send out an email reminding our employees to NOT RESPOND TO THE BELOW EMAIL and to NEVER EMAIL ANYONE YOUR CREDENTIALS UNDER ANY CIRCUMSTANCES!

Usually immediately after sending out the warning email we would receive at least 15 replies with credentials.
You aren't doing it wrong if no one knows what you are doing.

User avatar
Vrede too
Superstar Cultmaster
Posts: 50656
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Phishing and other fraud

Unread post by Vrede too »

My workplace:
Overview
Security Threat – Ransomware Virus

Impact
Do no open personal email.
Do not open any links or attachments in email from outside of _________.

Status
IT is investigating and taking measures to protect our systems from vulnerability.
All desktop devices and servers will be shut down, patched and rebooted.
Reviewing threat to clinical equipment and course of action to protect that equipment.
There may be intermittent application interruptions while patches are applied.
Ugh.
Always be yourself! Unless you can be a goat, then always be a goat.
-- the interweb, paraphrased
1312. ETTD.

User avatar
rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Phishing and other fraud

Unread post by rstrong »

Adobe continues to make Adobe Reader the preferred tool for ransomware attacks.

Earlier they added the ability to put scripting programs INSIDE a PDF.... encrypted PDFs so your email server or client can't scan them for viruses. We automatically remove all password-protected PDF attachments received by our mail server unless they're from a VERY small white-list of senders.

But a new attack vector involves hiding a malicious macro inside a Word document embedded in a PDF file.
 
You’re sent a spam email with a PDF attachment which looks safe and clear with most antivirus apps. 
But it has an attached document that Acrobat Reader tries to open when you open the PDF.
 
The document gets opened by Microsoft Word, then asks you to enable editing. But it’s actually a social engineering attack trying to get you to enable a VBA macro.
 
When you say yes to enable editing, the VBA macro runs, then downloads and runs the ransomware.  Your hard drive and network drives get encrypted.
 
By hiding the actual attack inside an attached document within another safe-looking document, ransomware attackers can get around most antivirus filters.
 
Presumably this would also work with Excel and PowerPoint documents.

User avatar
Vrede too
Superstar Cultmaster
Posts: 50656
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Phishing and other fraud

Unread post by Vrede too »

Thanks.
Global cyberattack disrupts shipper FedEx, UK health system

A global cyberattack leveraging hacking tools widely believed by researchers to have been developed by the U.S. National Security Agency hit international shipper FedEx, disrupted Britain's health system and infected computers in dozens of other countries on Friday....
Thanks NSA.

My workplace:
Overview
UPDATE: Security Threat – Ransomware Virus

Impact
Due to the current IT incident around the Security Threat - Ransomware, ALL COMPUTERS SHOULD BE LEFT ON AND LEFT AT WORK OVER THE WEEKEND.
Do not open personal email.
Do not open any links or attachments in email from outside of _________.

Status
You will see information about this world-wide event on local and national news and social media.
IT is investigating and taking measures to protect our systems from vulnerability.
All desktop devices and servers will be shut down, patched and rebooted.
Reviewing threat to clinical equipment and course of action to protect that equipment.
There may be intermittent application interruptions while patches are applied.
Then, there are "instructions to update your computer with a protective patch against this virus" immediately. It will be automatically be done system wide starting this evening.
Always be yourself! Unless you can be a goat, then always be a goat.
-- the interweb, paraphrased
1312. ETTD.

User avatar
homerfobe
Ensign
Posts: 1565
Joined: Sun Oct 14, 2012 9:37 am
Location: All over more than anywhere else.

Re: Phishing and other fraud

Unread post by homerfobe »

rstrong wrote:Adobe continues to make Adobe Reader the preferred tool for ransomware attacks.
Adobe Flash Player continues to be problematic as well, and seems to openly vulnerable to virus attachments.
I keep Flash updated, but I regularly see notices that I have to update my flash player to view this video. By heeding the notice, you open yourself to a virus or some other form of useless horseshit.
Proudly Telling It Like It Is: In Your Face! Whether You Like It Or Not!

User avatar
Vrede too
Superstar Cultmaster
Posts: 50656
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Phishing and other fraud

Unread post by Vrede too »

rstrong or whoever, If I'm not running Windows OS can this ransomware hurt me? TV made it sound like that is the only vulnerability.
Always be yourself! Unless you can be a goat, then always be a goat.
-- the interweb, paraphrased
1312. ETTD.

User avatar
rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Phishing and other fraud

Unread post by rstrong »

homerfobe wrote:
rstrong wrote:Adobe continues to make Adobe Reader the preferred tool for ransomware attacks.
Adobe Flash Player continues to be problematic as well, and seems to openly vulnerable to virus attachments.
I keep Flash updated, but I regularly see notices that I have to update my flash player to view this video. By heeding the notice, you open yourself to a virus or some other form of useless horseshit.
Yup. Flash is essentially dead, living on as a crawling abomination from the darkest pits of hell. It should be removed from any computer.

If absolutely needed, Edge and Internet Explorer both let you switch it off when not needed. But you need to remember to do so.

User avatar
rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Phishing and other fraud

Unread post by rstrong »

Vrede too wrote:rstrong or whoever, If I'm not running Windows OS can this ransomware hurt me? TV made it sound like that is the only vulnerability.
I've yet to see a good description of how it works. Just that a Word document downloads a program - but no word on whether its a Windows-specific executable or a cross-platform scripting language. But there are viruses for Macs and Linux, so if this one doesn't the next one might.

There are encryption libraries for JavaScript. And as JavaScript becomes more common - and things like PDF files add the ability for JavaScript programming - running outside your browser's sandbox - we're entering the age of truly cross-platform viruses.

User avatar
bannination
Captain
Posts: 5502
Joined: Sun Sep 16, 2012 7:58 am
Location: Hendersonville
Contact:

Re: Phishing and other fraud

Unread post by bannination »

Vrede too wrote:rstrong or whoever, If I'm not running Windows OS can this ransomware hurt me? TV made it sound like that is the only vulnerability.
It spreads by using a Microsoft SMB protocol v1. You're safe as far as it just automatically being able to infect your computer.

User avatar
Vrede too
Superstar Cultmaster
Posts: 50656
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Phishing and other fraud

Unread post by Vrede too »

Cool, I won't freak out over attachments from trusted sources. I suspect my IP has updated by now anyhow, though they haven't told me.
Always be yourself! Unless you can be a goat, then always be a goat.
-- the interweb, paraphrased
1312. ETTD.

User avatar
Vrede too
Superstar Cultmaster
Posts: 50656
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Phishing and other fraud

Unread post by Vrede too »

The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack

... Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them....


-- Microsoft’s president and chief legal officer Brad Smith
Always be yourself! Unless you can be a goat, then always be a goat.
-- the interweb, paraphrased
1312. ETTD.

Post Reply