Ransomware crooks launch customer service website

Now here’s a first — crooks who realize the importance of customer service.

It’s the latest twist in the global CryptoLocker ransomware attack. This diabolically nasty malware locks up all of the victim’s personal files — and in some cases, backup files, too — with state-of-the-art encryption. The bad guys have the only decryption key and they demand $300 or two Bitcoins to get it.

“It’s been a disaster for many of the people hit with it,” said Lawrence Abrams, who has been tracking the spread of this infection on BleepingComputer.com.

Within the past few days, the criminal gang behind CryptoLocker created a site for victims who need help making their required extortion payments.

“These guys have some big cojones,” said security expert Brian Krebs, who writes the blog KrebsOnSecurity.

The CryptoLocker Decryption Service allows victims to check the status of their “order” (the ransom payment) and complete the transaction. I am not making this up!

Those who paid the ransom (with either Green Dot cards or Bitcoins), but did not get the decryption key — or got one that didn’t work — can download it again.

Those who missed the 72-hour deadline can also get their key, but the price jumps from two Bitcoins to 10. At today’s market value, that’s nearly $4,000. And Green Dot is not accepted with this extended-deadline service.

Why are the CryptoLocker crooks doing this?


Posted in: Fraud & Scams, Microsoft/Windows, Security, Vulnerabilities by Zac

NCA ALERT – Mass ransomware spamming event targeting UK computer users

The NCA’s National Cyber Crime Unit are aware of a mass email spamming event that is ongoing, where people are receiving emails that appear to be from banks and other financial institutions.

The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular. This spamming event is assessed as a significant risk.

The emails carry an attachment that appears to be correspondence linked to the email message (for example, a voicemail, fax, details of a suspicious transaction or invoices for payment). This file is in fact malware that can install Cryptolocker, which is a piece of ransomware.

Cryptolocker works by encrypting the user’s files on the infected machine and the local network it is attached to.

Once encrypted, the computer will display a splash screen with a countdown timer and a demand for the payment of 2 Bitcoins in ransom (approx. £536 as at 15/11/2013) for the decryption key.

The NCA would never endorse the payment of a ransom to criminals and there is no guarantee that they would honour the payments in any event.

Lee Miles, Deputy Head of the NCCU says “The NCA are actively pursuing organised crime groups committing this type of crime. We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public.”

An NCCU investigation is ongoing to identify the source of the email addresses used. Anyone who is infected with this malware should report it via Action Fraud.

Sound advice can be found at GetSafeOnline.

Advice: This is a case where prevention is better than cure.

  • The public should be aware not to click on any such attachment.
  • Antivirus software should be updated, as should operating systems.
  • User created files should be backed up routinely and preserved off the network.
  • Where a computer becomes infected it should be disconnected from the network, and professional assistance should be sought to clean the computer.
  • Various antivirus companies offer remedial software solutions (though they will not restore encrypted files).

The original post from the NCA and any relevant updates can be found here.

Posted in: Education & Training, Fraud & Scams, Law Enforcement, Microsoft/Windows, Security, Vulnerabilities by Zac

A-Doh!-Be hit by ‘sophisticated’ Cyber Attack

Adobe’s systems have been hit by numerous “sophisticated attacks” that have compromised the information of 2.9 million customers, and accessed the source code of Adobe products.

The company said on Thursday that it has been the victim of a major cyberattack and said hackers had accessed those millions of customer IDs and encrypted passwords.

“We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,” the company said.

It does not believe decrypted credit or debit card numbers were accessed.


A ‘must read’ – The Mandiant APT report

If you haven’t already read it, your homework for this week is the Mandiant APT1 Report. Don’t read someone else’s interpretation until you’ve read the report yourself, in full. Don’t read the analysis of others and consider it good. Read the entire report yourself, read and watch the appendices and draw your own conclusions, then read what other people have to say. READ IT!




RFC – Digital Forensics within IaaS Environments

Request for comments – I would be interested in knowing your thoughts and opinions on the topic of “Digital Forensics within Infrastructure-as-a-Service (IaaS) Environments”.

For my sins I have chosen this as the subject for my dissertation, and although I could happily write thousands upon thousands of words (plenty of practice writing forensic reports…) of my own opinion, citing quotes from the many articles, journals and papers I am reading, I would like to offer some enrichment to the reader (my poor lecturer) and provide some knowledgeable and experienced primary and secondary sources from those who have gone beyond the textbook.

So I would be very grateful if anyone who has thoughts (ideally experience) on this subject would get in touch. I will of course cite all contributions to the individual(s) and/or organisations (an opportunity for free publicity); likewise, should you or your organisation wish to remain anonymous, this too can be arranged.

I’d be happy to arrange a face-to-face interview or (what is likely to be easier for everyone) for you to contact me via email at info@forhacsec.com, and we can hopefully engage in conversation on the subject.

Current trains of thought on the subject include –


Female hackers need apply

Even when I was starting to study my degree in Digital Forensics and IT Security just some 4 years ago, there appeared to be very little interest from women in the subject of IT as a whole, let alone Digital Forensics and Ethical Hacking.

Some three women appeared in the lecture hall on the first day of the course in September, all of whom had left by that Christmas, as had around 25% of the male students.

This was due to various reasons, including ability, expectations of the course and motivation, as well as a couple realising that they weren’t going to be learning how to ‘hack’ bank accounts and chip-and-PIN machines in the first week! If ever!

As an industry we need to be welcoming talent and expertise from all areas. Getting down to the basic differences between male and female, gender diversity can offer so much more to a subject and an industry, not forgetting of course the experience, background, abilities and cultural enrichment both genders can offer.

So for me, and as an industry, it’s nice to see the University of Abertay welcoming and encouraging female students into the subjects of IT Security.



BCC’d or not BCC’d – Wordfence

I received the below email with nice friendly information and updates regarding Wordfence, a very popular (and to some familiar) security-oriented plug-in for WordPress. However, this email had a nasty bite to it, in the form of having been sent to a mailing list of 5000+ recipients without using the ‘BCC’ field. There really isn’t enough spam in the world already!

From: <NAME REMOVED> <?????@wordfence.com>
Date: 13 December 2012 11:24
Subject: Wordfence mailing list

Hi All,

Just a quick note that I’ve created a Wordfence mailing list which I’ll use to let our members know about WordPress security alerts, product updates, announcements re the coming licensing change and our affiliate program which should be ready soon.


I’m using Aweber to manage the list, so if you see that domain name on the confirm page, don’t think you’ve been taken somewhere you shouldn’t be.

I already sent an email inviting my personal contacts a few days ago and I’ve done my best to filter out those folks and existing members, but I do apologize if you have already received this or shouldn’t have received this. I’ve created the list so I can avoid sending out these “All Contacts” emails in future – so this will be the last one from my personal inbox.

I hope Wordfence is keeping your sites secure and you’re having a great week.

Kind regards,

Wordfence creator and Feedjit Inc. CEO.

This was very promptly followed 9 minutes later by –


Oracle releases out of the blue out of cycle fixes for Java

Out of nowhere Oracle has released an emergency update to address the zero-day vulnerabilities being exploited by many different criminal groups.

Surprisingly they included some previously unknown vulnerabilities that we can only assume may also have been in use in the wild.

The good news is that customers who require Java in their environments can now deploy an official fix and proceed with less risk; the bad news is that one of the fixes they shipped affects Java 6, so everyone needs to patch, not just those who were running Java 7.

Oracle officially fixed four CVEs, presumably covering five vulnerabilities. It appears that CVE-2012-4681 was actually two vulnerabilities, so it is difficult to tell for sure whether they patched four or five flaws.

The first three only affect Java 7 and all have a CVSS score of 10, meaning they are remotely exploitable and result in code execution. That’s as bad as it gets folks.

The fourth affects both Java 6 and Java 7, but in and of itself does not result in code execution. Oracle have not stated precisely what kind of flaw it is, but based on its description it sounds like a privilege escalation vulnerability.


Double Trouble: Critical Java zero-day exploits TWO bugs

A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April.

Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in circulation first uses one vulnerability to gain access to the restricted sun.awt.SunToolkit class, before a second bug is used to disable the SecurityManager and ultimately break out of the Java sandbox.

“The beauty of this bug class is that it provides 100 per cent reliability and is multi-platform,” Esteban Guillardoy, a researcher at Argentina-based security outfit Immunity explains in a technically detailed blog post here. “Hence this will shortly become the penetration test Swiss knife for the next couple of years.”

The vulnerabilities behind the so-called Gondvv exploit were introduced in Java 7.0, released in July 2011. All versions of Java 7 are vulnerable, but older Java 6 versions appear to be immune. This means that Mac OS X users who follow best practice and apply the latest versions of software applications are more at risk of attack.


Oracle knew about critical Java flaws since April 2012

The critical Java vulnerabilities that have security experts cautioning users to disable Java in their browsers are not new discoveries, a security firm claims. On the contrary, Oracle has known about them for months, and it has probably had a patch ready since before an exploit was discovered in the wild.

Security Explorations, a startup based in Poland, says it disclosed details of a total of 31 Java security issues to Oracle in April of this year, including the ones currently under attack. Of that list, only two issues were fixed in the last Java Critical Patch Update (CPU), which was issued on June 12.

“We … expected that the most serious of them would be fixed by June 2012 Java CPU,” Security Explorations CEO and founder Adam Gowdiak stated, “But it didn’t happen and Oracle left many issues unpatched with plans to address them in the next Java CPUs.”

Ordinarily, Oracle only issues CPUs three times a year, which means the next one isn’t due to arrive until October 16.