Monday, March 30, 2015

Tech Support "pop-ups"

There is a new trap on the Internet that seems to be growing in popularity in the form of a Tech Support pop-up Window.  The first of these I saw was last Tuesday, March 24, 2015.

Norton Scam


While reviewing some pharmaceutical spam web pages, we were suddenly forwarded to the page:

alert.norton.com.pctechhelpforyou.com/index-15mac.html

Immediately after this page rendered, a pop-up window was displayed over and over, insisting that we call the telephone number 1-888-884-7058 and ringing a bell each time the window appeared.  The pop-up is so insistent that it is very difficult to get past it to close the browser.

Despite the fact that this pop-up is warning me about my APPLE COMPUTER, the original trigger that we encountered was in a Windows 7 Virtual Machine.

Looking at the source code for the page, we see that we are dealing with JavaScript that uses several tricks, including a "right-click disable" and the annoying assignment "window.onbeforeunload = PopIt", which re-displays the pop-up whenever the user tries to leave the page.  Handlers such as "document.onmouseup" and "document.captureEvents(event.MOUSEDOWN)" help the script keep control of the window, making it nearly impossible to close the browser; the window also positions itself in the center of the screen, obscuring other opportunities to deal with the warning.
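As an added defender-side example (not code from the original post or from the scam page), the following Node.js heuristic flags page source that carries the browser-locking tricks named above and extracts any toll-free "call us" number. The indicator names, scoring and the sample page are constructed for illustration.

```javascript
// Each indicator is one of the tricks the post describes; names are our own.
const LOCKER_INDICATORS = [
  // Re-raises the pop-up whenever the user tries to leave or close the page
  { id: "onbeforeunload-hook", re: /window\.onbeforeunload\s*=/i },
  // Right-click disabled so context menus (View Source, etc.) are hidden
  { id: "right-click-disabled", re: /oncontextmenu\s*=\s*["']?\s*return\s+false|document\.oncontextmenu\s*=/i },
  // Mouse events captured to keep control of the window
  { id: "mouse-capture", re: /document\.captureEvents\s*\(|document\.onmouse(?:up|down)\s*=/i },
  // Modal alert() used as the fake "warning"
  { id: "alert-dialog", re: /\balert\s*\(/ },
  // Window repositioned to the screen centre, covering other UI
  { id: "window-centering", re: /window\.moveTo\s*\(|screen\.(?:width|height)\s*[-\/]/ },
];

// North American toll-free numbers in the common written forms (1-888-884-7058, 800 680 4131, ...)
const TOLL_FREE_RE = /\b1?[-. ]?\(?(8(?:00|33|44|55|66|77|88))\)?[-. ]?(\d{3})[-. ]?(\d{4})\b/g;

function extractTollFreeNumbers(source) {
  const seen = new Set();
  for (const m of source.matchAll(TOLL_FREE_RE)) seen.add(`${m[1]}-${m[2]}-${m[3]}`);
  return [...seen];
}

function assessPage(source) {
  const indicators = LOCKER_INDICATORS.filter(({ re }) => re.test(source)).map(({ id }) => id);
  const phoneNumbers = extractTollFreeNumbers(source);
  // One point per locker trick, two for a toll-free number: the number is what
  // turns a nuisance page into a billable scam.
  const score = indicators.length + (phoneNumbers.length > 0 ? 2 : 0);
  let verdict = "no locker indicators";
  if (score >= 3) verdict = "likely tech-support scam page";
  else if (score > 0) verdict = "suspicious: review manually";
  return { indicators, phoneNumbers, score, verdict };
}

// Constructed sample mirroring the tricks named in the post (not the live page).
const SAMPLE_SOURCE = `<html><body oncontextmenu="return false">
<script>
function PopIt() { alert("Your Apple computer is infected! Call 1-888-884-7058"); return false; }
window.onbeforeunload = PopIt;
document.captureEvents(event.MOUSEDOWN);
document.onmouseup = PopIt;
window.moveTo((screen.width - 600) / 2, (screen.height - 400) / 2);
</script></body></html>`;

console.log(JSON.stringify(assessPage(SAMPLE_SOURCE), null, 2));
```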

iPad / Mac Pop-ups


This weekend, I found myself looking at a very similar variant, this time on an iPad, where it was even more difficult to get rid of the pop-up!

Because of the lack of mouse or keyboard on the iPad, this version of the browser pop-up was especially hard to deal with.  The pop-up prevented me from being able to exit Safari!  In the end, it was necessary to power off the iPad, power back on, and then use the "Settings" tab to clear my history and settings.  By default an iPad Safari browser returns you to the most recently visited page, which unfortunately was this pop-up!

As I explored this version, I found that the current domain was hosted on the IP address 198.143.166.36.  This same IP address was also hosting a great number of other suspicious domain names, which began to show up on March 9, 2015, according to the Passive DNS service from Internet Identity.  Checking several of these domains on the Apple forums indicates that victims are charged between $150 and $399 to clean up an imaginary malware attack.

  • mac-issue-online.com -- https://discussions.apple.com/thread/6684596 (800 680 4131)
  • apple-alert-online.com -- https://discussions.apple.com/thread/6850245
  • safarisecurityissue.com -- https://discussions.apple.com/thread/6516787
  • mac-security-alerts.com -- https://discussions.apple.com/thread/6897787
  • online-window-security.com -- (Windows - see below)
  • window-system-error.com -- suspended (why only this one??)
  • mac-pc-alerts.com
  • safarisystemalert.com
  • online-system-alerts.com
  • safarialerts.com
  • window-security-issues.com
  • instantcomputerfix.com -- https://discussions.apple.com/thread/6669786
  • techcarelive.com -- https://discussions.apple.com/thread/6527487
  • safarisystemissue.com
  • online-warning-support.com
  • quickbo0ks.com
  • iexpertstech.com
  • ixperts.net
  • joinremote.me
  • i-xperts.us
The last several of the domains in that list appear to belong to a company that does support for Intuit QuickBooks; however, "JoinRemote.me" is a remote control tool.  When the telephone number is called, the tech support person walks the customer through entering a tech support code by visiting "JoinRemote.me":
When that is done, the customer service technician is given remote control access to the computer to "clean it up."

A friend from MalwareBytes has documented similar scammy behavior where a tax-season Intuit helper website ends up charging for a malware removal.  See Jerome's blog here:  https://blog.malwarebytes.org/fraud-scam/2014/03/the-tax-season-tech-support-scam/


By reviewing the Apple Discussion boards, we also saw evidence that several other people were struggling with these pop-up messages:

Continuing to explore the Apple discussion forums, we found evidence that this was also discussed back on September 2, 2014, in this post by Carlton Chin:

The September file had a different domain name, and a different telephone number, but could it be shown to be the same scammers?  Was applesecurityalert.com on 1-866-782-9808 related to safarisystemissue.com on 1-800-632-9078?

Back to Passive DNS to try to find out.

According to the Internet Identity Passive DNS system, AppleSecurityAlert.com was hosted on the IP address 50.87.153.101 beginning on August 8, 2014.

That IP address ALSO hosted i-xperts.us, ixperts.net, joinremote.me, and quickbo0ks.com, all of which were also found on both the August/September IP (50.87.153.101) and the March 2015 IP (198.143.166.36).
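The passive-DNS pivot described above, as an added Node.js example (not code from the original post or from the Internet Identity service). The record set is constructed from the domains and IP addresses the post names; the first-seen dates carry the two dates the post gives, and the other records are illustrative.

```javascript
// Constructed passive-DNS records: domain, the IP it resolved to, first observation.
const PDNS_RECORDS = [
  { domain: "applesecurityalert.com", ip: "50.87.153.101", firstSeen: "2014-08-08" },
  { domain: "i-xperts.us", ip: "50.87.153.101", firstSeen: "2014-08-08" },
  { domain: "ixperts.net", ip: "50.87.153.101", firstSeen: "2014-08-08" },
  { domain: "joinremote.me", ip: "50.87.153.101", firstSeen: "2014-08-08" },
  { domain: "quickbo0ks.com", ip: "50.87.153.101", firstSeen: "2014-08-08" },
  { domain: "safarisystemissue.com", ip: "198.143.166.36", firstSeen: "2015-03-09" },
  { domain: "mac-issue-online.com", ip: "198.143.166.36", firstSeen: "2015-03-09" },
  { domain: "online-window-security.com", ip: "198.143.166.36", firstSeen: "2015-03-09" },
  { domain: "i-xperts.us", ip: "198.143.166.36", firstSeen: "2015-03-09" },
  { domain: "ixperts.net", ip: "198.143.166.36", firstSeen: "2015-03-09" },
  { domain: "joinremote.me", ip: "198.143.166.36", firstSeen: "2015-03-09" },
  { domain: "quickbo0ks.com", ip: "198.143.166.36", firstSeen: "2015-03-09" },
  { domain: "unrelated-example.test", ip: "203.0.113.7", firstSeen: "2015-01-01" }, // control record
];

// Index domains by IP so one lookup answers "what else lives on this address?"
function indexByIp(records) {
  const byIp = new Map();
  for (const { domain, ip } of records) {
    if (!byIp.has(ip)) byIp.set(ip, new Set());
    byIp.get(ip).add(domain);
  }
  return byIp;
}

// Starting from one scam domain, collect every other domain that shared any of its IPs.
function coHostedWith(records, seedDomain) {
  const byIp = indexByIp(records);
  const ips = records.filter((r) => r.domain === seedDomain).map((r) => r.ip);
  const neighbours = new Set();
  for (const ip of ips) for (const d of byIp.get(ip)) if (d !== seedDomain) neighbours.add(d);
  return [...neighbours].sort();
}

// Tie two hosting episodes together: domains seen on BOTH IPs bridge the campaigns,
// and their first-seen dates show which episode came first.
function linkInfrastructure(records, ipA, ipB) {
  const firstSeen = (domain, ip) =>
    records.filter((r) => r.domain === domain && r.ip === ip).map((r) => r.firstSeen).sort()[0];
  const byIp = indexByIp(records);
  const a = byIp.get(ipA) || new Set();
  const b = byIp.get(ipB) || new Set();
  const shared = [...a].filter((d) => b.has(d)).sort()
    .map((domain) => ({ domain, firstSeenA: firstSeen(domain, ipA), firstSeenB: firstSeen(domain, ipB) }));
  return { shared, linked: shared.length > 0 };
}

console.log(linkInfrastructure(PDNS_RECORDS, "50.87.153.101", "198.143.166.36"));
```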

Several of the attack sites that share these IP addresses are Microsoft imitators rather than Apple.  One example is "online-window-security.com" pictured below:

Imitating Microsoft Security Essentials

Bottom line - anyone seeing one of these pop-ups suggesting that a telephone number be called for support is DEFINITELY dealing with a scammer and should terminate the session immediately.

Tuesday, February 24, 2015

Connected World Conference 2015

This week I've been attending the Connected World Conference 2015, hosted here in Birmingham, Alabama.  Connected World's editor-in-chief, Peggy Smedley, hosts a weekly radio program that focuses on the Internet of Things (IoT), which that industry called M2M for many years before the IoT tag came along.   Peggy's website has a great tutorial on Machine To Machine networking technologies and the many ways in which they communicate, but I think nothing really brought the point home to me until I attended the Connected World Awards dinner last night.

If you are thinking about Cyber Security and the Internet of Things, here are quite a few interesting applications I learned about at the dinner last night.  The full range of Connected World Award winners is listed here, but these were a few that really caught my attention.

AT&T Drive Studio (Atlanta, Georgia) - The AT&T Drive Studio™ is the first connected car innovation center in the U.S. to be opened by a wireless carrier. And AT&T is inviting the world's most innovative companies and developers to come create the future of connected cars.

ApartmentGuardian, powered by RacoWireless, won the Gold award in the PERS category.  Property managers can use the technology in many ways, from protecting their Lone Workers with a personal safety button (reminiscent of the "I've Fallen and I Can't Get Up!" button that you might buy for your grandmother) to a system for identifying guests to the property in a combined ID card and biometrics solution for visitors, and innovative Security Panels.  It also uses low-power radio technology as a backup to "wall power", keeping your building security and alarm systems online and active during power failures.

Two companies won awards in the Lighting/Manufacturing category.  In both cases the recipients, Atlantic States and Clow Water Systems, achieved remarkable savings in both energy and money by putting in intelligent lighting systems.  Synapse Wireless allows the light fixtures in both organizations to be controlled remotely by connecting all of the lights in a "Mesh" system - a cloud of lighting services that are in constant communication with one another.

SNAP LightSense from Synapse Wireless

Mesh Systems was the IoT-enabler for BUNN who received an award in the Remote Equipment Management category.   You have heard of the IoT refrigerator, but BUNN has created the IoT Coffee pot!

One of the most interesting M2M applications was SOLARKIOSK, which is using Gemalto's Cinterion modules to deliver remote connectivity and a web interface for monitoring power production to a mobile unit about the size of a food truck that can be deployed in remote areas, including extremely rural Africa, to provide power and cellular connectivity to areas that lack reliable power.  The first such unit was featured in this story "First SolarKiosk opened in Ethiopia."  The creator, Lars Krückeberg, was featured in a TED talk about the technology as well.

The IoT enables some interesting Fleet Management capabilities as well.  CalAmp and the City of Dayton received an award for their system for monitoring and protecting their fleet of 210 snow removal vehicles.  The system, called GovOutlook, turns itself on when a key is inserted into a vehicle, and requires a City of Dayton employee ID badge to be scanned to prevent lockdown and alarming.  The system also provides safety for the drivers, who are out on the roads, often in the middle of the night, plowing the 1800 lane miles of snow-covered roads in the city of Dayton.


The focus of the Connected World Conference this year has been on Cyber Security.  Speakers including myself and John Grimes from UAB, JD Sherry from Trend Micro, Seth Danberry from Grid32, Jonathan Ratner from Sixgill, Brian Zaugg from Authentic8 and others joined to share our thoughts on Cyber Security with those who have come from the Internet of Things / Machine 2 Machine world.  I was glad I participated and learned much more about the IoT world!

Thanks, Peggy!

To learn more about the IoT, please do check out Connected World Magazine and check in with the Peggy Smedley Radio show.

Friday, February 06, 2015

DIA Cyber Warrior delivers first Worldwide Threat Assessment

Vincent R. Stewart, Lieutenant General, U.S. Marine Corps, was promoted into the position of Director of the Defense Intelligence Agency. While our friend and colleague Lt. General Ronald Burgess (ret.), now at Auburn University here in Alabama, certainly understood and respected the importance of the cyber domain, General Stewart represents the first time we have a true cyber warrior at the helm of the DIA.  Immediately prior to his appointment as Director of the DIA, General Stewart served as the commander of the Marine Forces Cyber Command (described at the end of this blog post).  General Stewart was director of Marine Intelligence from 2009 to 2013, rising through the ranks in a long and distinguished career that began humbly in Jamaica and includes many decorations for valor and leadership.


Worldwide Threat Assessment - Cyber

On February 3, 2015, Lt. General Stewart delivered his first Worldwide Threat Assessment to the Senate Armed Services Committee. (Transcript here). So what did our new DIA Cyber Warrior leader have to say about Cyber threats?

The briefing began, appropriately, with a status of Iraq and Afghanistan, focusing on terrorist threats from ISIL, al-Qa'ida, and the Taliban. After that he touched on certain other "violent extremist organizations" and concluded with a region-by-region and global threat summary.

In his discussion of ISIL, al-Qa'ida, and the Taliban, no technology or internet discussion was featured. Expanding beyond Iraq, AQAP (Al-Qa'ida in the Arabian Peninsula) was said to be focused on commercial aviation targeted with innovative explosions. AQIM (Al-Qa'ida in the Lands of the Islamic Maghreb) is mostly focused on kidnapping and attacks against allies. The Al-Nusrah Front and the Khorasan group were said to be focused on providing personnel and training in Syria, but with an interest in targeting western interests. IRGC-QF (Islamic Revolutionary Guard Corps-Quds Force) and Lebanese Hizballah were described as "instruments of Iran's foreign policy and its ability to project power in Iraq, Syria, and beyond." Boko Haram was described as having the potential to expand beyond Nigeria to become a "significant regional crisis."

Cyber Operations

The first mention of cyber comes with regard to Russia, noting that Russian actions against Kyiv included "the use of propaganda and information operations, cyberspace operations, covert agents, ..." While the other regional assessments did not include cyber individually, cyber was brought up in the concluding portion of the remarks in the section labeled "Global Threats."

General Stewart's points on the lack of consensus about the status of cyber attacks were especially telling. The "big bullets" from the cyber portion of the talk seem to be:

  • aggressive attacks against DoD and allied defense networks
  • increased cyber-espionage against DoD and Defense Contractor networks
  • concerns about supply chain vulnerabilities
  • increased use of cyber operations in regional conflicts
  • a lack of international "norms of behavior" in cyberspace
  • freedom of action, especially by Iran and North Korea, to conduct peacetime cyber offensive attacks on western interests without fear of reprisal
  • the use of the Internet by non-state actors for Communication, Propaganda, Fundraising, and Recruitment
Below I quote the General's remarks on cyber in full:
The global cyber threat environment presents numerous persistent challenges to the security and integrity of DoD networks and information. Threat actors now demonstrate an increased ability and willingness to conduct aggressive cyberspace operations -- including both service disruptions and espionage -- against U.S. and allied defense information networks. Similarly, we note with increasing concern recent destructive cyber actions against U.S. private-sector networks demonstrating capabilities that could hold U.S. government and defense networks at risk. For 2015, we expect espionage against U.S. government defense and defense contractor networks to continue largely unabated, while destructive network attack capabilities continue to develop and proliferate worldwide. We are also concerned about the threat to the integrity of the U.S. defense procurement networks posed by supply chain vulnerabilities from counterfeit and sub-quality components.
Threat actors increasingly are willing to incorporate cyber options into regional and global power projection capabilities. The absence of universally accepted and enforceable norms of behavior in cyberspace contributes to this situation. In response, states worldwide are forming "cyber command" organizations and developing national capabilities. Similarly, cyberspace operations are playing increasingly important roles in regional conflicts -- for example, in eastern Ukraine -- where online network disruptions, espionage, disinformation and propaganda activities are now integral to the conflict.
Iran and North Korea now consider disruptive and destructive cyberspace operations a valid instrument of statecraft, including during what the U.S. considers peacetime. These states likely view cyberspace operations as an effective means of imposing costs on their adversaries while limiting the likelihood of damaging reprisals.
Non-state actors often express the desire to conduct malicious cyber attacks, but likely lack the capability to conduct high-level cyber operations. However, non-state actors, such as Hizballah, AQAP, and ISIL will continue during the next year to effectively use the Internet for communication, propaganda, fundraising and recruitment.


MARFORCYBER background

In January, General Stewart passed control of the U.S. Marine Corps Forces Cyber Command (MARFORCYBER) to Major General Daniel J. O'Donohue.


(A somewhat dated biography of General O'Donohue is available from the Armed Services Committee.)

The command, established in October 2009, was complemented by the Navy's U.S. Tenth Fleet Cyber Command. According to the Marine Corps' "Concepts and Programs" document, the mission of MARFORCYBER is to "plan, coordinate, integrate, synchronize, and direct full spectrum Marine Corps cyberspace operations. This includes Department of Defense (DoD) Global Information Grid (GIG) operations, defensive cyber operations, and when directed, planning and executing offensive cyberspace operations. These operations support the Marine Air Ground Task Force (MAGTF), joint, and combined cyberspace requirements that enable freedom of action across all warfighting domains and deny the same to adversarial forces."

MARFORCYBER has two sub-units: the Marine Corps Network Operations and Security Center (MCNOSC), which defends the Marines' own network, and Company L, Marine Cryptologic Support Battalion (MCSB), which plans and executes offensive cyberspace operations.
(www.marines.mil/Portals/59/Publications/U.S. Marine Corps Concepts and Programs 2013_1.pdf, PDF page 42)