Attackers Embed Malware In Microsoft Office Documents To Bypass Browser Security

Chris Myers is a field service technician for Tech Experts.

Cyber attacks continue to increase at a rapid rate. In 2016, there were 6,447 software security vulnerabilities found or reported to authorities. In 2017, that number rose to 14,714, more than double the previous year. Halfway through 2018, we are at 8,177 with no signs of slowing.

One of the biggest avenues of attacks is Adobe Flash Player, which has been a leading source of vulnerabilities for over 20 years.

Modern browsers have been phasing out Adobe Flash over the past 5 years. In December 2016, Google Chrome completely disabled Flash Player by default.

Mozilla Firefox started to block the most vulnerable parts of Flash Player by default in 2016 and 2017.

The latest Flash Player vulnerability, designated CVE-2018-5002 by Adobe, was used in an attack that circumvents those browser changes by hiding the Flash content inside a Microsoft Excel file, which is then distributed by targeted emails disguised as legitimate bulletins from hiring websites.

To hide this from anti-virus software, the attackers went a step further: the malicious code is not included directly in the Excel file. Instead, the file embeds only a small snippet that tells it to load a Flash module from somewhere else on the Internet. Because of this, the file appears to anti-virus applications to be a normal Excel document with Flash controls.
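The technique just described leaves two things a defender can look for inside the workbook: an embedded ActiveX/OLE control part, and a reference to a Flash (.swf) module hosted elsewhere. The following scanner is an added example, not code from the original article or from any vendor; it treats an .xlsx file as the zip container it is, lists the control parts, and looks for the Shockwave Flash control CLSID and for remote .swf URLs. The sample workbook it scans is constructed in memory (a stand-in ActiveX part, not a real captured file), and the host name `example.invalid` is a placeholder.

```python
import io
import re
import zipfile
from typing import List

# CLSID of the Shockwave Flash ActiveX control ("Shockwave Flash Object").
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.IGNORECASE)


def build_sample_workbook(with_remote_flash: bool) -> bytes:
    """Constructed sample: a minimal .xlsx-style archive, optionally carrying
    an ActiveX part whose 'Movie' property points at a remote .swf file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_remote_flash:
            # Stand-in for the control's XML part (the real one is accompanied
            # by a binary .bin part); only the strings a scanner keys on matter here.
            z.writestr(
                "xl/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}">'
                '<ax:ocxPr ax:name="Movie" '
                'ax:value="http://example.invalid/payload.swf"/></ax:ocx>',
            )
    return buf.getvalue()


def scan_workbook(data: bytes) -> List[str]:
    """Return human-readable findings for an Office Open XML workbook."""
    findings: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .xls files are OLE2, not zip; they need a different parser.
        return ["not an OOXML (zip) container; inspect separately"]
    with archive:
        for name in archive.namelist():
            lower = name.lower()
            # Any control or embedded object part is worth a second look.
            if lower.startswith("xl/activex/") or lower.startswith("xl/embeddings/"):
                findings.append(f"embedded control/object part: {name}")
            content = archive.read(name)
            if FLASH_CLSID.encode().lower() in content.lower():
                findings.append(f"Shockwave Flash CLSID referenced in {name}")
            for match in URL_RE.findall(content):
                url = match.decode("ascii", "replace")
                if url.lower().endswith(".swf"):
                    findings.append(f"remote Flash module URL in {name}: {url}")
    return findings


if __name__ == "__main__":
    for label, flag in (("clean workbook", False), ("workbook with remote Flash", True)):
        print(label, "->", scan_workbook(build_sample_workbook(flag)) or "no findings")
```

A hit on any of these checks is a reason to quarantine the attachment for analysis rather than open it; a clean result is not proof of safety, since the scanner only inspects strings it knows to look for.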

CVE-2018-5002 is what’s known as a Zero Day vulnerability, which means it was used by attackers before it was discovered and patched.

This particular vulnerability appears to have been used in the Middle East already.

In one instance, businesses in Qatar received an email that mimicked “bayt.com,” a Middle Eastern job search website. The attackers sent the email from “dohabayt.com.”

With Doha being the capital of Qatar, it was easy to assume that dohabayt was simply an extension of the main website.

However, a true branch of bayt.com, known as a subdomain, would be separated by a period like so: doha.bayt.com. Once the target was tricked into opening the email, they were directed to download and open the attached Microsoft Excel file named “Salaries.”

This was a normal-looking table of average Middle Eastern job salaries, but in the background, the attack was already going to work.

How To Avoid Being Infected
The fake email scenario described above is known as phishing. Phishing is the attempt to disguise something as legitimate in order to obtain a victim’s sensitive information or compromise their computer.

The word phishing is a homophone of fishing, coined for the similarity of using bait in an attempt to catch a victim.

The attack described above was a type of phishing known as spear phishing, where the attacker tailored their methods specifically to the intended victim.

They disguised the email as a local site used for job or employee hiring, and the file as a desirable database of salary information.

Phishing emails are most easily identified by checking the sender’s email address. Look at the unbroken text just before the “.com”.

If this is not a website known to you or if it contains gibberish such as a random string of numbers and letters, then the email is almost always fake.
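The two checks the article describes, the subdomain-versus-lookalike distinction between doha.bayt.com and dohabayt.com and the rule of looking at the registered name just before the “.com”, can be written down as one small classifier. This is an added example, not code from the original article: it parses the From: address, reduces the host name to its registrable domain, and reports whether that domain is trusted, a lookalike of a trusted name, random-looking, or simply unknown. The trusted list and the sample addresses are constructed, and the two-label suffix handling is a deliberate simplification of the Public Suffix List.

```python
from email.utils import parseaddr
from typing import Tuple

# Constructed: domains this organisation has decided to trust.
KNOWN_GOOD = {"bayt.com", "mytechexperts.com"}

# Simplified public-suffix handling (assumption): plain TLDs plus a few
# two-label suffixes. A real deployment should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """The part of a host name somebody actually had to register:
    doha.bayt.com -> bayt.com, but dohabayt.com -> dohabayt.com."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_random(label: str) -> bool:
    """The article's 'gibberish' test: long labels with digits mixed into letters."""
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 8 and digits >= 3


def assess_sender(from_header: str) -> Tuple[str, str]:
    """Classify a From: header value. The display name is ignored on purpose:
    only the address after the '@' counts, as the article advises."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parsable address"
    host = addr.rsplit("@", 1)[1]
    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return "trusted", f"{host} is {reg} or one of its subdomains"
    brand_label = reg.split(".")[0]
    for good in sorted(KNOWN_GOOD):
        brand = good.split(".")[0]
        # A trusted brand name glued into a different registered name.
        if brand in brand_label:
            return "lookalike", f"{reg} contains '{brand}' but is not {good}"
    if looks_random(brand_label):
        return "suspicious", f"{reg} looks machine-generated"
    return "unknown", f"{reg} is not in the trusted list"


if __name__ == "__main__":
    samples = [
        "Bayt Careers <jobs@doha.bayt.com>",
        "Bayt Careers <jobs@dohabayt.com>",
        "noreply@x7k2q9ab.com",
        "alice@example.org",
    ]
    for header in samples:
        verdict, reason = assess_sender(header)
        print(f"{verdict:10s} {header:40s} {reason}")
```

The lookalike check is a substring heuristic, so a legitimate but unrelated domain that happens to contain a trusted brand name will also be flagged; that is the right trade-off for a mail-screening rule, where a false alarm costs a quick manual look and a miss costs an infection.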

While the attack above was sophisticated, most phishing emails simply try to trick the user by saying things like “Your emails have been blocked, click here to unblock them” or “Click here to view your recent order” when you did not actually order anything.

Always be vigilant. When in doubt, forward the email to your IT department or provider for them to check the email for viruses or other threats.

How To Avoid Infections On Your Company’s Network

Luke Gruden is a help desk technician for Tech Experts.

Computers are just like people – they too can catch a virus and become infected. Your computer can potentially be infected from anything it connects or interacts with, so it’s important to watch what disk or USB device you insert into your computer or websites you go to.

What is a computer infection?
A computer infection refers to malicious software that can harm your computer or even steal your information. There’s more than one variation of it. There is spyware that watches what you type and do on your computer to gather and steal information.

There is adware which will change your settings and hijack certain parts of your computer to promote its own products.

There is cryptoware which will lock your whole computer and make it unusable.
There are also many other types of infections or malware that your computer can come across.

Is my computer infected?
If your computer has been running slower recently and you are seeing strange pop-ups or odd programs, you are very possibly infected. At Tech Experts, we monitor many different computers, keeping track of any odd processes and programs that are installed. We also have managed anti-virus that further helps us identify when our clients’ computers could be infected.

How can I clean an infected computer?
There are many tools and resources that can be used to clean an infected computer and no single tool is absolutely perfect. Usually when cleaning an infection, we run at least three to four different (reputable) programs, depending on what type of infection it is.

If it is a very deep infection, we could end up running seven or more different programs to clean out the infection. It is important to know which tools to use and how to use them, however.

Certain programs can cause damage to the computer’s registry if you don’t know exactly what you’re looking for.

How do you prevent an infection?
Understanding your computer habits is one of the biggest ways to prevent infections. Web surfing to questionable sites or to sites you’ve never been to before is one of the most common ways to catch an infection.

Downloaded programs you don’t remember installing are one of the biggest red flags of an infection. Opening emails and attachments when you don’t know where they came from is a good way to become infected. Know that the sites you visit are safe and be attentive to what emails and downloads you view.

Having a good anti-virus is very important for a clean computer protected from those threats that you cannot see normally. At Tech Experts, we provide AV for ourselves and our clients that prevents most infections. No AV is 100% able to stop all infections. With hackers making new threats every day, there is no method to make sure all possible vulnerabilities are blocked.

However, having good software and good habits will prevent the great majority of infections from hopping onto your computer.

How To Identify And Handle Scareware Pop-ups


Jared Stemeye is a Help Desk Technician at Tech Experts.

Let’s say you’re reading the latest news articles on a webpage you visit regularly. In an instant, a new browser window flashes onto your screen, blinking with some sort of notice, a warning of virus infections, a legitimate looking logo, and a phone number to call.

Some of these even employ audio statements such as, “Your PC is infected. If you close this window you will lose all information stored on your hard drive.”

These tactics combined do a very good job of eliciting emotions of fear and anxiousness from their victims.

However, with the proper knowledge to identify the fraudulent practices of these groups, along with the proper steps to handle such occurrences, you will be able to avoid the hardship many others have encountered.

The first thing you should know is that it is quite simple for anyone to attach the Microsoft, or any name brand anti-virus’ insignia onto the page to make it appear convincingly genuine. The ‘official’ logos you see on these pop-ups are not legitimate, though it is very easy to think that they are.

The second, and probably the most important, thing to know is to never – under any circumstances – call the phone number provided by the pop-up.

The disreputable individuals on the other end of the phone are not meant to help you. Like the pop-ups, they too are proficient at inducing anxiety among their victims, urging those who call to allow permission for remote access to the targeted computer.

Once someone has access to your desktop, they have access to all your locally stored files and can make changes to them as well as plant malware or spyware.

Never allow remote access to your computer unless you, without any doubt, know who it is you’re allowing access.

Now, what should you do next? First, attempt to close the window as you would with any other window by clicking the X in the top right corner.

In many cases, a dialogue box will appear at the top of the screen, providing more anxiety-inducing phrases to make you think your actions are incorrect. Rest assured you are on your way to ridding yourself of the pop-up.

Browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox offer an option to prevent these boxes from reappearing after you exit out of them. In the pop-up box, tick the check box next to the “prevent additional dialogues” option and click OK.

If the pop-up window has yet to close, retry exiting out of the window. No additional dialogue boxes should appear at this point, allowing you to regain control of your computer.

If the pop-up window does not close after these steps or if the issue persists after a short period, contact your trusted IT team to remove the issue.

Under any circumstance, remember, these pop-ups are not viruses themselves and, if you follow the advice given in this article, they will cause no harm to your computer.

However, it is still best practice to run a full virus scan if this does occur to ensure you are unaffected.

Is Your System’s Backup Plan Working?

Luke Gruden is a help desk technician for Tech Experts.

At any moment, anything can happen that can cause your computer to fail and lose months – if not years – of company data. This is why it’s important to have some sort of system backup in place so that files can be retrieved in case anything ever does happen to your computer or network.

Without a backup, recovery often isn’t possible and when it is, it’s often more expensive than having a long-term backup solution in place.

Some believe that just because they have a backup solution, they’ve covered their bases. If a computer goes down, they’re still safe.

Well, what about a fire in the company building? What if both your backup device and your computer are gone? What if the cloud server goes down and your computer goes out around the same time? Seems unlikely, but it can happen.

Natural disasters like flooding or lightning storms, accidents such as fires or the destruction of physical property, human influence like a tampering ex-employee or a ransomware infection… these things typically don’t give you enough warning to move your files somewhere safe. No matter what single backup solution you might use, there is a situation where it can fail.

This is why backup redundancy, such as an additional copy in the cloud or on another device, is important. With different backup plans utilizing different locations, you can make sure that no one natural disaster or ransomware infection can stop your business for long. If anything should happen, your data will be untouched somewhere.

It’s recommended that you have at least two different backup plans in different locations. However, the more, the better. Having three different backup plans in different locations like the cloud, an offsite backup, and onsite is optimal in making sure your data is safe.

If your company data is important (which it is), there should not be a second thought in backing it up.
Remember that the more redundancy you have with your backups, the more the chances of losing your data drop. Also, check as often as possible that your backup services are working and up to date.
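Checking that backups are current, and that enough independent locations are current at the same time, is something that can be automated rather than left to memory. The following script is an added example, not code from the original article or from Tech Experts’ backup service: it looks at the newest file in each backup location, treats anything older than a nightly cycle as stale, and only reports success when at least two locations (the article’s minimum) hold a fresh copy. The three locations it inspects are constructed in a temporary directory; in practice they would be the onsite, offsite and cloud backup paths.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional, Tuple

MAX_AGE_HOURS = 26.0       # a nightly backup older than about a day is treated as stale
MIN_FRESH_LOCATIONS = 2    # the article's floor: at least two independent, current copies


def newest_backup_age_hours(location: Path, now: Optional[float] = None) -> Optional[float]:
    """Hours since the most recent file under `location` was written, or None if empty."""
    now = time.time() if now is None else now
    mtimes = [p.stat().st_mtime for p in location.rglob("*") if p.is_file()]
    if not mtimes:
        return None
    return (now - max(mtimes)) / 3600.0


def check_backup_redundancy(locations: Dict[str, Path],
                            now: Optional[float] = None) -> Tuple[bool, Dict[str, str]]:
    """Describe each location's state and say whether enough of them are current."""
    report: Dict[str, str] = {}
    for label, path in locations.items():
        age = newest_backup_age_hours(Path(path), now)
        if age is None:
            report[label] = "no backups found"
        elif age > MAX_AGE_HOURS:
            report[label] = f"stale ({age:.0f} h old)"
        else:
            report[label] = f"fresh ({age:.0f} h old)"
    fresh = sum(1 for state in report.values() if state.startswith("fresh"))
    return fresh >= MIN_FRESH_LOCATIONS, report


def build_demo_locations() -> Tuple[Dict[str, Path], float]:
    """Constructed scenario: the onsite copy is current, the offsite copy is
    three days old, and the cloud location has never received a backup."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    now = time.time()
    ages_hours = {"onsite": 2, "offsite": 72}
    locations: Dict[str, Path] = {}
    for label in ("onsite", "offsite", "cloud"):
        folder = root / label
        folder.mkdir()
        locations[label] = folder
        if label in ages_hours:
            backup = folder / "company-data.bak"
            backup.write_bytes(b"constructed backup contents")
            stamp = now - ages_hours[label] * 3600
            os.utime(backup, (stamp, stamp))   # back-date the file to simulate age
    return locations, now


def demo() -> Tuple[bool, Dict[str, str]]:
    locations, now = build_demo_locations()
    return check_backup_redundancy(locations, now)


if __name__ == "__main__":
    ok, report = demo()
    for label, state in report.items():
        print(f"{label:8s} {state}")
    print("redundancy requirement met" if ok else "ACTION NEEDED: fewer than 2 current copies")
```

Run on a schedule, the failing case is the one to alert on: a single fresh location means the business is one incident away from the scenario the article warns about, even though “a backup exists”.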

That way, you will not have any surprises when you least expect it and when you most need your data. At Tech Experts, we offer backup solutions that include status notifications for every backup.

It seems like we talk about this issue a lot and it’s true. We bring it up so often because disasters do happen and there have been companies that have been crushed by not having a good backup plan. Don’t let your workplace be one of them.

Take a moment and really consider how much effort you would have to put in to bring your business back up to speed after a data disaster. As always, work with your IT department and figure out what plan is best for your company before committing to anything. Interested in learning which backup solutions would best suit your business? Contact Tech Experts at (734) 457-5000.

Yes, You Can Still Get Infected – Even With Anti-Virus

Scott Blake is a Senior Network Engineer with Tech Experts.

With the sudden release of new variants of malware and ransomware such as CryptoWall, users are wondering why their anti-virus programs are not blocking the ransomware from infecting their computer.

As with many other forms of malware, the infection needs to exist before a cure or way to detect the threat can be created. This takes time and during this period of R&D, the malware spreads like wildfire.

While there are several forms and classifications of infections, there are basically only two different methods by which infections are released into your system: User Initiated and Self-Extracting.

User Initiated infections are caused by a user clicking on a link within a webpage or email or by opening an infected email attachment. Once opened, the malware is released and quickly spreads throughout your system.

Because the user manually clicked on or opened the link/document, most anti-virus programs treat this as an authorized override by the user and either internally whitelist the link/document or skip the scan.

CryptoWall is spread through this method, usually contained within an infected Word, Excel or PDF document. The creators of these programs take advantage of the programming of the document to hide the infection.

With the world becoming a paperless society, we are becoming more and more accepting of receiving and opening attachments sent to us through email. It has practically become second nature to just click and open anything we receive, regardless of any warning.

Self-Extracting infections are exactly what they’re named. These infections require no outside assistance to worm their way through your system, infecting as they go.

The number one method creators of this form use to place their software on your system is through “piggy back” downloads.


Piggy back downloads occur when you authorize the download and install of one program and other programs (related or unrelated to the original program) are automatically downloaded and installed with it. The most common way is by downloading programs promising to speed up your computer.

Infections can also exist on your system and lay dormant for long periods of time, waiting for the computer to reach a certain calendar day or time. These infections are called “time bomb” infections. Just like piggy back infections, they require no outside assistance to infect your system.

They are mostly found buried in the registry of the system or deep within the system folders. Because they are not active at the time of placement, most anti-virus programs will not detect them. Active reporting through toolbars is another means of becoming infected over time.

When a user downloads and installs a toolbar for their browser, they authorize at the time of install that it is okay to install and that all of its actions are safe. However, most toolbars are actively scanning, recording, and reporting back to the creator. They also act as conduits for installations of other unwanted programs behind the scenes.

If left unchecked, those additional programs can become gateways for hackers to gain access to your system and spread even more infections.

To help stop the spread of malware/ransomware such as CryptoWall and its variants, we need to become more vigilant in our actions when either surfing the Internet or opening email and attachments.

The best rule of thumb to follow for email is: if you don’t know the sender, or you didn’t ask for the attachment, delete it. As for websites, read carefully before you download anything and avoid adding toolbars.

The Three Scariest Threats To Small Business Networks

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

While spam, pop-ups, and hackers are a real threat to any small business network, there are three security measures that you should be focusing on first before you do anything else.

Worry About E-mail Attachments, Not Spam
Sure, spam is annoying and wastes your time, but the real danger with spam is in the attachments.

Viruses and worms are malicious programs that are spread primarily through cleverly disguised attachments to messages that trick you (or your employees) into opening them.

Another huge threat is phishing e-mails that trick the user by appearing to be legitimate e-mails from your bank, eBay, or other financial accounts.

Here are three things you must have in place to avoid this nightmare: [Read more…]

Beware The Fake Microsoft Cold Calls

Scott Blake is a Senior Network Engineer with Tech Experts.

The phone rings and you don’t recognize the number or name on the caller ID. You pick up anyway and the caller tells you that they work for Windows Support or Windows Service Center and they are a Microsoft Certified Technician.

They go on to say they have received log files or have determined that your computer is infected and causing corruption throughout your Windows operating system.

They ask if you’re at your computer now and, if not, to go there. Once there, they walk you through how to open your Event Viewer and show you the Administrative Events under the Custom Views folder.

They are quick to point out that all of the red circles labeled “Error” are malware infections. They then ask you to look at the number of events listed and advise that this is the total number of infections currently on your computer.

The caller then says they can clean your system of all infections, but they will need to have remote access to the computer.

At this point in the call, most people have been thoroughly convinced by the voice on the other end of the phone that their system is indeed infected and needs to be cleaned. After all, the caller knew where to look for the so-called infections and they do sound like they truly want to help.

The Microsoft “employee” will even tell you that if you don’t let them remove the infections, the “hackers” that placed the malware on your system will have complete access to all of your information.

They warn that your identity is in jeopardy of being stolen. You must give them remote access to your computer. They are your only hope and you must trust them. After all, they say they work for Microsoft.

The fact of the matter is that the caller does not work for Microsoft in any capacity. They don’t work for any of their third party vendors nor any security firm that has been retained by Microsoft.

They are in fact the “hackers” attempting to convince you to give them access to your computer to infect your system and steal your data.

If you allow them remote access, they will start to install malicious programs on your computer. They’ll copy all of your information and, in some cases, encrypt your data.

They will tell you that the infection is too severe for a “standardized” cleaning and you will need to pay money to have them install removal programs to clean the system.

In mid-2013, NBC News technology reporter Frank Catalano reported on receiving one such phone call himself.

After his ordeal with the fake Microsoft, Mr. Catalano contacted the real Microsoft. He received the following reply:

“In 2010, Microsoft began receiving reports of scammers making phone calls or sending emails to people,” replied a spokesperson for Microsoft’s Digital Crimes Unit. They advised that they had referred the cases to the Federal Trade Commission.

One very important thing to remember is that Microsoft (or any of its partners) will never cold call you. They will never ask for remote assistance. They will never ask for usernames and passwords.

If you have fallen victim to such a scam, disconnect your network cable and take your computer to a trusted service center or repair facility and explain in detail what happened as soon as possible.

For questions or advice on what to do about cold call scammers, contact Tech Experts at (734) 457-5000, or by email at info@mytechexperts.com.

Does Your Company Need An Internet Usage Policy?

Scott Blake is a Senior Network Engineer with Tech Experts.

With the growth and expansion of the Internet, it is important to make sure that your business has a policy in place to protect its assets.

Depending on your business, an Internet Usage Policy (IUP) can be long and drawn out or short and to the point.

An IUP will provide your employees with guidelines on what is acceptable use of the Internet and company network. IUPs not only protect the company, but also the employee.

Employees are informed and aware of what is acceptable when it comes to websites and downloading files or programs from the Internet.

When employees know there will be serious consequences for breaking the IUP, such as suspension or termination of employment, companies tend to notice a decrease in security risks due to employee carelessness.

You will need to make sure your IUP covers not only company equipment and your network, but also employee-owned devices such as smart phones and tablets. You may be surprised at the number of employees that feel they do not have to follow the IUP because they are using their own device to surf or download from the Internet.

Make sure you address proper usage of company-owned mobile devices. Your business may have satellite employees or a traveling sales force. Even when they are away, they need to be aware they are still representatives of the business and must follow the business IUP.

After all, it would not go over well if your sales staff was giving a presentation to a prospective client and suddenly, “adult content” ads popped up on the screen because one of your employees was careless in their web habits.

The downloading of files and programs is a security risk in itself. Private, internal company documents and correspondence downloaded from your company’s network can become public, causing irreparable damage.

On the same thought, employees downloading from the Internet open your company’s network up to malware attacks and infections.

There are a lot of hackers that prey upon the absent-minded employee downloading a video or song file by hiding a piece of malware within the download. Once the malware makes it into your network, there’s no telling what damage it can cause.

As for non-work related use of the company network and Internet, make sure your employees know there is no expectation of personal privacy when using the company’s network and Internet connection.

Make it well-known that the network and Internet are in place to be used for work purposes only. Improper use of the network can reduce bandwidth throughout the company network.

This includes all mobile devices owned by the company. This way, your employees know that no matter where they are they still must follow the guidelines of the IUP.

Make sure all of your employees sign the IUP and fully understand what it is they are signing. Make sure you answer any and all questions they may have.

This will help clear up any confusion your employees may have. This way, there can be no excuses as to why the IUP was broken.

Whenever you update the IUP, make sure you have all of your employees sign and understand the new additions and/or changes to the IUP. It may seem like overkill, but you’ll be glad you did if you ever run into any violations of your company’s IUP.

For assistance in creating Internet Usage Policies or if you have any questions, call the experts at Tech Experts: (734) 457-5000.

Top Signs Your Computer May be Infected

Scott Blake is a Senior Network Engineer with Tech Experts.

Ranging from minor spyware and adware to complete system lock-outs courtesy of ransomware, infections have become a standard in today’s high-speed electronic age.

Even when using the latest state of the art detection software, the most modern systems are prone to infection.

Some basic low-level forms of adware and spyware are add-ons called toolbars. A toolbar is an add-on to a web browser, putting another bar at the top of your browser window below the address bar.

They can come in several different forms and functions. Some are helpful and pose no threat to your system. Others serve as a reporting tool for the toolbar’s designer.

They can collect data on surfing habits such as websites visited and search topics used. This data is then transmitted back to the designer and sold off to advertisers who, in turn, use the information to start spamming you with their client’s websites and ads.

Building off of the spam generated from the data collected from the adware and spyware, you will start to see more and more pop-ups on webpages and possibly even on your desktop.

Sometimes, these pop-ups are harmless and very easy to remove, but more often, they are the beginning stages of an invasion of malicious programs.

The pop-ups use false and misleading information to scare the user into believing they are already infected and they need to download “their” software to clean the infections.

What ends up happening is that you think you are downloading one program to clean your system, but you are really downloading and installing additional programs in the background.

I have seen instances where one so-called program install downloaded nine additional programs in the background. None of the additional programs had anything to do with “cleaning” or “speeding” up your system. They just wreak havoc on your operating system.

Through these malicious programs, more dangerous infections can occur. High-risk level malware, trojans, and viruses become residents on your system.

From this point forward, you will start to experience extreme slowness or even a complete inability to browse the Internet. You will start to see an increase in spam email and email messages containing attachments or web links to strange web addresses.

The attachments are what you need to be very cautious about. A very high-risk malware called Crypto is primarily transmitted through these infected attachments. Once infected, the malware spreads through your system, encrypting all of your data.

After that, there is little hope of recovering any of your data.

Viruses, malware, trojans and malicious programs are lurking on the web at every turn.

The most important thing to remember is “knowledge is power.” Don’t fall victim to the overwhelming number of companies advertising that their products can and will clean your computer of these nasty bugs and speed up the performance of your computer at the same time.

The truth is that the vast majority of these companies will install a ton of “freeware” programs on your system that will bog down your CPU and eat up your memory resources.

Once these programs are installed, get ready for Pop-Up City. It turns into a giant game of Whack-A-Mole just trying to close all the windows and pop-ups generated by these programs.

Several of these programs will also inject a proxy server into your Internet settings. This will severely limit your Internet browsing and even redirect you to predefined webpages in an attempt to lure you into purchasing additional programs to remove the programs you already installed.

For additional information or if you think you may have a virus or spyware infection, contact Tech Experts at (734) 457-5000.

CryptoWall 2.0: Ransomware Is Alive And Well

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

CryptoWall is the latest strain of ransomware to rise to prominence, extorting more than $1 million from victims and wreaking havoc on thousands of police departments, businesses, and individuals across the globe.

On the surface, CryptoWall is similar to its better-known predecessor Cryptolocker, another strain of crypto-ransomware. But there are many differences.

Victims are typically infected with CryptoWall by opening a malicious email attachment, though drive-by downloads on websites are also possible. The email attachments are often zip files that contain executables disguised as PDFs.
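The “executable disguised as a PDF inside a zip” delivery described above is easy to screen for at the mail gateway or help desk, because the disguise lives in the file name while the real type lives in the file’s first bytes. The screener below is an added example, not code from the original article or from any CryptoWall analysis: it walks the members of a zip attachment, flags executable extensions (including the double-extension trick such as `.pdf.exe`), and separately flags members whose content starts with the Windows executable “MZ” signature regardless of their name. The sample archive and its contents are constructed; no real malware is involved.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will execute or script-run when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk"}
# Document extensions commonly used as the "disguise" half of a double extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MZ_SIGNATURE = b"MZ"   # first two bytes of every Windows PE executable


def build_sample_zip() -> bytes:
    """Constructed attachment: one disguised executable, one bare screensaver
    executable, one executable renamed to .pdf, and one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice_1234.pdf.exe", MZ_SIGNATURE + b"\0" * 64)
        z.writestr("photo.scr", MZ_SIGNATURE + b"\0" * 64)
        z.writestr("report.pdf", MZ_SIGNATURE + b"\0" * 64)   # wrong type for its name
        z.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


def screen_zip_attachment(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) pairs for every member that should block delivery."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            parts = basename.lower().split(".")
            exts = ["." + p for p in parts[1:]]
            final_ext = exts[-1] if exts else ""
            with z.open(info) as member:
                head = member.read(len(MZ_SIGNATURE))
            if final_ext in EXECUTABLE_EXTS:
                reason = "executable extension"
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    reason = f"executable disguised with a {exts[-2]} double extension"
                findings.append((info.filename, reason))
            elif head == MZ_SIGNATURE:
                # Name says document, bytes say Windows executable.
                findings.append((info.filename, "PE (MZ) header despite non-executable name"))
    return findings


if __name__ == "__main__":
    for name, reason in screen_zip_attachment(build_sample_zip()):
        print(f"BLOCK {name}: {reason}")
```

Both checks matter: the extension test catches the common case cheaply, while the signature test catches an executable the sender has renamed outright, which Windows would still happily run if the recipient later renamed it back.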

Once infected, CryptoWall scans all mapped drives and encrypts important files. That’s an important distinction: CryptoWall will scan your local drives, but also any server mapped drives, such as an S: or N: drive. [Read more…]