Tuesday, November 15, 2022

CSharp Interop P/Invoke mechanism has change in .NET7 - LibraryImport replaces DLLImport

Major announcement at .NET CONF 2022 .NET7 which some of you many have missed,  replaces DLLImport() with LibraryImport(). 

Official documentation here - 
Use custom marshallers in source-generated P/Invokes | Microsoft Learn

Sampe Pseudo Code

// Import user32.dll (containing the function we need) and define
// the method corresponding to the native function.

[DllImport("user32.dll", EntryPoint = "MessageBoxW", CharSet = CharSet.Unicode, SetLastError = true)]

private static extern int MessageBoxW(IntPtr hWnd, wstring lpText, string lpCaption, uint uType);

//>>>>>>>>>>>> .NET7 New P/Invoke Method <<<<<<<<<<<<
[LibraryImport("user32.dll", EntryPoint = "MessageBoxW", SetLastError =true,
StringMarshalling = StringMarshalling.Utf16)]

internal static partial int MessageBoxW(IntPtr hWnd, string lpText, string lpCaption, uint uType);

Differences from DllImport

LibraryImportAttribute is intended to be a straightforward conversion from DllImportAttribute in most cases, but there are some intentional changes:

There are also differences in support for some settings on MarshalAsAttribute, default marshalling of certain types, and other interop-related attributes. For more details, see our documentation on compatibility differences.

.NET CONF 2022 Video Release



Monday, November 14, 2022

Fedex phishing email with subject Re: FEDEX

For the record, this is a Fedex phishing email attempt that is recently going around, with subject RE: Fedex

What to do?  Report them, goto bottom of page. 


From : Shipment Trackings <hetaarbetare.utskick@brandskyddsforeningen.se>
Subject : RE: FEDEX

                       




PHISHING LINKs;


1. 
http://investinmacedonia.shop/?xxx...

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and subsequently government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
  2. Report Phishing Sites | CISA
  3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Sunday, November 13, 2022

How do developers generate revenues - State of Nation Report from SlashData

How developers generate revenues

  • Contracted development is the revenue model of choice across all industry verticals, used by nearly a third (31%) of professional developers.
  • Less than one in ten (7%) professional developers are generating revenue from selling data.
  • Usage of the advertising revenue model declines as companies grow in size.
  • Developers working for large enterprises (5K+ employees) tend to use
    multiple revenue models less often than developers in smaller companies.

Below we have included a few graphs that illustrate some of the findings.

You can download the full report for free and access all data and insights within.

If you need additional information or looking to understand developer preferences’, please get in touch with us and we will dive into it together.



    Full Article :  https://www.slashdata.co/blog/state-of-the-developer-nation-coding-language-popularity-chinas-developer-market-how-developers-make-revenue-and-more

Saturday, November 12, 2022

Home Depot phishing email with subject FW: Exclusive Reward

For the record, this is a Home Depot phishing email attempt that is recently going around, with subject FW: Exclusive Reward!

What to do?  Report them, goto bottom of page. 


From : Home Depot Survey <noreply@storypark.com> via ibm591.wtrbs.heathfly.com
Subject : 
 FW: Exclusive Reward

                       








PHISHING LINKs;


1. 
http://ourloveplace.info/?xxxx...

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and subsequently government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
  2. Report Phishing Sites | CISA
  3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Sunday, November 6, 2022

Walgreens phishing email with subject Confirmation-xxxxxxxxxx

For the record, this is a Costco phishing email attempt that is recently going around, with subject Confirmation-xxxxxxxxxxxxx.

What to do?  Report them, goto bottom of page. 


From : Walgreens <info@news.qdcjfwnajqu.com.net> via ibm591.wtrbs.heathfly.com
Subject : 
 Confirmation-xxxxxxxxxxxxx

                           Re: 2nd Attempt for {your email}






PHISHING LINKs;


1. 
https://ci3.googleusercontent.com/proxy/xxxxxxxxxxxxxxxxxxxxxxxxxxxx#https://s3.amazonaws.com/chirrirXaXir/chirrirXaXir.png

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and subsequently government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
  2. Report Phishing Sites | CISA
  3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Friday, November 4, 2022

Costco phishing email with subject FW: Notice: Costco Survey Offer expiring soon!

For the record, this is a Costco phishing email attempt that is recently going around, with subject FW: Notice: Costco Survey Offer expiring soon! and enticement of $90 Promo offer.

What to do?  Report them, goto bottom of page. 


From : Thank-you <no-reply@nl.francetv.fr>
Subject : 
 FW: Notice: Costco Survey Offer expiring soon!




PHISHING LINKs;


1. 
http://coinbore.makeup/?xxx

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and subsequently government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
  2. Report Phishing Sites | CISA
  3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Wednesday, November 2, 2022

Geek Squad phishing email with subject We are processing your order 1-415-424-4760

For the record, this is a Best Buy's Geek Squad phishing email attempt that is recently going around, with subject "  We are processing your order

What to do?  Report them, goto bottom of page. 


From : Angel | Support Dept <xxxx@gmail.com>
Subject : 
 We are processing your order








PHISHING LINKs;


1. 
415 424-4780

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and subsequently government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
  2. Report Phishing Sites | CISA
  3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Wednesday, September 21, 2022

Transform Clipboard Contents Between Copy and Paste with tool

Clipboard PlainText PowerTool (CPPT) has advanced clipboard transformations, which have been accumulated since 2014.

You will not find in another tool or text editor, with these transformations features . Each of the power tools have been customized and are unique apps, you'll not find anywhere else. 

CPPT Version 5.1 - 138 productivity functions - 23 Major Power Tools/Apps

CPPT features 1st of its kind, on-the-fly media file metadata extraction

If you copy or move a any file type, CPPT will extract metadata for that file. For media files,  CPPT extracts enhanced metadata automatically and puts onto the clipboard history. Click it, to to copy it to system clipboard.

On-the-fly metadata information pulled from a .DOCX, .MP3 and .MPG file; 

Copied/Moved 
DOCX "Standard Release Form.docx"  2pgs 42.6KB Title:"Microsoft Word - Standard Release Form.doc" Author:"aaggarwa" Company:"John Wiley and Sons, Inc." Mon 04-Jan-21  11:30AM "H:\Downloads2021\Standard Release Form.docx"
	MP3 "01 Genesis.mp3"  5,512KB 44kHz 00:03:55 Title:"Genesis" Album:"Justice" Artist:"Justice" Year:2007 Sat 08-Mar-14  9:43PM "C:\Users\Markus\Music\iTunes\iTunes Media\Music\Justice\Justice\01 Genesis.mp3" - EXIF metadata detected MPG "ghost.MPG"  6.34Mb 00:00:18 [640wX480h] MPEG-PS(video/mpeg) 2.829Mbps 25.000FPS MPEG Video 8-bits(256bpp) MPEG Audio 1ch-32000kHz-64kbps Sun 28-Oct-12  1:22PM "C:\Users\Markus\Videos\ghost.MPG"
	3 items in 136ms 270µs 400ns with enhanced metadata extracted, if available. Enhanced metadata extraction set at <= 20 items.

Here's an example use of clipboard transformation 

Check it out Clipboard Plaintext PowerTool  - the most advanced clipboard tool on the market today!

Tuesday, September 13, 2022

UPS phishing email with subject You have (1) package awaiting information

For the record, this is a UPS phishing email attempt that is recently going around, with subject " Re: You’ve Been selected!" that made it through spam filters.

What to do?  Report them, goto bottom of page. 


From : UPSDelivrey.com <7-eleven@mail.7-eleven.com>
Subject : 
You have (1) package awaiting information






PHISHING LINKs;


1. 
http://julianol.com/xxx...

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and subsequently government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
  2. Report Phishing Sites | CISA
  3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Wednesday, August 31, 2022

Camp Lejeune exposed to contaminated water phishing email with subject Re: Confirmation_Receipt_306

For the record, this is a Camp Lejeune exposed to contaminated water phishing email attempt that is recently going around, with subject "Confirmation_Receipt_306". 

What to do?  Report them, goto bottom of page. 


From : Lejeune Lawsuits <info@botlibre.com>
Subject : 
 Confirmation_Receipt_306





PHISHING LINKs;


1. 
https://xxxxx.s3.us-east-2.amazonaws.com/xxxxx.HTM#qs=xxxxx

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and subsequently government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
  2. Report Phishing Sites | CISA
  3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Friday, August 26, 2022

Sams Club phishing email with subject Re: You’ve Been selected!

For the record, this is a Sam's Club phishing email attempt that is recently going around, with subject " Re: You’ve Been selected!" that made it through spam filters.

What to do?  Report them, goto bottom of page. 


From : samsClubstores <info@qiita.com>
Subject : 
Re: You’ve Been selected!







PHISHING LINKs;


1. https://ifqifiqsfiqsif.s3.us-east-2.amazonaws.com/vlds.html#
Xxxxxx...

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and subsequently government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
  2. Report Phishing Sites | CISA
  3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Monday, July 11, 2022

Fake Rogers Text Message Phishing Scam

For the record, this is a fake Rogers text message that has been going around, since the massive outage in Canada that started July 7th. 


From : 306-501-8123








Report SPAM

  1. What to do if I get mobile spam? (bell.ca)
  2. Report a spam message | TELUS Support

Saturday, July 9, 2022

UЅPS phishing email with subject UЅPS® Іssue Your Delivery оn June 27, 2022 arriving by 6:00pm

For the record, this is an UЅPS phishing email attempt that is recently going around, with subject "UЅPS® Іssue Your Delivery оn June 27, 2022 arriving by 6:00pm"

What to do?  Report them, goto bottom of page. 


From : Ρostal UЅPS <Office365@messaging.microsoft.com>
Subject : 
UЅPS® Іssue Your Delivery оn June 27, 2022 arriving by 6:00pm






PHISHING LINKs;

1. What's encryption?

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and subsequently government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
  2. Report Phishing Sites | CISA
  3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Monday, April 25, 2022

Right-to-Left Override RTLO Removal Tool for filenames #Windows #malware

Malware writers can trick you in 2 ways into thinking your file is a "PDF looking" file using the Right-to-Left Override (RTLO) technique.

“Right-to-Left Override” RTLO example

Firstly, maliciously constructed “.exe” can be built to display an PDF icon, so it looks like PDF default reader will open this file. If the filename is really long then, you can't see the extension (see image below). 

2ndly and may not be so obvious, malicious PDF filename is constructed as with a right-to-left override character is such a way that the file ends ".pdf" extension, but really is an ".exe".  


So in example below, the 2nd file looks like a ".txt" file, but is really a ".docx" file (the 1st file). The 1st file has been cleansed of the RTL Unicode character, and ends in ".docx". 

The PDF file is actually an ".exe" file, but looks like it will open with default PDF reader. 


Download RTLExample.7z ( it includes the above files with PDF ".exe" example. The files contain no viruses or malware. The PDF is safe ".exe", and just opens this page in Chrome). The "PDF" is safe ".exe", and just opens this page in Chrome. But GDrive marks these examples "Sorry, this file is infected with a virus", which good because they are detecting the RTL character and exe. But it a false positive, since there is no virus in the files. You can create you own examples by inserting the RTL character into the filename, see this video https://youtu.be/n2kV3Q2eTCY). 


Here's the same files as viewed from the command (cmd.exe) line. The box character represents the RTL character.


Note: Detection of malicious file is never done by a filename alone, so a good antivirus will flag the contents of this file, for known signatures. BUT you can remove the annoying RTL character with the free tool below! 

How is RTLO being abused by malware writers?

In apps that support Unicode like Window Explorer, the right-to-left override malware method uses  a RTL Unicode character, that will reverse the order of the characters that follow it. It's used mainly for Middle Eastern/Asian languages that you read right-to-left.

RTLO can be used to spoof fake extensions. To do this we need a hidden RTL Unicode character in the file name.

What is “Right-to-Left Override” RTLO?
The RTLO method is used to hide the true type of a file, so it might trick you into open text file (.txt) which really is a Word file (.docx) with malicious malware. More recently this file could hide a .wav file. Audio files such .wav file are being embedded with malware, is on the forefront of malware maliciousness. Read about that on my post here.
The method exploits a feature built into Windows Explorer. Since Microsoft Windows does a great job of supporting different languages from around the world, some of those languages that are written from right-to-left (RTL). 
Let’s say you want to use a right-to-left written language, like Hebrew or Arabic, on a site combined with a left-to-right written language like English or French. In this case, you would want bidirectional script support.
Bidirectional script support is the capability of a computer system to correctly display bi-directional text. In HTML we can use Unicode right-to-left marks and left-to-right marks to override the HTML bidirectional algorithm when it produces undesirable results:
left-to-right mark: ‎ (U+200E) Unicode character
right-to-left mark: ‏ (U+200F) Unicode character
How do you fix files that have the RTLO or other bad characters ? 

Here's a tool I built to clean up Right-to-Left Mark (and many others) and Unicode Control Characters from your files. It's super fast, small and written in native C++.

Updated Thu 21-Apr-22 - new build, fixed many recursive issues




Download
 touchRTL.7z (you need https://www.7-zip.org/ to unpack). For personal use only, will open this page for help. Copy into c:\windows to use from cmd.exe.


License : 

touchRTL.7z personal use only, for commercial use buy touchLTRPRO. Contact as validated today available for license request. 

touchRTLPRO.7z, has flags to remove Unicode spaces and punctuations (math symbols, currency, open closing braces, and accent marks).  

Just run this command and it will recursively rename filenames to remove those characters under the specified directory name. If directory name, contains spaces you need quotes.


touchRTL -v -R -l -y "directory name"

where


Usage: touchRTL [-aclmpRuvxy] [-r REFFILE | -d DATETIME] PATH...

UNIX touch mimic, updates files access, modification and creation times of file(s) in PATH to the current time,
If PATH argument does not exist, creates corresponding new empty file or directory (using -y), unless -c or --n
Supports directory recursion and time stamping!
Supports Right-to-Left (RTL) character removal for files.
PATH argument can represent a filename(s) or directory. Double quote if it contains spaces. eg "c:\as is.txt"

  -a, --access-time        change only the file access time
  -c, --no-create          do not create any new files - If the file exists, touch will update the access time,
  -l, --RTL                remove Unicode control & format characters (esp. infamous right-to-left) from filena
  -m, --modif-time         change only the file modification time
  -p, --pause-exit         pause on exit (non-GNU extra)
  -R, --recursive          recursively touch files in specified directory and all subdirectories (non-GNU extra
  -u, --unicntrl           remove Unicode control characters only - https://www.fileformat.info/info/unicode/ca
  -v, --verbose            output the result of every file processed (non-GNU extra)
  -x, --creation-time      change only the file creation time (non-GNU extra)
  -y, --directory          specify directory, instead of default file
  -r, --reference REFFILE  use this file's times instead of current time
  -s, --spaces (PRO edtn)  remove Unicode spaces from filename
  -!, --puncs  (PRO edtn)  remove Unicode punctuations & symbols (math & modifiers) from filename

  -d, --date DATETIME      use YYYY-MM-DDThh:mm:ss[.ms] instead of current time (non-GNU, does not parse string
                           accepted "2033-04-01T07:07:07", "2033-04-01 07:07:07"

  -h, --help               Display this help and exit.

      --version            Display version information and license information.

For personal use only. Commercial license required for business use and removes page open. See --version for al
Copyright © 2019-2022 M. Pahulje <metadataconsult@gmail.com> - https://http://metadataconsulting.blogspot.com/