Sunday, October 14, 2012

Malware attack strikes, posing as Skype password change notification

If Skype users didn't have enough to worry about this week security-wise (with a worm spreading across the system), there's now another threat to warn about.
Emails have been spammed out by cyber-criminals, posing as messages from Skype, claiming that you have changed your password on the service.
Here's an example of one such email:

If you look carefully, you may spot that the spammers made a clumsy spelling mistake:
Password successfully changed
Your new Skype password has been set.
You can now view your attached call history and inscturtions how to change your account settings.
If the changes described above are accurate, no further action is needed. If anything doesn't look right, follow the link below to make changes: Restore password
Talk soon,
The people at Skype
Perhaps surprisingly, the links really do point to the genuine Skype website at skype.com.
However, a file (Skype_Password_insctructions.zip) is attached to the email, and if you make the mistake of unzipping and executing its contents (Skype_Password_inscructions.pdf.exe), you run the risk of infecting your Windows computer.

The malware, which is detected by Sophos products as Troj/Backdr-HN, opens a backdoor on your computer, giving remote hackers access to your system.

The danger is, of course, that users worried by the recent worm will be frightened that their Skype password has been changed without their consent, and open the attachment - and thus infect their PC.

As always, be on the lookout for unsolicited suspicious emails, and always be wary of opening attachments which arrive out of the blue. In this case, the file is using the well-known "double extension trick" to dupe the unwary into believing that they might be clicking on a PDF rather than executable code: Windows hides the extension of known file types by default, so Skype_Password_inscructions.pdf.exe is shown in Explorer simply as Skype_Password_inscructions.pdf. Turning that setting off makes the trick obvious.
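As an added example (not part of the original post or of any Sophos tool), the following Python script shows how the double-extension pattern can be caught before anyone double-clicks: it parses an e-mail message, pulls out zip attachments, lists their members and flags any name whose final extension is executable but whose preceding extension pretends to be a document. The message it parses is constructed inline to mirror the one described above; the sender address, the extension lists and the zip contents (a harmless text file under the executable-looking name, not the real malware) are assumptions for illustration.

```python
"""Flag e-mail attachments that use the 'double extension' trick.

Added example, not from the original post. It constructs a sample .eml
message in memory, extracts zip attachments, and flags member names such
as 'Skype_Password_inscructions.pdf.exe'.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions Windows will run as code (assumption: representative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# Extensions attackers borrow to make the name look like a document.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "html"}


def is_double_extension_trick(name: str) -> bool:
    """True if `name` ends in an executable extension preceded by a decoy
    document extension, e.g. 'Skype_Password_inscructions.pdf.exe'.
    Directory components inside the zip are ignored."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:  # need base name + decoy extension + real extension
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def suspicious_attachment_members(raw_message: bytes) -> list[str]:
    """Return 'attachment:member' strings for every zip member (and any bare
    attachment) whose name matches the double-extension pattern."""
    msg = email.message_from_bytes(raw_message, policy=default)
    flagged = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if is_double_extension_trick(member):
                        flagged.append(f"{filename}:{member}")
        elif is_double_extension_trick(filename):
            flagged.append(filename)  # executable attached without a zip wrapper
    return flagged


def build_sample_message() -> bytes:
    """Construct a message modelled on the fake Skype notification above.
    The zip holds a harmless text file under the executable-looking name;
    sender and recipient addresses are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Skype_Password_inscructions.pdf.exe", b"not really an exe")
        zf.writestr("readme.txt", b"benign")
    msg = EmailMessage()
    msg["From"] = "Skype <no-reply@example.invalid>"  # assumed sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Password successfully changed"
    msg.set_content("Your new Skype password has been set.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Skype_Password_insctructions.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in suspicious_attachment_members(build_sample_message()):
        print("suspicious:", hit)
```

Checking the inner names rather than just the zip's own name is the point: an archive wrapper defeats mail-gateway rules that only look at the outer attachment extension, and the same check can be dropped into a mail filter or a triage script over a mailbox export.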

Metropolitan Police malware warning issued - Beware the ransomware attack!

ComputerWorld today reports that the UK's Metropolitan Police has warned Windows users of a malware attack that poses as a message from the computer crime-fighting cops themselves.

The ransomware attack attempts to lock the computer and, posing as an official notice from a law enforcement agency, claims that the victim's PC has been found to have visited illegal websites.

Only payment for a fine, claims the message, will restore the computer's functionality.

Various versions of the alert messages have been seen - here's one example:


Part of the poorly-worded alert reads as follows:
Attention!!!
The process of illegal activity is deleted. According to UK law and Metropolitan Police Service and Strathclyde Police investigation your computer is locked!
The following violation is detected: You IP-address "[redacted]". Forbidden websites containing pornography, child pornography, Sodomy and called violence against children on, violent material toward people were visited from this IP-address!
Moreover and e-mail spam was sent you're your computer, emails containing terroristic materials. This locking serves to stop your illegal activity.
To release a lock your computer you should pay the fine in amount of £100. In the case of ignoring the payment, the program will remove illegal materials while keeping your personal information is not guaranteed.
Of course, it's very likely that you haven't been visiting extremist websites or viewing child abuse material. That may just be the hook used by the fraudsters to trick you into taking the warning seriously. Ransomware is nothing new. We've seen plenty of examples in the past where cybercriminals have duped users into coughing up cash in order to get their computer working properly again.

But the threat of legal action, and what - on first glance - might appear to some computer users to be a sign that they are in trouble with the police, could be enough to scare some into electronically transferring funds post haste.

The police recommend that anyone who is duped by the scam should contact their credit card company immediately, and underline that they would never use such tactics to make contact with the public or demand funds.

It's likely that the messages are appearing on computer users' screens because they have become infected whilst visiting compromised websites, or have been duped into installing malicious software onto their computer.

Sophos has linked Mal/Bredo-Q to some of the reports we have seen of this particular ransomware attack, but of course it's perfectly possible that malicious hackers could use other malware to display the same or similar messages posing as police warnings.

As always, keep your security patches and anti-virus solutions updated, and your wits about you.

Slate: Pay up or the hard drive gets it - ransomware malware


You’ve just opened a Web page or clicked a link in an email when your computer’s desktop goes gray. A browser window pops up with the FBI logo in the top left corner. Below it is a live webcam feed with a picture of someone’s face. You try to click away but find that your browser is locked. With a start, you recognize the face staring at you from the screen: It’s you.

This isn’t the plot of a Japanese horror film. It’s a frightening form of malware called “ransomware” that has been seen with increasing frequency in recent months. No one knows exactly how many people have been hit with it, but security firm McAfee reports that it recorded more than 120,000 new samples in the second quarter of 2012, a fourfold increase from the same quarter last year.

There are many variants of ransomware, all of which begin by locking you out of your own machine. The next phase: trying to blackmail, intimidate or otherwise spook you into forking over cash. You probably shouldn’t do it. But it’s easy to see why a lot of people do.

The version I described in the first paragraph is the product of a virus called Reveton, which you can contract either by clicking a malicious link or visiting an infected website, which triggers an automatic download. Beneath the video feed, which registers the surprise on your face as you recognize yourself, are your computer’s IP address and hostname and an urgent message: “Your computer has been locked!” Scroll further and you’ll find yourself accused of possessing illegally downloaded files in violation of federal copyright laws. (A new iteration claims that you’re in violation of SOPA, the Stop Online Piracy Act — which, as serious netizens know, never actually became law.)

The crime, you’re told, is punishable by a fine or up to three years in prison. There’s only one way to unlock your computer, according to the warning on your browser, and that’s to pay up. And if you don’t pay the specified “fine” within 48 or 72 hours — often by purchasing a prepaid cash card such as Green Dot’s Moneypak, which makes the transaction hard to trace — it claims that you’ll be locked out of your machine permanently and face criminal charges to boot.

The criminal charges are bogus, of course, but the threat of being permanently locked out of your files is real, says Chet Wisniewski, senior security adviser at the data-security firm Sophos. Some victims have reported that, after a certain amount of time passed, their files were in fact deleted. On the other hand, it’s unclear whether paying up actually helps, or if it just prompts the bad guys to try to squeeze more out of you. One thing security experts do know is that the scam appears to be automated. It would be a mistake to assume there’s an actual human on the other end whom you can persuade to take it easy on you because you really, really need those files.

So what should you do if you’re unwary and unlucky enough to contract a ransomware Trojan? First, instructs Sophos’ Paul Ducklin in a helpful video, don’t panic and don’t do anything rash. Once the malware has control of your machine, chances are that most of the damage has already been done. In theory the hackers could mine your files for private information, but in practice they rarely do. Too much effort for an uncertain reward.

And ignore those threats not to tell anyone about the attack. Unless you’re an expert yourself, it’s a good idea to enlist the help of a computer security expert to help you figure out how to handle it. The FBI — the real FBI — also recommends filing a complaint at www.ic3.gov.

As with most forms of malware, the best protection here is simply to avoid visiting compromised websites or clicking on any suspicious-looking links, whether on the Web or in emails, Twitter or Facebook messages, or even Skype messages. Keeping your operating system and apps updated with the latest security patches always helps, and anti-virus software can be an additional prophylactic. But this particular type of attack also reinforces the importance of backing up your files. Otherwise, you might never see them again.

It’s conceivable, some security types admit privately, that paying up could prompt the criminals to restore them. But the official advice is that you never should, and in most cases that’s the advice that makes the most sense.
