David H. Lipman

Posts posted by David H. Lipman

  1. A Google Search on 8004859316 shows that number is associated with an established Tech Support Scammer/Spammer.

    I don't know why you are showing a picture of text on paper and I don't understand the history of the software purchase and installation.  It sounds like a version of Malwarebytes' software was repackaged with some remote access software.

    The best place to obtain Malwarebytes software is directly from Malwarebytes and a license or licenses from a reputable reseller.

    I suggest you have your PC checked out by a trained Malware Removal specialist.  Please read this;  I'm infected - What do I do now?  and then  create a Post in;  Windows Malware Removal Help & Support


    Reference:
    US FBI PSA - Tech Support Fraud
    US FTC Consumer Information -  Tech Support Scams
    US FTC - Tech Support Operators Agree to Settle Charges by FTC and the State of Ohio
    US FTC - FTC and Federal, State and International Partners Announce Major Crackdown on Tech Support Scams
    Malwarebytes' Blog - Search on - "tech support scams"
    Malwarebytes' Blog - "Tech support scams: help and resource page"

  2. FBI Warns of Sextortion Attempts in Arizona

    Quote

    PHOENIX, AZ—The Federal Bureau of Investigation is warning the public about recent incidents in Arizona involving sextortion. The FBI is seeing cases that involve an adult coercing teenagers through social media into producing sexual images and videos online.

    Sextortion can start on any site where people meet and communicate. Through deception, manipulation, money and gifts, or threats, the predator convinces the young person to produce an explicit video or image. When the young person starts to resist requests to make more images, the criminal will use threats of harm or exposure of the early images to pressure the child to continue producing content.

    The FBI advises on these tips to help protect you online:

    1. Be selective about what you share online, especially your personal information and passwords. If your social media accounts are open to everyone, a predator may be able to figure out a lot of information about you.
    2. Be wary of anyone you encounter for the first time online. Block or ignore messages from strangers.
    3. Be aware that people can pretend to be anything or anyone online. Videos and photos are not proof that a person is who they claim to be.
    4. Be suspicious if you meet someone on one game or app and they ask you to start talking to them on a different platform.
    5. Be willing to ask for help. If you are getting messages or requests that don’t seem right, block the sender and report the behavior.

    If you believe someone you know has been a victim of sextortion, contact the FBI Phoenix Field office at (623)466-1999 or report the crime online at tips.fbi.gov.

    For more information about Sextortion, including resources for teens, schools, parents and caregivers click here: https://www.fbi.gov/news/stories/stop-sextortion-youth-face-risk-online-090319

  3. Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight

    Quote

    Earlier this month, Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence. Nothing new there. However, our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems. The novelty of this downloader arises primarily from the way it uses JavaScript for execution—something we hadn’t previously encountered in other macOS malware—and the emergence of a related binary compiled for Apple’s new M1 ARM64 architecture.

    We’ve dubbed this activity cluster “Silver Sparrow.”

    Thanks to contributions from Erika Noerenberg and Thomas Reed from Malwarebytes and Jimmy Astle from VMware Carbon Black, we quickly realized that we were dealing with what appeared to be a previously undetected strain of malware.

    According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany.

    Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice. Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.

    The rest of this post will be organized into the following sections:

    • A technical analysis of two Silver Sparrow malware samples
    • An explanation of intelligence gaps and blindspots
    • Guidance on detection opportunities for Silver Sparrow
    • A list of indicators that we’ve encountered while investigating this threat

  4. No, not really.  That email address is only good if one finds a Web Site that is an Apple Phish or if you have an HTM or HTML email file attachment that, when rendered, becomes an Apple Phish and one discerns that it does an HTTP POST on harvested Apple related credentials.

    The email was not an Apple Phish.  As I wrote, this is a variation of a Tech Support scam.  It wasn't even a scam in Apple's name as this was really in the name of Norton/LifeLock and Comcast/Xfinity.  It's not a scam on Apple, and we don't want to clog a Phishing email address with something like the above.

  5. Thank you.

    This is not a case of Phishing.  It is a variation of a Tech Support scam in the name of Norton™ LifeLock360 / Webroot® / Malwarebytes / McAfee® / Kaspersky.  Numerous forum members have posted about this type of scam.

    Please Reference:

    1. have received 3 scam emails about Malwarebytes account charges
    2. Fake Receipt?
    3. Your subscription for “Malware bytes Security” has been renewed.
    4. Phishing scam using malwarebytes subscription (cares@usorderreceipt02.co)

    Phishing is a process masquerading as a known entity where a web site, a PDF or other document uses content that emulates that entity and tries to get the victim to provide login credentials or Personally Identifiable Information (PII).  For example, a compromised web site may have content that looks like the legitimate Login for USAA.  However, it is all about harvesting a victim's USAA account credentials.

    Reference:
    US FBI PSA - Tech Support Fraud
    US FTC Consumer Information -  Tech Support Scams
    US FTC - Tech Support Operators Agree to Settle Charges by FTC and the State of Ohio
    US FTC - FTC and Federal, State and International Partners Announce Major Crackdown on Tech Support Scams
    Malwarebytes' Blog - Search on - "tech support scams"
    Malwarebytes' Blog - "Tech support scams: help and resource page"

  6. New FTC Data Show Massive Increase in Romance Scams, $304M in Losses

    Quote

    More consumers than ever report falling prey to romance scammers, according to new Federal Trade Commission data that show consumers reported losing a record $304 million to the scams last year.

    A newly released data spotlight shows that the amount consumers reported losing to romance scammers is up about 50 percent since 2019, and has increased more than fourfold since 2016.

    Scammers draw people in using pictures stolen from around the internet, building false personas that seem just real enough to be true, but always having a reason never to meet in person. Eventually, the supposed suitor will ask for money from the unwitting consumer. The impact can be major, with the median loss reported to the FTC being $2,500—more than ten times higher than the median loss across all other frauds.

    The COVID-19 pandemic has resulted in people staying physically distant, providing ample reason for consumers to look for relationships online and providing a swath of new reasons for scammers to use to put off meeting in person.

    The spotlight notes that while many people report the romance scam started on a dating site or app, even more report that the scam originated from contact through social media. While the asks for money sometimes begin with a story about a medical emergency, consumers reporting the largest losses often said they believed the scammer had actually sent them money. Many people reported that these instances turned out to be elaborate money laundering schemes, such as for fraudulently obtained unemployment benefits.

    According to the spotlight, consumers most often report sending money to romance scammers by wire transfer or in the form of gift cards. Reports of gift cards used to pay romance scammers were up by nearly 70 percent over 2019.

    The FTC provides tips for consumers on how to spot romance scams and protect themselves at ftc.gov/romancescams

  7. To sum this up...

    To make a real determination upon any email, we would need to see the email in RAW Format.  That is, the email's full header and body of the message in its raw, uninterpreted and non-rendered, state.

    How one retrieves that depends on the email client or web browser.  For example, in AOL Webmail you open the intended email and choose More ---> View Message Source.

    Without examining the RAW Email contents, everything is all speculation.

    The following is an example of a redacted email's Full Header from a US House of Representatives email in RAW Format...

    Received: from 10.196.194.208
     by atlas208.aol.mail.bf1.yahoo.com with HTTP; Thu, 18 Feb 2021 15:29:46 +0000
    Return-Path: <#########@mail.house.gov>
    Received: from 143.228.145.95 (EHLO serg-bulk3-h.house.gov)
     by 10.196.194.208 with SMTPs; Thu, 18 Feb 2021 15:29:46 +0000
    X-Originating-Ip: [143.228.145.95]
    Received-SPF: pass (domain of mail.house.gov designates 143.228.145.95 as permitted sender)
    Authentication-Results: atlas208.aol.mail.bf1.yahoo.com;
     dkim=pass header.i=@house.gov header.s=august2019-msgb-hg;
     spf=pass smtp.mailfrom=mail.house.gov;
     dmarc=pass(p=NONE) header.from=mail.house.gov;
    X-Apparently-To: <redacted>; Thu, 18 Feb 2021 15:29:46 +0000
    X-YMailISG: ik7g2gwWLDufalaLfVs38U9Od7cHkh8V9jx_hvtiGwH4csCj
     2yJa5obN2PNkuSDV58t6phmy2RZsH._UeugOsGQeQM1CG9Hb1SFdME5RDkBg
     032tvdx6wUIOV.LFCTotS8Qzyq4AfqX053qj5MJFH99LwfYORY8go.Cb_Qqa
     _IOhf2HBXLAAyZMVce3dORM_plTCDEQ9TZ3YS1Xhz.iBKdi35a6AILUMLMD5
     nhswo_kwHv3PUo3LUzFkv0dzFjMtQXhDjfvBW.rFLcglcuqVusgLCzptb7f_
     uaVLLmYvU9NepOk0xQs3R6p3NcQVVhFeFpIFfGYqIXU3Ppe.N8ThMLDpkBrr
     BgsO.t1K21JphACxFdq2IXEqrtAejlWjFUJoBnqvLaOGrxS0NMKAEiMiSokB
     RTkNVAJeTKyklAeyvgg6J3CnwzitkTYskepl4Y3t2Aw67OCR6bZeSQFvy5F.
     fi5nwQEMMvqeuyZUXS5GRROhW6RNeyhl5kIbE5q4_jAj72xYPSbreHaY2Wgl
     WDS5g8qrU9f5LGE28Bz_VloFYRPCpSIJCww0LAidZUag9UoA.A.O.yDBSk.L
     VQJxiJjYXlFFHfCt0QSonINo914Kyt8vUKIvd6mE_LjSqYe63Ef0EdyDWQZ5
     Lk0mtFELa3UbARGzHxzlsjdd8mdV0d9FRExnwdvtsznZCaUf59M4SxJChBAv
     nIShZsdBoD6xl8WPIx.QLfl6VN4vPM3wvoJYo3pdsJGC2kj7JY1Aym71Y08q
     QtqvSzn9GtBl_Ba3iRdowLafOpDNg4wr6L7NK0ujf7nfdnnBsLBArhlQiqWY
     qa9ekdhTYuUQOhbvYl7H2NqfXRolwQgADWV4rg.id2UYTNwcZlQ_JThSeS1j
     nSEhaVBaz9sdqnO_lGNoz0.Hzdo.wB8Z2fhnIw9O.m2V53b4Ej2PFYD.TT6J
     W2gYI7fI5M2CicZj1CEeCt9t81b5moTeXEGM3R8_fZ27hWK5qgKfKnsoXVyx
     cnxEeS2Fme.WbWhOaCofDvmDVzZqh45nE.CwHIWp0s.nJg914oR.6SkrDyCJ
     3s2TKupX.Rt7tKE3bNzeFhbQpYz3YNZJpTkstie7roeZlDByx4xrmQX5BVUi
     I0iueOwRV2J5Sf_dcWKpRlR_rupdAtSu5ngzpsnsw5cpK1clk5HXBQFttmf9
     wB_Ku.u9d5U7uaiGLkryIuetl_ZTT0BaWcyMou91SlZnk4Bt_kjlUfSk.Dwi
     IS4O4mVAriQ-
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=house.gov; h=message-id :
     list-unsubscribe : mime-version : from : to : date : subject :
     content-type; s=august2019-msgb-hg;
     bh=ULzfH/oGWrOG9uajrFth3+RUhDagW61O4cW5EfEhjpk=;
     b=BkzjmzGQaK6CCjyghHmHwxErJaA4Yr7VNZMVi4LeH1ivpOlw3rpAHMnvK9+DrjRqx8ox
     Ag2U4rNXSqzpaAZWBoVx3CH6O78d0d9XxMhkTyTtg7ssCg7x57VzD/NgpH97TzgDgpJ2
     MoVaZ1oZYUxZulLfgbQc+tAHUl1P/NSGLeITRhzAlBcERE4cBsGu4bfgRblnb9Mm5Xkc
     wdcWyplHhaicxBg/CWSNWXRayylTI4EAXA/sYN0CcfqDDMX9C2dC2U+/7A2Dwg7Mvi0J
     pPZBnB3AgWTBRuaUgnvdhu2wJx+XNcHdjn5UdTWaMVZRPVscZdaygHI9NiI+yr/ivAsY gA== 
    Received: from FIRESIDESERV03 (firesideserv03.us.house.gov [143.228.58.103])
    	by serg-bulk3-h.house.gov (8.16.0.27/8.16.0.27) with ESMTP id 11IFTkXv013631
    	for <redacted>; Thu, 18 Feb 2021 10:29:46 -0500
    envelope-from: ########@mail.house.gov
    Errors-To: bounce@emanager.house.gov
    X-Errors-To: bounce@emanager.house.gov
    Message-ID: <T4sraud6emUE4yrVFPOL+4nARk5aNJ2r800E1vp2NM84FLH4rhPErpqC5xtTWHbvBsDpgQFgfCHmxpIGlkDW2Hp7QO2Bgi5s/isgQuL28S2684AuPTNI8MDv/4JbLSbshnczS8yrjO4jPXApEVzfjXYPoSDp3HYMikKSgaWChuZxeXBTkvz4sErrzShm9rp+@fireside21.com>
    X-House-Vendor-Seg: unmanaged
    List-Unsubscribe: <https://#########.house.gov/forms/emailsignup/?Delete=true&MessageID=539&Email=<redacted>&Submit=true>
    Precedence: bulk
    MIME-Version: 1.0
    From: "Congressman #######" <##########@mail.house.gov>
    To: <redacted>
    Date: 18 Feb 2021 10:29:46 -0500
    Subject: Join me Friday for a virtual veterans roundtable	
    Content-Type: multipart/alternative;
     boundary=--boundary_1781796_eed9aab1-98c9-4025-9aa9-ec80837e9506
    X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.761
     definitions=2021-02-18_06:2021-02-18,2021-02-18 signatures=0
    Content-Length: 12316
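As an added example (not from the post and not Malwarebytes code), a Python 3 script that reads a raw header such as the one above and pulls out what one checks first: the Authentication-Results verdicts, whether the DKIM and SPF domains line up with the From domain, and the Received relay chain. It embeds a trimmed copy of the redacted House header as its sample input; the alignment test is a simplified, relaxed DMARC-style comparison assumed here, not something the post states.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the redacted House header quoted above, trimmed to the fields read here.
RAW_HEADER = """\
Received: from 10.196.194.208
 by atlas208.aol.mail.bf1.yahoo.com with HTTP; Thu, 18 Feb 2021 15:29:46 +0000
Received: from 143.228.145.95 (EHLO serg-bulk3-h.house.gov)
 by 10.196.194.208 with SMTPs; Thu, 18 Feb 2021 15:29:46 +0000
Authentication-Results: atlas208.aol.mail.bf1.yahoo.com;
 dkim=pass header.i=@house.gov header.s=august2019-msgb-hg;
 spf=pass smtp.mailfrom=mail.house.gov;
 dmarc=pass(p=NONE) header.from=mail.house.gov;
Received: from FIRESIDESERV03 (firesideserv03.us.house.gov [143.228.58.103])
 by serg-bulk3-h.house.gov (8.16.0.27/8.16.0.27) with ESMTP id 11IFTkXv013631
 for <redacted>; Thu, 18 Feb 2021 10:29:46 -0500
From: "Congressman redacted" <redacted@mail.house.gov>
"""

def _grab(pattern, text):  # first capture group of pattern, lower-cased, or '' when absent
    m = re.search(pattern, text)
    return m.group(1).lower() if m else ""

def auth_results(msg):
    """Verdict per mechanism from Authentication-Results, e.g. {'spf': 'pass', ...}."""
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def received_hops(msg):
    """(from, by) per Received header, top-down: first = recipient's server, last = nearest the sender."""
    return [m.groups() for v in msg.get_all("Received", [])
            for m in [re.search(r"from\s+(\S+).*?\bby\s+(\S+)", v, re.S)] if m]

def aligned(from_domain, auth_domain):
    """Relaxed DMARC-style alignment (simplified): From domain equals, or is a subdomain of, the authenticated one."""
    return from_domain == auth_domain or from_domain.endswith("." + auth_domain)

def assess(raw):
    """What the raw header shows: authentication verdicts, alignment with From, and the relay chain."""
    msg = HeaderParser().parsestr(raw)
    ar = msg.get("Authentication-Results", "")
    frm = _grab(r"@([\w.-]+)", msg.get("From", ""))
    dkim_d, spf_d = _grab(r"header\.i=@?([\w.-]+)", ar), _grab(r"smtp\.mailfrom=([\w.-]+)", ar)
    return {
        "from_domain": frm,
        "auth": auth_results(msg),
        "dkim_aligned": bool(dkim_d) and aligned(frm, dkim_d),
        "spf_aligned": bool(spf_d) and aligned(frm, spf_d),
        "hops": received_hops(msg),
    }
```

A scam message of the kind discussed in these posts usually shows the opposite picture under the same checks: a From domain that does not align with smtp.mailfrom or the DKIM domain, or no passing verdicts at all.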

  8. It was like a hidden dialogue.  A Ghost.  You could see a window but it was white with no content and the scan did not occur.  However, I can't remember if there was an actual error message.  I had to kill that Ghost window or something like that and then "Open Malwarebytes" from the tray icon at which point I saw the 30 day security summary pop-up and what happened became apparent.  Once that was closed I could perform the Right-Click context scan of the intended folder.

  9. In regards to;

    Quote

    What’s New in 1.0.1173:

    • Onboarding wizard: Something went wrong page
    • Onboarding wizard: Forgot password
    • 30 day security summary pop-up
    • Improved detection and remediation
    • Improved performance


    The 30 day security summary pop-up interferes with a Right-Click context scan of a file or folder.  MBAM generates errors while trying to conduct a scan until the dialogue is cleared.

  10. The simple answer -- No.

    I'll compare it to having a bully in your neighbourhood.  You write poetry, sonnets and stories in notebooks.  That bully has gotten a hold of some of your writings.  Replacing the notebooks with new ones won't mitigate the issue.  You'd have to change your habits of how you store and move those notebooks around as well as any/all interactions with that bully.

    In your case, understanding how to mitigate cyber threats and how you interact with technology is the key to your solution.  It begins with understanding what a computer "virus" is, how it compares to and is differentiated from trojans as well as Potentially Unwanted Programs (PUPs), and how one gets infected.  It will continue by understanding threats and having situational awareness as well as understanding what constitutes "vulnerabilities" and exploitation of those vulnerabilities.

    In other words, the key to mitigating your problem is within you and not by simply changing hardware.
