There is a particularly nasty bit of malware doing the rounds. It's called Cryptolocker.

From the tubes... "CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted."

Some actually requested 2 Bitcoins, so if you were infected today it would cost you $1600 to get your files back.

Usually it gets in either through an infected e-mail attachment or an infected website.

Here are some known subject lines of the infected e-mails. Be aware that there will be others; these just give you an idea.

USPS - Your package is available for pickup ( Parcel 173145820507 )
USPS - Missed package delivery ("USPS Express Services" <service-notification@usps.com>)
USPS - Missed package delivery
FW: Invoice <random number>
ADP payroll: Account Charge Alert
ACH Notification ("ADP Payroll" <*@adp.com>)
ADP Reference #09903824430
Payroll Received by Intuit
Important - attached form
FW: Last Month Remit
McAfee Always On Protection Reactivation
Scanned Image from a Xerox WorkCentre
Scan from a Xerox WorkCentre
scanned from Xerox
Annual Form - Authorization to Use Privately Owned Vehicle on State Business
Fwd: IMG01041_6706015_m.zip
My resume
New Voicemail Message
Voice Message from Unknown (675-685-3476)
Voice Message from Unknown Caller (344-846-4458)
Important - New Outlook Settings
Scan Data
FW: Payment Advice - Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]
Payment Advice - Advice Ref:[GB2198767]
New contract agreement.
Important Notice - Incoming Money Transfer
Notice of underreported income
Notice of unreported income - Last months reports
Payment Overdue - Please respond
FW: Check copy
Payroll Invoice
USBANK
Corporate eFax message from "random phone #" - 8 pages (random phone # & number of pages)
past due invoices
FW: Case FH74D23GST58NQS
Symantec Endpoint Protection: Important System Update - requires immediate action

What can you do?  Don't open suspicious emails, don't open attachments you aren't expecting and don't go roaming the interwebs on your work computer.

Unfortunately, if you find yourself infected with such a virus, there's nothing you can really do other than restoring from backups. So make sure you are keeping backups and using System Restore points on your Windows machines.

Be on the lookout for Steam-spoofed e-mail.

STEAM is an online community that allows game players to access thousands of games: purchase, download and play from any computer.  Players can also chat online with other players while gaming with a microphone.

There is now an e-mail claiming to be from Steam Support stating that free games are available and that, to claim the offer, the recipient simply clicks the provided link to activate it.

The link points to a possibly hacked website: steampowered.countryplans.com

Registrant:
   CountryPlans LLC
   5010 Inglewood Dr.
   Langley, Washington 98260
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: COUNTRYPLANS.COM
      Created on: 02-Aug-97
      Expires on: 01-Aug-13
      Last Updated on: 26-Mar-10


(Screenshot: steam_spoof_email_01.jpg)


The e-mail purports to come from PayPal (updates-int@paypal.net) and carries an attachment "Restore_your_account_PayPal.html" of about 10.3KB. The e-mail itself originated from Korea (ne07.tt.co.kr [211.47.69.62]).

It states:

Dear PayPal account holder,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account,and multiple password failures were present before the logons.

Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Download and fill out the form to resolve
the problem and then log into your account.

Thanks ,
PayPal

If they had access to my account information, would the e-mail not have greeted me by name? This is by far the weakest of the spoofed e-mails involving PayPal: it has no standard legal disclaimer and no security statement, none of the things that would make it more believable.


Be on the lookout for fake Facebook e-mail notifications telling you that someone is looking for you. The spoofers used the 'notoficationsfacebook' handle in the e-mail address, notoficationsfacebook @ myfisrstphotoinc.com. The mail item originated from illimail.com (75.126.156.14), a domain currently hosted on godaddy.com.

The e-mail boils down to getting you to click a link within it that points to:

http://facebook-rplymsgsimm.ahlamoontada.com/h7-page

Now ahlamoontada.com is a domain hosted on the same IP address by the same domain company. There are two additional IP addresses associated with ahlamoontada.com (74.86.145.74 and 74.86.145.73).

(Screenshot: facebookmailspoof.jpg)
Beware of email claiming to come from American Express warning you that your information is not complete.

(Screenshot: americanexpress-phish.jpg)

The link provided in the e-mail actually points to a website (chinacdc.cn) owned by the Chinese Domain Registry.
Be on the lookout for "Password Successfully Changed" e-mails that claim to come from Skype. It looks fairly authentic, but there is one gotcha that makes it suspicious: the salutation is missing your name.

(Screenshot: skype-reset-password.png)

All the links point to a non-Skype IP address owned by HostDime.com, Inc. (72.29.83.6), and specifically to a user account "~jasonmou".
A day after I received my Distinguished Professionals Online invite e-mail, I got another invite, this time from the National Alliance of Male Executives. The click-through link points to http://www.newjobclassifieds.com/, but that website is the default CentOS Apache 2 Test Page. This domain is registered with the same domain name registrar as http://www.careertipstoday.com, the one hosting Distinguished Professionals Online.

Dear Wu, John,

We are excited to offer you an extraordinary opportunity to take part in a complimentary listing in N.A.M.E. --- National Alliance Of Male Executives.

N.A.M.E. is a unique on-line community providing a premium service and forum for business and social Networking, discounts on Activities, Marketing solutions and Entertainment services.

We recognize male executives who have achieved professional success as well as those looking to further their career, expand their business opportunities and enjoy the finer things in life.

Our mission is to make your life easier by providing business, recreational and personal services.

As a member you can look forward to being featured among other like-minded executives and professionals as well as us providing you with the quality service you deserve.

Why spend hours searching other websites when you can use ours in just minutes?

Please click here to get started.

We look forward to accommodating you in the near future.

Sincerely,
Michael Wahl
Vice President, Public Relations


N.A.M.E
P.O. Box 235
Oyster Bay, NY 11771
USA


Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please delete the communication and unsubscribe from the mailing using the options available in this email.

To remove yourself from future mailings, please visit here to use our automated removal system. You will be removed from our mailing database within seven (7) days. 

Thanks

Domain Name:     newjobclassifieds.com
Registrar:       Name.com LLC

Protected Domain Services Customer ID: NCR-2960246

Expiration Date: 2011-12-05 04:46:28
Creation Date:   2010-12-05 04:46:28

Name Servers:
        ns1.newjobclassifieds.com
        ns2.newjobclassifieds.com

REGISTRANT CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960246
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: newjobclassifieds.com@protecteddomainservices.com

ADMINISTRATIVE, TECHNICAL and BILLING CONTACT INFO: identical to the registrant contact above (Protected Domain Services - Customer ID: NCR-2960246).


Apparently, all my time and effort on the IntraWeb have gotten me chosen as a potential candidate to represent my professional community in the 2011 Edition of "Distinguished Professionals Online". Okay, definitely not legit. You have to send them money.

Dear John,

You were recently chosen as a potential candidate to represent your professional community in the 2011 Edition of Distinguished Professionals Online.

We are pleased to inform you that your candidacy was formally approved January 24th, 2011. Congratulations.

The Publishing Committee selected you as a potential candidate based not only upon your current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals. Given your background, the Director believes your profile makes a fitting addition to our publication and our online network.

There is no fee nor obligation to be listed. As we are working off of secondary sources, we must receive verification from you that your profile is accurate. After receiving verification, we will validate your online listing within 7 business days.

Once finalized, your listing will share prominent registry space with thousands of fellow accomplished individuals across the globe, each representing accomplishment within their own geographical area.

To verify your profile and accept the candidacy, please visit here. Our registration deadline for this year's candidates is February 20th, 2011. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee I salute your achievement and welcome you to our association.

Sincerely,
Robert Patterson
Vice President, Research Division

Distinguished Professionals Online
26 Bond Street
Westbury, NY 11542, USA


Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please delete the communication and unsubscribe from the mailing using the options available in this email.

To remove yourself from future mailings, please visit here to use our automated removal system. You will be removed from our mailing database within seven (7) days.

Thanks

Domain Name:     careertipstoday.com
Registrar:       Name.com LLC

Protected Domain Services Customer ID: NCR-2960243

Expiration Date: 2011-12-05 04:46:26
Creation Date:   2010-12-05 04:46:26

Name Servers:
        ns1.careertipstoday.com
        ns2.careertipstoday.com

REGISTRANT CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960243
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: careertipstoday.com@protecteddomainservices.com

ADMINISTRATIVE, TECHNICAL and BILLING CONTACT INFO: identical to the registrant contact above (Protected Domain Services - Customer ID: NCR-2960243).


Socially sharing information has proven to come back to bite users in the proverbial butt; well, in this case, me. It wasn't a total success in duping me, but the information I shared did come back to me. This one comes from sharing your Netflix movie rentals with the public to make friends with the same taste in movies. Spoofers have taken this public information and fashioned an e-mail in the form of a 'reported missing movie disc' notification. It would have been a very convincing e-mail, but there were some mistakes.

You should examine the various links embedded in the e-mail; in this one they all point to http://kimian.net/1.html, not http://www.netflix.com. Never click any of the links provided in an e-mail if you have any suspicion about its origin; always go to the site directly by manually typing the URL.

(Screenshot: netflix_email_fake_01.png)
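As an added example (not from the original post), here is the link check described above done in a few lines of Python: it walks every anchor in an HTML e-mail body and flags targets that leave the brand's own domain, including the decoy case where the visible text reads like a netflix.com address while the href goes elsewhere. The HTML body is constructed for illustration, not the actual e-mail.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the original e-mail): visible text names netflix.com, every href goes to kimian.net.
SAMPLE_HTML = """<p>Dear Netflix member,</p>
<p>You reported a missing disc. Please confirm at
<a href="http://kimian.net/1.html">http://www.netflix.com/MyAccount</a> or
<a href="http://kimian.net/1.html">Your Queue</a>.</p>
<p><a href="https://www.netflix.com/help">Help Center</a></p>"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_site(host, brand_domain):
    """True when host is brand_domain or one of its subdomains."""
    host = host.lower()
    return host == brand_domain or host.endswith("." + brand_domain)

def audit_links(html, brand_domain):
    """Return (href, text, reason) for each link that leaves the brand's site."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if same_site(host, brand_domain):
            continue
        reason = "off-brand target %s" % host
        # Visible text that itself looks like a brand URL is the classic decoy.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if same_site(shown, brand_domain):
            reason = "visible text says %s but target is %s" % (shown, host)
        findings.append((href, text, reason))
    return findings
```

Running `audit_links(SAMPLE_HTML, "netflix.com")` reports the two kimian.net links and leaves the genuine netflix.com help link alone.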

The popular file-sharing service YouSendIt has been spoofed by attackers hoping unsuspecting recipients will open the zip file sent as an attachment. The file is named 'YouSendIt_reader.zip' and is about 10.3KB in size.

<Some Name> has sent you the following via YouSendIt

File attached to this letter.

YouSendIt, Inc. | Privacy Policy
1919 S. Bascom Ave., Campbell, CA 95008

YouSendIt is an FTP alternative. Rather than having someone download the file via FTP (with a username and password), the file's owner simply uploads it to the service, which can then e-mail the file to one or more recipients.

YouSendIt has close to 12 million users with more than 15 million transfers monthly across 220 countries and is the solution of choice for businesses and independent professionals alike -- the latter including creative designers, photographers, business consultants and media producers. Over 10,000 corporate users from companies including Levi's, Ritz Camera, Vmware, Salesforce, Reuters and Kelly-Moore Paints rely on YouSendIt for the secure delivery of their time sensitive data
