Craig discusses a new Phishing Scam that is targeting Republicans with a legitimate email but that adds an attachment with a nasty trojan payload.
For more tech tips, news, and updates, visit – CraigPeterson.com
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] Hi, everybody. We’re going to be talking about some new Trojan malware that targets Trump supporters. Some new tools that are out there. Ransomware being paid by one of the country’s biggest online providers right here.
Hey everybody. I’m Craig Peterson. Today we are going to with no exception, get into some of the things that you need to know. Some of the things that you might not really be aware of, you’ve always wanted to know, but I’m here to explain it to you. This is the sort of stuff I like to do, and I’ve done pretty well for many years.
So let’s get right into this malware. We’ve talked about phishing before and for a quick introduction for the rest of you guys, phishing is where someone is trying to get you to do something and they are just trying to trick you into it.
So you might be familiar with some of the old phishing staff, the Nigerian Prince scam nowadays, they’ve gotten much more sophisticated, try and get you to click on a link to do that something. So they might be phishing so they can put a Bitcoin miner on your computer.
They might be phishing to do something malicious, maybe. very malicious right now. There are some bad guys out there who are phishing Trump supporters. Here’s what they’re doing.
They’re taking legitimate emails that have been sent out by other Trump supporters. Some of these political action committees. That is really single focused on one thing or another, and they’ll be supporting a candidate that supports their, so there’s these PACs on both sides of the aisle and all the way in between. All right.
The biggest problem, if you ask me about DC is, that’s where the money goes and so that’s where all the attention goes.
So you’re online. You’re looking at your email and you see an email that has a subject line that starts with forward. I got to point out in case you weren’t aware of it, subject lines that start with forward, like FWD colon, or re R E colon, as in regards to. Those subject lines tend to attract a lot of attention. The only subject line that tracks more attention is if someone has your name in that subject line.
So these emails that are being sent out by, we’re not sure who yet have. Forward or re: up in the subject line and, we’ll talk a little bit more about what is in that subject line. So there are things like breaking President, Trump, suspends funding to the WHO that is one of the most common ones they’re using right now.
Of course, we’re looking at President Trump and he’s been calling the world health organization corrupt and seen an email like this would get you to open it. Wouldn’t it? You know what, frankly, between you and me, so would people on the other side of the aisle, right? Cause they want to hear what’s Trump doing this time.
So the idea, yeah, it is it’s political. Another one is an email with a subject line that says stand with Trump again, that’s definitely targeted at Republicans who want to open it because they want to stand with President Trump. And they’re also using something called display name spoofing.
If you look at emails, you receive, you’ll see, it says it’s from so and so. Well, that’s not necessarily who it’s actually from there’s some spoofing you can do there and a lot of these guys are doing it. There are ways to block phishing. Phishing, by the way, it’s used a lot by ransomware. That’s not what this is. We’ll get into what this is exactly a minute.
But you’ve got to have some really great stuff in place. Hey, if you’re interested in it. our friend of mine, Guy, he had sent me a thing on LinkedIn this week about that’s a really great little ransomware checklist. It goes through the basics of what you should be doing to protect yourself against ransomware.
And if you want me to. I’ll dig it up for you and send it off. Just email email@example.com and in the subject line put ransomware. I’ll notice that. I will, I’ll send it to you. Just send it to firstname.lastname@example.org. And it’s a great little checklist on ransomware, and it’s telling you should be doing things if you are a system administrator like looking for specially signed DNS records and other things that are going to help identify the reality of who they’re talking to. Very important. DMark is one of those types of tools.
Now they are also using hijacked legitimate, the email addresses, and they’ll use those to send out these emails. So they’ll take an email from a PAX, a legitimate email. They will forward it, quote-unquote to you. It looks like a foreword for all intents and purposes. It is, and it has all of the links in it that the original email had and all of those links, some, the original email will work and they’ll take you to the places that you expect to go to. The problem with this one is that they have a word document attached. Not that having a word document attached isn’t necessarily a huge problem. We’ve had problems in the past where it was effectively a drive-by download. Sometimes you did not even have to open the email in order to get the infection nowadays unless you have very out of date software nowadays, you do have to open it.
So if you get that email, you click on the attachment. You open the attachment. That’s when the real pain starts, because inside that attachment is a Microsoft word document that has something inside of it called the downloader. So you open up that document down comes EmoTet and once Emotet is on your system, that’s when it all hits the fan.
What happens with EmoTet is really nasty. It starts to try and spread within your network. It scans for open services. I’m looking at a whole chart here on EmoTet which is known as S zero three six seven. It’ll start to scan ports on all of the systems on your network, on your own system. It uses the most common ports that you might think of port 80, 80, 84, 43.
In one instance, it has used. port four, four, five, which is an SMB exploitation. SMB is windows file sharing. So it uses a number of different types of attacks here to go after services that are available on your network, on your computer, and on your network. And then it spreads laterally and it starts to scan other machines.
This is where EmoTet is different than some of the others. It acts like a worm. And that’s the very first piece of malware I had. That’s what got me going on cybersecurity. Cause back then, I’m pretty much, nobody had even heard of a worm before.
What a worm is for those that don’t know. Is it some piece of software that gets onto one computer and tries to crawl through other computers all the way out?
Now you can see where the problem comes in because it now will try using all of these different protocols, try and get onto another computer. Now we can get on another computer as simple as getting onto your file server.
Are you using the VPN in your business operation? A lot of our people are at home. This is one of the real dangers of VPNs. VPNs do not make you safer. Don’t think that they make you safer because in almost no cases, do they help with the safety. What’s gonna happen with the VPN, if you’re connected, is something like EmoTet or some of these others that spread like worms are going to try and crawl through your VPN to the other side.
You say, Oh, we’ve got a firewall quote, unquote, in the other side, We’ve got a SonicWall, we’ve got whatever it might be.
Is that configured to stop a worm from crawling through and getting into other machines? And you might say, Yes. Yes, of course, it is. We block out all other servers that user at home only has access to the file server and their own computer acting as a file server isn’t that just hunky Dory. The problem is it has access to the file server. Your typical ransomware even is going to start pulling files off of the file server, sending them over to Eastern Europe for examination to see if they can use it for extortion or to see if they want to use it for ransom, just hold the encrypted and hold your data ransom. All of that stuff can happen over your VPN. Just as if you’re sitting there locally at the office.
Remember that you’ve got to have all of your security, not just in the office, not just maybe at the edge of the firewall, but everywhere.
We’re setting up systems now, that one packet will be examined five times as it flows through different firewalls within the organization. So that someone who’s sitting there working on something is going to have to go in and out of firewalls just to get to that server.
It’s not just the packets that are examined nowadays. We’re talking about having the data examined, completely reassembling the streams, and looking at it and looking at it all very closely.
Hey, you’re listening to Craig Peterson stick around because we will be right back. We’re going to be talking about a new scanning tool release and what that’s all about. So stick around.
More stories and tech updates at:
Don’t miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text: