Computer Systems, Service and Repairs



We’re on a bit of an educational push here with the aim of helping Internet users become a bit more aware of the latest tricks that criminals are using to catch you out. Hopefully, this means you will be a bit safer online.

Today’s post takes a closer look at ‘malvertising’. This was covered in a bit of detail in our previous post on Exploit Kits, but as it presents a significant threat to everyday folks, we wanted to dig into it in a bit more detail.

What is it?

Malvertising is the name we in the security industry give to criminally-controlled adverts which intentionally infect people and businesses. These can be any ad on any site – often ones which you use as part of your everyday Internet usage. It is a growing problem, as is evidenced by a recent US Senate report, and the establishment of bodies like Trust In Ads.

Whilst the technology being used in the background is very advanced, the way it presents to the person being infected is simple. To all intents and purposes, the advert looks the same as any other, but it has been placed by a criminal.

Without your knowledge, a tiny piece of code hidden deep in the advert is making your computer go to criminal servers. These then catalogue details about your computer and its location, before choosing which piece of malware to send you. This doesn’t need a new browser window and you won’t know about it.

The first sign will often be when the malware is already installed and starts demanding money with menaces, logging your bank details or running any number of despicable scams.


How do they get there?    

It’s common practice to outsource the advertising on websites to third-party specialists. These companies re-sell this space, and provide software which allows people to upload their own adverts, bidding a certain amount of money to ‘win’ the right for more people to see them.

This often provides a weak point, and cyber criminals have numerous clever ways of inserting their own malicious adverts into this self-service platform. Once loaded, all they have to do is set a price per advert, to compete with legitimate advertisers, and push it live.

Why is it a threat to me?

People nowadays are aware of practices that look or feel ‘wrong’ on the Internet, be it odd-looking links, requests to download strange programs or posts on social media which set the alarm bells ringing. The real danger with malvertising is that user judgement isn’t involved at all. People don’t have to click anything, visit a strange website or follow any links.

Rather, you go to a website you trust (like a news site or similar) and the adverts are secretly injecting criminal software onto your computer. This means infections can happen just by browsing the morning headlines, visiting your online dating profile or watching a video.

How do I stop it?

There are a few things which people can do to minimize the risk of being caught out by malvertising:

  • Those reminders to update things like browsers, Flash, Java, etc.? Don’t ignore them.
  • Run a specialist anti-exploit technology (
  • There are programs which block advertising that can help

Safe surfing and don’t get caught out!

Custom Computers inc. is the premier provider of computer repair services in the Wilkes Barre / Scranton area and has been serving both home and business users for 21 years now. We specialize in malware and virus removal in our Kingston, PA service center.


Tech Support Scammers Go For Porn Shocker

Crooks are making millions of dollars defrauding unsavvy users with fake online tech support. The scam is simple yet effective and has gone through many variations over time.

Scammers can be very creative, simulating the Blue Screen Of Death (BSOD) or even stealing templates used by security companies.

In their latest iteration, the tech support scammers are going for maximum shock effect by locking people’s browser with a nasty collage of hardcore pornographic pictures in the background.


Figure 1: A disturbing set of hardcore pornographic pictures with a “System At Risk” warning.

The page at reads:

System At Risk!!
Due to Suspicious activity detected on the computer, Critical errors have been found. Error Code – S1L457.
Call customer technical support and share this code with the agent.
Customer support number- 1-844-709-0775
Call Customer Technical Support at 1-844-709-0775 and share this code with the agent.

These pages and pop-ups always seem to come out of the blue, as you simply browse the net. Then, getting rid of them via the conventional close button is nearly impossible.

Figure 2: The alert message abusing the ‘alert()’ method

Some users might just be frightened to see that their computers could have a bad virus and that they might lose all of their data. Others, desperate to close the page, will call the support number provided on the pop-ups.

Going for pornographic material is not entirely surprising. Traditional ransomware did that long ago, in some cases going as far as displaying child pornography on the user’s device.

This tactic can be quite effective, since anyone caught with this on their screen will most likely feel too embarrassed to reach out to a friend or IT guy for help, and will instead follow the on-screen instructions, which involve calling a toll-free number.

Unfortunately, the toll-free number will redirect to one of many boiler rooms filled with agents often pretending to be Microsoft Support. They will ask the victim to download a program that will allow them to remotely access and control the computer.


Figure 3: The remote technician does his sales pitch, not really bothered by what’s on screen

What follows next is the typical snake-oil sales pitch (your computer has viruses, infections, etc.) for a pricey and bogus online ‘Microsoft support service’. For the unlucky ones, identity theft and destruction of their data and computer can also happen.

These fake and scary pages all exploit the same design in JavaScript, which allows long or infinite loops to prevent the user from closing the page. As long as it exists, more and more people are going to be defrauded of their hard-earned money by these miscreants.

Google Reports 5% Of Users Infected By Ad Injectors

Google, working with researchers from the University of California, Berkeley, conducted a study that found 5 percent of users visiting Google sites were infected with Ad Injectors.

An Ad Injector is a type of adware that can put ads into pages you are viewing, replace existing ads with other ads, and block content you are trying to view. As a result of these annoying pop-ups, Google claimed it has received over 100,000 complaints from users of Google Chrome since the start of 2015.

Google said that this type of software brings a variety of problems for users, advertisers and publishers alike. The user side of the problem is easy to see, as most of us have experienced annoying ads that cover up content and seem to get in the way of our web browsing activities.

For publishers and advertisers, this type of malicious software is an even greater problem. Ad Injectors covering up content and bothering users can drive people away. Because most websites make their living off of advertising, this can drive profits down and cost sites a great deal of money.

How to avoid email Phishing attempts

Just some pointers this morning on how to avoid email phishing attempts. I received this message in my inbox this morning and wanted to share it with you. First thing you will notice is that the email says it is from Now the .gov extension is reserved for government entities. This would not be available to a private company such as American Express. That should be your first tip off that it is not real.

Secondly, as I put my mouse pointer over the word “login” which is linked to a website, Outlook gives me a little pop-up that tells me where that link is really gonna go. You will notice that this link is going to which certainly has nothing to do with American Express so this is definitely a phishing scam. Now Outlook does this with a little pop-up but if you are using some sort of web based email your web browser will usually show you in the bottom left corner where a link is really gonna go when you hover over it.

Thirdly, I don’t have an American Express account so obviously I wouldn’t even think of it being real but if 1 in 3 people do have an American Express card then their chances of getting someone to fall for this are pretty good.

I have had people tell me things over the years that just don’t make any sense to me. One in particular I remember a guy opened an email that said he had a voicemail message so he proceeded to open the attachment and got his computer infected. My first question was “Do you have some sort of service that would email you a voicemail?” and he responded with “No”. I replied “Why the heck would you open it then?”

You just have to use some basic common sense and most of these problems can be avoided easily. If someone knocked on your door and said he was from the gas company and he needed to check your basement, would you not look at his ID, his uniform, his truck to make sure he is who he says he is? We just need to do the same for people who knock on the door of our inboxes.

If you happen to fall for this sort of scam and get your computer infected, do not fret, as we can clean it up and provide some basic instruction on how to avoid this sort of thing in the future. Our silver virus cleaning package includes a set of tools and the instructions and directions on how to use them to keep your computer virus and spyware free. We take the time to sit with you and make sure you know how to use these simple free malware tools and know what to look for and what to avoid. Just the same as driving on Northeast Pennsylvania’s roads, we need to avoid some of the internet “potholes”.



Lastly the below image is what was at the bottom of the email. None of the apparent links to American Express or customer service actually work. They try to convince you they are the real deal by using in the bottom portion. This appears to be a real link but it is simply blue text so it looks like it is real.
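The three checks described in this post (sender domain, where a link really goes, and "links" that are only blue text), as an added Python example that is not part of the original post. The sender address and link hosts in the sample are constructed on reserved example domains, and `americanexpress.com` is assumed to be the domain the reader expects.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches text that looks like a host name, e.g. "www.example.com".
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email(from_header, html_body, expected_domain):
    """Return a list of (kind, subject, reason) findings for one message."""
    findings = []
    _, addr = parseaddr(from_header)
    sender_host = addr.rpartition("@")[2]
    if not in_domain(sender_host, expected_domain):
        findings.append(("sender", addr, f"sent from {sender_host!r}"))

    collector = _AnchorCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        if not href:
            # Styled to look clickable, but there is no destination at all.
            findings.append(("dead-link", text, "no href"))
            continue
        host = urlsplit(href).hostname or ""
        if not in_domain(host, expected_domain):
            findings.append(("link-target", text, f"goes to {host!r}"))
        shown = DOMAIN_RE.search(text)
        if shown:
            shown_host = re.sub(r"^www\.", "", shown.group(0), flags=re.I)
            if not in_domain(host, shown_host):
                findings.append(
                    ("link-text", text, f"shows {shown_host!r}, goes to {host!r}")
                )
    return findings


# Constructed sample message (not the e-mail from the post).
SAMPLE_FROM = '"American Express" <service@notices.example.gov>'
SAMPLE_BODY = (
    '<p>Please <a href="http://signin.example.net/verify">login</a> to review.</p>'
    '<p><a href="http://signin.example.net/help">www.americanexpress.com</a> | '
    '<a>Customer Service</a> | '
    '<a href="https://www.americanexpress.com/">Home</a></p>'
)

if __name__ == "__main__":
    for kind, subject, reason in audit_email(
        SAMPLE_FROM, SAMPLE_BODY, "americanexpress.com"
    ):
        print(f"{kind:12} {subject!r}: {reason}")
```
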


How To Avoid Malware Infections

Malware is a term used to describe a broad category of damaging software that includes viruses, worms, trojan horses, rootkits, spyware, and adware. The effects of malware range from brief annoyance to computer crashes and identity theft. Malware is easier to avoid than it is to remove. Avoiding malware involves a two-part strategy. Follow these guidelines for staying safe.

Prevent Malware With Smart Online Behavior

The single biggest factor in preventing a malware infection on your PC is you. You don’t need expert knowledge or special training. You just need vigilance to avoid downloading and installing anything you do not understand or trust, no matter how tempting, from the following sources:

From a website: If you are unsure, leave the site and research the software you are being asked to install. If it is OK, you can always come back to the site and install it. If it is not OK, you will avoid a malware headache.

From e-mail: Do not trust anything associated with a spam e-mail. Approach e-mail from people you know with caution when the message contains links or attachments. If you are suspicious of what you are being asked to view or install, don’t do it.

From physical media: Your friends, family, and associates may unknowingly give you a disc or flash drive with an infected file on it. Don’t blindly accept these files; scan them with security software. If you are still unsure, do not accept the files.

From a pop-up window: Some pop-up windows or boxes will attempt to corner you into downloading software or accepting a free “system scan” of some type. Often these pop-ups will employ scare tactics to make you believe you need what they are offering in order to be safe. Close the pop-up without clicking anything inside it (including the X in the corner). Close the window via Windows Task Manager (press Ctrl-Alt-Delete).

From another piece of software: Some programs attempt to install malware as a part of their own installation process. When installing software, pay close attention to the message boxes before clicking Next, OK, or I Agree. Scan the user agreement for anything that suggests malware may be a part of the installation. If you are unsure, cancel the installation, check up on the program, and run the installation again if you determine it is safe.

From illegal file-sharing services: You’re on your own if you enter this realm. There is little quality control in the world of illegal software, and it is easy for an attacker to name a piece of malware after a popular movie, album, or program to tempt you into downloading it.


Our Services

If you happen to miss something and end up with an infected computer, no worries as that is what we are here for. We provide professional virus and malware cleaning service to both home and business clients in the Kingston, Wilkes Barre, Forty Fort, Back Mountain areas and provide the instruction and tools needed to help you avoid the problem in the future so you can keep your own computer clean from that point forward.

We have several packages available when it comes to malware cleanups, but we always recommend our SILVER package, in which we not only perform the malware cleaning but also apply all the security patches and updates, install our malware and system maintenance tools, and show you how to use them so that future cleanings are not required. We try to go the extra mile in teaching you what to do and what not to do, so when you leave you have the tools and knowledge to continue the fight against malware on your own.

We also are constantly posting updates to both our website and our Facebook page to inform you of new threats and techniques to avoid them. Visit our Facebook page and don’t forget to LIKE it so you receive all our updates.



Custom Computers, inc. is the area’s leading computer service and repair company, with life-long skilled technicians who are fast and efficient and speak of technical matters in an easy-to-understand way. We service both home and business clients all over the Wyoming Valley, including many small to medium businesses such as schools, religious organizations and local mom and pop shops, as well as the typical home user. We provide both onsite service, in which we come out to your location to service your computers, and service in our Kingston, PA service center.

Our service areas range from Kingston, Wilkes Barre, Forty Fort, Swoyersville, Exeter, West Pittston, Pittston, Edwardsville, Larksville, Plymouth, Hanover, Scranton, Duryea, Moosic and all the surrounding areas. We also do networking, servers, wireless setups, security audits, software installs, remote administration and tech support services.

Watch out for fake virus alerts

Know the programs you have on your computer and what they look like so you can more readily spot a fake virus alert. When you already know what programs you have and what they look like, you will have an easier time spotting a fake alert if it does come up, because it will look different than the programs you are already used to using.

Rogue security software, also known as “scareware,” is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.

How does rogue security software get on my computer?

Rogue security software designers create legitimate looking pop-up windows that advertise security update software. These windows might appear on your screen while you surf the web.

The “updates” or “alerts” in the pop-up windows call for you to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When you click, the rogue security software downloads to your computer.

Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software, so it is important to protect your computer.

What does rogue security software do?

Rogue security software might report a virus, even though your computer is actually clean. The software might also fail to report viruses when your computer is infected. Inversely, sometimes, when you download rogue security software, it will install a virus or other malicious software on your computer so that the software has something to detect.

Some rogue security software might also:

  • Lure you into a fraudulent transaction (for example, upgrading to a non-existent paid version of a program).
  • Use social engineering to steal your personal information.
  • Install malware that can go undetected as it steals your data.
  • Launch pop-up windows with false or misleading alerts.
  • Slow your computer or corrupt files.
  • Disable Windows updates or disable updates to legitimate antivirus software.
  • Prevent you from visiting antivirus vendor websites.

Rogue security software might also attempt to spoof the Microsoft security update process. Here’s an example of rogue security software that’s disguised as a Microsoft alert but that doesn’t come from Microsoft.

Example of a warning from a rogue security program known as AntivirusXP

For more information about this threat, including analysis, prevention and recovery, see the Trojan:Win32/Antivirusxp entry in the Microsoft Malware Protection Center encyclopedia.

To help protect yourself from rogue security software:

  • Install a firewall and keep it turned on.
  • Use automatic updating to keep your operating system and software up to date.
  • Install antivirus and antispyware software and keep it updated. Windows 8 includes antivirus protection that’s turned on by default. If your computer isn’t running Windows 8, download Microsoft Security Essentials for free.
  • Use caution when you click links in email or on social networking websites.
  • Use a standard user account instead of an administrator account.
  • Familiarize yourself with common phishing scams.

How To Secure Your Router

This article will discuss security issues and give advice on how to secure your wired or wireless router. It is a little bit advanced and may not be suited for beginners, but moderate and above computer users will find it very helpful, so here we go.


Most gateway routers used by home customers are profoundly not secure, and some routers are so vulnerable to attack that they should be thrown out, a security expert said at the HOPE X hacker conference in New York earlier this month.

“If a router is sold at [an electronics chain], you don’t want to buy it,” independent computer consultant Michael Horowitz said in a presentation July 20. “If your router is given to you by your Internet service provider [ISP], you don’t want to use it either, because they give away millions of them, and that makes them a prime target both for spy agencies and bad guys.”

Horowitz recommended that security-conscious consumers instead upgrade to commercial routers, or at least separate their modems and routers into two separate devices. (Many “gateway” units, often supplied by ISPs, act as both.) Failing either of those options, he gave a list of precautions users could take.

Problems with consumer routers

Routers are the essential but unheralded workhorses of modern computer networking, yet few users realize they are computers, with their own operating systems, software and vulnerabilities.

“A compromised router can spy on you,” Horowitz said, explaining that a router under an attacker’s control can stage a man-in-the-middle attack, alter unencrypted data or send the user to “evil twin” websites masquerading as often-used Webmail or online-banking portals.

Many consumer-grade home-gateway devices fail to notify users if and when firmware updates become available, even though those updates are essential to patch security holes, Horowitz noted. Others will not accept passwords longer than 16 characters.

Millions of routers throughout the world have the Universal Plug and Play (UPnP) networking protocol enabled on Internet-facing ports, which exposes them to external attack.

“UPnP was designed for LANs [local area networks], and as such, it has no security. In and of itself, it’s not such a big deal,” Horowitz said. But, he added, “UPnP on the Internet is like going in for surgery and having the doctor work on the wrong leg.”

Another problem is the Home Network Administration Protocol (HNAP), a management tool found on some consumer-grade routers that transmits sensitive information about the router over the Web at http://[router IP address]/HNAP1/, and grants full control to remote users who provide administrative usernames and passwords (which many users never change from the factory defaults).

Earlier this year, a router worm called TheMoon used the HNAP protocol to identify vulnerable Linksys-brand routers to which it could spread itself. Linksys quickly issued a firmware patch.

“As soon as you get home, this is something you want to do with all your routers,” Horowitz told the tech-savvy crowd. “Go to /HNAP1/, and, hopefully, you’ll get no response back, if that’s the only good thing. Frankly, if you get any response back, I would throw the router out.”
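The check Horowitz describes, as an added Python example (not from the talk or the original article) for auditing a router you administer. The default address 192.168.1.1 and the marker strings used to recognise an HNAP reply are assumptions.

```python
"""Self-audit: does a router on your own network answer at /HNAP1/?"""
import http.client
import sys

HNAP_PATH = "/HNAP1/"
# Assumption: an HNAP reply is SOAP/XML that names the protocol or its namespace.
HNAP_MARKERS = (b"hnap", b"purenetworks.com")

ADVICE = {
    "no-response": "Nothing answered at /HNAP1/. This is the result you want.",
    "answered": "A web server replied, but not with HNAP data. Check the status "
                "code and confirm HNAP is disabled in the admin interface.",
    "hnap-exposed": "The router returned HNAP data. Update the firmware, disable "
                    "HNAP if the router allows it, or replace the router.",
}


def classify_reply(status, body):
    """Map an HTTP status and response body to a verdict string."""
    lowered = body.lower()
    if status == 200 and any(marker in lowered for marker in HNAP_MARKERS):
        return "hnap-exposed"
    # Some web server answered, but not with recognisable HNAP data
    # (for example a 404 page or a redirect to the login form).
    return "answered"


def check_hnap(host, port=80, timeout=3.0):
    """GET http://host:port/HNAP1/ and return (verdict, detail)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", HNAP_PATH, headers={"User-Agent": "hnap-self-check"})
        resp = conn.getresponse()
        body = resp.read(65536)  # cap the read; a settings reply is small
    except (OSError, http.client.HTTPException) as exc:
        # Connection refused, timed out, or the port does not speak HTTP.
        return "no-response", type(exc).__name__
    finally:
        conn.close()
    return classify_reply(resp.status, body), f"HTTP {resp.status}, {len(body)} bytes"


if __name__ == "__main__":
    # Assumed default LAN address; pass your router's address as the argument.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    verdict, detail = check_hnap(router)
    print(f"{router}: {verdict} ({detail})")
    print(ADVICE[verdict])
```

Run it once from inside the LAN and, if remote administration was ever enabled, again against the router's public address from an outside connection you control.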

The WPS Threat

Worst of all is Wi-Fi Protected Setup (WPS), an ease-of-use feature that lets users bypass the network password and connect devices to a Wi-Fi network simply by entering an eight-digit PIN that’s printed on the router itself. Even if the network password or network name is changed, the PIN remains valid.

“This is a huge expletive-deleted security problem,” Horowitz said. “That eight-digit number will get you into the [router] no matter what. So a plumber comes over to your house, turns the router over, takes a picture of the bottom of it and he can now get on your network forever.”

That eight-digit PIN isn’t even eight digits, Horowitz explained. It’s actually seven digits, plus a final checksum digit. The first four digits are validated as one sequence and the last three as another, resulting in only 11,000 possible codes instead of 10 million.

“If WPS is active, you can get into the router,” Horowitz said. “You just need to make 11,000 guesses” — a trivial task for most modern computers and smartphones.

Then, there’s networking port 32764, which French security researcher Eloi Vanderbeken in late 2013 discovered had been quietly left open on gateway routers sold by several major brands. Using port 32764, anyone on a local network — which includes a user’s ISP — could take full administrative control of a router, and even perform a factory reset, without a password.

The port was closed on most affected devices following Vanderbeken’s disclosures, but he later found that it could easily be reopened with a specially designed data packet that could be sent from an ISP.

“This is so obviously done by a spy agency, it’s amazing,” Horowitz said. “It was deliberate, no doubt about it.”

How to lock down your home router

The first step toward home router security, Horowitz said, is to make sure the router and modem are not a single device. Many ISPs lease such devices to customers, but those customers will have little control over their own networks.

“If you were given a single box, which most people I think call a gateway,” he said, “you should be able to contact the ISP and have them dumb down the box so that it acts as just a modem. Then you can add your own router to it.”

Next, Horowitz recommended that customers buy a low-end commercial-grade Wi-Fi/Ethernet router, such as the Pepwave Surf SOHO, which retails for about $150, rather than a consumer-friendly router that costs half as much. Commercial-grade routers are unlikely to have UPnP or WPS enabled. The Pepwave, Horowitz noted, offers additional features, such as firmware rollbacks in case a firmware update goes wrong.

Regardless of whether a router is commercial- or consumer-grade, there are several things, varying from easy to difficult, that home-network administrators can do to make sure their routers are more secure:

Easy fixes

Change the administrative credentials from the default username and password. They’re the first things an attacker will try.

Change the network name, or SSID, from “Netgear,” “Linksys” or whatever the default is, to something unique — but don’t give it a name that identifies you.

“If you live in an apartment building in apartment 3G, don’t call your SSID ‘Apartment 3G,'” Horowitz quipped. “Call it ‘Apartment 5F.'”

Enable WPA2 wireless encryption so that only authorized users can hop on your network.

Disable Wi-Fi Protected Setup, if your router lets you.

Set up a guest Wi-Fi network and offer its use to visitors, if your router has such a feature. If possible, set the guest network to turn itself off after a set period of time.

“You can turn on your guest network, and set a timer, and three hours later, it turns itself off,” Horowitz said. “That’s a really nice security feature.”

Do not use cloud-based router management if your router’s manufacturer offers it. Instead, figure out if you can turn that feature off.

“This is a really bad idea,” Horowitz said. “If your router offers that, I would not do it, because now you’re trusting another person between you and your router.”

Moderately difficult 

Install new firmware when it becomes available. Log into your router’s administrative interface routinely to check. With some brands, you may have to check the manufacturer’s website for firmware upgrades. But have a backup router on hand if something goes wrong.

Set your router to use the 5-GHz band for Wi-Fi instead of the more standard 2.4-GHz band, if possible and if all your devices are compatible.

“The 5-GHz band does not travel as far as the 2.4-GHz band,” Horowitz said. “So if there is some bad guy in your neighborhood a block or two away, he might see your 2.4-GHz network, but he might not see your 5-GHz network.”

Disable remote administrative access, and disable administrative access over Wi-Fi. Administrators should connect to routers via wired Ethernet only.

Advanced tips for more tech-savvy users

Change the settings for the administrative Web interface, if your router permits it. Ideally, the interface should enforce a secure HTTPS connection over a non-standard port, so that the URL for administrative access would be something like, to use Horowitz’s example, “” instead of the more standard “”.

Use a browser’s incognito or private mode when accessing the administrative interface so that your new URL is not saved in the browser history.

Disable PING, Telnet, SSH, UPnP and HNAP, if possible. Instead of setting relevant ports to “closed,” set them to “stealth” so that no response is given to unsolicited external communications that may come from attackers probing your network.

“Every single router has an option not to respond to PING commands,” Horowitz said. “It’s absolutely something you want to turn on — a great security feature. It helps you hide. Of course, you’re not going to hide from your ISP, but you’re going to hide from some guy in Russia or China.”

Change the router’s Domain Name System (DNS) server from the ISP’s own server to one maintained by OpenDNS (,,, or Google Public DNS (,

Use a virtual private network (VPN) router to supplement or replace your existing router and encrypt all your network traffic.

“When I say VPN router, I mean a router that can be a VPN client,” Horowitz said. “Then, you sign up with some VPN company, and everything that you send through that router goes through their network. This is a great way to hide what you’re doing from your Internet service provider.”

Finally, use Gibson Research Corp.’s Shields Up port-scanning service at It will test your router for hundreds of common vulnerabilities, most of which can be mitigated by the router’s administrator.

Avoid Avast Premium Trial Version

From time to time Avast will put out an update for their program but when they do so they typically present you with two options.

1. Try their Internet Security product for 20 days, but after it expires many pop-ups will start to annoy you.

2. Stay with Basic Protection

The proper choice here, even though it is the smaller and less prominent option, is to stay with Basic Protection and continue with one free year of Avast Antivirus, so be sure to choose properly.



Once your free one year is up you can choose to purchase Avast and if it has worked well for you I would recommend you do buy into one of their yearly subscriptions.


If you are not currently using Avast and want to give it a try first uninstall your current antivirus then use the link below for my step-by-step installation instructions and the download link.



Revert Expired AVG Trial to Free Version

Avoid The Trial Version

Once in a while AVG will push out an update for their AntiVirus program, and when they do you are usually provided with the option to try their Internet Security program for 28 days. Once it expires you lose that protection and receive many annoying pop-up messages, so it is best to avoid accepting the trial version altogether.


When you receive a popup of the type shown above be certain to always select the “Basic Protection” option and not the “Internet Security Trial”.

Revert Back to The Free Version

If you have accidentally accepted AVG’s Internet Security trial version and it is now expired there is a simple process to revert back to the free version. Follow the instructions below to do this :


  • Open Programs and Features by clicking the Start button, clicking Control Panel, clicking Programs, and then clicking Programs and Features.

  • Select AVG from the list, and then click on Change. AVG will then provide you with a list of options. Choose to “Downgrade to Free Protection”



Avoiding or Removing MalwareBytes Trial Version

For all users of MalwareBytes you should be aware of this situation. Of course, with MalwareBytes offering a free version, they do need to get paid somehow, so they will try to upsell you into paying for the Pro version of the program. Let me first say that if it is working well for you and you feel it is worth buying the Pro version then please do so, as they work hard at keeping up with new viruses and malware which are released 24x7x365.

If you want to keep the free version then be sure to follow the below instructions. Once in a while MalwareBytes will put an update to their program out and upon doing your normal update it pops up and says “The latest version of MalwareBytes has been downloaded.” and yes you want to update your program but you need to pay special attention to be sure that during the install process of the update you un-check the box that offers a free trial version of MalwareBytes Premium. If you do not un-check this box it will automatically install the trial version then after a set amount of days the trial will expire and you will then get messages constantly about it being expired so be sure to un-check the box when you get to the screen with the “FINISH” button as pictured below.



You’re installing Trial not the free version

One caveat here for the user: if you download and install the free version, the Trial will actually be installed unless you notice and uncheck ‘Enable free trial of Malwarebytes Anti-Malware Premium’ during installation.

Note: When the evaluation period is over, you’ll get a popup or notification with the message ‘Trial expired, You are no longer protected because Malwarebytes Anti-Malware free Trial has expired’. You’ll be presented with the options ‘End Trial’ and ‘Buy Premium’ (check the screenshot below); click on the former.

Downgrading or reverting to Malwarebytes Free from Trial

If you’ve noticed you’ve installed the trial and want to get back to free one without uninstalling, here is how that can be simply done.

  • Open Malwarebytes and, on the Dashboard, click on the ‘End Free Trial’ link; the program will then be instantly converted to the free version.