Understanding Search Results

I have noticed that my clients are getting “infected” by malware lately. They report that their computer is quite slow and they continually get “pop-ups.” These pop-ups are not in their browsers, they appear while they are simply using their computer.

I decided to try to figure out how my clients are downloading these nefarious programs. They all swear they did not download them but, of course, they did. I had one of my clients demonstrate how she had downloaded iTunes which she knew was the last thing she had tried to download (iTunes was not installed even though she had tried to download it). She typed “iTunes” into her browser search box. The first few results were NOT Apple.com websites. They were ads!
The link results of her search were similar to these:

The word “Download” was prominently displayed, which drew her attention to the one she clicked on. I had my answer to how clients are installing these pesky programs. My client, and I suspect the average computer user, did not understand the structure of a web address. And why would she?! Technology expects so much of the average user.

Her first mistake was to click on one of the “ad” links. Ads are displayed at the top of the search results. If you look closely, you will see “Ads related to: iTunes” and below that a few ads paid for by advertisers, of course. Below that will be the native search results.

The most important thing to pay close attention to in search results is the structure of the web address of the displayed links. The word just before “.com” should be “apple” (in this example). In her results it was “win-install” and “gufile” preceded by “itunes” or “itunes.apple.” These are NOT Apple websites. They are subdomains of win-install.com and gufile.com. These types of websites are not to be trusted. Their downloads will, at the very least, simultaneously download (and silently install) several programs which will start popping up every few minutes trying to get you to pay for them.
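The check described above, "look at the word just before .com", can be automated. The following is an added example, not part of the original post: it extracts the registrable domain from each link in a set of search results and compares it with the site you expected (here apple.com). The suffix list, the sample URLs and the helper names are constructed for this example; a production check should use the full Public Suffix List rather than the short table below.

```python
from urllib.parse import urlparse

# Constructed, deliberately short table of "public" suffixes for the example.
# A real implementation should load the Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(url: str) -> str:
    """Return the owner-controlled part of a host, e.g. 'win-install.com'
    for 'itunes.apple.win-install.com'. Everything to the left of it is a
    subdomain the owner can name however they like (including 'apple')."""
    if "://" not in url:
        url = "http://" + url
    # urlparse's hostname already strips userinfo ("apple.com@evil.com"),
    # port numbers and the path, so only the real host is considered.
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Try the longest public suffix first (co.uk before uk/com).
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def is_expected_site(url: str, expected: str = "apple.com") -> bool:
    """True only when the link really belongs to the expected domain."""
    return registrable_domain(url) == expected


def classify_results(results, expected="apple.com"):
    """results: list of (link text, url). Returns (url, domain, trusted) tuples
    so the reader can see why each link was accepted or rejected."""
    return [(url, registrable_domain(url), is_expected_site(url, expected))
            for _text, url in results]


# Constructed sample results modelled on the ones described in the post.
SAMPLE_RESULTS = [
    ("iTunes Download - Free", "http://itunes.win-install.com/download"),
    ("iTunes Download", "http://itunes.apple.gufile.com/get"),
    ("iTunes - Apple", "https://www.apple.com/itunes/"),
    ("Download iTunes", "http://apple.com@win-install.com/itunes"),
    ("iTunes 11", "http://apple.com-download.net/itunes"),
]

if __name__ == "__main__":
    for url, domain, ok in classify_results(SAMPLE_RESULTS):
        print(("OK     " if ok else "AVOID  ") + f"{domain:24} {url}")
```

Run it and only the apple.com link is marked OK; the lookalikes (a subdomain named "apple", a user@host trick, and a hyphenated "apple.com-download" domain) are all rejected because the registrable domain is something other than apple.com.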

Other consequences of downloading from these types of websites are:
Search engine is changed to, for example: Conduit Search
PC Backup software pop-ups
Your Home page is changed

Email passwords – How strong is strong?


You need a very strong password for your email and, especially, your bank accounts.

I have often heard my clients say, “It’s just my email. I don’t care if anyone reads them.” Having a strong email password isn’t just about privacy, it’s also security for the Internet in general. One of the main reasons that email account passwords get cracked in the first place is to allow spammers to send spam. Because it is getting harder and harder for spammers to send their much maligned messages, they are constantly having to find new ways to get the deed done.

Not only do spammers use your email account to send spam to everyone in your email address book, they also use viruses of all types to create botnets which send their spam. Botnets are collections of computers (mostly personal computers) that are infected with malware, programs installed without the owner’s consent or knowledge. Once infected, the computers are used by the creator of the malware to send spam, make a unified attack on servers, find and infect other computers to add to the botnet, and any number of other undesirable activities.

As a responsible netizen, you should do your part to protect the general health and well-being of the Internet and to suppress spam. There is another reason, and it may inspire you to create a strong password: losing control of your email account.

In my experience, Yahoo, SBC Global, ATT and AOL email accounts are cracked most frequently. SBC Global and ATT email accounts are hosted by Yahoo. I don’t know if there is something lacking in security at Yahoo and AOL or if they are simply targeted because of their size. Whatever the reason, if you have an email account with one of these providers you had better have a strong password!

If you can’t log in to your account, your password has been cracked and you will have to reset your password after verifying that you are the account holder. This usually entails answering a security question that you set up when you opened the account. Sometimes, if your account was set up several years ago, these security questions weren’t set up, or you skipped the step because of the annoying and tedious nature of the process. In this case, the process is much, much harder and it could take several days to regain access to your email.

Another verification technique employed by most email providers is using a mobile phone number to send a verification text message. If you are asked for a mobile number when setting up an email account, you should provide one; it is the simplest method of verification because…What IS my favorite restaurant??

WordPress hit by massive botnet | ZDNet

Summary: A massive botnet of tens of thousands of machines is attempting to hack into weakly password-protected “admin” accounts of the popular blogging platform.

Blogging and website platform WordPress has been hit by a massive botnet of tens of thousands of computers, but it could be just the surface of a wider, larger attack.

The performance and security firm CloudFlare warned in a blog post today that the unknown attacker is using a “relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” suggesting a calm before a heavier storm.

The botnet is attempting to “brute force” attack WordPress websites using the username “admin”, with thousands of different passwords. The botnet of machines — often individual machines infected with malware and subscribed to target servers and websites with vast amounts of data — is being used to hack web-based WordPress installations.

This botnet channels some bandwidth from individual computers infected with malware, which in mass and collectively can cause the overloading of servers. Typically, this kind of attack is either used by willing participants to cause a distributed denial-of-service (DDoS) attack against websites to force them offline, or by “slave” computers that can be used to carry out hacking attempts.

It comes only a week after WordPress enhanced user security by rolling out an optional two-factor authentication system.

WordPress founder Matt Mullenweg criticized those who were offering “solutions” to the problem, such as CloudFlare, and instead suggested changing default usernames as an additional step to protect WordPress accounts.

“If you still use ‘admin’ as a username on your blog, change it, use a strong password, if you’re on WordPress.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress,” he said.

“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem.”

WordPress, which has around 64 million individual blogs and websites with more than 370 million readers each month, remains a large target for hackers. Alexa ranks the blogging network as the 21st most visited site in the world.

Fort Disco: The new brute-force botnet

Summary: There’s a new Windows-powered botnet, Fort Disco, slowly building up strength and cracking into PHP-based blog and content management system Web sites.

Internet security firm Arbor Networks reports that a new botnet, Fort Disco, is made up of over 25,000 Windows PCs and is targeting blog sites and content management systems (CMSes). Once these sites are compromised, they can then be used to spread the botnet’s malware and to attack other systems.

Matthew Bing, an Arbor Security Engineering & Response Team (ASERT) research analyst, wrote, “Arbor ASERT has been tracking a campaign we are calling Fort Disco which began in late May 2013 and is continuing. We’ve identified six related command-and-control (C&C) sites that control a botnet of over 25,000 infected Windows machines. To date, over 6,000 Joomla, WordPress, and Datalife Engine installations have been the victims of password guessing.”

Arbor Networks has determined that there are at least four variants of the Windows malware used by the Fort Disco botnet. These, in turn, appear to spring from what the security expert Brian Krebs calls a high-end, “malware-as-a-service” Styx exploit kit. With this kit a wide variety of attacks can be made on Windows PCs.

Fort Disco-infected Windows systems then use brute-force password guessing to break into blogs and CMSes that use PHP. The botnet has installed a variant of the all too common “FilesMan” PHP back-door on almost 800 PHP-powered sites.

All the infected systems, in turn, are controlled from the half-dozen Russian and Ukrainian C&C sites. So far Fort Disco has been used for little more than spreading itself to Windows PCs and vulnerable blogs and CMS Web sites. This won’t last.

Bing said, “Blogs and CMSes tend to be hosted in data centers with immense network bandwidth. Compromising multiple sites gives the attacker access to their combined bandwidth, much more powerful than a similarly sized botnet of home computers with limited network access by comparison. While we have no evidence the Fort Disco campaign is related to Brobot or denial-of-service (DoS) activity, we’ve experienced the threat that a large blog botnet can deliver.” Brobot has been used to attack U.S. banks with distributed denial of service (DDoS) attacks.

In an e-mail, Bing expanded on this theme, “This is similar to the type of botnet being used on the ongoing attacks against financial services firms. Rather than tens of thousands of PCs making up a botnet, each throwing off a relatively small amount of bandwidth, Fort Disco accesses WordPress and Joomla servers, so they need far fewer machines to have much greater impact.”

That said, Bing continued, “Arbor does not have evidence that the Fort Disco attacks are related to the QCF/Brobot incidents or phishing campaigns that have been used against banks. The best evidence we have for the motivation of Fort Disco is to install drive-by exploit kits on compromised sites. But as the Brobot incidents demonstrated, WordPress/Joomla sites tend to be located in data centers with access to large network bandwidth. A botnet of these compromised sites can deliver a powerful denial of service attack. While we haven’t seen the Fort Disco campaign show any interest in denial of service, the risk is certainly present.”