Turning the tables on “Windows Support” scammers by compromising their PCs

Beware, scammer!
Aurich Lawson

Tech support scams are nothing new—we first went in-depth almost two years ago on "scareware scammers" who cold-call unsuspecting victims and try to talk them into compromising their computers by installing remote control applications and handing the keys over to the scammers.

We even managed to engage with one for a protracted length of time, with deputy editor Nate Anderson playing the role of a computer neophyte and recording the entire mess. But one developer has taken things a step further, producing a tool that will enable you to fight back if targeted—if you don’t mind a bit of bad acting yourself.

Matt Weeks is one of the developers who contributes code to the open source Metasploit Project, a sprawling and continually updated security framework that functions as a repository for software vulnerabilities and is frequently used as a Swiss Army Knife for penetration testing. Weeks has published a long report on his site detailing how he was able to reverse-engineer the encrypted communications protocol used by Ammyy Admin, one of the most popular remote control apps used by tech support scammers, and then use that knowledge to ferret out a vulnerability in the Ammyy Admin application.

Read 8 remaining paragraphs | Comments

Trust Guard and the False Security of Trust Seals

The recent massive credit card breach at Home Depot was yet another reminder that whether offline or online, IT security is often lacking. For consumers the question then is how can they know that their information is secure when they provide it to companies? Numerous security companies have created trust seals – that can be placed on websites if they meet certain requirements – that let the public know that a website is secure. The problem we have found with a number of these is that they are not doing basic security checks and therefore their assurances of security are false. Last week took a look at SiteLock’s and earlier this year we looked Norton’s, now we will look at another bad trust seal that we ran across recently.

While visiting the website of a client’s web host recently our Chrome extension Meta Generator Version Check provided an alert that website was running an outdated version of Joomla:

Hostica is Running Joomla 1.5

It obviously isn’t a great sign that web host is running outdated software on their website (especially when that version hasn’t been supported for two years), but what was more surprising was the Trust Guard security verified trust seal at the bottom of the website:

Hostica's Trust Guard Security Verified Trust Seal

In this case it is easy to detect that the website is running an outdated version of Joomla since there is a meta generator tag in the source code of the website’s pages that tells you exactly that:

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

With such an easy to detect security issue a trustworthy trust seal shouldn’t claim that the website is secure. We were curious to find out exactly what security checks Trust Guard was actually doing. Clicking the trust seal brought up a page that explained why they are claiming the website has verified security:

In order for www.hostica.com to qualify for the Trust Guard Security Verified Seal, we verify that their website is using at least 128-Bit SSL Encryption on pages where private information can be entered, such as credit cards, Social Security numbers, loan information, etc. and we monitor the SSL certificates expiration.

While using SSL encryption when sensitive information can be entered is important for security it doesn’t mean a website is secure, just that someone cannot snoop on the information as it sent to the website. For example, we have done plenty of cleanups of hacked websites in which the credit card information was compromised once it made its way to the website. Since a web browser’s user interface already provides notice when a secure SSL connection is in use, it isn’t clear what security value the trust seal is meant to provide, but it doesn’t seem that it out ways how misleading it is to claim that a website’s security is verified based only on the fact that it is using SSL encryption.

After e-mail takeover, copycats demand cash to expose Bitcoin’s creator

A screenshot used as proof that an unknown person has taken control of the e-mail address of bitcoin creator Satoshi Nakamoto.

Messages demanding payment in order to out details about mysterious Bitcoin creator "Satoshi Nakamoto" have proliferated in the few days since an unknown person took control of the e-mail address historically used by the reclusive cryptographer.

By Friday, at least seven messages on Pastebin threatened to release information, or "dox," taken from Satoshi Nakamoto's e-mail account on gmx.com, the address used in Nakamoto's original Bitcoin paper. The messages used at least five different Bitcoin addresses and demanded varying amounts of Bitcoin in order to reveal Nakamoto's true identity.

"Satoshis [sic] dox, passwords and IP addresses will be published when this address has reached 25 BTC," stated one demand.

Read 10 remaining paragraphs | Comments