Archive

Archive for the ‘spam’ Category

Enhancing Office 365 Advanced Threat Protection with detonation-based heuristics and machine learning

Email, coupled with reliable social engineering techniques, continues to be one of the primary entry points for credential phishing, targeted attacks, and commodity malware like ransomware and, increasingly in the last few months, cryptocurrency miners.

Office 365 Advanced Threat Protection (ATP) uses a comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against a wide range of threats. Machine learning technologies, powered by expert input from security researchers, automated systems, and threat intelligence, enable us to build and scale defenses that protect customers against threats in real-time.

Modern email attacks combine sophisticated social engineering techniques with malicious links or non-portable executable (PE) attachments like HTML or document files to distribute malware or steal user credentials. Attackers use non-PE file formats because these can be easily modified, obfuscated, and made polymorphic. These file types allow attackers to constantly tweak email campaigns to try slipping past security defenses. Every month, Office 365 ATP blocks more than 500,000 email messages that use malicious HTML and document files that open a website with malicious content.

Figure 1. Typical email attack chain

Detonation-based heuristics and machine learning

Attackers employ several techniques to evade file-based detection of attachments and blocking of malicious URLs. These techniques include multiple redirections, large dynamic and obfuscated scripts, HTML for tag manipulation, and others.

Office 365 ATP protects customers from unknown email threats in real-time by using intelligent systems that inspect attachments and links for malicious content. These automated systems include a robust detonation platform, heuristics, and machine learning models.

Detonation in controlled environments exposes thousands of signals about a file, including behaviors like dropped and downloaded files, registry manipulation for persistence and storing stolen information, outbound network connections, etc. The volume of detonated threats translate to millions of signals that need to be inspected. To scale protection, we employ machine learning technologies to sort through this massive amount of information and determine a verdict for analyzed files.

Machine learning models examine detonation artifacts along with various signals from the following:

  • Static code analysis
  • File structure anomaly
  • Phish brand impersonation
  • Threat intelligence
  • Anomaly-based heuristic detections from security researchers

Figure 2. Classifying unknown threats using detonation, heuristics, and machine learning

Our machine learning models are trained to find malicious content using hundreds of thousands of samples. These models use raw signals as features with small modifications to allow for grouping signals even when they occur in slightly different contexts. To further enhance detection, some models are built using three-gram models that use raw signals sorted by timestamps recorded during detonation. The three-gram models tend to be more sparse than raw signals, but they can act as mini-signatures that can then be scored. These types of models fill in some of the gaps, resulting in better coverage, with little impact to false positives.

Machine learning can capture and expose even uncommon threat behavior by using several technologies and dynamic featurization. Features like image similarity matching, domain reputation, web content extraction, and others enable machine learning to effectively separate malicious or suspicious behavior from the benign.

Figure 3. Machine learning expands on traditional detection capabilities

Over time, as our systems automatically process and make a verdict on millions of threats, these machine learning models will continue to improve. In the succeeding sections, well describe some interesting malware and phishing campaigns detected recently by Office 365 ATP machine learning models.

Phishing campaigns: Online banking credentials

One of the most common types of phishing attacks use HTML and document files to steal online banking credentials. Gaining access to online bank accounts is one of the easiest ways that attackers can profit from illicit activities.

The email messages typically mimic official correspondence from banks. Phishers have become very good at crafting phishing emails. They can target global banks but also localize email content for local banks.
The HTML or document attachment are designed to look like legitimate sign-in pages or forms. Online banking credentials and other sensitive information entered into these files or websites are sent to attackers. Office 365s machine learning models detect this behavior, among other signals, to determine that such attachments are malicious and block offending email messages.

Figure 4. Sample HTML files that mimic online banking sign in pages. (Click to enlarge)

Phishing campaigns: Cloud storage accounts

Another popular example of phishing campaigns uses HTML or document attachments to steal cloud storage or email account details. The email messages imply that the recipient has received a document hosted in a cloud storage service. In order to supposedly open the said document, the recipient has to enter the cloud storage or email user name and password.

This type of phishing is very rampant because gaining access to either email or cloud storage opens a lot of opportunities for attackers to access sensitive documents or compromise the victims other accounts.

Figure 5. Sample HTML files that pose as cloud storage sign in pages. (Click to enlarge)

Tax-themed phishing and malware attacks

Tax-themed social engineering attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules. These campaigns use various messages related to tax filing to convincer users to click a link or open an attachment. The social engineering messages may say the recipient is eligible for tax refund, confirm that tax payment has been completed, or declare that payments are overdue, among others.

For example, one campaign intercepted by Office 365 ATP using machine learning implied that the recipient has not completed tax filing and is due for penalty. The campaign targeted taxpayers in Colombia, where tax filing ended in October. The email message aimed to alarm taxpayers by suggesting that they have not filed their taxes.

Figure 6. Tax-themed email campaign targeting taxpayers in Colombia. The subject line translates to: You have been fined for not filing your income tax returns

The attachment is a .rar file containing an HTML file. The HTML file contains the logo of Direccin de Impuestos y Aduanas Nacionales (DIAN), the Colombianes tax and customs organization, and a link to download a file.

Figure 7. Social engineering document with a malicious link

The link points to a shortened URL hxxps://bit[.]ly/2IuYkcv that redirects to hxxp://dianmuiscaingreso[.]com/css/sanci%C3%B3n%20declaracion%20de%20renta.doc, which downloads a malicious document.

Figure 8: Malicious URL information

The malicious document carries a downloader macro code. When opened, Microsoft Word issues a security warning. In the document are instructions to Enable content, which executes the embedded malicious VBA code.

Figure 9: Malicious document with malicious macro code

If the victim falls for this social engineering attack, the macro code downloads and executes a file from hxxp://dianmuiscaingreso.com/css/w.jpg. The downloaded executable file (despite the file name) is a file injector and password-stealing malware detected by Windows Defender AV as Trojan:Win32/Tiggre!rfn.

Because Office 365 ATP machine learning detects the malicious attachment and blocks the email, the rest of the attack chain is stopped, protecting customers at the onset.

Artificial intelligence in Office 365 ATP

As threats rapidly evolve and become increasingly complex, we continuously invest in expanding capabilities in Office 365 Advanced Threat Protection to secure mailboxes from attacks. Using artificial intelligence and machine learning, Office 365 ATP can constantly scale coverage for unknown and emerging threats in-real time.

Office 365 ATPs machine learning models leverage Microsofts wide network of threat intelligence, as well as seasoned threat experts who have deep understanding of malware, cyberattacks, and attacker motivation, to combat a wide range of attacks.

This enhanced protection from Office 365 ATP contributes to and enriches the integrated Microsoft 365 threat protection, which provides intelligent, integrated, and secure solution for the modern workplace. Microsoft 365 combines the benefits and security technologies of Office 365, Windows, and Enterprise Mobility Suite (EMS) platforms.

Office 365 ATP also shares threat signals to the Microsoft Intelligent Security Graph, which uses advanced analytics to link threat intelligence and security signals across Office 365, the Windows Defender ATP stack of defenses, and other sensors. For example, when a malicious file is detected by Office 365 ATP, that threat can also be blocked on endpoints protected by Windows Defender ATP and vice versa. Connecting security data and systems allows Microsoft security technologies like Office 365 ATP to continuously improve threat protection, detection, and response.

 

 

Office 365 Threat Research

Gamarue, Nemucod, and JavaScript

May 9th, 2016 No comments

JavaScript is now being used largely to download malware because it’s easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod.

This JavaScript trojan downloads additional malware (such as Win32/Tescrypt and Win32/Crowti – two pervasive ransomware trojans that have been doing the rounds for a few years[1] – and Win32/Fareit) and installs it on a victim’s system through spam email.

Recently, however, we’ve seen another version of Nemucod distributing Gamarue malware to users.

Gamarue, also known as “Andromeda bot”, has been known to arrive through exploit kits, other executable malware downloaders (including Win32/Dofoil and Win32/Beebone), removable drives, and through that old stand-by: spam campaigns.

The shift to a JavaScript-obfuscated downloader might be an attempt by the malware authors to evade the increasing detection capabilities and sophistication in antimalware products.

A quick look into the obfuscated JavaScript code shows us that, aside from the encrypted strings, it uses variables with random names to hide its real code.

Sample of an obfuscated JavaScript code

Figure 1: Obfuscated code

 

The decrypted code is shown in the following image:

Sample of a decrypted JavaScript previously-obfuscated code

Figure 2: De-obfuscated code

 

Nemucod is known to have different hashes for each variant. For this one particular hash, since the detection was written in early April, 2016, it reached in total of 982 distinct machines with 4,192 reports – which indicates the number of Gamarue installations that could have occurred if it was not detected.

Nemucod detection rate

Figure 3:  Nemucod detection rate

 

Gamarue has been observed stealing vital information from your PC. It can also accept commands from a command and control (C&C) server. Depending on the commands received, a malicious hacker can perform various actions on the machine. See our family description of Win32/Gamarue for more information.

 

 

Nemucod impact

Since the start of 2016, Nemucod has risen in prevalence.

Rising Nemucod prevalence trend

Figure 4:  Rising Nemucod prevalence trend shows that it peaked on April

 

For the top 10 countries for Nemucod detections, the US takes a third, followed by Italy and Japan. The spread of infections is quite widespread across the globe.

Nemucod geoloc distribution from January to April 2016

Figure 5: Majority of the Nemucod infections are seen in the United States

Overall, however, it still remains relatively low, especially when compared to Gamarue.

 

Gamarue impact

Unlike Nemucod, Gamarue detections started high and have remained high since late last year. Overall, numbers have dropped a small amount since the start of 2016. Interestingly, there are large troughs during every weekend, with a return to higher numbers on Monday. This can indicate that Gamarue is especially pervasive either in enterprises, or in spam email campaigns.

Gamarue prevalence chart shows steady pattern from January to April 2016

Figure 6: The Gamarue infection trend shows a steady pattern

 

For Gamarue, the top 10 countries see distribution largely through India, Asia, Mexico, and Pakistan.

Gamarue geoloc distribution from January to April 2016

Figure 7: Majority of the Gamarue infection hits third world countries

 

Mitigation and prevention

To help stay protected from Nemucod, Gamarue, and other threats, use Windows Defender for Windows 10, or other up-to-date real-time product as your antimalware scanner.

Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.

Some additional preventive measures that you or your administrators can proactively do:

 

———————————————————————–

[1] We’ve published a number of blogs about Crowti, including:

It was also featured in the July 2015 version of the Malicious Software Removal Tool (MSRT):

 

Donna Sibangan

MMPC

 

 

JavaScript-toting spam emails: What should you know and how to avoid them?

We have recently observed that spam campaigns are now using JavaScript attachments aside from Office files. The purpose of the code is straightforward. It downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

The same JavaScript downloaders are also responsible for spreading the following ransomware:

The spam email contains a .zip or .rar file attachment which carries a malicious JavaScript. The JavaScript attachment mostly has the following icon, depending on the system’s script software. The file names are either related to the spam campaign, or completely random:

JS1

Figure 1: Examples of JavaScript attachments from spam email campaigns

Not your favorite Java

Just like a typical email campaign, the JavaScript-toting spam finds its way in your PC after a successful social engineering trick. In bag of tricks are attachment file names intentionally crafted to pique any person’s curiosity (finance-related, etc.).

The JavaScript attachments are heavily-obfuscated to avoid antivirus software detections. It consists of a download and execute function paired with one or two URLs hosting the malware.

JS2

Figure 2: Sample code and URL

 

JS3

Figure 3: Another code sample

 

JS4

Figure 4: Another code sample

 

JS5

Figure 5: Another code sample

 

In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.

JS6

Figure 6: An example of a JavaScript attachment and a dummy file

 

JS7

Figure 7: Another example of a JavaScript attachment and a dummy file

 

These URLs are mostly short-lived. But when successfully downloaded, the malware, in this case Ransom:Win32/Locky, enters the system and proceeds in its destructive mission.

It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it. One click to open the document, and another click to enable the macros.

On the other hand, the JavaScript attachments only takes one or two clicks for it to start executing.

It is uncommon and quite suspicious for people to send legitimate applications in pure JavaScript file format (files with .js or .jse extension) via email. You should be wary of it and should not click or open it.

 

JS8

Figure 8: A screenshot of how the JavaScript attachment gets executed.

 

Same stuff, new package

It has been a common vector for malware to spread through email attachment. In the past months, we have seen Office file attachments that contains malicious macro. The code is simple and straightforward, it’s main objective is to download and execute other malware, such as password stealers, backdoors and ransomwares.

The JavaScript-toting email spam is no different.

These malicious email attachments are distributed through spam campaigns. Spam campaigns range from different social engineering areas that appeal to people’s curiosity – enough for them to take action and click what shouldn’t be clicked: from finance-related subjects like receipts, invoice and bank accounts, to resumes and shipment notifications.

 

JS9

Figure 9: A screenshot of a sample bank-related email spam.

 

JS10

Figure 10: A screenshot of a sample remittance-themed email spam.

 

JS11

Figure 11: A screenshot of a sample invoice-themed email spam.

 

JS12

Figure 12: A screenshot of a sample resume-themed email spam.

 

JS13

Figure 13: A screenshot of a shipment notification-themed email spam.

 

JS14

Figure 14: A screenshot of a sample debt case-themed email spam.

Mitigation and prevention

To avoid falling prey from those JavaScript-toting-emails’ social engineering tricks

See some of the related blogs and threat reports:

 

Alden Pornasdoro

MMPC

JavaScript-toting spam emails: What should you know and how to avoid them?

We have recently observed that spam campaigns are now using JavaScript attachments aside from Office files. The purpose of the code is straightforward. It downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

The same JavaScript downloaders are also responsible for spreading the following ransomware:

The spam email contains a .zip or .rar file attachment which carries a malicious JavaScript. The JavaScript attachment mostly has the following icon, depending on the system’s script software. The file names are either related to the spam campaign, or completely random:

JS1

Figure 1: Examples of JavaScript attachments from spam email campaigns

Not your favorite Java

Just like a typical email campaign, the JavaScript-toting spam finds its way in your PC after a successful social engineering trick. In bag of tricks are attachment file names intentionally crafted to pique any person’s curiosity (finance-related, etc.).

The JavaScript attachments are heavily-obfuscated to avoid antivirus software detections. It consists of a download and execute function paired with one or two URLs hosting the malware.

JS2

Figure 2: Sample code and URL

 

JS3

Figure 3: Another code sample

 

JS4

Figure 4: Another code sample

 

JS5

Figure 5: Another code sample

 

In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.

JS6

Figure 6: An example of a JavaScript attachment and a dummy file

 

JS7

Figure 7: Another example of a JavaScript attachment and a dummy file

 

These URLs are mostly short-lived. But when successfully downloaded, the malware, in this case Ransom:Win32/Locky, enters the system and proceeds in its destructive mission.

It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it. One click to open the document, and another click to enable the macros.

On the other hand, the JavaScript attachments only takes one or two clicks for it to start executing.

It is uncommon and quite suspicious for people to send legitimate applications in pure JavaScript file format (files with .js or .jse extension) via email. You should be wary of it and should not click or open it.

 

JS8

Figure 8: A screenshot of how the JavaScript attachment gets executed.

 

Same stuff, new package

It has been a common vector for malware to spread through email attachment. In the past months, we have seen Office file attachments that contains malicious macro. The code is simple and straightforward, it’s main objective is to download and execute other malware, such as password stealers, backdoors and ransomwares.

The JavaScript-toting email spam is no different.

These malicious email attachments are distributed through spam campaigns. Spam campaigns range from different social engineering areas that appeal to people’s curiosity – enough for them to take action and click what shouldn’t be clicked: from finance-related subjects like receipts, invoice and bank accounts, to resumes and shipment notifications.

 

JS9

Figure 9: A screenshot of a sample bank-related email spam.

 

JS10

Figure 10: A screenshot of a sample remittance-themed email spam.

 

JS11

Figure 11: A screenshot of a sample invoice-themed email spam.

 

JS12

Figure 12: A screenshot of a sample resume-themed email spam.

 

JS13

Figure 13: A screenshot of a shipment notification-themed email spam.

 

JS14

Figure 14: A screenshot of a sample debt case-themed email spam.

Mitigation and prevention

To avoid falling prey from those JavaScript-toting-emails’ social engineering tricks

See some of the related blogs and threat reports:

 

Alden Pornasdoro

MMPC

New feature in Office 2016 can block macros and help prevent infection

March 22nd, 2016 No comments

Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.

 

Macro-based malware infection is still increasing

Macro-based malware continues its rise. We featured macro-based malware in our Threat Intelligence report last year, but infections are still increasing.

Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months.

 

In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.

Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.

The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.

 

Block the macro, block the threat

In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators prevent the risk from macros in certain high risk scenarios. This feature:

  1. Allows an enterprise to selectively scope macro use to a set of trusted workflows.
  2. Block easy access to enable macros in scenarios considered high risk.
  3. Provide end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation against a normal workflow.

This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:

  1. Documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox).
  2. Documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email)
  3. Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).

Let’s walk through a common attack scenario and see this feature in action.

Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.

Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there.

James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment.

Email with a macro-enabled attachment

When James opens the Word document, it opens in Protected View. Protected View is a feature that has been available in Word, Excel, and PowerPoint since Office 2010. It is a sandboxed environment that lets a user read the contents of a document. Macros and all other active content are disabled within Protected View, and so James is protected from such attacks so long as he chooses to stay in Protected View.

Word document instructing a user to enable macros to get out of protected view mode

 

However, Stewart anticipates this step and has a clear and obvious message right at the top of the document designed to lure James into making decisions detrimental to his organization’s security. James follows the instructions in the document, and exits Protected View as he believes that will provide him with access to contents of the document. James is then confronted with a strong notification from Word that macros have been blocked in this document by his enterprise administrator. There is no way for him to enable the macro from within the document.

Warning message appears in a document if macros can't be enabled

 

James’s security awareness is heightened by the strong warning and he starts to suspect that there is something fishy about this document and the message. He quickly closes the document and notifies his IT team about his suspicions.

This feature relies on the security zone information that Windows uses to specify trust associated with a specific location. For example, if the location where the file originates from is considered the Internet zone by Windows, then macros are disabled in the document. Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.

 

Use Group Policy to enforce the setting, or configure it individually

Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for Word:

  1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
  2. In the Group Policy Management Editor, go to User configuration.
  3. Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
  4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.

Group policy settings location

You can read more about this Group Policy setting at Plan security settings for VBA macros in Office 2016.

 

Final tips

For end-users, we always recommend that you don’t enable macros on documents you receive from a source you do not trust or know, and be careful even with macros in attachments from people you do trust – in case they’ve been hacked.

For enterprise administrators, turn on mitigations in Office that can help shield you from macro based threats, including this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation that you can implement today.

Categories: macros, office, spam Tags:

Upatre update: infection chain and affected countries

March 12th, 2015 No comments

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opens an attachment contained in a spam email. Since January 2015,  we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families.

Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families.  For example:

  1. The malware reaches out to a command-and-control (C&C) server.
  2. It obtains instructions on how to spread malware to other machines. For example, it might install Hedsen or Cutwail and utilize the parameters specified by the C&C server. It might download information-stealing malware, such as Dyzap, Kegotip and Gophe families. Evotob might also be installed by Upatre. Evotob is a tampering malware which attempts to disable certain processes on the user's machine.
  3. Kegotip and Gophe mine information from the user's machine.
  4. The stolen information is then sent back to the C&C server.

 

The infection chain 

Essentially, a system is infected with Upatre through either the Hedsen or Cutwail threat family.  Upatre then spreads to other machines using Hedsen and Cutwail (a typical cyclical/symbiotic relationship we often see in spammers and information stealers), in an attempt to steal information about a user and their machine with Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.

  

Figure 1: Upatre infection chain since January 2015

 

Where is Upatre most prevalent?

The following chart shows the percentage of Upatre infections in the mostly affected countries.

A breakdown of the top 10 countries affected by the Upatre infections since January 2015

Figure 2: A breakdown of the countries mostly affected by the Upatre infections since January 2015

 

Detection rates for these countries is as follows:

A breakdown of the countries mostly affected by Upatre infections since January 2015

Figure 3: The data shows the United States having the most Upatre infection since January 2015

The data shows the United States having the most Upatre infection since January 2015

Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015 

 

How can you help protect your enterprise software security infrastructure from Upatre? 

Upatre manages to sneak in to security infrastructures by employing age-old social engineering tricks. It tricks people by enticing them to click on malicious links through spam emails.

A combination of the following will help protect against Upatre:

  1. Use the following free Microsoft software to detect and remove this threat:

  2. Keep the Microsoft Active Protection Service (MAPS) enabled on your system. See MAPS in the cloud: How can it help your enterprise? for details.

  3. Make sure and keep all software up to date.

 

Patrick Estavillo

MMPC

Upatre update: infection chain and affected countries

March 12th, 2015 No comments

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opens an attachment contained in a spam email. Since January 2015,  we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families.

Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families.  For example:

  1. The malware reaches out to a command-and-control (C&C) server.
  2. It obtains instructions on how to spread malware to other machines. For example, it might install Hedsen or Cutwail and utilize the parameters specified by the C&C server. It might download information-stealing malware, such as Dyzap, Kegotip and Gophe families. Evotob might also be installed by Upatre. Evotob is a tampering malware which attempts to disable certain processes on the user's machine.
  3. Kegotip and Gophe mine information from the user's machine.
  4. The stolen information is then sent back to the C&C server.

 

The infection chain 

Essentially, a system is infected with Upatre through either the Hedsen or Cutwail threat family.  Upatre then spreads to other machines using Hedsen and Cutwail (a typical cyclical/symbiotic relationship we often see in spammers and information stealers), in an attempt to steal information about a user and their machine with Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.

  

Figure 1: Upatre infection chain since January 2015

 

Where is Upatre most prevalent?

The following chart shows the percentage of Upatre infections in the mostly affected countries.

A breakdown of the top 10 countries affected by the Upatre infections since January 2015

Figure 2: A breakdown of the countries mostly affected by the Upatre infections since January 2015

 

Detection rates for these countries is as follows:

A breakdown of the countries mostly affected by Upatre infections since January 2015

Figure 3: The data shows the United States having the most Upatre infection since January 2015

The data shows the United States having the most Upatre infection since January 2015

Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015 

 

How can you help protect your enterprise software security infrastructure from Upatre? 

Upatre manages to sneak in to security infrastructures by employing age-old social engineering tricks. It tricks people by enticing them to click on malicious links through spam emails.

A combination of the following will help protect against Upatre:

  1. Use the following free Microsoft software to detect and remove this threat:

  2. Keep the Microsoft Active Protection Service (MAPS) enabled on your system. See MAPS in the cloud: How can it help your enterprise? for details.

  3. Make sure and keep all software up to date.

 

Patrick Estavillo

MMPC

Congratulations! You’ve won $800,000!!

Well, maybe not.

But that’s just one of the many ploys that scammers send in their relentless efforts to part people from their money or sensitive personal information like passwords and account numbers.

Microsoft is asking people to take a survey of their experience with online fraud—what kinds of scams they’ve encountered (including those on mobile devices and Facebook), how concerned they are about online or phone fraud, and what steps they take to protect themselves.

In 2012, Microsoft fielded its first such study, interviewing 1,000 US residents to understand their exposure to, and perception of, online fraud and scams.

Respondents reported having encountered roughly eight different scams on average, with these as the top four:

  • Scams that promise free things or coupons (44 percent)

  • Fake antivirus alerts that imitate real programs offering virus repair but that download malware instead (40 percent)

  • Phishing scams using fake messages that mimic those of trusted businesses to trick people into revealing personal information (39 percent)

  • Fraud that features a request for bank information or money upfront from someone (such as a “foreign prince”) who needs help transferring large sums of money for a cut of the total (39 percent)

In the new survey, we’re interested in how scams and responses to scams might have changed since 2012. Are there different scams? What are the most common? Where are they most often occurring—on mobile devices? On Facebook?

Results of our last survey showed that nearly everyone (97 percent) took steps to safeguard their computers, but more than half (52 percent) did nothing at all to protect their mobile devices. So we’re particularly interested to see if these numbers have changed. 

You can help us fight online scams and fraud by taking our survey.

We will release the results of the survey during National Cyber Security Awareness Month this October. Follow the hashtag #NCSAM to read the story. 

Congratulations! You’ve won $800,000!!

September 2nd, 2014 No comments

Well, maybe not.

But that’s just one of the many ploys that scammers send in their relentless efforts to part people from their money or sensitive personal information like passwords and account numbers.

Microsoft is asking people to take a survey of their experience with online fraud—what kinds of scams they’ve encountered (including those on mobile devices and Facebook), how concerned they are about online or phone fraud, and what steps they take to protect themselves.

In 2012, Microsoft fielded its first such study, interviewing 1,000 US residents to understand their exposure to, and perception of, online fraud and scams.

Respondents reported having encountered roughly eight different scams on average, with these as the top four:

  • Scams that promise free things or coupons (44 percent)
  • Fake antivirus alerts that imitate real programs offering virus repair but that download malware instead (40 percent)
  • Phishing scams using fake messages that mimic those of trusted businesses to trick people into revealing personal information (39 percent)
  • Fraud that features a request for bank information or money upfront from someone (such as a “foreign prince”) who needs help transferring large sums of money for a cut of the total (39 percent)

In the new survey, we’re interested in how scams and responses to scams might have changed since 2012. Are there different scams? What are the most common? Where are they most often occurring—on mobile devices? On Facebook?

Results of our last survey showed that nearly everyone (97 percent) took steps to safeguard their computers, but more than half (52 percent) did nothing at all to protect their mobile devices. So we’re particularly interested to see if these numbers have changed.

You can help us fight online scams and fraud by taking our survey.

We will release the results of the survey during National Cyber Security Awareness Month this October. Follow the hashtag #NCSAM to read the story.

9 ways to stay safe online this summer

July 17th, 2014 No comments

Summer is in full swing. Here are our best safety and security tips for the season.

  1. Don’t broadcast vacation plans on your social networking sites. If you’re leaving your home unoccupied and at risk for potential burglary, you might want to wait to post your vacation photographs until you return home. Get more tips for email and social networking safety.

  2. Limit who knows your location. Before you go on vacation, take a few minutes to adjust settings for sharing your location on your social networking sites and any apps on your smartphone. If you have kids who go online, make sure they know this, too. For more information, see Use location services more safely.

  3. Set computer and device rules for when you’re not around. If your kids are old enough to stay home alone when they’re not at school, make sure you talk to them about Internet safety. Download our tip sheet for pointers to jump-start—or continue—online safety conversations.

  4. Learn how to use parental controls. All Microsoft products include built-in privacy controls and safeguards that put you in charge of your children’s entertainment experiences and allow you to customize how personal information is, or is not, shared. Get step-by-step guidance on how to switch on safety settings across Microsoft technology and devices at home.

  5. Stay safe when playing games online. If your children’s summer sport of choice is the Xbox, Xbox One, Kinect, or other online or console game, learn about the core family safety features of Xbox One and find other ways to help kids play it safe.

  6. Update your software on your laptop or tablet. Before you go on vacation, make sure all your software is updated, to help prevent problems caused by hackers. If your laptop is still running Windows XP, read about the end of support for Windows XP.

  7. Check the security level of public Wi-Fi networks before you use them. Choose the most secure connection—even if that means you have to pay for access. A password-protected connection (ideally one that is unique for your use) is better than one without a password. Both Windows 7 and Windows 8 can help you evaluate and minimize network security risks.

  8. Avoid typing sensitive information on your laptop using an unsecured wireless connection. If possible, save your financial transactions for after your summer vacation on a secured home connection. For more information, see How to know if a financial transaction is secure.

  9. Watch out for suspicious messages from your friends on vacation asking for money. This is a common scam cybercriminals use when they’ve hacked into someone’s account. Find a different way to contact your friend. Learn more about scam email messages.

Tax scams: 6 ways to help protect yourself

March 20th, 2014 No comments

We’ve received reports that cybercriminals are at it again, luring unsuspecting taxpayers in the United States into handing over their personal information as they rush to file their taxes before the deadline.

Here are 6 ways to help protect yourself.

1.     Beware of all email, text, or social networking messages that appear to be from the IRS. Cybercriminals often send fraudulent messages meant to trick you into revealing your social security number, account numbers, or other personal information. They’ll even use the IRS logo. Read more about how the IRS does not initiate contact with taxpayers by email or use any social media tools to request personal or financial information.
2.       Use technology to help detect scams. Scams that ask for personal or financial information are called “phishing scams.” Internet Explorer, Microsoft Outlook, and other programs have anti-phishing protection built in. Read more about identity theft protection tools that can help you avoid tax scams.
3.       Check to see if you already have antivirus software. If a cybercriminal does fool you with a tax scam that involves downloading malware onto your computer, you might already be protected by your antivirus software. If your computer is running Windows 8, you have antivirus software built in. Download Microsoft Security Essentials at no cost for Windows 7 and Windows Vista. 
4.       Make sure the website uses secure technology. If you’re filing your taxes on the web, make sure that the web address begins with https, and check to see if a tiny locked padlock appears at the bottom right of the screen. For more information, see How do I know if I can trust a website and What is HTTPs?
5.       Think before you download tax apps. Download apps only from major app stores—the Windows Phone Store or Apple’s App Store, for example—and stick to popular apps with numerous reviews and comments.
6.       Be realistic. If it sounds too good to be true, it probably is. From companies that promise to file your taxes for free, to websites that claim you don’t have to pay income tax because it’s unconstitutional—keep an eye out for deliberately misleading statements.

Safety is an active verb

When we are young, we are taught to brush our teeth in order to develop healthy and preventative habits.  Hopefully by the time we reach adulthood, the act of brushing every morning has become second nature.  Yet, when we go online, we don’t always take the same preventative measures with our personal information.  Perhaps it’s because we haven’t placed enough importance on developing this healthy habit?

Today, Microsoft released the US results of the third Microsoft Computing Safety Index (MCSI).   Designed to gauge consumer online safety habits and behaviors, the Index reveals that the US score has decreased year-after-year since it was first launched in 2011.  

So why the drop?  The data reveals that while people are not necessarily engaging in risky behaviors, they miss active steps to thwart socially-engineered risks.  For example; in 2011, 60 percent of respondents reported using only reputable sites compared to 39 percent in 2013.   In addition, less than half of US respondents are still not taking actions such as limiting the amount of personal information they share online, dropping from 48 percent in 2011, to 40 percent in 2013.  Nor are they using phishing filters to help stay safer, 30 percent in 2011 compared to only 18 percent in 2013.  On average, US respondents are using less than one quarter of the 12 technical tools available for managing online safety, are being used.

The good news: default settings are keeping consumers safer than they realize.  While US respondents report using only half of the foundational settings (automatic updates, antivirus software, firewall protections, secured wireless, up-to-date software), after checking, most actually are better protected than they thought (almost four out of five).

Broken out into three tiers of activity – “Foundational,” “Technical+,” and “Behavioral” – the Index assigns a point scale of 0 to 100 based on an individual’s answers.  The more steps taken in any given tier, the higher the score.

Didn’t participate in the formal survey?  We’ve created an abbreviated version so you can see how you measure up.  Go to www.microsoft.com/security/mcsi and take stock of your personal online habits and practices to learn how you compare to US respondents.    

Just like looking both ways before crossing the street, it’s never too late to begin developing safer online habits. Microsoft suggests these top three tips to help people worldwide stay safer online – at home, at work, and on the go.

  • Protect your computer and your accounts.  Keep all software (including your browser) current with automatic updating and install legitimate antivirus and antispyware software.

  • Look for signs that a webpage is secure and legitimate. Before you enter sensitive data, check for evidence of encryption, meaning a web address with https (“s” stands for secure), and a closed padlock beside it. (The lock might also be in the lower right corner of the window.)

  • Reduce spam in your inbox. Share your primary email address and instant messaging name only with people you know in person and with reputable organizations. Avoid listing them on your social network page, in Internet directories (like white pages), or on job-posting sites.

No matter where or how people access the Internet, exercising safer digital habits needs to remain part of our daily routine.   For additional guidance, regularly check our Safety & Security Center, where all of our tools and materials are located, including our Digital Citizenship in Action Toolkit. “Like” our page on Facebook, and follow us on Twitter.  Get proactive and get involved – in online safety.  

7 ways to avoid TMI

July 23rd, 2013 No comments

Technology can make everything in our lives easier—including sharing too much information (TMI). Just because you can take a picture of your new credit card and post it on Instagram doesn’t mean that you should. In fact, you shouldn’t.

Sharing too much information can lead to identity theft. It can also damage your online reputation, which could prevent you from getting into college, getting a job, or even getting health insurance.

Here are ways to avoid sharing TMI:

  1. Never share your address, phone number, Social Security number, or other personal information through online interactions. 
  2. Use and manage your privacy settings. Limit who can see details of your online profiles.
  3. Never shop, bank, or enter passwords or credit card numbers over public Wi-Fi.
  4. Ask questions. Sometimes we do need to share personal information, but before doing so, ask why the information is necessary and beware of imposters.
  5. Use sites that you can trust. Learn what to look for.
  6. Stop and think before you post an image, blog, tweet, or comment. What does it say about you and how you want to be viewed online?
  7. Take charge of your online reputation: Discover, evaluate, protect, cultivate, and restore as needed.

For more tips on avoiding TMI, check out the hashtag #IsThisTMI on our Twitter channel.

 

There is no Hotmail Maintenance Department

June 13th, 2013 No comments

Cassie writes:

I received an email from the Hotmail Maintenance Department requesting personal information verification. The message included a PDF file. Is this a scam?

Yes. This is one of many types of email cybercrime, also called phishing. Cybercriminals often use the Microsoft name to try to get you to share your personal information so that they can use it for identity theft. Delete the message—do not open it, and do not click any links or open any attachments.

The Hotmail Maintenance Department doesn’t exist—and if it did, the department wouldn’t send unsolicited email messages with attachments that asked for your personal information. Be suspicious of any email messages that appear to come from the Hotmail team; even though your email address still says “Hotmail,” the service is now called Outlook.com.

For more tips on spotting scam email messages, see How to recognize phishing email messages, links, or phone calls.

If you opened the PDF file, your computer might already be infected with malware that can be used to steal your personal information. Scan your computer with the Microsoft Safety Scanner to find out. The scanner will also help you remove any malicious software it finds.

Watch out for prize scams

January 16th, 2013 No comments

We’ve seen an increase in scam email messages that promise recipients they have won some kind of prize or a lottery. These unsolicited messages will often claim that the prize is sponsored by Microsoft or another well-known company. They request personal information that cybercriminals can use for identity theft.

Do not respond to these fraudulent messages with personal information. There is no Microsoft Lottery.

For more information, see:

Watch out for prize scams

January 16th, 2013 No comments

We’ve seen an increase in scam email messages that promise recipients they have won some kind of prize or a lottery. These unsolicited messages will often claim that the prize is sponsored by Microsoft or another well-known company. They request personal information that cybercriminals can use for identity theft.

Do not respond to these fraudulent messages with personal information. There is no Microsoft Lottery.

For more information, see:

What if I no longer have access to my secondary email address?

August 16th, 2012 No comments

Last week we answered a question about what to do if your Hotmail account is sending out spam. We mentioned resetting your password if you can’t sign in because your account has been blocked. One way you can unblock it is to respond to an email message sent by Microsoft to the secondary address you listed when you opened the account.

Many of you wrote in asking what to do if you no longer have access to that secondary email account. The answer: you will need to fill out a support request. (In fact, now would be a good time to make sure that your secondary address is correct.)

Even better, you can associate your Hotmail account with your mobile phone number or other information that hackers cannot easily access. For example, if you lose your password or your account is hacked, Hotmail sends you an account-recapture code in a text message to help you regain access.

You can also set up a “trusted PC”—associate your Hotmail account with one or more of your personal computers. If you need to reset your password to regain control of your account and you use a trusted PC, Hotmail will know you are the legitimate owner.

Categories: fraud, hotmail, Microsoft, security, spam, trusted PC Tags:

Help! My account is sending out spam

August 7th, 2012 No comments

Laura writes:

My Hotmail email address has been hacked. Someone sent out a spam email to everyone in my address book. What do I do?

If it makes you feel any better, Laura, we get this question a lot. Here’s what to do right now:

IMPORTANT: Make sure your new password isn’t one that you use on other accounts or websites. Also, create a password using eight or more characters that don’t form a word that can be found in the dictionary. Find more tips for creating strong passwords.

Should I let everyone know that I’ve been hacked?

Recently we’ve been asked whether we recommend that you send everyone in your contact list an email that warns them not to click on links in emails from you. This really is a personal choice. The most important thing to do is change your password right away.

Personally, we don’t think that an email to everyone in your contact list is necessary. Here’s why:

  • It’s time consuming. Your email contact list could contain every person to whom you’ve ever sent a message from that address. Your email program probably won’t allow you to send one message to everyone in your contact list because it will view it as spam.
  • We think most people probably already know that a message with a random link is usually spam—especially if it’s from someone who doesn’t contact them regularly. Chances are good that such people make up a majority of your contacts, so they might consider an email telling them what they already know as more spam.

However, if you know of anyone in your contact list who is less computer savvy, it couldn’t hurt to send them an email.

If you use the new Outlook.com free email service and you get spam email from someone, you can notify them and then, from the Mark as menu, click My friend’s been hacked to notify Outlook so we can minimize the damage as soon as possible. Learn more about the new Outlook.com.

What do you think?

Should victims of email hacking notify everyone in their contact list? Give us your opinion in the “Leave a Comment” section below. 

Categories: e-mail, email, hotmail, spam Tags:

Try Outlook.com

August 2nd, 2012 No comments

Outlook.com is Microsoft’s new free cloud email service for personal use. You can use Outlook.com with the Outlook desktop application, via the web at http://outlook.com, or via other email apps that support Exchange ActiveSync or POP3.

The new Outlook.com offers several security and privacy features, including:

  • Limiting spam in your inbox to less than 3 percent of the items.
  • Turning on the encryption feature (SSL) by default, which helps protect your account on wireless networks and public computers.
  • Displaying trusted senders in your inbox.

For more information, see Introducing Outlook.com.

Want to keep up with the latest Outlook news? Follow @Outlook on Twitter.

Get rid of junk in your Hotmail inbox

July 3rd, 2012 No comments

Spam and other email that you don’t want can clog up your inbox. Some spam can be fraudulent and can contain malicious software or links to malicious websites, but some email can just be annoying. Graymail is email that you signed up for, but you don’t want anymore.

If you use Hotmail, you can get rid of graymail and automate your inbox in just 60 seconds.

Get more information about graymail.

Categories: hotmail, spam Tags: