sircles.net Computer Support The sircles.net IT support & solutions blog | Viruses and Malware threats


The sircles.net IT support & solutions blog SEO, Copy Writing, Networking and Internet Safety & Security

Purchase Order No_18081994 - Fake Invoice PDFs with Spam URL Links


We have seen some fake purchase order emails today that have been modified in order to circumvent our latest advice on receiving bills by email. PDFs are the usual and preferred format for bills, but they can also be used to deliver links to potentially hazardous material, so, to clear up any confusion:

Do not open links from questionable senders in any format!


From: De la Rosa, Samuel <samuel.delarosa@swissport.com>
Sent: 30 August 2017 00:57
Subject: Purchase Order No_18081994
Attachments: Purchase Order No_18081994.pdf



Dear Sir/Madam,

We are pleased to place an order with you which you will find attached. Please confirm the receipt of this order by email and let us have your order acknowledgement.
Do not hesitate to contact us if there are any questions regarding this order.

Best regards,

De La Rosa, Samuel
Customer & Technical Service

 

The email contains a PDF:


Now the PDF includes a link to an external page:


There is no legitimate reason to put this link inside a PDF rather than in the email itself - it is done purely so that email filters do not detect the link. If you click on the link on a Windows PC using IE you receive a warning:

Firstly, remove the tick from this box - never trust any link from anything!!!

A PDF link can be as dangerous as any other link!!!

 

Now, do we recognise this domain? http://roarr.org is a .ORG domain in this case, but unless you recognise the domain, click BLOCK and send the email to JUNK.

If you decide to open this particular link, you will receive:


This has been reported to Microsoft as a dangerous domain - DO NOT OPEN!!!

 

If we continue, against all advice, we can see that it is an impersonation of DocuSign:


Always check the domain in the address bar at the top against what you are seeing - this is obviously a spam site trying to get your email address and password. CLOSE THIS PAGE AND DELETE THE EMAIL!!

 

Phone number email spams

24. August 2017 10:46 by sirclesadmin in Viruses and Malware threats, SPAM

Watch out for these emails trying to get you to phone an expensive number:

Name : Sophie Morgan

Email : morgan.sophie@writeme.com

Tel: 8712771062

Message : Please call me on +44 8712771062

If you email the address above you receive:

Subject: Auto-Reply

Hi, unfortunately I am unable to reply to your e-mail at the moment.

Please call me on +44 8714340521 Kind regards Sophie Morgan

The phone number is simply an expensive line from which they pocket a few pence for every call they receive - DO NOT CALL THIS NUMBER!!!

 

The postal address 'Wye St, London SW11 2HB, UK' and the email address jessica.mitchell@post.com now seem to be prevalent with this spam. This is simply an adjustment to avoid spam filtering, but the phone number is not so easily changed, as it is obviously a custom-registered number used to send them money. Our advice is to filter on the phone number, with and without the +44 prefix.

One of the most annoying aspects of this is that the numbers cannot easily be identified, nor their owners tracked down and held responsible: reverse look-up on these numbers relies on the number having been published in the first place, and there is no publicly available register as there is with domain names (although those records are largely suppressed now - wrongly, in our opinion), so there is little immediate action that can be taken.

The latest versions of these emails are now appearing as:

 

Name :  Nisha

Email :  nisha@matridtech.net

Tel:  +1-855-370-5507

Message :   May I Have the privilege of Connecting with you?

As you can see from the above, in this example they are using US numbers.
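As an added example (not from the original post), here is how the filtering advice above can be applied: every phone-like token in an incoming message is normalised so that a blocked number matches whether it is written bare, with a leading 0, with +44, or with 00 44 and brackets, and the same logic catches the US-style number from the later example. The block list holds the numbers quoted in the post; the sample messages around them are constructed.

```python
import re

# Constructed sample form submissions. The numbers are the ones quoted in the post
# above; the names, wording and the last (legitimate-looking) entry are made up here.
SAMPLE_MESSAGES = [
    "Name : Sophie Morgan\nTel: 8712771062\nMessage : Please call me on +44 8712771062",
    "Subject: Auto-Reply\nPlease call me on +44 8714340521 Kind regards Sophie Morgan",
    "Name : Nisha\nTel: +1-855-370-5507\nMessage : May I Have the privilege of Connecting with you?",
    "Name : A N Other\nTel: 020 7946 0000\nMessage : Could you quote for a server upgrade?",
]

# Block list held as bare national numbers: no country code, no trunk 0, no spacing.
# The first two are the UK numbers from the post, the third is the US one.
BLOCKED_NUMBERS = {"8712771062", "8714340521", "8553705507"}

# A run of at least 8 characters that looks like a dialled number, optionally
# prefixed with + and/or an opening bracket, starting and ending on a digit.
PHONE_TOKEN = re.compile(r"\+?\(?\d[\d\s().-]{6,}\d")


def national_digits(token: str) -> str:
    """Reduce a written number to its digits, dropping an international
    access prefix (00) and a trunk 0 written inside brackets, e.g.
    '+44 (0)871 277 1062' -> '448712771062'."""
    token = re.sub(r"\(0\)", "", token)
    digits = re.sub(r"\D", "", token)
    if digits.startswith("00"):
        digits = digits[2:]
    return digits


def blocked_numbers_in(text: str, blocked=BLOCKED_NUMBERS) -> list:
    """Return the block-list numbers that appear in text in any written form.
    Matching is on the suffix, so '08712771062', '8712771062' and
    '+44 8712771062' all hit '8712771062'; the prefix may be at most four
    digits (trunk 0 and/or a country code) so unrelated longer numbers that
    merely end in the same digits are not matched."""
    hits = set()
    for match in PHONE_TOKEN.finditer(text):
        digits = national_digits(match.group(0))
        for number in blocked:
            if digits.endswith(number) and len(digits) - len(number) <= 4:
                hits.add(number)
    return sorted(hits)


def classify(messages) -> list:
    """Label each message 'block' or 'pass' together with the numbers found."""
    return [("block" if blocked_numbers_in(m) else "pass", blocked_numbers_in(m))
            for m in messages]


if __name__ == "__main__":
    for verdict, numbers in classify(SAMPLE_MESSAGES):
        print(verdict, numbers)
```

Suffix matching is deliberate: a spammer can reformat the number freely, but the national digits must stay the same or the calls stop reaching their line, which is exactly why the post recommends filtering on the number rather than the name or address.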

 

If you have any questions regarding spam or require any assistance, you can use the messenger icon at the bottom of the screen or contact us at https://www.sircles.net 

 

Natwest Spam Emails with Microsoft Word Attachments


 

You may receive the following:


From: New post NatWest Bank <noreply@natwest94.ml>
Sent: Monday, August 21, 2017 10:07 AM
To: Support
Subject: NatWest
Attachments: NatWest258345907_2243.doc

 

View Your August 2017 online Financial Activity Statement

Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank.

Please download and view Microsoft Word attachment

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online. Sincerely. NatWest Bank

 

 
These emails are simply to persuade you to open the attachment:
DO NOT CLICK 'ENABLE EDITING' as this will compromise your system!

Spam: SANTANDER ALERTS SERVICE UPDATE from 1412261101@jcom.home.ne.jp


Watch out for the following email:


From: Santander UK <1412261101@jcom.home.ne.jp>
Sent: Tuesday, August 1, 2017 7:32 AM
To: Recipients
Subject: SANTANDER ALERTS SERVICE UPDATE

 

Valued Customer,

Please note that starting from August 01, 2017 we will be introducing new online banking authentication procedures in order to protect the private information of all online banking users.

You are required to confirm your online banking details with us as you will not be able to have access to your accounts until this has been done.

As you're already registered for online banking all you need to do is to confirm your online banking details.

Confirm your details

Once you've completed this you'll be able to manage your money whenever you want, giving you more control of your finances.

Regards
Customer Service
Santander Bank

 

Lloyds Bank Scam emails originating from the University of Southern Mississippi - Watch out !!!!


The following email may arrive in your account:

 

Lloyds 0nline. <usmlloyds@usm.edu> is obviously a spam address - the zero (0) in 0nline is designed to stop the email being filtered out by spam filters checking for 'Lloyds Online', so this message should be deleted instantly.

Any email from your bank saying that urgent action needs to be taken is false - your bank would never rely on a channel that does not guarantee receipt for an urgent matter; they would always phone.

If we look at the language in general below:

 

  1. As we can see, the 0nline zero is present
  2. USM.EDU is the email domain of the University of Southern Mississippi, who most definitely do not send email on behalf of Lloyds Bank
  3. https://security.lloydsbαnk.co.uk/updates actually points to https://www.smartideas.bg/sma.htm, and if we hover over the link we can see the true destination.

 

  4. The α in Lloyds Bαnk is the Greek letter alpha: the Latin 'a' has been replaced with 'α', which is another tactic to avoid being filtered, as you can see if you examine the a closely.
  5. If we reply to the email we receive:
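The following is an added example, not part of the original post: a small Python check that shows what the α in lloydsbαnk really is and which host a browser would actually resolve the link to. The sample links are the one quoted in item 3 above plus a constructed genuine-looking address for comparison; only the standard library is used.

```python
import unicodedata
from urllib.parse import urlsplit

# The link text from the Lloyds email quoted above, plus a constructed
# genuine-looking URL for comparison.
SAMPLE_LINKS = [
    "https://security.lloydsbαnk.co.uk/updates",
    "https://www.lloydsbank.co.uk/",
]


def foreign_characters(hostname: str) -> list:
    """List every character in hostname that is not plain ASCII, with its
    Unicode name, so a reader can see e.g. that the 'a' is really
    GREEK SMALL LETTER ALPHA."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in hostname if ord(ch) > 127]


def punycode(hostname: str) -> str:
    """What the browser actually resolves: the IDNA (punycode) form of the host.
    Labels that contain non-ASCII characters come back as xn--... labels."""
    return hostname.encode("idna").decode("ascii")


def inspect_url(url: str) -> dict:
    """Summarise a URL the way a cautious reader should: the host the link
    really points at, any non-ASCII characters in it, and whether the host
    as displayed is the same as the host that will be resolved."""
    host = urlsplit(url).hostname or ""
    foreign = foreign_characters(host)
    return {
        "host": host,
        "resolved_host": punycode(host),
        "foreign_characters": foreign,
        "suspicious": bool(foreign),
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = inspect_url(link)
        print(link)
        print("  resolves to:", report["resolved_host"])
        for ch, name in report["foreign_characters"]:
            print(f"  non-ASCII character {ch!r}: {name}")
```

The resolved_host value is the real tell: a bank's hostname never contains an xn-- label, so any link whose punycode form differs from what is displayed has been crafted to look like something it is not.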

 

========================================

Clicking the link:

 

The website that we are taken to when clicking the link certainly looks like Lloyds Bank:

 

But if we look at the address in the address bar:

 

We can see that the address is all wrong. If we click the 'How do I know that this site is secure?' link, then there is no satisfactory result. 

This is an effective impersonation of the Lloyds login page and has several verification rules for the input boxes.

This page will reappear under a different domain once the owners of smartideas.bg realise they have been hacked and restore their correct website.

Keep an eye out for all emails from the bank - they never email you about security!!!!

Another set of domain names to watch, which serve the same page as above:

http://ourbabyshower.co.za/LLOHDBU0/

http://darylconner.com/LLHSUUNDFY830/V6/ 

Both of the above are fake Lloyds related URLs.

AsiaRegistration.net and other Domain Name Registration and Scams


Look-out!!! Someone in China is going to take over our sector online!

At least I think that is the response this email is expecting.

 

So my company name is allegedly being registered in China and all of the trademarks etc. are in danger dot dot dot.

I have an email here from jim.wang@asiaregistration.net who assures me I need to act fast!

Well first of all, let us look at the email in question:

Dear CEO, Well the CEO is not likely to receive this email but this is a great way of panicking his PA or whoever may receive messages sent to 'info@'

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent. If this email affects you, we are very sorry, please ignore this email. Thanks) This is more of the same - panic panic panic - must act now. It is a bit like finding a hotel room online (always phone around as you will pay half the price)

We are a Network Service Company which is the domain name registration center in China. OK

We received an application from Huadu Ltd on July 18, 2017. They want to register " insolvencyit " as their Internet Keyword and " insolvencyit .cn "、" insolvencyit .com.cn " 、" insolvencyit .net.cn "、" insolvencyit .org.cn " 、" insolvencyit .asia " domain names, they are in China and Asia domain names. But after checking it, we find " insolvencyit " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

No registration of any domain will affect a company in any other country - there are so many national domain suffixes and other suffixes that registering them all would be a serious drain on your company profits for no reason.

 

Best Regards,

Jim | Service Manager

Asia Registration (Head Office)

I have removed the phone numbers etc. for the purposes of this post.

 

Web: www(dot)asiaregistration(dot)net

This is important: they are trying to stop their email linking to www.asiaregistration.net in order to disassociate themselves from it for some reason - this would indicate wrongdoing of some kind and suggests this email is spam and should be ignored.

Do not ever register domains you do not need - they are a waste of time and should not be bought defensively - unless you are an online retailer and want to prevent a specific competitor buying a certain keyword domain. Stick to your single website and invest in that and the quality of your work will be concentrated in one place to get you a good ranking. Everything else is hearsay and happenstance.

 

 

eBay spam WARNING!! - watch out these ones look good...


So now we are looking at eBay scams that are interested in hacking your eBay account so that they can get details or account information.

Here is a typical email - the first thing to do is notice that there is a big button with 'dispute this transaction' which is not normally present. Also notice that the email is originating from outlook.com which is unusual for an eBay email:

Also notice that if we hover over the 'Dispute this transaction' button we see the following:

So although the link contains the rover.ebay.com part, the domain it actually points to is t.co, which is Twitter's forwarding domain (oops, that's a bit embarrassing), and which then forwards you to http://disputetransactionebaycommunicationreview.com/webapps/a3889/websrc
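As an added example (not the original post's content), here is a Python link audit that catches both tricks seen on this page: the Lloyds link earlier, whose text shows lloydsbαnk.co.uk but whose href goes to smartideas.bg, and the eBay button above, whose text mentions rover.ebay.com but whose href goes to t.co. The HTML fragment is constructed for the example, the t.co path is a placeholder, and t.co is the only forwarding host listed because it is the one named here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML fragment mimicking the two emails discussed on this page.
# The t.co path is a placeholder; the Lloyds and eBay destinations are those quoted
# in the posts; the final link is a benign one made up for contrast.
SAMPLE_HTML = """
<p><a href="https://www.smartideas.bg/sma.htm">https://security.lloydsbαnk.co.uk/updates</a></p>
<p><a href="https://t.co/PLACEHOLDER">https://rover.ebay.com/rover/1/dispute</a></p>
<p><a href="https://t.co/PLACEHOLDER">Dispute this transaction</a></p>
<p><a href="https://www.ebay.co.uk/help">https://www.ebay.co.uk/help</a></p>
"""

# Forwarding/shortener hosts hide the real destination; t.co is the one named in the post.
FORWARDING_HOSTS = {"t.co"}

# Host-like text: something.something with no spaces or slashes, optionally after http(s)://
HOST_IN_TEXT = re.compile(r"(?:https?://)?([^\s/:@]+\.[^\s/:@]+)")


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text: str):
    """The host a reader believes they are clicking, if the link text looks like a URL."""
    m = HOST_IN_TEXT.search(text)
    return m.group(1).lower().rstrip(".") if m else None


def audit_links(html: str) -> list:
    """Return one record per link with the reasons (if any) it should be distrusted."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        actual = (urlsplit(href).hostname or "").lower()
        shown = shown_host(text)
        reasons = []
        if shown and shown != actual:
            reasons.append(f"text shows {shown} but link goes to {actual}")
        if actual in FORWARDING_HOSTS:
            reasons.append(f"{actual} is a forwarding service that hides the real destination")
        if any(ord(c) > 127 for c in (shown or "")):
            reasons.append("link text contains non-ASCII look-alike characters")
        report.append({"href": href, "text": text, "actual_host": actual, "reasons": reasons})
    return report


if __name__ == "__main__":
    for entry in audit_links(SAMPLE_HTML):
        status = "SUSPICIOUS" if entry["reasons"] else "ok"
        print(status, entry["actual_host"], "<-", entry["text"])
        for reason in entry["reasons"]:
            print("   ", reason)
```

This is the programmatic form of the hover check the post describes: the browser's status bar shows the href host, and the audit simply compares it with whatever host the link text is pretending to be.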

This page shows up as PayPal:

You can still see the phantom domain at the top though. This is obviously where they are interested in grabbing your PayPal details, so do not enter them.

Report this website address as false as soon as you can.

Forward the email to your ISP's spam reporting service.

It should be noted that Outlook.com and Twitter.com are both being used for this, so beware, as it will more than likely pass your anti-spam filters!

 

Watching for new roothints and adware


OK, so you have your new computer and you are dying to get cracking on the Internet, as your ISP has just made your new broadband connection live. Your computer was pre-installed and appears to have everything that you need, including your bonus installation of Norton Antivirus or similar and free downloads for a year. You install your modem and are ready to go, so let's go...

Antivirus Questions?

But maybe we should hold on a second. Norton Antivirus wins a lot of awards etc., but then it would. It is made by Symantec, who are definitely a leader in corporate antivirus technology and a good supplier to deal with at that level, but they will charge you for any support as a home user and charge you to update your signature files after your trial period. A better option is to lose the installed antivirus and get AVG Free Edition from Grisoft, which picks up as many viruses as any other home edition antivirus package. Grisoft's solution is available from http://free.grisoft.com/doc/1 and I would urge you to pay for the full edition if you are a business, as the extra functionality is worth it. Avast and Antivir are also perfectly good examples and are also free. Whatever you do, make sure you have a suitable solution before just surfing unknown pages.

You should also equip yourself with a firewall. Surfing the Internet without a firewall leaves you open to attacks, so at the very least make sure you have either the Windows XP SP2 firewall or one of these free firewalls: Kerio, Sygate, ZoneAlarm.

ALSO: Keep Windows Updated! Many Windows updates are to close holes exploited by malicious programs and simply staying updated will keep a lot of infections off your system.

But what about Spy-ware?

What anti-spyware system should I use? Well, first of all, a lot of decent antivirus solutions catch spyware and adware as well as viruses, as they are all basically the same thing. They are all darn annoying and the primary reason new Internet users run into trouble. Most of the anti-spyware solutions these days use all of the spyware and virus hassles to try and sell themselves - I have people calling me asking how to get SpyAxe and Spyware-Killer OFF their machines. These are not solutions sold to enrich computer use; they are immature, trip-you-up pieces of software designed for a quick buck, and some new users will be caught out. In my experience there is no anti-spyware solution - even the ones from Microsoft and the like - that catches most of the adware and irritations that can be removed simply by going into Control Panel in Windows and removing everything you do not use or recognise.

If you are determined to use other means, or have tried all of the above, you can also run these online scans: Panda ActiveScan, HouseCall Scan - although they require an ActiveX download, which your firewall may object to.

The following examples are all free also, and can happily coexist on the same computer:

Free Anti-Spyware: MS AntiSpyware, Ad-Aware SE, Spybot S&D, SpywareBlaster

It is important that your computer is run at minimum functionality. Windows is like a pen-knife - it can do almost anything you need it to - but if you are not hosting a website then make sure that the web-hosting features are uninstalled. You can do this in Control Panel under Add/Remove Programs, then clicking Add/Remove Windows Components on the left (Windows XP - the others are similar). Every bit of unnecessary functionality can be used against you, so try and run a tight ship. Make sure you have a reason to keep everything you see in this screen. If you don't use network printing then get rid of it. If you don't use fax services then get rid of them. Every one you can dump frees memory and so decreases the work your computer does swapping out the page-file, which equals more speed.

Once you have spyware, adware or a virus infesting your system, it will be taking you to an undesirable website, or you will be getting pop-ups of some kind, or whatever. Do not go running to the first advert you see. Your friends are the other people who have had the problem. Do a search on the Internet for a description of the symptoms and have a read of some articles that do not take money off you for your custom - forums and the like. There will be instructions. If you cannot get to any website other than the one to which you are unwittingly directed, go into Control Panel, Add/Remove Programs, and get rid of anything with an incomplete name (by 'get rid of' I mean uninstall it) or anything that you do not knowingly use. If you are unsure, then have a look in the documentation for the software name in question. Do not just uninstall everything you do not recognise; check the system again after each uninstall to see if the problem is cured, so you know for sure which application was causing the problem.

Many viruses and the like kick off their processes at boot-up. There are many places in the Registry (a set of files that do a lot to tell Windows how it should behave) where these processes can give themselves shortcuts to start up. If you go to the Start button on your taskbar, choose Run and then type regedit into the box which appears, you will be presented with the Registry Editor. Beware!!!! The Registry is critical to Windows and if you mess about with it you can stop Windows booting up altogether, so do not change anything without verifying the information from at least two sources!!! If you look at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce etc. you will see something like the below:

 

Many of the processes aggravating you or your computer are to be found here or in other similar places in the Windows Registry. Note that in a lot of articles it is common to abbreviate HKEY_LOCAL_MACHINE to HKLM, and that there are as many trouble-causers as do-gooders, so try and find a good source of information and verify it. Once you have found a source to be good more than a few times you can start to trust the information you find there.
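As an added example, not from the original post: a Python script that triages Run and RunOnce entries the way the paragraphs above suggest, flagging anything that starts from a temporary or user-writable folder, or that borrows the name of a Windows system binary but does not live in System32. The sample entries, paths and environment-variable defaults are constructed for illustration; on a Windows machine live_run_entries() reads the real values with the standard winreg module, and elsewhere it returns an empty list.

```python
import re

# Constructed Run-key entries in the shape regedit shows them (value name, value data).
# None of these are real programs; the paths are made up to illustrate the checks.
SAMPLE_RUN_ENTRIES = [
    ("VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    ("svchost", r"C:\Users\Public\svchost.exe"),
    ("Update", r"%APPDATA%\a8f3\update.exe -s"),
    ("Cleaner", r"C:\Windows\Temp\cleaner.exe"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
]

# Assumed default locations for the environment variables that commonly appear in
# Run values; on a real machine these would come from os.environ.
ENV = {
    "%SYSTEMROOT%": r"C:\Windows",
    "%WINDIR%": r"C:\Windows",
    "%APPDATA%": r"C:\Users\user\AppData\Roaming",
    "%LOCALAPPDATA%": r"C:\Users\user\AppData\Local",
    "%TEMP%": r"C:\Users\user\AppData\Local\Temp",
    "%PROGRAMFILES%": r"C:\Program Files",
}

# Locations from which a legitimately installed program very rarely autostarts.
USER_WRITABLE_DIRS = (
    "c:\\users\\public",
    "\\appdata\\roaming",
    "\\appdata\\local\\temp",
    "c:\\windows\\temp",
    "c:\\temp",
)

# Names of Windows binaries that malware likes to borrow; the genuine ones live in System32.
SYSTEM_BINARY_NAMES = {"svchost", "explorer", "csrss", "lsass", "winlogon", "ctfmon"}
SYSTEM32 = "c:\\windows\\system32\\"

# The program path inside a Run value: quoted, or unquoted up to the first extension,
# so unquoted paths containing spaces are still recovered.
EXECUTABLE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1|dll))"?', re.IGNORECASE)


def expand(value: str) -> str:
    """Replace %VAR% tokens (case-insensitively) using the assumed ENV table."""
    for var, path in ENV.items():
        value = re.sub(re.escape(var), lambda _m, p=path: p, value, flags=re.IGNORECASE)
    return value


def triage_entry(command: str) -> list:
    """Reasons to look harder at one autostart entry (empty list = nothing odd)."""
    m = EXECUTABLE.match(expand(command).strip())
    if not m:
        return ["cannot identify the executable in the command"]
    path = m.group(1).lower()
    reasons = []
    if any(marker in path for marker in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable or temporary folder")
    base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if base in SYSTEM_BINARY_NAMES and not path.startswith(SYSTEM32):
        reasons.append(f"{base} is a Windows system binary name but not in System32")
    return reasons


def triage(entries) -> dict:
    """Map each entry name to its list of reasons; clean entries still appear with []."""
    return {name: triage_entry(command) for name, command in entries}


def live_run_entries() -> list:
    """On Windows, read the real Run/RunOnce values under HKLM and HKCU; elsewhere []."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for sub in (r"Software\Microsoft\Windows\CurrentVersion\Run",
                    r"Software\Microsoft\Windows\CurrentVersion\RunOnce"):
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    entries.append((name, str(data)))
                    index += 1
    return entries


if __name__ == "__main__":
    for name, reasons in triage(live_run_entries() or SAMPLE_RUN_ENTRIES).items():
        print(name, "->", reasons or "looks normal")
```

The heuristics are deliberately simple and only say where to look first; as the text says, verify anything you find against at least two sources before removing it.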

With issues like SpyAxe, where the product repeatedly tells you that you have a virus, remember a few things. If the product it is asking you to install is not already installed, then how can the computer know it has a virus?

Please feel free to submit any other spy-ware problems at http://forum.sircles.net for us to have a look at. If you wish to try an anti-spy-ware application to help clear up your PC, have a look at the anti-spy-ware review site for a decent opinion of which one works best as we prefer companies to be inspired to make a good product rather than just hard-selling via cheap viruses and ad-ware; if they keep trying to hard-sell you things, tell us, and we will find a better link.

Oi Windows 10, give me back my PC !!!!


If you are, like me, a very boring web user who doesn't go to many unknown websites or watch lots of unsubscribed videos etc. then you might be feeling a little annoyed with the new 'compulsory real-time monitor' arrangement that Windows 10 suffers from. It is, of course, a sign that your computer hard disk drive is now performing two or three times the work for many operations compared to how it was functioning on Windows 7. Real-time scanning (as the word real-time is supposed to explain) means that every file your computer needs to open is examined in advance by a proprietary process before the system comes into contact with it. Now there are two reasons why I don't like this thinking. The first is the obvious performance problem (and whether that wastes more time, energy and money than all the viruses in the world put together is another question.) The second is that Windows 10 downloads so many updates of such unbelievable magnitude that they kill the performance of your machine and the internet and so what is the point of Windows Defender anyway? This is further compounded by the fact that Windows Update, like Windows Defender, now appears to be compulsory.

OK, so let's have a look at all of the components and how we can disable them, as Microsoft have recently started to run scheduled tasks to make sure that the most performance-hungry Windows processes are restarted and re-enabled at regular intervals, such as SharePoint Sync in Microsoft Office and Defender in Windows 10.

So we will begin by using the simplest and safest way to disable the Windows Defender Components, using the registry editor.

If you press the Windows key and type 'regedit' and press enter you will be presented with the registry editor and you will need to navigate to the following area:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

This means that under HKEY_LOCAL_MACHINE you expand the folders (called keys in the Registry Editor - even though they look the same, they are not folders, they are something completely different) until you reach Windows Defender.

When you find the correct key, highlight it on the left, then right-click on the right-hand side below the (Default) value and select New > DWORD (32-bit) Value.

Give the DWORD the name DisableAntiSpyWare and once it has been created, double click the DWORD and enter the value '1' and press OK so that you have the below:

Now let's try restarting Windows 10....

OK, so according to the above view from the taskbar, the Windows Defender application is not running. Let's check under the running services by clicking the Start button and typing services.msc

OK excellent, the service has been stopped and is now set to manual. This is going to speed us up nicely. But now how do we stop the automatic updates from hogging all of the bandwidth and disk speed?

Well, there are many sites telling me to use metered connections or policies to disable this function, but the Windows Update feature can be disabled by opening the services.msc applet and disabling the service, which you can find as follows:

NB This service has already been disabled here, but yours will not have been.

Now double-click the update service and choose the start-up type:

Once it is set to disabled then click OK to confirm.

Now we are back in control of our Windows 10 PC, and our Internet connection, RAM, hard disk and CPU are all our own again.