Tag Archives: Emotet

Law Enforcement Hacks Emotet and Netwalker


The cops are fighting a game of whack-a-mole with the hackers and likely always will, but this week they whacked hard and had a couple of wins.

In a multi-nation effort including the US, UK, Europol and many others, the good guys (and ladies) took control of the command and control servers for the Emotet malware. Emotet is a huge player in the spam/malware game and this coordinated takedown will set them back a bunch. They had been working on this takedown for three years.

This doesn’t mean that they won’t be back, but it does mean that they will need to basically start over, conning people to click on the wrong links and compromising those computers again. Credit: Homeland Security Today

At the same time, law enforcement from the US and Bulgaria disrupted the Netwalker ransomware gangs by taking down their servers and indicting a Canadian who reportedly made over $25 million using the Netwalker tools. Credit: Metacurity

While these hits are great and high profile, and will definitely have at least a short-term effect, there is too much money being made for the hackers to just quit. I don’t think it will deter many hackers, unfortunately.

As long as users and companies don’t treat the threat seriously enough, the hackers will just come back. After all, to paraphrase an old politician – hack a billion dollars here and a billion dollars there and after a while, it adds up to real money.

Security News for the Week Ending November 29, 2019

The Problem with Big Data is, Well, That it is Big

On October 16th researchers revealed that they had found an exposed database with 4 billion records covering 1.2 billion people.  The first database contained information on 1.5 billion unique people (note these numbers do not exactly match) including work phone numbers and mobile phone numbers.  The second database contains hundreds of millions of scraped profiles from LinkedIn.  The data appears to be linked to “data enrichment” firms, People Data Labs and Oxy.io, but the firms say that the server doesn’t belong to them.  They did not say that the data did not originate from them.  Likely, the server belongs to one of their customers.  The good news is that the databases do not contain passwords or credit cards, but still there is a lot of data there.  The term data enrichment is an expression for “we aggregate data from a bunch of sources and put it all together, so if all YOU have, for example is a person’s email, we can tell you how much they make, how many kids they have and the roads they travel on to work, etc…”  Source: Computer Weekly.


California DMV Made > $50 Million Last Year Selling Your Data

First the law requires you to provide all kinds of information to the DMV.  Then the DMV sells that information to anyone whose check clears.  And they do not need to ask your permission.  In theory the law restricts who they can sell your data to, but there are a lot of exceptions. One example was a private investigator who bought the information and gave it to his stalker client, who killed the person.  Another is data brokers like LexisNexis.  Maybe the law should be changed, but in the meantime the DMV loves the cash.  Source: Vice


Another Public Leakware Attack

As I said in my November 19, 2019 post titled “Argh – They Have a Name for it Now – Leakware“, leakware is becoming more popular.  Now we have a case involving the security and building facilities firm Allied Universal ($7 billion in revenue, 200,000 employees).  Allied was breached and the hackers want money.  To make a point, they leaked 700 megabytes of data.  They say that they have 4 GB+ more to leak and that they will give it to Wikileaks.  They posted the sample data to Bleeping Computer’s forum, which took it down, and also to a Russian crime forum, which was not so supportive.  The hackers initially wanted $2 million.  Now they want $4 million; Allied offered $50k.  A bit of a gap.  Allied says that they take security seriously but didn’t say what they planned to do to protect the stolen data.  If these hackers are Russian, there really isn’t much they can do other than negotiate.  They have brought in security experts after the breach.  While it is useful to close the barn door once the horses are gone and the barn is burned to the ground, that probably won’t make much difference to the customers whose data was compromised.  Stay tuned for lawsuits.  Assuming this trend continues, we need to create different defenses for ransomware.  Source: Bleeping Computer

That Thanksgiving e-Card – Yup, Its Malware

With the holiday season starting, the purveyors of malware are in the holiday spirit too.  They are sending out millions of MALICIOUS, INFECTED e-greeting cards.

Open the card and you, too, will be infected.  In one campaign, the malware is the Emotet password-stealing trojan.

Open that card and all of your passwords will be sent to Russia or China or some other friendly place.

When I get one of these cards, I send the person who sent it a note thanking them, but telling them that, in an unfortunate sign of the times, it is too risky to open it.

Then I hit the delete key.  Source: Bleeping Computer

Malware Disguises Itself as Amazon Order Confirmation Email

Merry Christmas!

The hackers, of course, do not take Christmas off and are working hard to ruin yours.

Today’s story is about a very active spam campaign that is disguised as Amazon order confirmations.  The first stage of the campaign looks something like this with different subject lines:

Notice that you have to click on ORDER DETAILS to see what the order is.  For many people thinking they didn’t order anything, they get concerned that their account has been hacked and will click on it.  From Amazon’s side, they are always changing things, so people might think “there the fools in Seattle go changing things again” and not give it much more thought.

If you hover over almost all of the links, it will show the legit Amazon links.  Except for the order details link.
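The "hover over the link" check above can be automated for a mail gateway or a triage script: parse every anchor in the message and flag the ones whose target host is not under the brand's real domain. The following is an added example, not code from the original post; the sample message is constructed to mirror the layout described (most links legitimate, only the order-details link pointing elsewhere), and the `example.invalid` host is a placeholder.

```python
# Added example (not from the original post): flag links in an HTML e-mail whose
# target host is not the brand's real domain, automating the "hover over the link"
# check. The sample message below is constructed, not a real lure.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the campaign's layout: most links go to the real
# brand domain, but the "ORDER DETAILS" button points somewhere else and
# downloads a document.
SAMPLE_EMAIL = """
<html><body>
<p>Your Amazon.com order has shipped.</p>
<a href="https://www.amazon.com/your-account">Your Account</a>
<a href="https://www.amazon.com/help">Help</a>
<a href="http://invoice-update.example.invalid/order.doc">ORDER DETAILS</a>
<a href="https://www.amazon.com/unsubscribe">Unsubscribe</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, brand_domain):
    """True if host is brand_domain itself or one of its subdomains.

    'amazon.com.evil.invalid' does NOT match, because only a trailing
    '.amazon.com' counts as a subdomain.
    """
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def suspicious_links(html, brand_domain="amazon.com"):
    """Return [(text, href, reason)] for http(s) links not under brand_domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto: and friends are out of scope for this check
        # Strip any 'user@' prefix and ':port' so 'https://www.amazon.com@evil'
        # is judged by the real host, not by the decoy userinfo part.
        host = url.netloc.split("@")[-1].split(":")[0]
        if not host_matches(host, brand_domain):
            reason = "host %s is not under %s" % (host, brand_domain)
            if url.path.lower().endswith((".doc", ".docm", ".docx", ".zip", ".js")):
                reason += "; link downloads a file"
            findings.append((text, href, reason))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS: %r -> %s (%s)" % (text, href, reason))
```

Run against the constructed message, only the ORDER DETAILS link is reported, with the added note that it downloads a document. The userinfo handling matters in practice: a URL of the form `https://www.amazon.com@other-host/` shows the brand name when hovered but resolves to `other-host`.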

It downloads a Microsoft Office Word document.

Think about that for a minute.  Time’s up!  Does that reasonably seem like something Amazon has ever done in its entire existence?  NO!  That is the first clue.

Then it tells the reader to enable macros (what Microsoft calls enable content now).  That should be a really big red flag.  But not to some.  They don’t read the software license agreements and other legal documents that they are bound by so why read this.

That fires off stage three.  A PowerShell script downloads the Emotet malware.  The hackers give it different names, but so far it is always Emotet.
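From the defender's side, the stage that is easiest to catch is the one just described: a Word process spawning PowerShell. The following is an added example, not code from the original post, of a small detection rule over process-creation events. The field names (`parent`, `image`, `cmdline`, `ts`), the sample events and the encoded-command placeholder are assumptions for illustration, not a real log format or a real Emotet command line.

```python
# Added example (not from the original post): score process-creation events so
# that an Office application launching a script interpreter is alerted on,
# with extra weight for downloader-style command-line options. The event
# format and the sample events below are constructed for illustration.

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}
# Substrings that make an Office-spawned shell more suspicious.
DOWNLOADER_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "-enc", "hidden", "bypass")

SAMPLE_EVENTS = [  # constructed events, assumed field names
    {"ts": "2019-12-24T10:01:02Z",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc BASE64PLACEHOLDER"},
    {"ts": "2019-12-24T10:05:00Z",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ts": "2019-12-24T10:07:30Z",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"winword.exe /n C:\Users\u\AppData\Local\Temp\invoice.doc"},
    {"ts": "2019-12-24T10:07:45Z",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start /min wscript.exe C:\Users\u\AppData\Local\Temp\run.vbs"},
]


def basename(path):
    """Last path component, lower-cased, tolerant of / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    parent = basename(ev.get("parent", ""))
    child = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "").lower()
    score, reasons = 0, []
    # The parent/child relationship alone is enough to alert: Word has no
    # business starting a shell, whatever the command line says.
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        score += 60
        reasons.append("%s spawned %s" % (parent, child))
    for hint in DOWNLOADER_HINTS:
        if hint in cmd:
            score += 15
            reasons.append("command line contains %r" % hint)
    return score, reasons


def detect(events, threshold=60):
    """Return [(ts, score, reasons)] for events scoring at or above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.get("ts"), score, reasons))
    return alerts


if __name__ == "__main__":
    for ts, score, reasons in detect(SAMPLE_EVENTS):
        print("%s score=%d %s" % (ts, score, "; ".join(reasons)))
```

On the constructed events, the two Word-spawned shells are alerted (the first with extra weight for the hidden window and encoded command), while an administrator's scheduled script and Outlook opening an attachment in Word stay quiet. Keeping the Office-parent condition separate from the command-line hints is deliberate: the hints change with every campaign, the parent/child chain does not.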

Emotet grew to fame as a banking trojan – stealing passwords to empty your bank account out.

Now it is logging all of your keystrokes, silently, sending your userids, passwords, contacts, emails, texts, etc. to Indonesia and U.S. servers which were previously compromised.

So what are my tips regarding this?

Hover over the link to validate what site it is going to.

Better still, open a new browser window and go to HTTPS://www.amazon.com yourself.  If you don’t see the order, it isn’t Amazon.

If someone asks you to enable macros, just don’t do it.  There are rare occasions, possibly at work, but make sure to validate it independently – like call the help desk.

This virus is particularly nasty and you really want to avoid it if you can.

Now that this has been exposed, look for variations on this theme – like a Netflix email instead of an Amazon email.

Information for this post came from Bleeping Computer.