Less than NetZero, or How Personal Email can Spoil Your Day

Why do malware attacks seem to happen to the same people at work all the time—people who you’d think would be the least likely to spend their idle moments trolling through the worst of the Internet?

And why, after your company has spent a lot of time, money and energy setting up firewalls, anti-virus, anti-malware and spam filters, does an occasional malware attack still get through?

As I noted in my WannaCry missives earlier this week, the most “successful” malware attacks spread through email and are the result of human habits that are hard to break. (“Oh, here’s an email from Uncle Harry.  I haven’t heard from him in years!”)

I got a panicky call yesterday from an employee of a long-time client. “I’m getting this message that says I’ve been attacked and I’m not supposed to reboot or close the message.  I called Microsoft, using a telephone number on the message.  They told me they couldn’t help and that I have to call my IT guy. I’m stuck.”

After taking a deep breath, I said, as calmly as possible, “I’ll be there as soon as I can. Just let everything alone for now.”

It turned out to be an infected website that took over her Chrome browser.  I was able to use the old three-fingered salute (Ctrl-Alt-Delete) and Task Manager to close the browser windows, then updated and ran my good buddy Malwarebytes. It found two PUPs (potentially unwanted programs) and a Trojan (as in horse), which it quarantined. After rebooting, I downloaded the newest version of Malwarebytes and scanned again. This time we got 16 more nasties.

So, this being a browser event, I asked, “What websites were you on recently?” Her response was “Oh, Google, a government site, and—oh, yeah—I checked my NetZero email.”

Bingo. We’ve chosen the safest email systems we can afford for our workplace and it’s doing a reasonable job of keeping out the bad stuff. However, NetZero, and its “ancient” brethren, are still with us.  Given their revenue sources (Why do you think they called it Zero?), it’s not surprising that they don’t vet incoming email as well as the giants (Gmail, Microsoft).

Lures we don’t see on the workplace’s email come crashing through on a web-based personal email account that the employee has had for years. The employee was just doing what they’ve always done.

So here’s today’s takeaway:  Please ask your employees to check their personal emails on their phone or other NON-WORK device.  Or, ask them to wait until they get home to check their personal emails.

Warning: Phishy Attachments

The world was focused on WannaCry recently, but there is another ongoing threat that your employees need to be aware of:

Word and Excel documents, as well as .pdf files, can also carry malware payloads.  If the takeaway message in the last post was “Don’t Click”, today’s is: Don’t Open That Attachment!

By this point, your version of Office should have been patched to NOT open any attachments without asking you first.  Sometimes that means that Office will show the attachment but won’t allow you to edit it until you press a button and respond to a pop-up that says, in effect, “Are you sure you want to do this?”

The warning and extra steps are really annoying when they affect legitimate files, but it’s an important feature that can help prevent you from being a victim of malware. If you need some before-bed reading, you can read the gory details in the SecureElement Advisory on the PDF phishing scam: https://securelement.com/securelement-support-advisory-pdf-phishing-scam/

No Clicks!

Do NOT click ANY links inside ANY emails.

They might appear to come from a person or company you deal with on a regular basis.  They may look like this…

Click here to get information from Microsoft.

…or they might be a button with a similar phrase.  In either case, hold your cursor over any such link. Note that the link above actually points to this blog and NOT to Microsoft’s website. Sometimes they will include “microsoft” within the link, but it’s not an actual Microsoft URL. For instance, the link may be something like:

http://microsoft.com.nastybugger.com/gotcha

instead of a legitimate link like…

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/WannaCrypt

It also might have a “mailto” link. However, instead of calling up your email client to send a message to someone, the link could be a trigger for a process that attacks a vulnerability in Windows.
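Doing the hover check in code, as an added example that is not part of the original post: the script below pulls every link out of an HTML email body (a constructed sample message is embedded) and reports where each one really goes, so the microsoft.com.nastybugger.com pattern and a mailto link are both surfaced. TRUSTED_DOMAINS, the sample message and the function names are assumptions made for this demo, and the registered-domain helper is a two-label shortcut rather than a full Public Suffix List lookup.

```python
"""Hover-check for email links, done in code: pull every link out of an
HTML email body and report where it really goes. Added example for this
post; the sample message, TRUSTED_DOMAINS and the helper names are
assumptions, not anything from the original."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a lookalike link, a legitimate link and a mailto.
SAMPLE_EMAIL_HTML = """
<p>Click <a href="http://microsoft.com.nastybugger.com/gotcha">here</a>
to get information from Microsoft.</p>
<p>Or read the
<a href="https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/WannaCrypt">
official advisory</a>.</p>
<p><a href="mailto:support@nastybugger.com">Contact Microsoft support</a></p>
"""

# Registered domains we are willing to treat as "really Microsoft" (assumption).
TRUSTED_DOMAINS = {"microsoft.com"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse the whitespace that HTML line breaks leave in the text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Last two labels of the host: 'nastybugger.com' for
    'microsoft.com.nastybugger.com'. Adequate for .com/.net/.org; a
    production tool should use the Public Suffix List for suffixes
    such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href):
    """Return (verdict, destination) for one href."""
    parsed = urlparse(href)
    if parsed.scheme == "mailto":
        # A message would go to this address; it is not a website at all.
        return "mailto", parsed.path
    host = parsed.hostname or ""
    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", host
    # Brand name present somewhere in the host but the registered domain
    # belongs to someone else: the microsoft.com.nastybugger.com pattern.
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if any(b in host for b in brands):
        return "lookalike", host
    return "other", host


def find_suspicious(html):
    """Classify every link in the message; anything that is not 'trusted'
    is worth a phone call to the sender before it is clicked."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        verdict, dest = classify_link(href)
        results.append((verdict, dest, text))
    return results


if __name__ == "__main__":
    for verdict, dest, text in find_suspicious(SAMPLE_EMAIL_HTML):
        print(f"{verdict:10} {dest:40} text={text!r}")
```

Run it as-is to see the three verdicts for the sample message; to check a real message, save the HTML body to a file and pass its contents to find_suspicious. The registered-domain check is the part that matters: the brand name in the middle of a host means nothing, only the last labels say who owns it.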

So what do I do?

Don’t click the link. Your options are…

  1. Telephone the sender to confirm that they sent you that particular email.
  2. Go directly to the “sender’s” website using your browser (type the URL into the address bar) instead of clicking the link.
  3. If it’s an email (“mailto”) link, open your Outlook or other email client and send the message using the email address you have on file already.

In every case, the rule is the same: go to the company’s website yourself or send an email yourself to the person who supposedly sent you the message, instead of clicking the link.

What happens if I forget and click a link?

With luck, you have not clicked a bogus link and all is right with the world.  And, then again, this could pop up on your screen:


At this point, there is currently nothing you can do.  Any option it provides will cost you $$$ and may not work.  The best we can do is to wipe your hard drive and start from scratch.

The name of the game is prevention.  Don’t click and make sure your computer has all of the available Microsoft updates installed.

Some other things to know:

  1. If WannaCry installs itself on a computer on your network, it can not only hold your computer for ransom but also spread to every other computer on the network, including any unpatched servers.
  2. If your computer is still running Windows XP, that computer is the biggest target of WannaCry.  It’s so bad that Microsoft just released a patch for it—several years after Microsoft stopped supporting and updating XP.  Patch that computer NOW! Google “WannaCry Microsoft” (without the quotes) and click the link for “Customer Guidance for WannaCrypt attacks”, which should be among the top results of the search.  Scroll down to the bottom and click the version of Windows you want to patch (It’s on the line that says “Download English Language security updates:”)
  3. Newer versions of Windows (7, 8, 10) had patches released last month. Those patches were supposed to install themselves automatically.  Sometimes your computer is set up to download the updates but not install them until you tell it to.  If you have a message from Microsoft saying that updates are pending, PLEASE install those updates NOW.
  4. Backups are REALLY important.  Under the worst of circumstances (your computer’s hard drive is encrypted and you don’t have the key, there’s a fire or other damage to your computer or network) you can restore from those backups and be back in business in short order.
  5. Your Desktop is NOT backed up! On networks over which I have control, there are two different backups (one in the cloud and the other on a local external drive).  That’s the good news.  The bad news: I see a LOT of users who store important information on their desktops or the C:\ drive.  BIG MISTAKE!  Generally speaking, files stored on your local computer are not backed up. If your computer dies, your information stored on the desktop dies with it.  Store all data in your server folder (usually your H: drive).  If you want convenience, put a shortcut to that folder on your desktop.
  6. Employees who access their personal emails using a web-based service like Gmail or Yahoo can also be the target of an attack.  The “no clicks” rule applies to personal email as well as corporate.

Get Proactive

AVG, my current anti-virus system of choice, has come out with a new product that not only deals with traditional viruses, but it also monitors whether all computers are current with Microsoft Updates and allows me to force updates to any non-compliant PC remotely and during non-business hours.  I’m conducting a pilot program now and will be in touch with you when (and if) I’m satisfied with the product.

My goal is to have a central control point available for all of my clients’ workstations and servers so that we catch little problems before they become big ones.  I also envision offering vulnerability testing that checks to see how “exposed” you are to outside threats that don’t come from email.

Today’s Takeaway: Please share the “Do Not Click” part of this post with your employees.