Old 10-13-2020, 12:54 AM   #16
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,505
Blog Entries: 9


Quote:
Originally Posted by rtmistler View Post
I don't know the real reason for the misspellings
I read somewhere that scammers use bad spelling as a sort of filter: if you're able to recognize these errors it's very likely that you won't fall for the scam anyhow.
Quote:
Originally Posted by rtmistler View Post
This crap comes and goes and changes tactics.
I feel the opposite is true - a few original ideas that largely already existed long before the internet just keep repeating in variations.
Re post #3: one might say the disguises change I guess.
 
Old 10-13-2020, 02:45 AM   #17
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,446

The scammers send out mass comms knowing full well that only a tiny fraction of a percentage will get sucked in. But that's typically enough. The non-computer-literate are the primary target, especially the elderly, and not the kind of users who would frequent a site such as this.
 
Old 10-13-2020, 04:45 AM   #18
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 4,712

Original Poster
Blog Entries: 13

I wonder where they got that old googlemail address from. I destroyed that account last year, but I hadn't actually used it for a long time before that. They must have scraped it off some other site, maybe the old Linux Forums where I used to be a member.
 
Old 10-13-2020, 06:08 AM   #19
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,211

Quote:
Originally Posted by rtmistler View Post
I've been critical of the habit of assigning names to behaviors, but this seems to be pfishing.

They probably put the 'p' there to differentiate from hook, line, and sinker, over water. Real fishing that is.
It's spelled phishing...but I agree about the reasoning for the misspelling.
 
Old 10-13-2020, 06:38 AM   #20
boughtonp
Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 674


It's a deliberate respelling in the same vein as phreaking/warez/haxx/etc - i.e. more about being "l337" than to disambiguate from aquatic hunting.

The earliest recorded use of the term phishing was in AOL software where both spellings were used. (See https://arxiv.org/abs/1106.4692)

 
Old 10-13-2020, 07:53 AM   #21
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,453

Be aware that there are malware engines that can be embedded in email that "activate" on hover. You do not have to click a link, just run the mouse cursor over the email and it attempts to run and infect your system. You want to do that test in a jail or other restricted environment to limit the exposure.

This is where reading mail in something like Puppy Linux starting from a CD shines. "Try to infect THIS read-only media silly malware pigdog"! ;-)

(Yes, yes I DO miss "python". Very much!)
 
Old 10-13-2020, 08:01 AM   #22
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 4,712

Original Poster
Blog Entries: 13

Quote:
Originally Posted by wpeckham View Post
Be aware that there are malware engines that can be embedded in email that "activate" on hover. You do not have to click a link, just run the mouse cursor over the email and it attempts to run and infect your system. You want to do that test in a jail or other restricted environment to limit the exposure.
I didn't know that. That's terrifying! I was taught years ago to hover over email links to see if the text corresponded to the actual address it would take you to.
 
Old 10-13-2020, 08:12 AM   #23
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,453

Quote:
Originally Posted by hazel View Post
I didn't know that. That's terrifying! I was taught years ago to hover over email links to see if the text corresponded to the actual address it would take you to.
It is. We had a ransomware attack that triggered that way. I was sysadmin, and I was proud of the user. They realized SOMETHING had triggered and got their machine off the network and called me ASAP, so the damage was minimal and I had the server and their system restored within hours. (Even if the company had no policy, I would object personally and vehemently to paying criminals.)

It was an email, in Microsoft Outlook, and it was not detected by the AV software in our mail server OR by the different desktop AV software at the workstations.

I am NOT certain it could have fired up from a GMAIL spam folder. I would hope not, but be very careful testing that.
 
Old 10-13-2020, 08:33 AM   #24
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 4,712

Original Poster
Blog Entries: 13

But wouldn't a thing like that normally be written to run on Windows machines? Could you have one that ran on Windows and Linux?
 
Old 10-13-2020, 12:37 PM   #25
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,446

Quote:
Originally Posted by wpeckham View Post
It was an email, in Microsoft Outlook, and it was not detected by the AV software in our mail server OR by the different desktop AV software at the workstations.
Interesting. Could it be some kind of embedded HTML or JS? Trouble with Outlook, it's generally not plain text mail that users use by default. So clearly some script run on mouse-over was the vulnerability there.
 
Old 10-14-2020, 05:39 AM   #26
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,505
Blog Entries: 9

Quote:
Originally Posted by wpeckham View Post
Be aware that there are malware engines that can be embedded in email that "activate" on hover. You do not have to click a link, just run the mouse cursor over the email and it attempts to run and infect your system.
This entirely depends on the software used to read email.
I don't use Puppy, and I'm still safe from this.

Quote:
(Yes, yes I DO miss "python". Very much!)
Nothing like a good French Taunt!
Your mother smells of elderberries!
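The hover check hazel describes (does the visible link text match where the link really goes?) automated over a constructed message, plus ondoho's point that exposure depends on which part of the mail the reader renders. This is an added example, not code from the thread; it uses only the Python standard library, and SAMPLE_EML and the hosts in it are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the thread): the HTML part displays one URL but links elsewhere.
SAMPLE_EML = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Please review your account at https://example.com/account
--b1
Content-Type: text/html

<p>Please review your account at
<a href="http://evil.example.net/login">https://example.com/account</a></p>
--b1--
"""

class LinkCollector(HTMLParser):
    # Gathers (href, visible text) for every <a> element in the HTML part.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    # Hostname of a URL; bare "www.example.com" link text counts as a URL too.
    s = s.strip()
    return urlparse(s if "://" in s else "http://" + s).hostname or ""

def mismatched_links(raw):
    # The hover check automated: flag links whose visible text names a host
    # other than the one the href really points to.
    html = email.message_from_string(raw, policy=policy.default).get_body(("html",))
    p = LinkCollector()
    p.feed(html.get_content() if html else "")
    return [(h, t) for h, t in p.links if "." in host_of(t) and host_of(t) != host_of(h)]
```

A reader configured to show only the text/plain part of the same message never feeds the HTML part (the only place a link or script can hide) to a renderer, which is the sense in which the risk depends on the mail software.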
 
Old 10-14-2020, 07:10 AM   #27
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,453

Quote:
Originally Posted by hazel View Post
But wouldn't a thing like that normally be written to run on Windows machines? Could you have one that ran on Windows and Linux?
That corporation considered Windows workstations standard, even where the servers were Linux. It was the workstation that was hit, but the encryption ransomware also encrypted some files on the SAMBA share that was mounted from that workstation. I have never seen malware written to run on both Linux and Windows that was not browser based. Not to say it could not be done, but it would require deeper thinking than most criminals put into these things. They are after the money, not being a "global threat".

The State Agents (N Korea, China, Iran, Russia, possibly the US NSA or CIA) may write intelligence gathering software that runs on more platforms, but you would probably not detect it unless it failed in a way that caused you a problem. Their stuff is written mostly to gather data, not to shut you down and make you pay to get your data back. Ransomware writers WANT you to know they have infected you. Intelligence agents want you to never notice the leak. I cannot speak to that except in theory.

Last edited by wpeckham; 10-14-2020 at 07:14 AM.
 
Old 10-16-2020, 08:30 AM   #28
masterclassic
Member
 
Registered: Jun 2007
Distribution: Knoppix
Posts: 200

Quote:
Originally Posted by wpeckham View Post
Ransomware writers WANT you to know they have infected you. Intelligence agents want you to never notice the leak.
That's the point!

I can tell you about my own ransomware attack experience on my job's network, a few years ago. It was a rather small network: an HP server (MS Windows Server 2008, I think) and about 15 workstations running Vista 32-bit (engineering and office software). The server was usually running 24/7. We used to take an incremental backup every evening and a full backup about once a week. The attack seems to have started at the weekend. Monday morning, colleagues found that their files on the server were inaccessible, with their filenames altered (something added to the end of the filename). Some HTML files were added into the folders, giving an email address where we could ask what to do in order to get our files back. The IT engineer (external) already knew a few things about this kind of attack and said we should do nothing to contact them, because they are not trustworthy people, so they could just take the money and leave things in that state. He managed to mount a backup drive on one of the workstations (there is no spare server machine), and in this manner the company could continue to work until the main server was restored from backup. This restore went on for the remainder of the week. He investigated how the malware was able to enter the network but couldn't find anything. He checked all local computers and disks, email etc. One of the workstations was totally infected too, as well as two other workstations partially infected (my own workstation contained a folder where the network-attached scanner would send scanned documents directly).

There were 2 more similar attacks later (a year or some months later). It seems that during one of them, the infection started before or during the backup operation. So the backup was infected too and we had to go to previous backup sets. The bad news is that probably something happened to the server's system itself (one of the administrator accounts) and this went on for several months, until the entire system was replaced by new hardware+software. Nevertheless, it is probable that the system's damage occurred at a different time and was already in previous backup sets. Of course it would perhaps be safer to reinstall the server from scratch, but I can't imagine how long it would take to update the system with 7-8 years of updates.

It is interesting that Norton antivirus was running on all workstations during the first attack (but not on the server computer). After that, an antivirus license was installed on the server too; nevertheless it didn't seem to prevent further attacks. It is possible that the attack came directly to the server from the internet connection. I don't know anything further about this, just to say that the antivirus did not prevent it.

In the new network, email accounts are provided by Gmail professional subscriptions; however, email is read and sent with MS Outlook, which I *hate*. Furthermore, they couldn't transfer my email archive of 15+ years @#$%^&**&^%$#@
 
Old 10-16-2020, 02:47 PM   #29
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,505
Blog Entries: 9

Quote:
Originally Posted by masterclassic View Post
So the backup was infected too and we had to go to previous backup sets. The bad news is that probably something happened to the server's system itself (one of the administrator accounts) and this went on for several months, until the entire system was replaced by new hardware+software. Nevertheless, it is probable that the system's damage occurred at a different time and was already in previous backup sets.
Wow.
I wonder how many real-world scenarios are like this: you know there's something bad on the network, but you cannot find and squash it, even with "specialists" and antivirus - until you decide to scrap it all and start from scratch - such drastic measures!
 
Old 10-17-2020, 04:24 AM   #30
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 4,712

Original Poster
Blog Entries: 13

I think there is an important difference between an office server and a home desktop or laptop machine. Ransomware attacks on home computers are unlikely to be profitable because most home users don't have access to Bitcoin and don't have the money to pay large ransoms anyway. Malware for the home user is far more likely to take the form of a keylogger to steal banking passwords or a back door to turn the machine into part of a botnet for spamming or for DDoS attacks.
 