Apr 27, 2018

Beware of attackers trying to steal your passwords and other personal data.

Here we can see an innocent-enough looking email saying that someone you know has sent you a file securely. In our case, the email was supposedly from the recipient’s boss, sent through ShareFile, a legitimate service that they often use to exchange sensitive documents. There are some easy ways to catch malicious emails like this one. Look at the sender’s actual email address, not just the display name: if the address doesn’t even contain the right name, as here, it’s likely a scam. You can also hover your mouse over the download link without clicking it; your mail client or browser will show the URL the link really leads to. If that URL doesn’t match the service named in the subject of the email, it’s likely phishing.

Let’s explore what would happen if a user were tricked by this email. When they click the download link, their web browser opens this web page, showing the supposed name of a file and an Open button.

Gory Details: This page is actually a PDF hosted on Microsoft SharePoint, a site that no email client or spam filter would blacklist. The link inside the PDF goes to a dynamic DNS (DDNS) hostname, which lets the attacker repoint it wherever he wants: if his malicious website gets taken down, he simply stands up a new one and changes the DDNS record to point there instead.
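The sender and link checks described above (display name versus real address, hover target versus visible link text, subject line versus link host, plus the dynamic-DNS tell from the PDF hop) can be scripted for a mail gateway or an analyst’s triage. The following is an added example, not code from the original post; the sample message, the names, addresses and URLs in it, the recipient domain, and the short DDNS and file-sharing-brand lists are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the lure described above. Names, addresses and
# URLs are invented for this example; they are not from the real message.
SAMPLE_EML = """\
From: "Pat Boss" <noreply@mail-share-docs.net>
To: employee@example-company.com
Subject: Pat Boss sent you a file via ShareFile
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Pat Boss has shared a secure document with you.</p>
<p><a href="https://contoso-my.sharepoint.com/:b:/g/personal/x/ABC">
https://example-company.sharefile.com/d-s123</a></p>
</body></html>
"""

OWN_DOMAIN = "example-company.com"   # assumption: the recipient's organisation
# Dynamic-DNS suffixes to flag (assumed short list; extend for your environment).
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "duckdns.org", "hopto.org", "dyndns.org")
# File-sharing brands a lure typically names in its subject line (assumed list).
SHARE_BRANDS = ("sharefile", "onedrive", "sharepoint", "dropbox", "docusign")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL (scheme added if missing), '' if none."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(href, text, subject):
    """Findings for one link: text/target mismatch, brand mismatch, DDNS host."""
    findings = []
    host = hostname(href)
    # The hover check: visible URL text that disagrees with the real target.
    if URL_LIKE.match(text) and hostname(text) != host:
        findings.append(f"link text {text!r} actually points at {host!r}")
    # The subject check: subject names one service, the link goes to another.
    claimed = [b for b in SHARE_BRANDS if b in subject.lower()]
    if claimed and not any(b in host for b in claimed):
        findings.append(f"subject mentions {claimed[0]!r} but link host is {host!r}")
    if host.endswith(DDNS_SUFFIXES):
        findings.append(f"link target {host!r} is a dynamic-DNS host")
    return findings


def analyze(raw):
    """Run the sender and link checks over a raw RFC 822 message string."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    if domain.lower() != OWN_DOMAIN:
        findings.append(f"sender domain {domain!r} is not {OWN_DOMAIN!r}")
    # The sender check: display name claims a colleague, address shows no trace of it.
    if name and not any(w.lower() in local.lower() for w in name.split()):
        findings.append(f"display name {name!r} does not match address {addr!r}")
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        findings.extend(check_link(href, text, subject))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("FLAG:", finding)
```

On the constructed sample this raises four flags: external sender domain, display name absent from the address, visible ShareFile URL that really points at SharePoint, and a subject that names ShareFile while the link host does not. `check_link` can also be run by hand on the URL pulled out of the PDF, where the DDNS check fires.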


Clicking ‘Open’ asks them to log in to Microsoft OneDrive, offering several different ways to sign in. A keen eye would notice that the URL of this login page is not a Microsoft URL, so the page is illegitimate; it was faked to look like a Microsoft page.


Let’s suppose they try to sign in using Office 365. They click the link and are taken to this page, designed to look exactly like the official login page. Once again the URL shows that it is not Microsoft’s.


Now they put in their email and password and click ‘Sign in’. What happens? They are forwarded to the actual Office 365 login page. It looks almost identical, but this time it is at the official URL. The intent is to make the user think they simply mistyped their password; once they try again on the real page, they get into their account and never realize they just gave their password away.


What if they had tried to log in with Google instead? They get a replica of the Google login process: first they choose between an organization and an individual account, then they are presented with a faked login screen.

Gory Details: This login screen is easy to detect as fake. It’s not centered. The “Email” and “Password” fields are too big, and their font is wrong. You can’t click “Need Help?”, “Create Account”, or the Google logo, and none of the page text can be highlighted. The reason for all this is that the page is just a screenshot of the real login page with the two fields and a button superimposed on top.



After the user gives up an email and a password, we see something interesting: they also replicated Google’s “Verify it’s you” page so they can collect even more from the user, either a phone number or a recovery email address. After entering one, the user is taken to the real login page. They might be confused, but they are unlikely to suspect foul play.
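The one thing both the Office 365 and the Google branches of this scam have in common is the ending: a form POST to a host that is not the real identity provider, followed within seconds by a redirect to the genuine sign-in page. That sequence is visible in web proxy logs and can be hunted for. The following is an added example, not code from the original post; the proxy log lines, hostnames and users are constructed, and the fifteen-second window and the list of known internal applications (to suppress ordinary single-sign-on redirects, which produce the same POST-then-login pattern legitimately) are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Genuine sign-in hosts that the harvesting page bounces the victim to afterwards.
REAL_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Assumption: internal apps whose own POST -> IdP redirect is expected SSO, not theft.
KNOWN_APP_HOSTS = {"intranet.example-company.com"}
WINDOW = timedelta(seconds=15)   # assumption: the redirect follows the POST quickly

# Constructed proxy log: "<timestamp> <user> <method> <url> <status>" per line.
# Alice walks the phishing flow; Bob does a normal SSO login; Carol signs in directly.
SAMPLE_LOG = """\
2018-04-27T10:02:11 alice GET https://contoso-my.sharepoint.com/:b:/g/personal/x/ABC 200
2018-04-27T10:02:40 alice GET http://docs-secure.ddns.net/office/login.php 200
2018-04-27T10:03:05 alice POST http://docs-secure.ddns.net/office/post.php 302
2018-04-27T10:03:06 alice GET https://login.microsoftonline.com/ 200
2018-04-27T10:15:00 bob POST https://intranet.example-company.com/timesheet 302
2018-04-27T10:15:02 bob GET https://login.microsoftonline.com/ 200
2018-04-27T11:00:00 carol POST https://login.microsoftonline.com/common/login 302
2018-04-27T11:00:01 carol GET https://outlook.office.com/mail 200
"""


def parse_line(line):
    """Split one log line into (timestamp, user, method, host, url, status)."""
    ts, user, method, url, status = line.split()
    host = (urlparse(url).hostname or "").lower()
    return datetime.fromisoformat(ts), user, method, host, url, int(status)


def find_harvest_redirects(log_text, known_app_hosts=KNOWN_APP_HOSTS):
    """Return (user, post_url, login_host) for every credential-harvest pattern:
    a POST to an unknown host followed within WINDOW by a GET to a real IdP."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_user[event[1]].append(event)
    hits = []
    for user, events in by_user.items():
        events.sort()  # chronological; tuples sort on the timestamp first
        for i, (ts, _, method, host, url, _) in enumerate(events):
            # Only form submissions to hosts that are neither the IdP nor a known app.
            if method != "POST" or host in REAL_LOGIN_HOSTS or host in known_app_hosts:
                continue
            for ts2, _, method2, host2, _, _ in events[i + 1:]:
                if ts2 - ts > WINDOW:
                    break
                if method2 == "GET" and host2 in REAL_LOGIN_HOSTS:
                    hits.append((user, url, host2))
                    break
    return hits


if __name__ == "__main__":
    for user, url, login_host in find_harvest_redirects(SAMPLE_LOG):
        print(f"{user}: POSTed credentials to {url}, then landed on {login_host}")
```

Only Alice’s sequence is reported: Bob’s POST goes to a known internal application, and Carol POSTs to the identity provider itself. In a real deployment the known-application list is the part that needs tuning; every SaaS app that redirects to the IdP after a form submit belongs on it, and anything left over is worth a look.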


This is a very thorough scam. It is seeded with a real person’s name so the user trusts it immediately. The first link leads to Microsoft SharePoint, so the email client trusts it. It has protection against being taken down. The replica web pages are (for the most part) well designed and look real. Finally, at the end it redirects the user to the real login site, so they don’t suspect a thing.

 Posted by at 1:17 pm
Jan 27, 2018

We recently had a no-boot Dell Inspiron 24 Model 5459 in the shop. It would not POST, and we couldn’t get into the BIOS even after pulling the BIOS battery. The pre-boot error message was “boot guard verified DXE that is fail”.

Some internet searching turned up the cause. Dell had recently released BIOS updates to address the Spectre Variant 2 vulnerability and distributed them through their SupportAssist application, where the update showed as “Urgent”. It looks like a lot of people ran this update and bricked their computers.

Luckily, many Dells can roll the BIOS back to the previous version. You reach the BIOS recovery options by pressing and holding the CTRL and ESC keys at the same time while powering the machine on.
BIOS Recovery options on a Dell PC or Tablet

In this case the rollback was successful. We then uninstalled the Dell SupportAssist application so it would not offer the same update again.

We generally don’t recommend BIOS or driver updates unless there is a specific issue directly affecting your PC. The Spectre and Meltdown vulnerabilities are real, but at the moment the patches are causing more harm than good. Dell has since pulled this BIOS update and is now advising customers not to install the Spectre BIOS updates.
Dell Advising All Customers To Not Install Spectre BIOS Updates

 Posted by at 1:33 pm