Warning: Correspondence from “Harcourt Management LLP”

If you have received any faxed correspondence from “Harcourt Management LLP” in relation to a supposedly unclaimed inheritance, bin it. It is a scam.

I see loads of people online asking questions about the legitimacy of this fax. It is a fake. Keywords to check:

  • Edward Baach JD
  • Harcourt Management LLP
  • Harclaw
  • HarclawLLP
  • Gilmoora house
  • Fax +44 207 806 8315
  • Edward@harclawllp.com
  • Ph +44 742 403 1888
  • edbaach2020@gmail.com
  • www.harclawllp.com
  • info@harclawllp.com
  • charituiti@mail.com
  • Mark Dewing of 89 Nile Road, Bunbury, Western Australia as the registrant of www.harclawllp.com

Don’t communicate as per the directions on the fax. They will ask you to fly over to London to sign paperwork and from there, who knows, but it will end badly.

Scams are getting more and more sophisticated. They are getting trickier to detect and look more convincing.

I have personally received such a scam this week and, after researching online, I can see that this scam is just starting to occur and is more widespread than I thought.
It is for this reason that I am bringing this to your attention and am going to tell you how I confirmed it is a scam.

Always remember,

If it is too good to be true, it’s likely not true!

That should be your first test. Is what you have received bordering on the unlikely, unbelievable and unfathomable?

At our office, we have received a fax. (Not an email, a fax.) It is directed at me and refers to very real family heritage in the UK.
It promises big rewards and no risk (First test fail!).

It is a directed attack. They have the correct name, correct fax number and correct family lineage.
They have done some research.

Please refer to this image (A copy of the fax). See if it fails your first test.

I am on a number of historical websites, my name is on our Business website and so is the business fax number. This could still be a real fax offer.
So why do I suspect it is not real? Lessons for you to use in any scam that comes your way!

I will mark items on this list which can be checked by an IT person. Not all of this will be easily reviewed by a non-IT person.

Firstly, why did I get this fax? Why not my father, cousins or uncles? Surely someone else would be in line to receive any money before me?

  • Locating the website on the paperwork (harclawllp.com) and emailing the addresses listed on it, many of the emails bounce (mailbox unknown). A real company would not let their info@ email address bounce.
  • Looking at the registration for the website, it was registered 28 days ago. The website has stamps on it from 2011 (IT Help required)
  • Looking at the HTML code of their website, I can clearly see that the website has been ripped from someone else’s website and had the text changed. (IT Help required) (From the source code, it seems the design was a template taken from www.18carltoncrescent.co.uk/areas_of_work)
  • The lady justice logo on the fax looks grainy, not at all professional.
  • The fax changes through a few fonts on the fax. Not professional.
  • No mention of where the deceased person concerned actually worked or what the Top insurance agency was.
  • The fax comes from the UK and the stamp on the fax confirms this; however, the fax report printed at the printer showed an Australian number.
  • The website was registered by someone in Western Australia. (IT Help required)
  • The Western Australian registrant comes up in Google as hosting other scam sites.
  • Looking up the law society in the UK (in Google), Harcourt Management LLP does not exist. ( https://www.hg.org/firms-united-kingdom.html )
  • Googling Edward Baach JD, he does not exist (At least not as a barrister or solicitor)
  • Reputable businesses rarely communicate via a Gmail account, especially when they have business addresses @harclawllp.com.
  • Mixing Gmail and harclawllp.com email addresses on the same fax looks bad
  • Gmail account with “2020” in the email address looks wrong for a business.
  • Overuse of exciting logos, barcodes, rubber stamps and watermarks.
  • There are two different contact phone numbers on the fax. Googling brings up neither. Law firms would advertise their numbers.
  • The website is very sparse. It was very recently registered: https://domain-status.com/archives/2018-4-10/com/registered/108 and https://www.whois.com/whois/harclawllp.com (IT Help required)
  • There is no online mention or obituary for Arthur Jenkin. Being such a wealthy person, surely there would be something in a newspaper.
  • There is no reference to a person of this name, in London or working for any energy company. (In Google)
  • My family name in the fax is in bold, it has an unusual amount of spaces after it (looks like a mailmerge).
  • LinkedIn found the company name https://www.linkedin.com/company/harcourt-management-limited/?originalSubdomain=au – they are in real estate, not law
  • Searching more for the company https://beta.companieshouse.gov.uk/search?q=harcourt+management+LLP, https://beta.companieshouse.gov.uk/company/06682592 , the address that comes up does not match
  • Emailed Gilmoora House (the address on the fax); they say there is no tenant of that name.
  • Googled and found others online trying to establish if this guy was a scammer.
  • I emailed the staff listed on the website staff page (using secondary contact information I found via Google). Each one said they did not work there and that their images and credentials are being fraudulently used.
  • Clicking Edward Baach JD on the website goes to a William Baach?
  • This fax was marked highly confidential yet faxed to a business where 12 people could read it before it got to my desk … how could he expect a fax to be a secret?
  • The servers for the website are in Russia https://db.aa419.org/fakebanksview.php?key=129289  (IT Help required)

Harclawllp.com is a 28-day-old domain, situated in the Russian Federation. The domain is linked to the IP address 77.222.62.67.
Registration details show that it was registered on 10 Apr 2018 through PDR Ltd. d/b/a PublicDomainRegistry.com and will expire on 10 Apr 2019.
The site returns a status code of 404. The site is being served through nginx/1.9.12.

So, without a doubt this is a scam. I played along. I emailed the Harclawllp.com address only to be told, please use gmail.
I reviewed the email header (IT Help required) and noted that they are using an email platform called Zoho, a hosted email service in the UK. It is often used for spam attacks.

I then made contact via Google Gmail. I reviewed the email header (IT Help required) and noted that Google lists the email as coming from a Russian address and also that webmail was used to send it.
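The header review described above can be scripted. This is an added example, not code from the post: it walks the Received chain of a constructed reply to the earliest external hop (the address you would then look up in WHOIS or a geolocation service), flags submission through a webmail interface, and compares the From domain with Reply-To and Return-Path. The hostnames, IP addresses (RFC 5737 documentation ranges) and Message-ID in the sample are invented.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample reply shaped like the one the post describes: From on the
# "law firm" domain, reply path on Gmail, submitted through webmail.
SAMPLE_REPLY = """\
Return-Path: <edbaach2020@gmail.com>
Received: from mta.example.invalid (mta.example.invalid [203.0.113.10])
        by mx.recipient.invalid with ESMTPS id abc123
        for <michael@recipient.invalid>; Tue, 1 May 2018 09:12:01 +0000
Received: from webmail.example.invalid (webmail.example.invalid [10.0.0.5])
        by mta.example.invalid with ESMTP; Tue, 1 May 2018 09:11:58 +0000
Received: from [198.51.100.77] by webmail.example.invalid with HTTP;
        Tue, 1 May 2018 09:11:55 +0000
From: "Edward Baach" <edward@harclawllp.com>
Reply-To: edbaach2020@gmail.com
To: michael@recipient.invalid
Subject: Re: Unclaimed inheritance
Message-ID: <constructed-0001@example.invalid>

Please use my gmail for further correspondence.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Hops inside these ranges are the provider's own relays and say nothing
# about where the sender sat.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_hops(msg):
    """Return the Received chain oldest-first, one dict per hop."""
    hops = []
    # Each relay prepends its own header, so the last one is the earliest hop.
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(hdr))
        if not m:
            continue
        ips = IP_RE.findall(m.group("paren") or "") or IP_RE.findall(str(hdr))
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "ip": ips[0] if ips else None,
            # "with HTTP" marks a submission through a webmail interface
            "webmail": bool(re.search(r"\bwith\s+HTTP\b", str(hdr), re.I)),
        })
    return hops


def first_external_ip(hops):
    """Earliest hop address outside the internal ranges: the sender's likely network."""
    for hop in hops:
        if hop["ip"] is None:
            continue
        addr = ipaddress.ip_address(hop["ip"])
        if not any(addr in net for net in INTERNAL_NETS):
            return hop["ip"]
    return None


def address_domains(msg):
    """Lower-cased domain part of From, Reply-To and Return-Path, where present."""
    domains = {}
    for name in ("From", "Reply-To", "Return-Path"):
        value = msg.get(name)
        if value:
            domains[name] = parseaddr(value)[1].rpartition("@")[2].lower()
    return domains


def triage(raw):
    """Summarise the header facts the post relied on for one raw message."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    domains = address_domains(msg)
    findings = []
    for name in ("Reply-To", "Return-Path"):
        if name in domains and domains[name] != domains.get("From"):
            findings.append(f"{name} domain {domains[name]} differs from From domain {domains.get('From')}")
    if any(h["webmail"] for h in hops):
        findings.append("submitted through a webmail interface (Received: ... with HTTP)")
    origin = first_external_ip(hops)
    if origin:
        findings.append(f"earliest external hop is {origin}; check it in WHOIS/geolocation")
    return {"origin_ip": origin, "hops": hops, "domains": domains, "findings": findings}
```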

This just further adds evidence to this being a huge scam.

The person replying was doing so in broken English. I would suspect that this is not how a lawyer would respond.
In the communication with the remote person, they tried to put the pressure on to allow them to sign documents in my name, documents unseen.
They also wanted my banking details. They then want me to fly to the UK next week to meet with him. (All designed to put pressure on me and stop me thinking clearly).

I asked the person if family living in London can meet with him as my proxy, he said no, although the fax stated he only came to me due to my last name. Weird. Surely a local “Jenkin” would be better.
He has now tried to convince me to set up my own Gmail as it is more confidential.

I am still in communication and gathering as much detail as I can for a Police case.

I have taken this a lot further than the average person; however, this has become the classic example of what to look out for.

Hopefully this will help you all be careful with scams and be able to detect them early, or else, after further research, determine that they are a scam.

Always remember,

If it is too good to be true, it’s likely not true!


Should I tell someone about eCrime??? YES!!!!

I know that I am in Australia and my experience might not reflect other countries, but I say yes. If you have had an eCrime committed against you (not your general virus or malware) then REPORT IT!!!

The more you report, the more the problem is taken notice of, the more investigation happens.

My post today to Facebook

A win for the good guys.

We had a business client scammed out of a large amount of money through an email.
We pursued it. We recommended and assisted in filling in the eCrime report.
We pushed it along. The police told the client, nothing will come of this. The client also felt that they were banging their head against a wall.
Well, today they received notification that the money is about to be transferred back.
We helped chase the criminal through the Czech Republic and into Spain.
Now, the person is cornered and my client has been offered a chance to be there in court and be a part of the process.

Reporting eCrime is the smart choice! Things can happen!!!


Cryptowall 3.0

I have had a brush with Cryptowall 3.0.

Imagine this: visiting a website in your latest favourite browser (any browser: Google Chrome, IE, Firefox, any one of them) with a PC which has the latest version of everything (Adobe Flash, Java etc.) and up-to-date antivirus, but you get hacked within 5 seconds.

No popups, no request to “allow this to download” or “allow this to run”. It just downloads and runs. You don’t feel it. The machine runs normally. (It even bypassed Microsoft UAC.)

Then … 28 PCs on your network, your Dropbox, your server, your NAS backup drives, your interstate user who is on VPN from a university interstate … are all encrypted and held for ransom.

The website you visited was one you trust implicitly and buy goods from. You had no reason to doubt the website. Nothing strange pops up … until the damage is done.

You call the company whom the website belongs to; they know nothing about it and pass you to their web developers. The web developers know nothing of this issue. They look further. All of their clients’ websites on their servers have been hacked. They take the servers offline.

Potentially thousands of people from around where you live use this service, surfing local websites for local businesses all now being held to ransom.

It could happen to anyone. It could happen to you or me.

It sounds like a work of fiction. Maybe an episode of CSI or NCIS? Nope. That is what happened.

So how did this website attack this person?

We found a back door in the WordPress code that ran the website, over the internet to Russia. This back door was used to gain access to the website, and then the code was modified to plant the malware onto visiting remote machines.

When figuring out how the website initially got hacked, I learnt that there are specific strings you can type into Google search.

This key search term shows you a list of every website where a certain file is accessible, the file likely used to enable this hack.

A hacker can click on this file and download it to their end. They open the file in something like Notepad … there is the username and password to the website in a “hash”. They crack the “hash”, log into the website and edit the code to include the nasty back door to Russia.

So, using Google … and Notepad … and a website for the back door to point to, you can hack a large number of websites, inject this code, then let people browse the website and get infected without any indication of how they got infected.

The file size of the website changes very little and you can reset the file date back to an older date. The webmaster does not know they are infecting people and it goes on for several days. All their backups are now full of the malware.

Then the hacker sits back and earns millions of dollars a day in ransom money.

It scares me that malicious code can be put on your PC and run, and you have no idea. It scares me that you can perform the original hack of the website using Google.

So, trying the Google trick myself, I found the passwords to a hospital website and their member logon database.

Very scary. (I will let the hospital know).

We found the original malicious code and set it up on our Malware testing machine.

We set up Wireshark and Sysinternals Process Monitor to monitor what it does. We disconnected the internet and ran the virus. Nothing happened. Double clicking made the mouse cursor change, but then nothing.

After watching for a while, we connected the internet. Now the virus wakes up. It needed the internet to activate.

We double click the file and it deletes itself. It appears in C:\XXXXX where XXXXX is the random name of the EXE file. Then it copies itself into the Startup folder of the user’s profile Start Menu. It then reaches out over the internet to numerous domains, hands over a cipher (encryption key) and starts encrypting files.

I had placed some bait in a folder called C:\$fodder (some Microsoft Word and Excel files). This virus went alphabetically through my drive letters and folders and encrypted all my useful files, leaving behind help_decrypt.html and help_decrypt.txt files in every folder, on the desktop and in my profile Startup folder, and then deleted the virus executable when done.

I am encrypted and held for ransom 🙂
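The bait folder idea above can be turned into a small canary check. This is an added example, not the post’s own code: it plants constructed bait documents whose names sort first (so a process walking folders alphabetically hits them early), fingerprints them, and then reports altered or missing bait, the help_decrypt notes the post observed, and executables in whatever Startup folder path you pass in. The folder paths, bait content and ransom-note text are all constructed; simulate_infection only mimics the observed behaviour with an overwrite and a few text files.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Note file names the post observed; extend the set for other families.
RANSOM_NOTE_NAMES = {"help_decrypt.html", "help_decrypt.txt"}

# Constructed bait documents. The "aaa_" prefix makes them sort before real data.
BAIT_FILES = {
    "aaa_budget.xlsx": b"constructed bait spreadsheet\n",
    "aaa_contract.docx": b"constructed bait document\n",
}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canary(folder: Path) -> Dict[str, str]:
    """Write the bait files and return the name -> SHA-256 baseline to check against."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name, content in BAIT_FILES.items():
        target = folder / name
        target.write_bytes(content)
        baseline[name] = sha256_of(target)
    return baseline


def check_canary(folder: Path, baseline: Dict[str, str],
                 startup_dir: Optional[Path] = None) -> List[str]:
    """Sorted alerts: altered or missing bait, ransom notes, executables in Startup."""
    alerts = []
    for name, digest in baseline.items():
        target = folder / name
        if not target.exists():
            alerts.append(f"bait file missing: {name}")
        elif sha256_of(target) != digest:
            alerts.append(f"bait file modified: {name}")
    for entry in folder.iterdir():
        if entry.is_file() and entry.name.lower() in RANSOM_NOTE_NAMES:
            alerts.append(f"ransom note dropped: {entry.name}")
    # The sample copied itself into the profile's Start Menu Startup folder;
    # the caller passes that path (it depends on the Windows profile layout).
    if startup_dir is not None and startup_dir.is_dir():
        for entry in startup_dir.iterdir():
            if entry.suffix.lower() in {".exe", ".scr", ".com"}:
                alerts.append(f"executable in Startup folder: {entry.name}")
    return sorted(alerts)


def simulate_infection(tmp: Path):
    """Plant the canary, then mimic what the post observed: one bait file
    overwritten, help_decrypt notes dropped, an empty placeholder .exe in
    a Startup folder. Returns (alerts before, alerts after)."""
    folder = tmp / "$fodder"
    startup = tmp / "Startup"
    startup.mkdir()
    baseline = plant_canary(folder)
    before = check_canary(folder, baseline, startup)
    (folder / "aaa_budget.xlsx").write_bytes(b"\x00constructed ciphertext stand-in\x00")
    (folder / "HELP_DECRYPT.TXT").write_text("constructed ransom note")
    (folder / "HELP_DECRYPT.HTML").write_text("<p>constructed ransom note</p>")
    (startup / "abcd1234.exe").write_bytes(b"")   # empty placeholder, not a program
    after = check_canary(folder, baseline, startup)
    return before, after


def demo():
    """Run the simulation in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return simulate_infection(Path(tmp))
```

In production the check runs on a schedule against a real bait folder and the real Startup path, and any non-empty alert list triggers isolation of the host.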

Technical details are at http://torblogjp5rjeyhx.onion/mickyj/cryptowall-3-0/

(Yes, it is on Tor. Only advanced computer users will know what to do to get to Tor and on the Tor network, I can post more details).


There is a new virus and I found it … TROJ_CRYPWALL.XXRS

I am as proud as can be. I found an unknown virus and my company was instrumental in it being included in new detection routines as of 23rd June 2015. I am proud to be helping keep the IT world safe, a world I work in every day and have helped create.

The virus is not named after me, but it is my claim to 5 seconds of fame. Now … to put it into extinction. It has to go. It is crypto-ransomware and dangerous.

I saw several of these viruses arrive in my inbox, with different subjects and sender names. The one common thread was a malformed attachment. Example name: “check[1].zip size=16877”

(Contains 6d5770fd.exe(221184 bytes))

If you rename the attachment to a .zip file, you can see the EXE payload.

An example email:

From: bmack
Sent: Wednesday, 23 June 2015 12:28 AM
To: Michael
Subject: Hope this e-mail finds You well.

Good day!
Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 6489-245 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 495-70-75. Feel free to give a call at any time.

Stacey Grimly,
Project Manager

If you see one of these, update your Antivirus. Delete the email. Don’t play with it.
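Rather than renaming the attachment by hand, a mail filter can judge it by its bytes. This is an added example, not code from the post: it builds a constructed lookalike of the message above (same subject and attachment name; the “exe” inside the zip is only an MZ header with zero padding, not the real sample), then inspects every attachment for a zip signature and lists the archive members, flagging executables by extension or by their MZ header regardless of the mangled file name.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_email() -> bytes:
    """Constructed lookalike of the quoted message; the payload is a harmless stand-in."""
    blob = io.BytesIO()
    with zipfile.ZipFile(blob, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("6d5770fd.exe", b"MZ" + b"\x00" * 510)   # MZ header plus padding only
    msg = EmailMessage()
    msg["From"] = "bmack <bmack@example.invalid>"
    msg["To"] = "michael@example.invalid"
    msg["Subject"] = "Hope this e-mail finds You well."
    msg.set_content("Please kindly check the attached list of missing forms. (constructed body)")
    msg.add_attachment(blob.getvalue(), maintype="application", subtype="octet-stream",
                       filename="check[1].zip size=16877")
    return msg.as_bytes()


def inspect_zip(data: bytes) -> list:
    """List zip members, flagging executables by extension or by the MZ header."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(2)
            suffix = os.path.splitext(info.filename)[1].lower()
            members.append({
                "name": info.filename,
                "size": info.file_size,
                "executable": suffix in EXEC_SUFFIXES or head == b"MZ",
            })
    return members


def triage_attachments(raw: bytes) -> list:
    """Judge each attachment by its content, not by the (possibly mangled) file name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        record = {
            "filename": part.get_filename() or "(unnamed)",
            "declared_type": part.get_content_type(),
            "looks_like_zip": data.startswith(ZIP_MAGIC),
            "members": [],
            "verdict": "no executable content found",
        }
        if record["looks_like_zip"]:
            try:
                record["members"] = inspect_zip(data)
            except zipfile.BadZipFile:
                record["verdict"] = "zip signature present but archive unreadable"
            if any(m["executable"] for m in record["members"]):
                record["verdict"] = "executable inside zip attachment: quarantine"
        results.append(record)
    return results


def demo() -> list:
    """Triage the constructed sample and return the per-attachment records."""
    return triage_attachments(build_sample_email())
```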

Now, if you find something odd and your antivirus does not detect it, feel welcome to contact me. I will get it to Trend Micro, who will pull it apart. Once they have worked out how to detect and remove it, they share their info with other antivirus companies. At the end of the day, every one of these we knock out gets us one step closer to holding back the tide of these things.


Criminal law and IT in South Australia

Ever wondered what criminal law applies and what the laws actually are?

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86B

86B—Interpretation

In this Part—

“computer data” includes data in any form in which it may be stored or processed in a computer (including a computer program or part of a computer program);

“electronic communication” means the communication of computer data between computers by means of an electronic communication network;

“electronic communication network” means devices and systems by which computer data is communicated between computers and includes—

            (a)         a link or network that operates wholly or partially by wireless communication; and

            (b)         the world wide web;

“impairment” of electronic communication includes prevention or delay but does not include interception if the interception does not impair, prevent or delay the reception, at the intended destination, of the computer data that is being communicated;

“modification” of computer data includes—

            (a)         deletion or removal of the data;

            (b)         an alteration of the data;

            (c)         an addition to the data;

“possession” of computer data includes possession of the medium or device in which the computer data is stored;

“serious computer offence” means an offence against section 86E, 86F, 86G or 86H;

“serious offence” means an offence for which a maximum penalty of life imprisonment or imprisonment for a term of at least 5 years is prescribed;

“use”—a person uses a computer if the person causes the computer to perform a function.

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86C

86C—Meaning of unauthorised access to or modification of computer data

        (1)         Access to, or modification of, computer data is unauthorised unless it is done or made by the owner of the data or some other person who has an authorisation or licence (express or implied) from the owner of the data to have access or to make the modification.

        (2)         A person is to be regarded as the owner of computer data if—

            (a)         the person brought the data into existence or stored the data in the computer for his or her own purposes; or

            (b)         the data was brought into existence or stored in the computer at the request or on behalf of that person; or

            (c)         the person has a proprietary interest in, or possessory rights over, the medium in which the computer data is stored entitling the person to determine what data is stored in the medium and in what form.

        (3)         For the purposes of an offence against this Part, the onus of establishing that access to, or modification of, computer data was unauthorised lies on the prosecution.

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86D

86D—Meaning of unauthorised impairment of electronic communication

        (1)         An impairment of electronic communication is unauthorised unless it is caused by the person who is entitled to control use of the relevant electronic communication network or some other person who has an authorisation or licence (express or implied) from the person who is entitled to control use of the relevant electronic communication network to cause the impairment.

        (2)         A person is to be regarded as being entitled to control use of the relevant electronic communication network if the person is entitled by law to determine who is to have access to the network for the purpose of sending or receiving electronic communications.

        (3)         For the purposes of an offence against this Part, the onus of establishing that an impairment of electronic communication was unauthorised lies on the prosecution.


CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86E

86E—Use of computer with intention to commit, or facilitate the commission of, an offence

        (1)         A person who—

            (a)         uses a computer to cause (directly or indirectly)—

                  (i)         unauthorised access to or modification of computer data; or

                  (ii)         an unauthorised impairment of electronic communication; and

            (b)         knows that the access, modification or impairment is unauthorised; and

            (c)         intends, by that access, modification or impairment to commit, or to facilitate the commission (either by that person or someone else) of, a serious offence (the “principal offence”),

is guilty of an offence.

Maximum penalty: The maximum penalty for an attempt to commit the principal offence.

        (2)         An offence may be committed under this section—

            (a)         whether the principal offence was to be committed at the time the computer was used or later; and

            (b)         even though it would have been impossible in the circumstances to commit the principal offence.

        (3)         If the principal offence is in fact committed—

            (a)         this section does not prevent the person who used the computer from being convicted as a principal offender or as an accessory to the commission of the principal offence; but

            (b)         a person is not liable to be convicted of the principal offence (or as an accessory to the principal offence) and of an offence against this section.

        (4)         A person cannot be convicted of an attempt to commit an offence against this section.

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86F

86F—Use of computer to commit, or facilitate the commission of, an offence outside the State

        (1)         A person who—

            (a)         uses a computer in this State to cause (directly or indirectly)—

                  (i)         unauthorised access to or modification of computer data; or

                  (ii)         an unauthorised impairment of electronic communication; and

                        knows that the access, modification or impairment is unauthorised; and

            (b)         intends, by that access, modification or impairment, to commit, or to facilitate the commission (either by that person or someone else) of, a prohibited act in another jurisdiction (the “relevant jurisdiction”),

is guilty of an offence.

Maximum penalty: The maximum penalty under the law of this State for an attempt to commit the prohibited act in this State.

        (2)         A “prohibited act” is an act that would—

            (a)         if committed with intent in the relevant jurisdiction, constitute an offence for which a maximum penalty of life imprisonment or imprisonment for a term of at least 5 years is prescribed; and

            (b)         if committed with intent in this State, constitute an offence for which a maximum penalty of life imprisonment or imprisonment for a term of at least 5 years is prescribed.

        (3)         A person may be convicted of an offence against this section—

            (a)         whether the prohibited act was to be committed at the time of the conduct to which the charge relates or later; and

            (b)         even though it would have been impossible in the circumstances to commit the prohibited act.

        (4)         A person cannot be convicted of an attempt to commit an offence against this section.

        (5)         In this section—

“act” includes an omission or state of affairs that is (if it occurred in this State) capable of constituting an element of an offence.


CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86G

86G—Unauthorised modification of computer data

A person who—

            (a)         causes (directly or indirectly) an unauthorised modification of computer data; and

            (b)         knows that the modification is unauthorised; and

            (c)         intends, by that modification, to cause harm or inconvenience by impairing access to, or by impairing the reliability, security or operation of, computer data, or is reckless as to whether such harm or inconvenience will ensue,

is guilty of an offence.

Maximum penalty: Imprisonment for 10 years.


CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86H

86H—Unauthorised impairment of electronic communication

A person who—

            (a)         causes (directly or indirectly) an unauthorised impairment of electronic communication; and

            (b)         knows that the impairment is unauthorised; and

            (c)         intends, by that impairment, to cause harm or inconvenience, or is reckless as to whether harm or inconvenience will ensue,

is guilty of an offence.

Maximum penalty: Imprisonment for 10 years.


CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86I

86I—Possession of computer viruses etc with intent to commit serious computer offence

        (1)         A person is guilty of an offence if the person—

            (a)         produces, supplies or obtains proscribed data or a proscribed object; or

            (b)         is in possession or control of proscribed data or a proscribed object,

with the intention of committing, or facilitating the commission (either by that person or someone else) of, a serious computer offence.

Maximum penalty: Imprisonment for 3 years.

        (2)         In this section—

“proscribed data” means a computer virus or other computer data clearly designed or adapted to enable or facilitate the commission of a serious computer offence;

“proscribed object” means a document or other object clearly designed or adapted to enable or facilitate the commission of a serious computer offence.

Examples—

1         A disk, card or other data storage device containing a computer virus or other computer data adapted for the commission of a serious computer offence.

2         Instructions (whether in hard copy or electronic form) for carrying out a serious computer offence.

        (3)         If it is established in proceedings for an offence against this section that the defendant was in control of proscribed data, it is irrelevant—

            (a)         whether the data is stored inside or outside the State; or

            (b)         whether the defendant owned or was in possession of the medium or device in which the data was stored.

        (4)         A person may be convicted of an offence against this section even though it would have been impossible in the circumstances to commit the intended offence.

        (5)         A person cannot be convicted of an attempt to commit an offence against this section.


SUMMARY OFFENCES ACT 1953 – SECT 44

44—Unlawful operation of computer system

        (1)         A person who, without proper authorisation, operates a restricted-access computer system is guilty of an offence.

        (2)         The maximum penalty for an offence against subsection (1) is as follows:

            (a)         if the person who committed the offence did so with the intention of obtaining a benefit from, or causing a detriment to, another—$2 500 or imprisonment for 6 months;

            (b)         in any other case—$2 500.

        (3)         A computer system is a restricted-access computer system if—

            (a)         the use of a particular code of electronic impulses is necessary in order to obtain access to information stored in the system or operate the system in some other way; and

            (b)         the person who is entitled to control the use of the computer system has withheld knowledge of the code, or the means of producing it, from all other persons, or has taken steps to restrict knowledge of the code, or the means of producing it, to a particular authorised person or class of authorised persons.


Can a hacker really access my machine and see what I am doing?

Short answer, yes.

The following is some text from the website http://www.blazingtools.com/bpk.html

I found this tool out there on someone’s server, logging everything. It was a good thing we came along and found/removed this.

Do you want to know what your buddy or co-workers are doing online? Or perhaps you want to check up on your children or spouse and know what they are doing on the computer? With Perfect Keylogger it is possible in just 2 minutes! This program runs on the installed computer, fully hidden from its users, and logs everything that is typed in a protected file. Install Perfect Keylogger and take total control of the PC!

Perfect Keylogger is a new generation keylogger which is virtually undetectable. It was created as an alternative to very expensive commercial products like Spector Keylogger or E-Blaster. It has similar functionality, but is significantly easier to use. Complex internal mechanisms are hidden from the user behind the friendly interface. You can install Keylogger and immediately use it without changing its settings.

Perfect Keylogger is a popular award-winning tool, translated into 20+ languages. It lets you record all keystrokes, the time they were made and the application where they were entered. It works in the absolutely stealth mode. Stealth mode means that no button or icon is present in the Task Bar, and no process title is visible in the Task Manager list.

Also, Perfect Keylogger can carry out visual surveillance. It periodically makes screenshots in invisible mode and stores the compressed images on the disk so you can review them later.

Our keylogger has unique remote installation feature. You can create a pre-configured package for instant and stealth installation on the target computer.

New Smart Rename feature lets you rename all keylogger’s executable files and registry entries using one keyword!

One of the most powerful features of Perfect Keylogger is its advanced Keyword Detection and Notification. Create a list of “on alert” words or phrases and the keylogger will continually monitor keyboard typing, URLs and web pages for these words or phrases. You tell Perfect Keylogger which phrases to watch out for – for example, “sex,” “porno”, “where do you live,” “are your parents home,” “is your wife sleeping,” “I hate my boss” – whatever you decide to include. When a keyword is detected, Perfect Keylogger makes a screenshot and immediately sends an email notification to you.

Perfect Keylogger was the first keylogging software solution which can be absolutely invisible in Windows 7/Vista/XP Task Manager! Now we are glad to offer the full Windows 64 bit support – you won’t find it in most of competition products.

The program lets you easily view the log file, displaying the title of the window (for example, title: “John (Online) – Message Session” in ICQ), the date and time of the action and the contents of the typed matter itself.

Unlike some other spy software products, Perfect Keylogger does not send any information to our company. Only you will receive the log files. We guarantee absolute privacy, high quality product and technical support – that’s why we have thousands of satisfied customers.

You pay once, all updates are free. For example, customers who bought the first version in 2002 can now get the advanced latest version for free! You can be sure that you will always have the most modern spy software!

We have to tell you that such software is very complex and only 2-3 products on the market, including this one, have good enough quality to use them effectively. Do not use cheap or free monitoring software! You can get important data leaks or system crashes! We can guarantee your system safety with our product.

Perfect Keylogger is available in three editions: full version, full version remote edition and basic edition. Choose the functionality you need.
