Critical Service Announcement

UPDATE 4/28/17 2:11 p.m. MDT

As a reminder, the repair utility to address the false positive issue that arose on Monday, April 24, is available. The utility will release and restore quarantined applications to working order on the affected endpoints.

Please note, the utility was built to address only this specific false positive issue. It will be deactivated in the future.

If applications are operating normally on your systems, you do not need to implement the utility.

To obtain the repair utility, open a support ticket, or reply to your existing support ticket related to this issue. Please include your phone number in the ticket.

I want to thank each of our customers and partners for their patience during this time, and we are committed to earning your trust going forward.

UPDATE 4/27/17 2:47 p.m. MDT:

We have 0 calls in queue on our phone line, and are working through about 130 tickets related to the False Positive repair utility. A good portion of those are simply awaiting customer verification.

If you haven’t yet submitted a support ticket and you need the repair utility, please do so here. Include your phone number as well with the support ticket.

Our sincerest thanks to the MSP beta customers who worked with us to further test and validate this repair. We truly appreciate the support of our customers and thank you for your patience.

Update (Business) April 26, 10:25am MDT:

In addition to the manual fix issued Monday, April 24, we have now issued a standalone repair utility that provides a streamlined fix for business customers. It will release and restore quarantined applications to working order on the impacted endpoints.

For access to the repair utility, customers should open a support ticket, or reply to their existing support ticket related to this issue. Please include your phone number within the support ticket.

Our sincerest thanks to the MSP beta customers who worked with us to test and validate this repair. We appreciate the support of our customers and thank you for your patience.

Update (Business) April 25, 9:41pm MDT:

We created a comprehensive repair utility, and have successfully completed QA. We are currently rolling out the utility to a group of beta customers to ensure it works for our broader customer base. We expect to complete that work soon, and then will make it available incrementally to the entire customer base to ensure a successful deployment.

You also can look to our Community for ongoing updates.

Our Support team remains available to those of you who need urgent assistance, and we thank you for working with us through this challenging issue.


On April 24, Webroot experienced a technical issue affecting some business and consumer customers. Webroot incorrectly identified multiple files as malware. Webroot was not breached. Actual malicious files are being identified and blocked as normal.

We recognize that we have not met the expectations of some customers, and are committed to resolving this complex issue as quickly as possible.

For Business

Webroot is making progress on a resolution and will update you when it is available. In the meantime:

  • Do not uninstall the product or delete the quarantine. This will make quarantined files unrecoverable.
  • We have rolled back the false positives. Once the fix is deployed, the agent should pick up the re-determinations and perform as normal.
  • Customers should ensure endpoints are powered on and connected to the internet to receive the fix. Once files have been restored from quarantine, some endpoints may require rebooting.

Those who wish to address the issue manually should follow the instructions posted on Webroot Support.

We are conducting a thorough technical review to ensure we have a complete understanding of the root cause. A summary will be posted in the Webroot Community, and Webroot account representatives will be prepared to discuss the findings in greater detail with you.

For Home

To resolve the issue, customers need to restore the quarantined file(s). Please follow the steps on the Webroot Community and restore the file(s). Webroot offers free 24/7 support for consumers, and can open a ticket for any questions here.

We apologize for the inconvenience this has caused our customers and are taking the actions to earn your trust going forward.

Cyber News Rundown: Edition 4/21/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Neiman Marcus Breach Bigger than Initially Believed

Following the 2015 Neiman Marcus breach, the company only recently disclosed that the impact is far greater than originally believed. The latest findings come on the heels of a January attack that copied the original 2015 hack, during which the information for over 350,000 unique credit cards was compromised. The recent attack exposed an unknown quantity of users’ data, though it focused more on the company’s loyalty card program, InCircle.

Chinese Video Service Accounts for Sale on Dark Web

As the list of data breaches continues to grow, several prominent Chinese companies have seen massive breaches, reaching well into the hundreds of millions range as far as individual accounts affected. Recently, a database belonging to Chinese streaming service Youku was found for sale on the Dark Web for a paltry $300. The database contains the usernames and passwords for nearly 100 million users, most of which have already been decrypted or even found in multiple, previously leaked databases.

Ransomware-as-a-Service, Surprisingly Affordable

The newest trend taking the malware world by storm: cheap ransomware-as-a-service that comes with a user-friendly dashboard, so launching a ransomware campaign is now easier than ever. For the low, low price of $175, aspiring cybercriminals gain access to a fully customizable interface to monitor the infections from start to end. Fortunately for potential victims of this particular variant family, security researchers have been successful in creating decryption keys to remove the malware for free.

Indian Hackers Strike at Snapchat over CEO Comments

In another case of cybercriminals turned hacktivists, attacks have been launched following a PR nightmare in which Snapchat’s CEO allegedly made comments that the Snapchat platform is meant for “rich people”, not for “poor countries” like India. The hackers claim to have stolen user data for over 1.7 million accounts, though Snapchat has yet to confirm that any leak actually occurred.

International Hotels Group Finds Malware in Payment Systems

Following an investigation that began in the second half of 2016, officials for the International Hotels Group have confirmed that multiple locations had suffered significant credit card breaches. Even more worrisome is that the latest breach was only discovered by the card providers monitoring suspicious activity on the accounts, which suggests that IHG’s internal security measures aren’t up to snuff.

Cyber News Rundown: Edition 4/14/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Microsoft Patches Critical Zero-day Vulnerability

On Tuesday of this week, Microsoft released a patch for a relatively unknown zero-day vulnerability that allowed attackers to distribute malware through malicious Word documents. Opening the infected document allows it to contact a remote server to begin downloading malware to a victim’s system via a script file embedded in the document. While the Microsoft patch does resolve the issue, we still encourage you to use caution when opening any documents attached to emails, even if they appear to be from a trusted sender.

Legit IRS Online Tool Used Illegitimately

In the past few months, investigators have been looking into fraudulent activity occurring in the IRS’s Data Retrieval Tool. By using the tool as intended, criminals were able to impersonate legitimate users to begin a tax return form and access that user’s data, thereby creating fraudulent returns. From the initial investigation, it appears nearly 100,000 different user accounts have been tied to this method of identity theft. The scam itself has cost the IRS over $30 million.

Sneaky CIA Malware Uses Pop Culture References

When the Wikileaks Vault 7 post revealed numerous spying tools from a CIA dump, many researchers began digging through the treasure trove of information. Researchers at Kaspersky Lab found several malware programs with code referencing Star Trek, Flash Gordon, and other recent pop culture icons. The malware in question has been linked to a long-standing malware campaign that hit multiple targets across Europe and Asia.

Ex-Employee Hacks Hotel System, Slashes Room Rates

Ever daydream about getting back at a bad boss? One NYC Marriott hotel found itself on the receiving end of a disgruntled ex-employee’s revenge. A few weeks after being fired from his job, Juan Rodriguez hacked into the hotel’s reservation systems and cut prices down by up to 95%, costing Marriott over $50,000 before the intrusion was discovered. Unfortunately for Juan, while he was smart enough to infiltrate their network, he forgot to mask his own IP, which led authorities straight to his apartment.

Patient Records Available Online

As prices for medications and health treatment continue to rise, a lot of people are looking for cheaper ways to obtain prescriptions and services. Unfortunately, this leads to increased risk, particularly in the case of elderly citizens on a fixed income. Recently, a researcher found a database with the medical and personal records for nearly 1 million senior citizens, freely available to the public. But the database in question didn’t belong to a healthcare facility. Instead, it was owned by a telemarketing firm who had gathered a large quantity of sensitive information on the promise of providing cheaper deals on medication.

Gary Hayslip Chats About the Internet of Everything, the Strategic Role of Cybersecurity, and Becoming Webroot’s New CISO

When you meet Gary Hayslip, don’t let his calm demeanor fool you — underneath is a deep passion for and understanding of the “Internet of Everything” or IoE. To say his 25-year career in information security is impressive would be an understatement. From serving as Command Information Security Officer in the United States Navy to his more recent position as the City of San Diego CISO and deputy director, Gary has become attuned to the ever-evolving role of a CISO in organizations.

As I chatted with him across a boardroom table, I began to picture how IoE has the potential to create abundant opportunity and new risks. Imagine this: smart parking meters making your urban commute easier. Communications between your car’s GPS and parking meters in the vicinity help you find a vacant spot and pay the meter all from an app on your phone. Now imagine the adverse — a powerful DDoS attack using those same smart parking meters to send a flood of communications to an area internet service provider, overloading its network bandwidth, and debilitating internet service for its customers. It can be scary to think about.

According to the FBI, “deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices.” For the record, this is why more organizations need the Garys of the world.

I caught up with Gary at the Webroot World Headquarters in Broomfield, Colorado, to talk about his decision to join Webroot, his views on IoT, and more.


Webroot: What made you decide to join the Webroot team?

Gary Hayslip: I had been working in the IoT and cybersecurity space around smart cities and smart communities for a while when I came across Webroot. Seeing the Webroot FlowScape® capabilities coupled with how their product suite leverages the power of machine learning to predict and protect against threats in the connected world we live in had me sold. At the end of the day, a forward-leaning company that can offer Webroot’s level of protection to both consumers and partners intrigues me.

Webroot: As an InfoSec leader, what will be your main area of focus at Webroot?

GH: To me, cybersecurity is a business critical function. The Office of the CISO provides enterprise risk management through current state assessments and forecasting. Ultimately, our consistent question to solve is “how can we better support departments across the organization?” I think I’ll bring a unique point-of-view to that question considering I was recently a customer. Along those lines, my insight from the customer point of view will offer an advantage with product strategy to reduce the risk for customers.  As Webroot grows, I want to ensure the programs and strategies my teams create are flexible enough to grow alongside the company.

Webroot: What opportunity do you think Webroot can fill in the market?

GH: I see a significant amount of movement in getting IoT devices to market, but not a lot of readiness to make sure these devices can be scanned, monitored, or protected. FlowScape bridges the gap and allows you to see the devices communicating within your networks and gives context around what devices are doing. The Webroot product portfolio truly does protect users across devices, networks, and perimeters.  Delivering comprehensive security solutions that detect, defend, and provide analysis to businesses and individuals is our sweet spot.

Webroot: What difference do you want to make in your new role?

GH: The biggest thing for me is making a resilient program ever better. Cybersecurity is a life cycle and breaches are part of that life cycle. It’s never lost on me that threats are constantly emerging and evolving. It’s only fitting for a best-in-industry organization to meet the threats where they live with constant preparation.


In addition to sitting on numerous boards and being an active member of ISSA, ISACA, OWASP, and InfraGard, Gary holds the certifications of CISSP, CISA, and CRISC. Be sure to check out his book CISO Desk Reference Guide.

7 dangerous subject lines

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. But you can avoid such attacks by being patient, checking email addresses, and being cautious of sketchy-sounding subject lines.

7 dangerous subject lines to avoid

Cybercriminals initiate their attacks through hyperlinks or attachments within emails. Most of these attacks use urgency or take advantage of user trust and curiosity to entice victims to click. Here are examples of subject lines to be cautious of.

  1. Remember me? It’s Tim Timmerson from Sunnytown High! Criminals use social engineering tactics to find out the names of the people close to you. They may also hack a friend or relative’s email account and use their contact lists as ammo. Next, they research and impersonate someone you know, or used to know, through chats and emails. Not quite sure about a message you received? Hover your mouse over the sender address (without clicking) to see who the real sender is.
  2. Online Banking Alert: Your Account will be Deactivated. Imagine the sense of urgency this type of subject line might create. In your panicked rush to find out what’s going on with your account, you might not look too closely at the sender and the URL they want you to visit. At the end of March, a Bank of America email scam just like this was successfully making the rounds. Initially, the email looked completely legitimate and explained politely that a routine server upgrade had locked the recipient out of their account. At this point, when clicking the link to update their account details, an unsuspecting victim would be handing their login credentials and banking information over to cybercriminals.
  3. USPS: Failed Package Delivery. Be wary of emails saying you missed a package, especially if they have Microsoft Word documents attached. These attacks use the attachments to execute ransomware payloads through macros. Senior Threat Research Analyst Tyler Moffitt walks us through what it’s like to get hit with a ransomware payload from a USPS phishing email.
  4. United States District Court: Subpoena in a civil case. Another common phishing attack imitates government entities and may try to tell you that you’re being subpoenaed. The details and court date are, of course, in the attachment, which will deliver malware.
  5. CAMPUS SECURITY NOTIFICATION: Phishing attacks have been targeting college students and imitating official university emails. Last month, officials at The University of North Carolina learned of an attack on their students that included a notification email stating there was a security situation. The emails were coming from a non-uncg.edu address and instructed users to “follow protocols outlined in the hyperlink”. Afterward, the attacker would ask victims to reset their password and collect their sensitive information.
  6. Ready for your beach vacay? Vacation scams offer great deals or even free airfare if you book RIGHT NOW. These scams are usually accompanied by overpriced hotel fees, hidden costs, timeshare pitches that usually don’t pan out, and even the theft of your credit card information. Check the legitimacy of offers by hovering over links to see the full domain, copy and pasting links into a notepad to take a closer look, and by researching the organization.
  7. Update your direct deposit to receive your tax refund. The IRS warns of last minute email phishing scams that take advantage of everyone’s desire for hard-earned refunds and no doubt, their banking credentials.

Read between the lines

Help us create awareness in the community around scams and phishing attacks with dangerous subject lines. From here on, education should be top of mind as our community begins to adopt safer online habits. Share this blog with your friends and family or get in on the #CyberSmart conversation by sharing a Tweet.

Phone Spoofing Unpacked

Raise your hand if you’ve ever received a call from a company, unsolicited, that got aggressive? Maybe the caller wouldn’t hang up or kept calling back. Maybe the caller asked for money or made a threat. Regardless, you were upset. But when you alerted the company of the bad deed, they gave you some line about phone “spoofing.” Your gut reaction might have been to call BS. But it’s not. Phone spoofing remains a thorn in the side of many consumers across America. According to an online survey conducted by Harris Poll for Truecaller, roughly 27 million Americans reported losing money to phone scams over the last 12 months, a 53 percent increase from 2014.

Phishing has evolved. Learn all the ways hackers are angling for your data with our 11 Types of Phishing eBook.

At Webroot, we’ve heard from our customers they’ve been targets of phone scammers and we want to help educate our community.

We encourage our customers to steer clear from doing business with any callers claiming to be

  • tech support and requesting access to your computer to “fix a problem” and charge you;
  • Webroot and trying to sell you a lifetime SecureAnywhere subscription

Webroot teammates DO NOT make unsolicited outbound calls to customers. If you have been a victim of such callers purporting to be Webroot, file a complaint with the FCC. The FCC collects data to track down and prosecute scammers. (Anyone who is illegally spoofing can face penalties of up to $10,000 for each violation.)

What is Phone Spoofing?

Phone spoofing is when a scammer makes another person’s or company’s phone number appear on the receiver’s caller ID in an attempt to impersonate that individual or organization. The end goal is to gain access to your personal information and/or get you to pay for a fake service.

How can I protect myself from phone spoofers?

As a consumer, you have rights and options.

  • If a number repeatedly calls and doesn’t leave a message, block it.
  • If you do pick up and it seems like a bogus call, hang up immediately. However, you may find yourself on the other end of a questionable conversation. In this case, place the caller on hold and call their incoming number. If someone picks up on the other end from the company, ask whether or not the person on hold is calling on their behalf. The key is not to share any personal information.
  • Finally, educate your community. Help others in your life understand what phone spoofing is and how to protect themselves. You wouldn’t use a third party to call if you were stuck in Nigeria and needed a loan! Discuss scams you’ve received and how you handled them with friends, so they are aware of the scenario and the appropriate actions to take. We’ve also provided resources to help you navigate keeping yourself safe.

How to stop phone spoofing

The government and telecom industry are working together to put a stop to spoofing. The Truth in Caller ID Act, passed in 2009, prohibits any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongly obtain anything of value. Also, the tech and telecom industries are working on solutions. Similar to our antivirus solutions for email and internet safety, there may soon be better anti-spoofing protections for voice.

Americans receive 15.8 spam calls (cell and/or landline) and 6.3 spam text messages in an average month. Until a complete solution is found, remain vigilant about protecting your personal information.