
How To Stay Out of The Cyber House of Horrors

Did you catch that chill in the air? It’s October, and as the leaves turn orange and the cats turn black, we all know that we’re about to be visited by the 3 C’s. That’s right–Costumes, Candy, and Cybersecurity (awareness month). OK, I cheated a little bit on the 3rd C, but here’s what isn’t funny this fall: there are plenty of verifiably ghoulish things floating around in cyberspace, and we all would do well to take a look at a few of them–and how to bust these particular ghosts.

Fantom

No, my spellcheck didn’t die of fright. There is a recent ransomware variant called “Fantom.” Like a child on the 31st, it is in disguise, but trust me, it is not at all cute. Fantom masquerades as a Windows update, and if the victim falls for the trick, they wind up with critical files locked up, and a demand for a ransom payment to hand over the encryption key that unlocks them. Ransomware is familiar, but the spooky thing about Fantom is that its “Windows” pop-up is convincing enough that it has fooled some users, and it serves as a good reminder to be wary of such pop-ups.

  • How to fight it: Fortunately, many if not most of the mainstream security vendors have signatures to detect and block Fantom. As ransomware variants go, it is not among the most sophisticated. Your most important steps to protect yourself are to ensure your anti-virus/anti-malware is up to date and to run regular backups of your files, being sure to keep at least some backups on media or directories to which your system does not have regular write access (or else the ransomware can just go lock your backups, too). Oh–and don’t ever click on a link or a pop-up if you can’t be absolutely certain that it is what it purports to be.

Body Snatchers

Wow–I just realized that a lot of infosec pros may not even be old enough to catch that reference. But in Invasion of the Body Snatchers, malevolent extraterrestrials create identical clones of people, with the intention of ultimately doing away with all of the humans. Identity theft in Technicolor! The cyber analog is spear phishers, who imitate colleagues or superiors of the intended victim, in hopes of getting the victim to perform some action that ultimately will give the phisher what they are after: money, login credentials, sensitive data, etc. Clever phishers can be very convincing.

  • How to fight it: There’s no getting around the need to educate users about the problem. Encourage them to be skeptical about requests to perform wire transfers, give away credentials, etc. If the “boss” in the email says it’s urgent, it’s worth a phone call or text to them to check whether the email really came from them. Oh, and…don’t click on stuff!

Zombies, Part 1

The victim computers that operate en masse to form botnets are often referred to as “zombies.” Just as a “real” zombie often seems to act like its formerly-living version, a zombie computer often seems to be fine, while in reality it is under the control of a bot-master who uses the army to do Bad Things. The classic use of a botnet army is a distributed denial-of-service (DDoS) attack. We recently saw a record-setting DDoS take down the site of security researcher and journalist Brian Krebs. It can be very hard to stop a DDoS, so each of us has a role in keeping potential zombie machines out of the wrong hands. To make it even more spooky, the Krebs attack seems to have been carried out largely by unprotected “Internet of Things” devices (Rise of the Machines?). Far too many IoT devices are exposed directly to the Internet, often with their default passwords still in place.

  • How to fight it: First, be sure you keep systems patched. Many bot programs exploit unpatched vulnerabilities. Also, keep your antivirus/anti-malware up to date. If you are in charge of protecting a network, use egress filtering and technologies such as deep packet inspection to help ensure that computers–or IoT devices such as security cameras–are not making unauthorized connections.

Zombies, Part 2

“Undead” old vulnerabilities are another kind of cyber zombie that can get you if you don’t take appropriate measures. These come up periodically in the context of operating systems or applications on servers or websites, but it’s important to be aware of the threat of zombie mobile device apps that can give attackers unauthorized access or control on the affected devices. App developers are not required to patch their apps!

  • How to fight it: If you allow mobile devices to access your organization’s internal resources, you need to strongly consider using MDM technology, or at minimum implement a very robust policy on keeping such devices up to date, auditing which apps are installed, and keeping their access to sensitive resources as limited as possible. If the latter aren’t a practical or scalable proposition, that’s a strong argument for MDM or even more restrictive policies.

In addition to putting plastic pumpkins full of candy all over your office, you should use this month in its intended spirit (see what I did there?), to raise awareness about how to keep safe. Every one of us has a part to play in keeping the zombies, (f)antoms, and body snatchers at bay. Save the House of Horrors routine for the black-lights and bowls of cold spaghetti!

Previously published on 10/18 in the Huffington Post and Information Security Buzz