Malware warning ... is this genuine or not?

I recently got a message from my web service provider, claiming that an email account had been compromised (this is one of my children's accounts, not my personal one). Whilst plausible, I get messages almost daily claiming that my bank accounts have been compromised and to "log in" to confirm the details.

This particular message suggests I download a malware scanner from:

It also references Wikipedia: Antivirus software - Wikipedia

The Wikipedia page refers to the linked scanner page, so on the surface of it, this all looks genuine.

So my question is: Has anyone heard of this site (malwarebytes.org)? Can you vouch for it, or is it a known "fake" anti-virus site?

I am aware that one technique to install viruses is for software to pretend to be anti-virus.

Change the email password.

Malwarebytes is legit AFAIK.

The "Pro" version isn't worth it though. It's no better than any number of free ones.

They changed it for me. I got a warning to do a scan first and then they would let me know the new one. That's pretty good service.

The world needs more of that...

I'm suspicious. Why should they give you the new password only after you had done a scan? Why would they give you a password at all, why not just send you to a password change page? Malwarebytes is definitely legit, and a good product, but I wonder if that and the Wikipedia link aren't just window-dressing.

The actual wording was:

ACTIONS THAT YOU MUST TAKE:

  1. You will need to scan and clean all computers that are used to
    access the (redacted) email account
    with up-to-date anti-malware/anti-virus software. See
    Antivirus software - Wikipedia

Many site owners have reported good results when scanning
their machines with MalwareBytes, http://www.malwarebytes.org/

  2. Acknowledge this notice with any information you have
    regarding this issue and the results of scans you have completed.

Once acknowledgment and the results of your scans are received
we can provide you with the opportunity to reset your password
and regain access to your CNC.

There is no specific requirement to run that particular software. They merely seem to be wanting some proof that I have taken action to resolve the issue. I am assuming they don't want the same thing to happen tomorrow if they just give me a new password.

Huh. Well, none of the usual misspellings or bad grammar. I assume all hyperlinks match the corresponding text. Seems harmless so far. Makes me wonder what happened, where the problem was. The occasional computer gets compromised and I can't imagine an ISP would care. Now if the problem were on their end, and many accounts were compromised, that might explain it.

I wonder what the thing was that happened.

According to earlier in the email:

There are four possibilities in these situations...

1: A machine that either was used to access that email account, or the email account password was stored on, was compromised
2: The password used was easy to guess (dictionary type attack)
3: The user/password and addresses were sniffed, e.g. on an unsecured wireless network
4: This email address was used as a username at an external service and the password provided was the same as the email account password and the external service was compromised... There are some that speculate that this may become more common...

(2) and (4) were possible in this case.

Virus scans seem to be ruling out (1), and the wireless network here is secured, hopefully ruling out (3); however, you can never be too certain about that when visiting friends ask for your wireless password so they can get onto the Internet.

Personally I use random passwords for every new online account, just to stop the spread of compromised passwords. However, not everyone does that.

So - you use LastPass - as Steve Gibson recommends?

Nick Gammon:
Personally I use random passwords for every new online account, just to stop the spread of compromised passwords.

Paul__B:
So - you use LastPass - as Steve Gibson recommends?

I do a fair amount of that, it gets to be a management problem with multiple systems. I was recently looking into KeePass.

@Nick, this new router I recently installed has provision for a "guest" network. I think it's just a second SSID and passphrase, point being that one can change frequently and the one the owners use doesn't have to.

Paul__B:
So - you use LastPass - as Steve Gibson recommends?

I'm usually on a Mac, so I use the KeyChain app. But I have also used PasswordSafe.

A lot of email providers have started picking up on scam emails that are sent from legitimate addresses. If someone you have received email from before sends a mass email to you and 50 other people, your email client will give you a little pop up saying that the email may be a phishing attempt, and asking you to either "report as spam" or "report as compromised account". I assume if you "report as compromised account" they contact the email provider that the account belongs to.

We are in an annoying zone of having a lot of false positives, and false negatives.

For example, I get lots of emails telling me my account at X has been compromised, and to go to Y website to "reset" things. These seem fairly clear spamming attempts, especially if I don't bank with or use X.

However if I do, it gets more complex. For example, yesterday I ordered something from eBay and shortly afterwards got an email telling me that my recent order could not be completed until I log into somewhere.

Or something like this:

You have initiated a payment for $100.00 AUD to WHATEVER.com.
Payment details
Amount: $100.00 AUD
Transaction ID: 5C53687F7327933R

Because the payment was made from an foreign ip address, we put the transaction ID 5C53687F7327933R on hold.

To cancel this payment, please follow the link below:

SOMEDODGYLINK.com

Since the actual link is not displayed it would be easy to be fooled by this stuff.

And just when you get used to ignoring all this crap, a genuine one may slip in, and you ignore that as well, to your peril.

And then you get emails telling you your parcel has been delayed (and just when you happened to be expecting a parcel), so you aren't sure if that is genuine either.

And the worst thing is when I get emails from myself! Emails that I never wrote, offering me work, or some get-rich-quick scheme. Or I get emails from close family members along similar lines. So you simply can't trust the (purported) sender either.

Spammers, may they rot in hell. They are destroying the trust which is required for society to operate normally.
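The "actual link is not displayed" problem above is mechanical enough to check for. The following is an added example, not code from the original thread: it parses the HTML body of a message with Python's standard library and reports every anchor whose visible text looks like a URL but whose real target points at a different host. The sample HTML body and the hostnames in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body (not a real email): the visible text shows
# one address while the underlying href points somewhere else.
SAMPLE_HTML = """\
<p>To cancel this payment, please follow the link below:</p>
<p><a href="http://SOMEDODGYLINK.example/cancel">https://www.paypal.example/cancel</a></p>
<p><a href="https://www.paypal.example/help">Help centre</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL (scheme optional), or None if it has none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def deceptive_links(html_body):
    """Return (visible_text, href) pairs where the visible text looks like a
    URL but its host differs from the host the link really points at.

    Plain-text anchors such as "Help centre" are not judged: only text that
    itself looks like an address can mislead the reader about the target.
    """
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        looks_like_url = "." in text and " " not in text
        shown_host = host_of(text) if looks_like_url else None
        if shown_host and href and shown_host != host_of(href):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE_HTML):
        print(f"visible {text!r} actually points at {href!r}")
```

The check compares hostnames exactly, so a legitimate link from `www.example` to `help.example` would also be reported; treat a hit as a prompt to hover over or inspect the link, not as proof of fraud.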

Presumably because they don't want any more spam sent via that email account.

Wow that's a lot of weird stuff going on. I might think about a new email address.

And the worst thing is when I get emails from myself!

It is disconcerting when that first happens, but it is a good thing as it emphasises that you cannot trust the addresses displayed in emails. No validation is done to confirm that the FROM address in an email is actually where the email came from.

It is also worth remembering that the REPLY-TO address can be different to the FROM address (and also has no need to be related to where the mail actually came from).
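The FROM / REPLY-TO point above can be made concrete. This is an added example, not code from anyone in the thread: it parses a raw message with Python's standard `email` package and reports where the domains of `Reply-To` and `Return-Path` disagree with the domain in `From`. The sample message and every address in it are constructed for illustration.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (not a real email): the visible From address
# claims one domain, while Reply-To and Return-Path point elsewhere.
SAMPLE_RAW = b"""\
Return-Path: <bounce@mailer.example.net>
From: "Account Support" <support@bank.example.com>
Reply-To: helpdesk@other.example.org
To: user@example.com
Subject: Your account has been compromised
Content-Type: text/plain; charset="utf-8"

Please confirm your details.
"""


def address_domain(header_value):
    """Return the lowercased domain part of an address header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def header_mismatches(raw_bytes):
    """Compare the domains of From, Reply-To and Return-Path.

    Returns a list of human-readable findings. An empty list means the
    headers agree (or the optional ones are absent). Agreement does not
    prove the mail is genuine, since none of these headers is checked by
    SMTP itself; disagreement is just a signal worth a second look.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_dom = address_domain(msg.get("From"))
    if from_dom is None:
        return ["From header missing or unparsable"]
    findings = []
    for name in ("Reply-To", "Return-Path"):
        value = msg.get(name)
        if value is None:
            continue
        dom = address_domain(value)
        if dom != from_dom:
            findings.append(
                f"{name} domain {dom!r} differs from From domain {from_dom!r}"
            )
    return findings


if __name__ == "__main__":
    for line in header_mismatches(SAMPLE_RAW) or ["no header mismatches"]:
        print(line)
```

Mailing lists and bulk senders legitimately set a different `Return-Path` for bounce handling, so a `Return-Path` mismatch alone is weak evidence; a `Reply-To` that steers replies to an unrelated domain is the stronger indicator.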

Yeah, I've been getting emails which say "DON'T REPLY TO THIS EMAIL ... follow instead."

Which proves that they don't want you to respond to the purported sender. Who is probably fake.

And that is going to benefit you how?

Jack Christensen:
Wow that's a lot of weird stuff going on. I might think about a new email address.

Paul__B:
And that is going to benefit you how?

Clean start, although perhaps not without some pain. Disposable addresses work well, too.

Jack Christensen:
Clean start, although perhaps not without some pain. Disposable addresses work well, too.

Even better, just get your own domain and make as many addresses as you want.