What Should You Do About the “Microsoft Tech” Support Scam?

Anyone claiming to be from “Microsoft tech” or “Windows” should be expected to know if there was a virus on your PC, right? And when they guide you into checking the Windows Event Viewer (where harmless errors are logged) and reading out a string of numbers, they usually manage to snare you into their swindle. After all, you don’t want to lose your hard work, or be without your computer due to a virus, right?

The objective of this type of scam is to talk you into installing remote-control software on your computer, so that they can then take control. Once control is taken, this allows them to steal data, introduce a Trojan horse or other malware (the remote software itself may be a malicious tool), or just perform a bit of “tech support theatrics” to make it seem as though they know what they’re doing.

Once the “virus” is discovered the scammer will, of course, demand money for their services of “removing” it. This can go a number of directions, but if you refuse, there is the possibility that the scammers have remotely changed your password or encrypted your files, transforming this into a one-on-one ransomware scam.

How do you handle a scam call?

  • Hang up the phone when you identify that the call is uninvited.
  • Do not allow remote access to your computer.
  • Never divulge passwords or PINs.
  • Neither Microsoft nor anyone on its behalf will ever call you.

Last, if you paid a “Microsoft tech” support scammer to “remove” a “virus”, call your credit card company right away. Tell them you have been scammed, and they should cancel the transaction. You should also change the password for your credit card account… and all other passwords you use, too.

By giving your credit card details to the scammers to pay for their “service”, you’re also likely to give them the information they need to use your card. By sharing the 16-digit number, the valid until date and the three-digit number on the reverse, you’ve essentially given them everything they need to steal from you. Remember, they called you: this is not a safe way to conduct business!

Let the bad guys spend their money and spin their wheels.

As hackers get smarter, so must we. A locked screen no longer secures a PC, but there are still simple measures that do.

Don’t leave your unattended workstation logged in, especially overnight, even if you lock the screen.

Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it is no longer good enough, as researchers recently found. There is new evidence that attackers can use some USB-to-Ethernet adapters to steal credentials from locked Windows computers.

Industry experts found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks. These attacks can be pulled off with cheap devices, like the Hak5 LAN Turtle, which costs $50.

The USB device can be configured to masquerade as a USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This is not difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state, and 2) they automatically configure wired or fast Ethernet cards as the default gateway.

For example, if an attacker plugs a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface.

This particular weakness is only exposed when the PC is on a wireless connection, because a newly installed wired adapter is preferred over Wi-Fi.

Additionally, when a new network card gets installed, the OS configures it to automatically detect the network settings through the Dynamic Host Configuration Protocol (DHCP). This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server.

Once an attacker controls a target computer’s network settings via DHCP, he also controls DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Autodiscovery) protocol and more. The hacker essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer’s network traffic.

According to experts, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted. The time it takes for a rogue USB device to capture credentials from a system using this attack is around 15 seconds.

Depending on the Windows version installed on the computer and its configuration, the password hashes will be in NT LAN Manager (NTLM) version 2 or NTLMv1 format. NTLMv2 hashes are harder to crack, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password cracking rig.

There are also some relay attacks against network services where NTLM hashes can be used directly without having to know the user’s plaintext password.

Was all that pretty high tech, involved, and even confusing? This is a high-stakes business. Investments in research and development of hacking schemes and equipment pay off. Money and time are invested and risks are taken to illegally obtain personal credentials and passwords. That should be their loss, not yours! Fortunately, despite all they have put into this clever trick, preventing this vector from stealing your personal information won’t cost you a penny or even much time. You are aware, and that is the first step.

  • When you leave your computer unattended, log out. SAFE
  • Stay hard wired not wireless when conducting work or using personal credentials. SAFE
  • Secure the physical environment of your workstation. SAFE

Let the bad guys spend their money and spin their wheels. As long as you are aware and prepared, they lose, not you.

8 Ways to Fight Off Ransomware

Ransomware is very damaging. Continuing the evolution from viruses to botnets and malware families that has occurred over the past 10 years, bad actors keep finding new ways of reinventing old threats. Today, the top trend in modern malware is the proliferation of ransomware.

Ransomware has come a long way from the non-encrypting lock screen FBI scare warnings like Reveton. In 2016, there has been a constant flow of new ransomware families popping up, like Locky, Cerber, Madeba and Maktub, and this is only expected to pick up steam over the balance of the year. Below are 8 tips to help you defend against ransomware.

Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps

A common way in for ransomware is via exploit kits, like Angler. These bundle many application vulnerabilities into one kit and try drive-by exploits for each one in sequence. The more outdated your apps are, the more likely it is that one of these exploits will work and infect you with ransomware.

Be skeptical: Don’t click on anything suspicious

Don’t click on any emails or attachments you don’t recognize, and avoid suspicious websites altogether. Most infections come from user action (opening attachments or visiting websites), so being vigilant is the most effective way to minimize damage.

Block popups

Popups are regularly used by criminals to spread malicious software. To avoid accidental clicks on or within popups, it’s best to prevent them from appearing in the first place.

Use network protection

A very important part of a comprehensive security strategy is a network traffic monitoring system based on machine learning and behavior analysis. As most of these attacks come in via internet channels, make sure your network protection can parse and analyze both email and web traffic.

Turn Windows User Account Control on

Windows added this security feature to help you stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. User Account Control (UAC) works by adjusting the permission level of your user account. If you’re doing tasks that can be done as a standard user, such as reading e‑mail, listening to music, or creating documents, you have the permissions of a standard user, even if you’re logged on as an administrator. Take full advantage of it.

Use security content to detect ransomware

You’ll never entirely be able to stop people from opening a malicious email and being tricked into clicking on a phishing link. That act can open a single file that begins acting like a worm, propagating through your IT infrastructure or that of your organization and wreaking havoc. It’s critical to have good detection content (signatures and behavioral rules) so you can spot these bugs and squash them before they become a problem.
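One kind of behavioral detection content the paragraph above refers to is a rule that spots a single process renaming many files to a new extension within a short window, which is how file-encrypting ransomware such as Locky shows up in file-activity telemetry. The script below is an added example, not code from MergerTree or any vendor; the event format, the process name updater.exe, the user name and the file paths are all constructed for the example, and the window and threshold are assumptions to tune against your own baseline.

```python
from collections import defaultdict, deque

# Constructed sample of file-activity events (not real logs).
# Format: "<epoch seconds> <user> <process> <op> <path>" or, for renames, "<src> -> <dst>".
SAMPLE_EVENTS = [
    r"1462100000 alice winword.exe WRITE C:\Users\alice\Documents\report.docx",
    r"1462100005 alice explorer.exe RENAME C:\Users\alice\Documents\draft.docx -> C:\Users\alice\Documents\final.docx",
    r"1462100010 alice winword.exe RENAME C:\Users\alice\Documents\~tmp1.tmp -> C:\Users\alice\Documents\notes.docx",
]
# A burst of 12 renames by one (constructed) process, each appending a new extension, within 12 seconds.
SAMPLE_EVENTS += [
    rf"{1462100100 + i} alice updater.exe RENAME C:\Users\alice\Documents\q{i}.xlsx -> C:\Users\alice\Documents\q{i}.xlsx.locky"
    for i in range(12)
]


def parse_event(line):
    """Split one constructed event line into a dict; RENAME lines carry both source and destination."""
    ts, user, proc, op, rest = line.split(maxsplit=4)
    if op == "RENAME":
        src, dst = (p.strip() for p in rest.split("->", 1))
    else:
        src, dst = rest.strip(), None
    return {"ts": int(ts), "user": user, "proc": proc, "op": op, "src": src, "dst": dst}


def _ext(path):
    """Lower-cased file extension of a Windows path, or '' when there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(lines, window=60, threshold=10):
    """Alert when one process changes the extension of `threshold` or more files within `window` seconds.

    Renames that keep the extension (draft.docx -> final.docx) are normal editing and are ignored;
    a single extension change (.tmp -> .docx) is also normal, which is why a burst is required.
    Returns one alert per offending process.
    """
    recent = defaultdict(deque)  # process -> deque of (timestamp, new extension)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev["op"] != "RENAME":
            continue
        old_ext, new_ext = _ext(ev["src"]), _ext(ev["dst"])
        if old_ext == new_ext:
            continue
        q = recent[ev["proc"]]
        q.append((ev["ts"], new_ext))
        while q and ev["ts"] - q[0][0] > window:  # slide the window
            q.popleft()
        if len(q) >= threshold and ev["proc"] not in alerted:
            alerts.append({
                "proc": ev["proc"],
                "user": ev["user"],
                "count": len(q),
                "new_extensions": sorted({e for _, e in q}),
                "first_ts": q[0][0],
                "last_ts": ev["ts"],
            })
            alerted.add(ev["proc"])
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT: {alert['proc']} ({alert['user']}) renamed {alert['count']} files to "
              f"{alert['new_extensions']} between {alert['first_ts']} and {alert['last_ts']}")
```

Keying the window on the process rather than the user is deliberate: a user legitimately touches files through many programs, but a single program renaming a dozen files to an extension it has never produced before is the behavior worth stopping, and the alert carries enough context (process, user, timestamps) to isolate the endpoint and check backups.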

Don’t underestimate the value of continuous monitoring

Look at security vendors with a “products + services” approach. Market-leading security technologies are critical, but combining them with 24×7 monitoring by security experts is the best approach to securing your IT infrastructure and stopping threats like ransomware. If you have a 9-to-5 business and no one is watching your shop at night, that’s a lot of hours for a malicious bug to move through your IT infrastructure.

Have a robust, in-depth backup plan

Before your company is attacked by ransomware, it is important to have a backup plan in place so you can access your data. It’s imperative that an organization’s backup strategy include offline backups. This may require manual processes, but any online backups will be encrypted by attackers, making them useless to the victim. Know the pain points of restoring and recovering data, and make sure that your plan accounts for them. It is important to classify your systems and data when creating your backup plan. Keep in mind which systems and data are most important to your organization and put extra care around the most critical systems in your infrastructure.

Please contact MergerTree Solutions for more information about continuous monitoring and an in-depth back up plan.

U.S. victims have lost $960 million to the schemes over the past three years

Fake Emails Lead to Fraud and Swindling

In the U.S. alone, victims have lost $960 million to the schemes over approximately the past three years, FBI figures show. That figure reaches $3.1 billion when global data from international law enforcement and financial groups is included. The number of victims: 22,143.

In many cases, the scammers pretend to be a business executive at the victim’s company or a trusted supplier. They can do this by hacking into email accounts to send off fraudulent messages. This type of cybercrime, which usually involves a request for a wire transfer, may be called “CEO Fraud” or “The Supplier Swindle” depending on the scheme used.

In other cases, the scammers will create fake email accounts that look like those of the business executive or supplier. Sometimes they pretend to be a lawyer handling confidential matters and pressure the victim into sending funds.

These scammers have requested wire transfers to 79 countries, but most go to banks located in China and Hong Kong, the FBI said.

In some cases, the scammers will follow up with a ransomware attack, the FBI added. Victims may receive an email that contains a link or an attachment with malware. If it’s opened, it will threaten to hold their data hostage.

There are ways to ward off the danger. The FBI said the scammers study their targets carefully, so company employees should be careful about what professional details they post to social media. Spam should never be opened, and any wire transfers should be verified with telephone calls between the subjects.

Security firm Trend Micro has also been tracking these email scams and found that 31 percent of the time, the hackers pretend to be a company CEO.

The schemes most often target a company’s financial department. Forty percent of the malicious email messages were sent to a company’s chief financial officer, Trend Micro has said.

The FBI sent out a warning about these schemes in a recent FBI posting.


Nearly 40 Percent of Enterprises Hit by Ransomware in the Last Year

Malwarebytes™ recently released new findings on the growing threat to companies from ransomware. The report, entitled “State of Ransomware,” was sponsored by Malwarebytes and conducted by Osterman Research to explore ransomware attack frequency, how it works in an enterprise environment, ransom cost, infiltration points, impact, preparedness and more.

“Over the last four years, ransomware has evolved into one of the biggest cyber security threats in the wild, with instances of ransomware in exploit kits increasing 259 percent in the last five months alone,” said Nathan Scott, Senior Security Researcher at Malwarebytes and ransomware expert. “Until now, very few studies have examined the current prevalence and ramifications of actual ransomware incidents in the enterprise.”

Additional international findings include:

  • Nature of attacks: 46 percent of all ransomware attacks originated from email.
  • Cost of attacks: Nearly 60 percent of all ransomware attacks in the enterprise demanded over $1,000. Over 20 percent of attacks asked for more than $10,000, 1 percent even asked for over $150,000.
  • Many are paying the ransom: Globally, more than 40 percent of victims paid the ransom demands.
  • Significant time spent on remediation: More than 60 percent of attacks took more than 9 hours to remediate.
  • Attacks frequent in certain industries: Healthcare and financial services were the leading industries attacked with ransomware globally, both of which were targeted well above the average ransomware penetration rate of 39 percent.
  • Potential loss of life: Amazingly, 3.5 percent even said lives were at stake because of ransomware’s debilitating effects.
  • Severe downtime: 63 percent spent more than an entire business day trying to fix endpoints.
  • Switch from protection to disaster planning: The most popular way of addressing the problem is not through protection, but by backing up data (over 71 percent).

In the United States alone, nearly 80 percent of companies have suffered a cyber-attack in the last year and more than half experienced a ransomware incident. Seventy percent of attacks impacted mid-level managers or higher, while 96 percent of U.S. organizations aren’t very confident in their ability to stop ransomware.

Key U.S. findings include:

  • Security attacks with ransomware are increasing: Nearly 80 percent of U.S. companies have suffered a cyber-attack in the last year and more than half experienced a ransomware incident. US organizations are the most attacked among the countries surveyed.
  • Ransomware attacks target healthcare and financial services: Healthcare and financial services were the leading industries attacked with ransomware globally, both targeted well above the average ransomware penetration rate of 39 percent.
  • Email is the top vector for spreading ransomware: More than half of the U.S. attacks originated with email. Germany (61 percent) and the United States (59 percent) both see the highest level of ingress for ransomware through email, either through email attachments or malicious links in email messages. Email is much less common in the United Kingdom as an entry point for ransomware (39 percent) and in Canada (30 percent).
  • Upper management and C-Level executives are at a higher risk: 68.4 percent of U.S. respondents noted ransomware attacks impacted mid-level managers or higher, with 25 percent of incidents attacking senior executives and the C-Suite.
  • Cybercriminals held high-value data for ransom: Nearly 80 percent of the U.S. organizations breached had high-value data held for ransom.
  • Attacks are impacting more than initial endpoints: More than 40 percent of ransomware attacks in all four countries were successful in impacting more than a single endpoint, with nearly 10 percent of the attacks affecting more than one-quarter of the endpoints in the business.
  • Security organizations are not confident in their defenses: Decision makers in U.S. organizations have a relatively low level of confidence in their ability to effectively stop ransomware and are less confident about ransomware prevention than their counterparts in Canada, Germany and the United Kingdom. 96 percent of U.S. organizations aren’t very confident in their ability to stop ransomware.
  • Current enterprise security measures are weak against ransomware: Almost half of ransomware incidents in the U.S. occurred on a corporate desktop within the enterprise security environment.
  • Ransomware remediation takes hours: 44 percent of attacks on U.S. companies forced IT staff to work more than nine hours to remediate the incident. Globally, the figure is 63 percent of incidents that took more than nine hours to remediate.

“The results from this survey further emphasize that any business in any region is incredibly vulnerable to ransomware,” said Marcin Kleczynski, CEO of Malwarebytes. “Cybercriminals are increasing their use of ransomware in their attack strategies globally, causing business disruption, loss of files and wasted IT man-hours. In order to stay safe, businesses must invest heavily in both employee education and technology.”

To view the full State of Ransomware report, visit https://go.malwarebytes.com/OstermanRansomwareSurvey.html.


MergerTree Solutions

There is yet another crafty email phishing scam built to steal your credentials!

We are currently seeing a new email phishing scam that is presented as a message from an IT department, explaining that you have email in a pending state and suggesting that you click a link to release those emails.

This is a picture of a version of this threat:

Please remember these keys to identify such phishing scams:
1) Check the sending email address; they often appear suspicious. Our messages will show from support@mergertree.com.
2) Notice that it is sent to an undisclosed list of recipients, which raises suspicion.
3) Remember to hover over the link, BUT DO NOT CLICK IT. You will then see the actual website address pop up. Most often it is a cryptic string of letters leading to a malicious site used to gather usernames and passwords.
4) You can always forward this type of message to support@mergertree.com for investigation.
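The three tells above (sending domain, undisclosed recipients, and a hover target that differs from the link text) can be checked mechanically before anyone clicks. The script below is an added example, not MergerTree’s own tooling: it parses a raw message with Python’s standard email and HTML libraries, treats mergertree.com as the only legitimate sender domain (as the post states), and reports which tells fired. Both sample messages are constructed for the example; the domains mail-release-center.example and xk3q9.example are placeholders, not real indicators.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# The post says legitimate notices come from support@mergertree.com, so this is the trusted domain.
TRUSTED_SENDER_DOMAIN = "mergertree.com"
# Matches a bare domain or URL inside link text, i.e. what the message *shows* the reader.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: where the link goes versus what the reader sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _in_trusted_domain(host):
    return host == TRUSTED_SENDER_DOMAIN or host.endswith("." + TRUSTED_SENDER_DOMAIN)


def analyze_message(raw_eml):
    """Return a list of (code, detail) findings; an empty list means none of the tells fired."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    # Tell 1: the sending address. The display name is free text; only the domain counts.
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if not _in_trusted_domain(sender_domain):
        findings.append(("SENDER_DOMAIN", sender or "<missing From>"))

    # Tell 2: sent to an undisclosed list instead of to you by name.
    to_header = str(msg.get("To", "")).lower()
    if not to_header or "undisclosed" in to_header:
        findings.append(("UNDISCLOSED_RECIPIENTS", to_header or "<missing To>"))

    # Tell 3: the hover target. Compare each link's real host with the host its text shows.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real_host = _host(href)
            shown = _DOMAIN_IN_TEXT.search(text.lower())
            if shown and shown.group(1) != real_host:
                findings.append(("LINK_TEXT_MISMATCH", f"shows {shown.group(1)} but goes to {real_host}"))
            if not _in_trusted_domain(real_host):
                findings.append(("UNTRUSTED_LINK_HOST", real_host or href))
    return findings


# Constructed sample of the "pending email" lure described in the post.
SUSPICIOUS_EMAIL = """\
From: "IT Department" <it-helpdesk@mail-release-center.example>
To: undisclosed-recipients:;
Subject: 4 messages pending in your mailbox
Content-Type: text/html; charset="utf-8"

<html><body><p>You have 4 pending emails. Click below to release them:</p>
<a href="http://xk3q9.example/owa/login">https://mail.mergertree.com/release</a></body></html>
"""

# Constructed sample of a legitimate ticket notice, for comparison.
LEGITIMATE_EMAIL = """\
From: MergerTree Support <support@mergertree.com>
To: Alice Example <alice@example.com>
Subject: Your service ticket was updated
Content-Type: text/html; charset="utf-8"

<html><body><p>You can check ticket status in the
<a href="https://portal.mergertree.com/">MergerTree Customer Portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(name, analyze_message(raw) or "no findings")
```

Feed it a saved .eml file (for example, one forwarded to support) and it reproduces the manual checks in the list above without anyone having to hover near the link; a message with zero findings is not proven safe, it has just passed these three tells.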

MergerTree Client Support

If you have any questions you can reach our Help Desk by emailing support@mergertree.com or by calling (713) 982-8099.


Ransomware TA16-091A UPDATED

UPDATED! – US-CERT – TA16-091A – updated by DHS yesterday to raise the required awareness of the ransomware threats currently active.

This is a BIG issue. We have already seen many medical groups held hostage and ultimately paying the ransom in order to get their data back!

Don’t let this happen to your business or your household! Spread the word. Contact MergerTree for further guidance.

Below is the detailed report from The Department of Homeland Security.

TA16-091A: Ransomware and Recent Variants

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 dollars and must be paid in virtual currency, such as Bitcoin.

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

What should you do?

  • Be cautious and informed.
  • Think before you click! Don’t click links or open attachments that are suspect or that you did not expect to receive.
  • Contact the sender directly. DO NOT HIT REPLY! Start a new message and send to your known contact to make certain the message received is legitimate.
  • Understand how to identify spoofed email addresses and the URL (the link in the email).
  • Keep your updates current, run Windows or Apple updates regularly.
  • Restrict user’s ability to install programs under their sign in credentials (use an admin account for installs).
  • Share this information with friends and family!

Ransomware is reaching epidemic proportions!

Ransomware is reaching epidemic proportions! So much so the FBI and Homeland Security is providing warning and guidance that we would like to share.

Ransomware is not a new threat, but it is a rapidly growing one. For several years now ransomware has proven extremely profitable to the bad actors, and recently we are seeing far more of this criminal activity. Ransomware is usually spread through email that contains an attached or linked malicious payload. The recipient is tricked into opening the link or attachment, which activates the malware, and it begins encrypting the hard drive!

You can read the full article here.

What should you do?

  • Be cautious and informed.
  • Think before you click! Don’t click links or open attachments that are suspect or that you did not expect to receive.
  • Contact the sender directly. DO NOT HIT REPLY! Start a new message and send to your known contact to make certain the message received is legitimate.
  • Understand how to identify spoofed email addresses and the URL (the link in the email).
  • Keep your updates current, run Windows or Apple updates regularly.
  • Restrict user’s ability to install programs under their sign in credentials (use an admin account for installs).
  • Share this information with friends and family!

Troy Newman’s BLOG

Recent developments in cybercrime have prompted us to recommend that all of our current clients now implement the MergerTree managed cybersecurity platform.

Cybersecurity Business Alert.

Growth and change in the cyber technology environment has increased cybercrime and raised the risk level for all businesses. Here at MergerTree we are vigilant and aware of the evolving cybersecurity threats. Since MergerTree began providing technology solutions in 1999, security has been a driving company principle. We began business by establishing a secure data center to host our clients’ critical business information and applications, and creating a managed service practice to provide secure technology service for our clients.

Businesses like yours form the core of our country. According to Entrepreneur Magazine there are between 25 million and 27 million small businesses in the U.S. that account for 60 to 80 percent of all U.S. jobs. Those businesses generate billions of dollars in revenue and are critical to the stable infrastructure of the United States.

The federal government realizes the importance of this resource and recognizes the increasing threat of cybercrime. Money is lost to cybercrime, reputations are destroyed, businesses close, and jobs are lost. The government acted proactively, on the belief that the best way to protect someone is to teach them to protect themselves. The federal government assigned the National Institute of Standards and Technology to develop a guideline for the SMB market. NIST responded and in February 2014 published the NIST Cybersecurity Framework.

MergerTree went to work immediately reconciling our established security practices with those defined in the NIST framework. We strengthened our own cybersecurity stance and delivered stronger security to our managed service clients with no increase in cost. Many of you have seen these changes as we implemented additional security on every level from desktop protection, to email, to server security, and DNS security. We saw to it that the bases were covered and that we were providing several layers of cybersecurity.

Now the threats have increased and we see greater risk to our clients. Since February 2014, MergerTree has worked tirelessly to develop a comprehensive cybersecurity platform to protect our clients. We provide cybersecurity assessments and risk resolution, Written Information Security Policy development, and managed cybersecurity for many MergerTree clients. Now we recognize the cybercrime threat has grown and we strongly recommend each of our clients implement our cybersecurity platform.

We will be contacting you to introduce the full cybersecurity platform and discuss implementation.

Watch this video for more information on our new 24x7x365 cyber threat response.