I am reporting this email, in which some malicious actor tries to steal the access credentials for your domain at Aruba.
The sender is a valid Aruba address, namely comunicazioni[at]staff.aruba.it, and the whole email is well put together. The only obvious error is in the subject line, whose Italian is not very credible.
Clicking the link in the email takes you to a clone of the login screen for Aruba's hosting service (see below), which is however hosted at the following address: hxxp://www.genioman.it/aruba/Logon.html. This server has clearly been compromised.
The clone is well made, except that the captcha is missing. Once you enter some fake credentials, the fake site redirects you to the official Aruba page.
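The tell in this lure is that the sender name and the visible text say Aruba while the login link goes to genioman.it. What follows is an added example, not code from the original post: a small Python check that pulls every anchor out of an HTML message body and flags links whose registrable domain is not on the brand's allow-list, with a stronger warning when the visible link text itself names the brand. The sample body is constructed here to mimic the lure described above (it is not the real email), the allow-list containing only aruba.it is an assumption, and the two-label domain extraction is a simplification. Note also that a sender that looks like comunicazioni@staff.aruba.it proves nothing by itself, since the From header is trivially forged; the link targets are what to check.

```python
"""Flag phishing links in an HTML e-mail body by comparing each link target
with the domains the message claims to come from.

Added example (not part of the original post). Assumes the message HTML is
available as a string and the brand's legitimate domains are known; the
sample body below is constructed, not the real Aruba lure."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short allow-list is enough for this check. A real deployment
# would use a maintained list and the public suffix list for eTLD+1 matching.
TRUSTED_DOMAINS = {"aruba.it"}


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.], [at]) back into a parseable one."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[at]", "@")


def defang(url: str) -> str:
    """Neutralise a URL for a report: hxxp scheme and [.] in the host only."""
    parts = urlsplit(refang(url))
    scheme = parts.scheme.replace("http", "hxxp")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{parts.netloc.replace('.', '[.]')}{parts.path}{query}"


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Assumption: no two-level public
    suffixes such as co.uk appear in the input (fine for .it/.ru/.org)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str, trusted=TRUSTED_DOMAINS):
    """Return (defanged href, visible text, reason) for every http(s) link
    whose registrable domain is not in the trusted set."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(refang(href))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # mailto:, javascript:, relative links are out of scope
        if registrable_domain(parts.hostname) in trusted:
            continue
        reason = "link target outside trusted domains"
        if any(t in text.lower() for t in trusted):
            reason = "visible text names the brand but href points elsewhere"
        findings.append((defang(href), text, reason))
    return findings


# Constructed sample body: one link really goes to Aruba, the "login" link
# shows an Aruba path as text but points at the compromised host from the post.
SAMPLE_BODY = """
<p>Gentile cliente, per evitare la sospensione del dominio
<a href="https://www.aruba.it/">accedi al pannello</a> oppure
<a href="hxxp://www.genioman.it/aruba/Logon.html">www.aruba.it/hosting/login</a>.</p>
<p>Contatti: <a href="mailto:comunicazioni[at]staff.aruba.it">assistenza</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_BODY):
        print(f"{reason}: {text!r} -> {href}")
```

Run it on a saved message body and every hit is already defanged, so the output can be pasted straight into an abuse report without creating a clickable link.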
Wednesday 8 June 2016
Friday 13 May 2016
Ransomware fight: a fake SDA email will deliver you a virus
Hi guys,
During the last months I have tried to help a lot of friends fight several ransomware infections, but I had never seen a real fake email and how the attack is carried out.
Today, one of my mail addresses received an email from someone presenting themselves as SDA.
Here is how the email looks:
At first glance the email seems safe (obviously only if you are really waiting for some gift :) ), but after reading just a few words you can easily tell that the email has been translated with an automatic tool.
OK, this is fake, but I want to go deeper into the matter.
The sender: the sender is not SDA, of course, but it is a real address belonging to an Italian institute. Someone there has been compromised.
Email content: all the active content of the email comes from a compromised Russian server, which hosts the images of the fake email and the redirector to the fake SDA courier page. Example (BE CAREFUL):
hxxp://podboika.ru/vNq1MzUKiYwQ/yZXbPmC1s9p5FN6.php?id=xxxxx
That link redirects to a fake SDA page where, in theory, you should download your tracking number (BE CAREFUL):
hxxp://c4zj.sdaexpress-italia24.org/tduw.php?id=ZnVja3lvdUBmdWNrLnJ1 (the address changes)
Nothing to say: they really did a fantastic clone of the SDA site, and all the links point to the real SDA site except one, the download button ("SCARICA"). It downloads from the same server a zip file called spedizione_13952.zip, containing an obfuscated JavaScript file with the same name. You can take a look at the code here.
Of course I did not have the time to deobfuscate the whole code, but using some tricks I was able to decrypt the strings of some routines, and I found the links where the real malware is hosted (BE CAREFUL):
function xHkt() {
var yIlLgr = "hxxp://ofnar.is/1.exe";
return yIlLgr;
}
function tGJ() {
var OSLQYzU = "hxxp://probst-elektro.ch/media/1.exe";
return OSLQYzU;
}
At the time I am writing this post, the file 1.exe is still not recognized as a virus, and Kaspersky says that it is safe!!
But I know that it is not the truth!!
So, let's have a safe look at the file 1.exe. To do that I used the free automatic malware analysis service provided by hybrid-analysis.com, and here is the full report.
Conclusion: be careful and don't trust the internet!
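The download routines above hide the payload URL behind simple string tricks, and the landing URL's id parameter is plain base64 (it decodes to an e-mail address, which is how the kit knows which recipient clicked, and why "the address changes"). As an added example that is not the post author's script, here is a static extractor in Python that folds String.fromCharCode(...) arrays, reversed strings and "a" + "b" concatenations back into literals, pulls out every URL, defangs it for a report and decodes the id parameter, without ever executing the JavaScript. The sample script is constructed to mimic the routines shown above: the function names and the two hosts come from the post, while the obfuscation styles, the /download/ path and the victim@example.it id are assumptions, and none of it is the real content of spedizione_13952.zip.

```python
"""Statically pull download URLs out of an obfuscated JavaScript dropper.

Added example, not the post author's code. The JS sample below is
constructed to mimic the routines shown in the post; it is never executed,
only parsed with regular expressions."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: three routines, each hiding its URL a different way,
# plus the landing URL with a base64 id (assumed value victim@example.it).
SAMPLE_JS = r'''
function xHkt() { var yIlLgr = "ht" + "tp://" + "ofnar" + ".is/" + "1.exe"; return yIlLgr; }
function tGJ() {
  var OSLQYzU = String.fromCharCode(104,116,116,112,58,47,47,112,114,111,98,115,116,45,101,108,101,107,116,114,111,46,99,104,47,109,101,100,105,97,47,49,46,101,120,101);
  return OSLQYzU;
}
function qWe() { var z = "exe.1/daolnwod/gro.42ailati-sserpxeads.jz4c//:ptth".split("").reverse().join(""); return z; }
var landing = "http://c4zj.sdaexpress-italia24.org/tduw.php?id=dmljdGltQGV4YW1wbGUuaXQ=";
'''

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
_REVERSED = re.compile(r'"([^"\n]*)"\s*\.split\(""\)\s*\.reverse\(\)\s*\.join\(""\)')
_CONCAT = re.compile(r'"([^"\n]*)"\s*\+\s*"([^"\n]*)"')
_LITERAL = re.compile(r'"([^"\n]*)"')
_URL = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>()]+")


def _fold_fromcharcode(js: str) -> str:
    """Replace String.fromCharCode(104,116,...) with the literal it builds."""
    def build(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return _FROMCHARCODE.sub(build, js)


def _fold_reversed(js: str) -> str:
    """Replace "...".split("").reverse().join("") with the reversed literal."""
    return _REVERSED.sub(lambda m: '"' + m.group(1)[::-1] + '"', js)


def _fold_concat(js: str) -> str:
    """Join "a" + "b" chains; each pass merges one pair per chain, so loop."""
    while True:
        new = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
        if new == js:
            return js
        js = new


def extract_urls(js: str):
    """Return the unique URLs hidden in the script, refanged to http(s)."""
    folded = _fold_concat(_fold_reversed(_fold_fromcharcode(js)))
    urls = set()
    for literal in _LITERAL.findall(folded):
        for url in _URL.findall(literal):
            urls.add(url.replace("hxxp", "http", 1))
    return sorted(urls)


def decode_tracking_id(url: str):
    """Decode the base64 'id' query parameter; None if absent or not base64."""
    raw = parse_qs(urlsplit(url).query).get("id", [None])[0]
    if not raw:
        return None
    padded = raw + "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def defang(url: str) -> str:
    """Neutralise a URL for a report: hxxp scheme and [.] in the host."""
    parts = urlsplit(url)
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.replace('http', 'hxxp')}://{parts.netloc.replace('.', '[.]')}{parts.path}{query}"


def analyse(js: str = SAMPLE_JS):
    """Return (defanged URLs, decoded tracking ids) for one script."""
    urls = extract_urls(js)
    ids = [decode_tracking_id(u) for u in urls]
    return [defang(u) for u in urls], [i for i in ids if i]


if __name__ == "__main__":
    found, ids = analyse()
    print("\n".join(found))
    print("tracked recipients:", ids)
```

The extractor also accepts already defanged input, so it can be pointed at the hxxp:// snippet in the post itself. Static folding like this only covers the layers the regexes know about; when a dropper decrypts its strings at runtime, a sandbox run such as the hybrid-analysis report mentioned above is the safe next step.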
Tuesday 5 April 2016
Windows 10: desktop customization Windows 8 style
I cannot explain why Microsoft wants to make life hard for the Windows 10 user at all costs, clipping the wings of customization even for the simplest things.
An example?
Try setting a white desktop background with a centered image.
Fortunately a trick is available to do that.
Open the Run dialog by pressing WIN+R
Then type this string:
control /name Microsoft.Personalization /page pageWallpaper
Et voilà, the old desktop personalization menu is available again!
Tuesday 29 March 2016
Windows 10 activation by phone
Windows 10 wants to live connected to the internet, that much is clear. But there are situations where this is not possible, or where it is strictly forbidden.
In these cases you have to use the procedure to activate the Windows copy by phone. But how?
The activation menu, in fact, doesn't clearly show this possibility, but a workaround exists.
- Log in using an administrative account
- Type "SLUI 04" in the search box of the Start menu (slui.exe is the Windows activation client, and the argument 4 selects the phone-activation wizard)
- Select and run the application you find
A renewed "Activation by phone" dialog should appear, and by following the wizard step by step you should be able to activate your authentic copy of the OS by phone.
Credits: http://windows.microsoft.com/it-it/windows-10/activation-errors-windows-10