End-of-life (EOL) is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor. Many companies, including Microsoft, announce the EOL dates for their products far in advance.
Every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported. Knowing key dates in this lifecycle helps you make informed decisions about when to update, upgrade, or make other changes to your software.
Windows 7 EOL
For those that were unaware, Windows 7 reached EOL on January 14, 2020. When a Windows Operating System (OS) hits the end of its lifecycle, it no longer receives updates from Microsoft.
That means Microsoft no longer supports users of Windows 7, and Windows 7 will no longer receive updates, although Microsoft has been known to make exceptions for urgent vulnerabilities. And while organizations may be able to extend support by paying for it, home users are advised to move on to more modern operating systems.
Or as Microsoft puts it:
“Now is the time to shift to Windows 10. Get robust security features, enhanced performance, and flexible management to keep your employees productive and secure.”
And of course, they have a point. If cybercriminals discover a vulnerability in Windows 7, there is no guarantee that this vulnerability will be patched by Microsoft. And while there is still a large Windows 7 user base, it pays off for the cybercriminals to weaponize such a vulnerability and use it to their advantage. Keep in mind that most of the exploit kits active in the wild focus on older vulnerabilities, which will not be patched if you are using EOL software.
Is Windows 10 more secure?
While the call to move on to Windows 10 by Microsoft makes it sound mighty safe, what exactly are these security features that Windows 10 has over Windows 7? We know it’ll be supported by Microsoft, and therefore any known vulnerabilities will be patched. Its other security features are as follows:
Windows 10 includes Windows Defender by default, which provides a baseline level of antivirus protection.
SmartScreen is a reputation system that tries to block harmful and unknown file downloads.
Windows 10 includes Microsoft Edge instead of Internet Explorer, the browser most often targeted by exploits.
On the downside, you might argue that Windows 10 has a lot of new features that tend to come with new problems and risks. However, Windows 10 has been around for a while now, so the worst problems should have been tackled.
However, we want to stress: Moving on to a new operating system, while safer than sticking with a legacy system, is no substitute for a strong security solution. Even Windows 10 machines need anti-malware protection.
According to a spokesperson from our malware removal staff, the correlation between browser use and malware is actually higher than the one between OS version and malware. Meaning: The browser you use has a much bigger impact on the likelihood of being infected than the OS that you use. So even if you switch over to Windows 10 but keep using Google Chrome, you can still be easily infected. Now that Windows 10 has switched over to Edge, many cybercriminals are focusing on exploits for Google Chrome, one of the most popular browsers today.
Other operating systems
To avoid potential infection, or because they’re looking for a change, some Windows users might consider moving to entirely different operating systems, such as Mac or Linux. But layering up built-in protection with security software is important, even if you decide to switch.
In some cases, people may consider switching to a Chromebook, which is certainly a cheaper option if it offers enough capabilities to replace your current Windows desktop or laptop. But even Chromebooks can—and do—get infected.
We don’t expect a lot of users to switch to a more hardcore Linux OS, since they might expect a huge learning curve (another misconception) or their favorite software is not available (unfortunately, not a myth). However, even if they do, Linux OSes are not free from malware. They’re simply attacked less often because cybercriminals understand their user base isn’t as large (and therefore, their payday isn’t as big).
Windows 7 user base
Currently over 23 percent of Windows users worldwide are still on Windows 7, and only 69 percent have already switched to Windows 10. The rest are using the less popular Windows 8 or versions of Windows that have gone EOL long before Windows 7.
Oddly enough, the percentage of Windows 7 users has hardly decreased after reaching the EOL date in January (from roughly 24 percent to 23 percent). With this huge amount of potentially unpatched systems still active in the market, any exploitable vulnerability will result in a widespread disaster.
Would WannaCry have had such an enormous impact if Windows XP and Windows Server 2003 had been abandoned before it spread? We will never know. What we do know is that Windows 8 and 10 did not need to be patched for the vulnerability that was used to spread WannaCry. They were not contributing to the choir of systems trying to infect their neighbors. Emergency patches were released for several older Windows versions, including Windows 7. At the time, Windows 7 was still supported.
We got you
It is not our habit to promote our own products in our blogs, but we wanted to let you know that whichever OS (and browser) you choose next, we’ve got your back. As a demonstration, here is a list of the available Malwarebytes consumer versions created to protect our users:
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.
As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.
Corona antivirus: 100% fake
The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.
To add to the nonsense, the site goes on by adding:
Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.
Infected victims added to BlackNET RAT
Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:
The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.
The full source code for this toolkit was published on GitHub a month ago. Some of its features include:
Deploying DDoS attacks
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Stealing Bitcoin wallets
Choose the right protection
During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.
We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.
We also informed Cloudflare, since the threat actors were abusing their service, and they took immediate action to flag this website as a phish.
Coronavirus has changed the face of the world, restricting countless individuals from dining at restaurants, working from cafes, and visiting their loved ones. But for cybercriminals, this global pandemic is expanding their horizons.
In the past week, Malwarebytes discovered multiple email scams that prey on the fear, uncertainty, and confusion regarding COVID-19, the illness caused by the novel coronavirus. With no vaccine yet developed, and with much of the world undergoing intense social distancing measures and near-total lockdown procedures, threat actors are flooding cyberspace with emailed promises of health tips, protective diets, and, most dangerously, cures. Attached to threat actors’ emails are a variety of fraudulent e-books, informational packets, and missed invoices that hide a series of keyloggers, ransomware, and data stealers.
These numbers mean nothing without real, useful examples, though. Yes, coronavirus scams and scam sites are out there, but what do they look like, and how do they work? We’re here to explain.
Here are some of the many email scams that Malwarebytes spotted in the wild, with full details on what they say, what they’re lying about, and what types of malware they’re trying to install on your machines. The good news? Malwarebytes protects against every threat described.
Impersonating the World Health Organization
Earlier this week, we found an email phishing campaign sent by threat actors impersonating the World Health Organization (WHO), one of the premier scientific resources on COVID-19. That campaign, which pushed a fake e-book to victims, delivered malicious code for a downloader called GuLoader. That download is just the first step in a more complex scheme.
As we wrote:
“GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors.”
Unfortunately, this GuLoader scam is just one of many in which threat actors posed as WHO professionals as a way to trick victims into downloading malicious attachments.
As cybersecurity researchers at LastLine wrote: “Acting as a fully-functional information stealer, [Agent Tesla] is capable of extracting credentials from different browsers, mail, and FTP clients. It logs keys and clipboards data, captures screen and video, and performs form-grabbing (Instagram, Twitter, Gmail, Facebook, etc.) attacks.”
The Agent Tesla campaign that we tracked on Wednesday involved an email with the subject line: Covid19″ Latest Tips to stay Immune to Virus !!
The email came to individuals’ inboxes allegedly from the WHO, with a sender email address of “firstname.lastname@example.org.” Notice that the sender’s email address ends with “.com” when legitimate WHO email addresses instead end with “.int.”
The email alleges to include a PDF file about “various diets and tips to keep us safe from being effected with the virus.” It is signed by a “Dr. Sarah Hopkins,” a supposed media relations consultant for the WHO.
A quick online search reveals that the WHO has a public website for contacting its media relations representatives, and that none of those representatives is named Sarah Hopkins. Also, note how “Dr. Hopkins” has a phone number that doesn’t work, at +1 470 59828. Calling the number from a US-based phone resulted in an error message from the mobile service provider.
The above scam is just one example of an email campaign that both impersonates the WHO and attempts to deliver Agent Tesla.
An Agent Tesla scam arrives in individuals’ inboxes with the email subject line “World Health Organization/Let’s fight Corona Virus together”.
Already, savvy readers should spot a flaw. The unnecessary space placed between the words “Corona” and “Virus” mirrors a similar grammatical error, an unnecessary hyphen, in the GuLoader scam we covered on Malwarebytes Labs this week.
The entire body of the email reads, verbatim:
We realise that the spread of the COVID-19 coronavirus may leave you feeling concerned, so we want to take a moment to reassure you that your safety and well-being remains our absolutely top priority.
Please be assured that our teams are working hard and we are monitoring the situation and developments closely with the health and governmental authorities of all countries we operate in. See attached WHO vital information to stay healthy.
we personally thank you for your understanding and assure you that we will do our utmost to limit disruptions this event brings to your travel plans while keeping your well-being our top priority.
This campaign attempts to trick victims into downloading a fake informational packet on coronavirus, with the file title “COVID-19 WHO RECOMMENDED V.gz.” Instead of trustworthy information, victims are infected with Agent Tesla.
While this campaign does not include as many smoke-and-mirrors tactics, such as a fake media representative and a fake phone number, it can still do serious damage simply by stoking the fears surrounding COVID-19.
Finally, we found a possible WHO impersonator pushing the NetWire Remote Access Trojan (RAT). RATs can allow hackers to gain unauthorized access to a machine from a remote location.
If Remote Access Trojan programs are found on a system, it should be assumed that any personal information (which has been accessed on the infected machine) has been compromised. Users should immediately update all usernames and passwords from a clean computer, and notify the appropriate system administrator of the potential compromise. Monitor credit reports and bank statements carefully over the following months to spot any suspicious activity on financial accounts.
The NetWire campaign included a slapdash combo of a strange email address, an official-looking WHO logo inside the email’s body, and plenty
Sent from “Dr. Stella Chungong” using the email address “email@example.com,” the email subject line is “SAFETY COVID-19 (Coronavirus Virus) AWARENESS – Safety Measures.” The body of the text reads:
To whom it may concern,
Go through the attac=ed document on safety measures regarding the spreading of Corona-virus.
Common symptoms include fever, cough, shortness in breath, and breathi=g difficulties.
Dr. Stella Chungong
The litany of misplaced “=” characters should immediately raise red flags for potential victims. These common mistakes show up in a wide variety of malicious email campaigns, as threat actors seem to operate under the mindset of “Send first, spellcheck later.”
Other malspam campaigns
Most of the coronavirus scams we spotted online are examples of malspam—malicious spam email campaigns that cross the line from phony, snake-oil salesmanship into downright nefarious malware delivery.
Here are a number of malspam campaigns that our threat intelligence team found since March 15.
First up is this strange email titled “RE: Due to outbreak ofCoronavirus,” which arrives in users’ inboxes from the vague sender “Marketing,” with an email address of “firstname.lastname@example.org.” A Google search reveals that bcsl.co.ke appears to point to Boresha Credit Service Limited, a debt collector based in Kenya.
The short email reads:
We have been instructed by your customer to make this transfer to you.
we are unable to process your payment as the SWIFT CODE in your bank account information is wrong,
please see that enclosed invoice and correct SWIFT CODE so we can remit payment ASAP before bank close.”
Again, scrutinizing the details of the email reveals holes in its authenticity.
The email is signed by “Rafhana Khan,” a supposed “Admin Executive” from the United Arab Emirates. The email sender includes this extra bit of info that leads us nowhere: TRN No. 100269864300003.
What is a TRN, and why would it be included? At best, we can assume this is the individual’s “tax registration number,” but think about the last time anyone signed an email with the US equivalent—their tax identification number. You’ve probably never seen that before, right? That’s because tax IDs are meant to be private, and not shared in email signatures. We can assume that the threat actors included this bogus bit of info to add some imaginary credibility. Really, it’s just nonsense.
The email’s attached invoice, once again, pushes GuLoader to the potential victim.
According to the cybersecurity news outlet Security Affairs, HawkEye “is offered for sale on various hacking forums as a keylogger and stealer, [and] it allows to monitor systems and exfiltrate information.”
The HawkEye scam comes packaged in an email with the subject line “CORONA VIRUS CURE FOR CHINA,ITALY” from the alleged sender “DR JINS (CORONA VIRUS).” Again, potential victims receive a short message. The entire email
Kindly read the attached file for your quick remedy on CORONA VIRUS.
The email sender lists their place of work as the non-existent, misspelled RESEARCH HOSPITAL ISREAL at the address NO 29 JERUSALEM STREET, P.O.C 80067, ISREAL.
On March 15, we also found an email scam targeting victims in the UK and pushing, yet again, GuLoader. This time, threat actors promised updated statistics on the number of confirmed coronavirus cases in the United
The malicious email comes from the sender “PHE” with the email address email@example.com, which, like one of the examples above, appears to come from Kenya.
Because threat actors have one, overplayed tactic in these types of campaigns—putting in low effort—the content of the email is simple and short. The email reads:
Latest figures from public health authorities on the spread of Covid-19 in the United Kingdom.
Find out how many cases have been reported near you.
There is no email signature, and not even a greeting. Talk about a lack of email etiquette.
Finally, we found another campaign on March 18 that targets Spanish-speaking victims in Spain. The email, titled “Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID-19,” pushes
The email is signed by “Adriana Erico,” who offers no phone number, but does offer a fax number at 93 784 50 17. Unlike the fake phone number we tested above, we could not test the authenticity of this fax number, because the Bay Area is under a shelter-in-place order, and, truthfully, I don’t own a fax machine in my home.
Threat actors are always looking for the next crisis to leverage for their own attacks. For them, coronavirus presents a near-perfect storm. Legitimate confusion about accurate confirmed cases, testing availability, and best practices during social distancing makes for a fearful public, hungry for answers anywhere.
To help prevent the spread of the illness, remember, wash your hands for at least 20 seconds, refrain from touching your face, and practice social distancing by maintaining a distance of six feet from people not in your
This is difficult, this is new, and for many of us, it presents a life-altering shift. It’s important to consider that, right now, banding together as a global community is our best shot at beating this. That advice extends to the online world, too.
While coronavirus might have brought out the worst in cybercriminals, it’s also bringing out the best across the Internet. This week, a supposed “Covid19 Tracker App” infected countless users’ phones with ransomware, demanding victims pay $100 to unlock their devices or risk a complete deletion of their contacts, videos, and pictures. After news about the ransomware was posted on Reddit, a user decompiled the malicious app and posted the universal passcode to defeat the ransomware. The passcode was then shared on Twitter for everyone to use.
Over the last decade, remote work and working from home has grown in popularity for many professionals. In fact, a 2018 study found more than 70 percent of global employees work remotely at least once per week. However, the coronavirus pandemic and resulting lockdown in many parts of the world have forced a large number of employees into unfamiliar territory—not just remote work, but full-time working from home (WFH).
I have been working remote for over five years now, from several locations and mostly WFH, so I dare say I can speak from personal experience.
WFH physical security
The first so-obvious-it’s-not-obvious tip is to make sure your work devices are physically safe, and that you avoid offering unauthorized views of confidential information. Here are a few ways to shore up physical security while WFH:
If you need to leave your home for supplies or other reasons, make sure your work devices are either shut down or locked—including any mobile phones you might use to check email or make work phone calls.
If you live with a roommate or young children, be sure to lock your computer even when you step away for just a bit. Don’t tempt your roommates or family members by leaving your work open. This is true even for the workplace, so it is imperative for WFH.
If you can’t carve out a separate work space in your home, be sure to collect your devices at the end of your workday and store them someplace out of sight. This will not only keep them from being accidentally opened or stolen, but will also help separate your work life from your home life.
Perhaps your office network was so protected that little thought was given to restricting access to servers with sensitive data. Or perhaps you now have to work on your personal laptop—one that you didn’t think much about securing before coronavirus upended your life.
Either way, it’s time to start thinking about the ways to guard against unauthorized access. If you think cybercriminals (and regular criminals) will be sensitive to global events and refrain from attacking remote workers, sadly, you’d be mistaken.
Access to your computer’s desktop should at least be password protected, and the password should be a strong one. If the system is stolen, this will keep the thief from easily accessing company information.
If office network permissions previously gave you unfettered access to work software, now you may be required to enter a variety of passwords to gain access. If your workplace doesn’t already offer a single sign-on service, consider using a password manager. It will be much more secure than a written list of passwords left on your desk.
Encryption also helps protect information on stolen or compromised computers. Check whether data encryption is active on your work machine. If you’re not sure, ask your IT department whether you have it, and if they think it’s necessary.
If you’re connecting your work computer to your home network, make sure you don’t make it visible to other computers in the network. If you have to add it to the HomeGroup, then make sure the option to share files is off.
Separate work and personal devices
Easier said than done, we know. Still, just as it’s important to carve out boundaries between work life and home life while WFH, the same is true of devices. Do you have a child being homeschooled now and turning in digital assignments? Are you ordering groceries and food online to avoid stores? Best not to mix those activities with work.
While it may seem cumbersome to constantly switch back and forth between the two, do your best to at least keep your main work computer and your main home computer separate (if you have more than one such device). If you can do the same for your mobile devices—even better. The more programs and software you install, the more potential vulnerabilities you introduce.
Don’t pay your home bills on the same computer you compile work spreadsheets on. You not only create confusion for yourself, but may also end up compromising your personal information when a cybercriminal is looking to breach your company.
Don’t send work-related emails from your private email address and vice versa. Not only does it look unprofessional, but you are weaving a web that might be hard to untangle once the normal office routine resumes.
Speaking of homeschooling, it’s especially important to keep your child’s digital curriculum separate from your work device. Both are huge targets for threat actors. Imagine their delight when they find they can not only plunder an organization’s network through an unsecured remote worker, but they can also collect highly valuable PII on young students, which garners a big pay day on the dark web.
Make sure you have access to your organization’s cloud infrastructure and can tunnel in through a VPN with encryption.
Secure your home Wi-Fi with a strong password, in case VPN isn’t an option or if it fails for some reason.
Access to the settings on your home router should be password protected as well. Be sure to change the default password it came with—no 12345, people!
Cybersecurity best practices
Other WFH security precautions may not be all that different from those you should be practicing in the office, but they are easy to forget when you are working in your own home environment. A few of the most important:
Be wary of phishing emails. There will be many going around trying to capitalize on fear related to the coronavirus, questions about isolation and its psychological impacts, or even pretending to offer advice or health information. Scan those emails with a sharp eye and do not open attachments unless they’re from a known, trusted source.
Related to phishing: I’m pretty sure we can expect to see a rise in Business Email Compromise (BEC) fraud. Your organization may be sending you many emails and missives about new workflows, processes, or reassurances to employees. Watch out for those disguising themselves as high-ranking employees and pay close attention to the actual email address of senders.
Beware of overexposure on social media, and try to maintain typical behavior and routine: Do you normally check social media on your phone during lunchtime? Do the same now. Once again, watch out for scams and misinformation, as criminals love using this medium to ensnare their victims.
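The sender-address checks that run through this page (the WHO impersonation that sent from a “.com” address when the real organization uses “.int”, the “PHE” and “Marketing” senders with unrelated domains, and the BEC advice above to look at the actual address behind a high-ranking name) can be automated as a simple mail-gateway or mailbox rule. The following is an added example, not Malwarebytes code; the organization list, executive list, company domain and all sample headers are constructed placeholders, with who.int being the only real value taken from the article.

```python
"""Flag From: headers whose display name claims an organization or executive
that the address domain does not back up. Added example; all sample data
below is constructed, and every domain except who.int is a placeholder."""
import re
from email.utils import parseaddr

# Organizations a display name may claim, mapped to the domains they really
# send from. who.int comes from the article; phe.gov.uk is an assumed placeholder.
KNOWN_ORG_DOMAINS = {
    "world health organization": {"who.int"},
    "who": {"who.int"},
    "public health england": {"phe.gov.uk"},
}

# Constructed internal data for the Business Email Compromise (BEC) check.
INTERNAL_DOMAIN = "example-corp.test"
EXECUTIVE_NAMES = {"jane doe", "ceo"}


def mentions(term, text):
    """True when `term` appears in `text` as whole words (avoids 'who' in 'whoever')."""
    return re.search(r"\b" + re.escape(term) + r"\b", text) is not None


def sender_parts(from_header):
    """Return (lower-cased display name, lower-cased address domain) from a From: value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def check_sender(from_header):
    """Return a list of findings for one From: header; an empty list means nothing flagged."""
    name, domain = sender_parts(from_header)
    findings = []
    if not domain:
        return ["no parseable sender address"]

    # 1. Display name claims a known organization, but the address is not theirs.
    for org, legit_domains in KNOWN_ORG_DOMAINS.items():
        if mentions(org, name) and domain not in legit_domains:
            findings.append(f"claims '{org}' but sends from {domain}")
            break

    # 2. Lookalike domain: the organization's name reused under another TLD (who.int -> who.com).
    label = domain.split(".")[0]
    for legit in sorted(d for ds in KNOWN_ORG_DOMAINS.values() for d in ds):
        if label == legit.split(".")[0] and domain != legit:
            findings.append(f"lookalike of {legit}: {domain}")
            break

    # 3. BEC: an executive's name on the display name with a non-company domain.
    if any(mentions(e, name) for e in EXECUTIVE_NAMES) and domain != INTERNAL_DOMAIN:
        findings.append(f"executive display name from external domain {domain}")
    return findings


# Constructed sample headers modelled on the patterns described in the article.
SAMPLE_HEADERS = [
    "World Health Organization <media@who.int>",            # legitimate domain
    '"Dr. Sarah Hopkins (WHO)" <sarah.hopkins@who.com>',    # .com instead of .int
    '"Public Health England" <alerts@health-updates.example>',
    '"Jane Doe" <jane.doe@freemail.example>',               # executive name, outside domain
    "Marketing <noreply@example-corp.test>",                # internal, no claim
]


def scan(headers=SAMPLE_HEADERS):
    """Run check_sender over a list of From: values and return {header: findings}."""
    return {h: check_sender(h) for h in headers}


if __name__ == "__main__":
    for header, findings in scan().items():
        print(f"{header!r}: {findings or 'ok'}")
```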
Other security precautions
Not every organization was prepared for this scenario, so it’s only natural that some may not have the level of RemoteSec in place that others do. Make sure to get yourself up to speed with the guidelines that your organization has in place for remote work. Ask for directions if anything is unclear. Not everyone has the same level of tech savvy—the only stupid question is one that isn’t asked.
I have listed some of the questions you may need to have answered before you can rest assured that WFH is not going to be a security disaster. Here are some to consider:
When you are working remote for long periods, make sure you know who is responsible for updates. Are you supposed to keep everything up to date or can your IT department do it for you?
Your system may require additional security software now that it has left the safer environment of your organization’s network. Check with your IT department on whether you should install additional solutions: Will you need a security program for your Windows PC or for your Mac (which was hit with twice as many threats as Windows computers in 2019)? If you’re using an Android device for work, should you download security software that can protect your phone? (iOS doesn’t allow outside antivirus vendors.)
How will data storage and backup work? Can you save and back up your local files to a corporate cloud solution? Find out which one they prefer you to use in your specific role.
On a different note
This is a big adjustment for many people. Your first few days of WFH may leave you irritated, uncomfortable, unmotivated, or just plain exhausted. Adding security tips to the list may just add to your fatigue right now. We understand. Take it a day at a time, a step at a time.
When working from home, find a comfortable working area where you can assume a healthy posture, minimize the distraction from others, and where your presence has the least impact on how others have to behave. Take breaks to stretch your legs, and give your eyes a rest. And if you enjoy WFH, now is the time to prove to your employer that it’s a viable option in the long run.