Viruses, malware, and phishing Oh My

The Colorado Area website attracts friends and families of alcoholics searching for relief and recovery. Unfortunately (as for many websites) there is lots of money to be made by tampering with web pages so they point to advertising or commercial sites, and even more by preying on unsophisticated email users.  This page surveys the STATUS of the Area website with respect to these threats and mentions known issues.

As of December 2021, there are no trojans or malware of any sort known to be present on the website.  Several security-related software tools examine the website frequently.

After examining the notes below, please contact the Website Coordinator with reports of what you believe to be security threats on the Area website. It would be very helpful to provide:

  • Your operating system (e.g., Windows 10, or Ubuntu Linux, or MacOS Mojave etc.) and its version
  • The web browser you are using (e.g., Chrome, or Safari, or Edge) and its version
  • Whether you have anti-malware software (such as NortonLifeLock, McAfee Total Protection, etc) installed, which it is, and its version

Remember that the very capable and frequently-updated Windows Defender provided by Microsoft is turned on by default.   However, Windows 10 will automatically switch off Windows Defender if you install a third-party antivirus program!

For users with Colorado Area email accounts

These include District Representatives, officers (such as the Area Chair, the Delegate, etc., and former panel members), and Coordinators. The principal concern is spurious email.  See below for how to detect it.

For members and visitors

Website users from time to time report warnings about malware or ‘viruses’.  These reports almost always come from Windows users who have paid for commercial anti-malware software such as McAfee or Norton.  More details are below.

For users with Colorado Area email accounts [details]

The Area website is a ‘Google site’, meaning that email accounts (with @al-anon-co.org addresses) are set up and administered by Google-provided enterprise tools.  These are already protected against a wide variety of email misbehavior.  However, occasional bogus emails can slip through.  ‘Phishing’ is the sending of emails that APPEAR to be valid but are intended to solicit information (phone numbers, mailing addresses, or credit card info) from the hapless recipient.

Phishing

Here’s a recent example:

Hello Member-
Your Yearly subscription for NORTON 360 has been renewed AND updated successfully.
The charged amount will be reflected within the next 24 to 48 hrs. on your profile of account.
Billing info
INVOICE NUMBER : YMUN72645GLC
Product Name : NORTON 360
ISSUE DATE : 31-08-2021
End Date : 1 year from ISSUE DATE
Total Amount : $242.73 USD
Payment Method : Auto Debit
If you wish to unsubscribe and ask for a Refund then please feel free to contact our Billing Dept. as soon as possible!
You can Reach us on : +1 – ( 818 ) – ( 275 ) – 7825
Kind Regards
Billing Dept

[Other common phishing subjects include GeekSquad and Norton Protection subscriptions.] Not long after, the Website Coordinator received a followup from Google Workspace alerts. Here is a report on a different phishing attempt that got through:

This Phishing message detected post-delivery alert is to inform you that Google automatically reclassified messages as phishing.
The alert details include:
Summary: Google detected and reclassified 71 message(s) from joannmorr@comcast.net as phishing post-delivery. These messages were not opened and have been removed from recipients' inboxes. There was 71 recipient(s).
Activity date: Tuesday, Aug 31, 2021 9:17:23 PM (UTC)
Actor: joannmorr@comcast.net
Total messages: 71
Received by: dr21@al-anon-co.org, dr19@al-anon-co.org, recorddeleted@al-anon-co.org, dr18@al-anon-co.org, dr25@al-anon-co.org, panel52@al-anon-co.org, dr16@al-anon-co.org, publiccontact@al-anon-co.org, dr10@al-anon-co.org, literature@al-anon-co.org, dr1@al-anon-co.org, dr6@al-anon-co.org,...

There are two points to take away: (i) you can trust Google to detect and usually block ordinary ‘junk’ mail to Area accounts; (ii) it is important to develop a good ‘nose’ for phishing. Some common giveaways are an urgent deadline approaching, a balance due that is large enough to cause worry, and sloppy spelling with haphazard capitalizing of words.
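The giveaways listed above can be checked mechanically. The following script is an added example (not part of the Area website or its tooling) that scores a message for those same signs, using a constructed sample modelled on the Norton email quoted above with a placeholder phone number:

```python
import re

# Constructed sample, modelled on the phishing email quoted on this page
# (the phone number is a placeholder, not the one from the message).
SAMPLE = (
    "Hello Member-\n"
    "Your Yearly subscription for NORTON 360 has been renewed AND updated successfully.\n"
    "The charged amount will be reflected within the next 24 to 48 hrs. on your profile of account.\n"
    "Total Amount : $242.73 USD\n"
    "If you wish to unsubscribe and ask for a Refund then please feel free to contact our "
    "Billing Dept. as soon as possible!\n"
    "You can Reach us on : +1 - ( 000 ) - ( 000 ) - 0000\n"
)

# Urgent deadline: pressure to act now or within a short window.
URGENCY = re.compile(r"as soon as possible|within the next \d+ to \d+ hrs|immediately", re.I)
# A balance due: a dollar amount with cents.
AMOUNT = re.compile(r"\$\s?\d[\d,]*\.\d{2}")
# A call-back number the reader is urged to phone.
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
# Haphazard capitals: a Capitalized word following a lowercase word mid-sentence
# ("a Refund", "our Billing"). Legitimate proper nouns also match, so this is
# only counted when it happens repeatedly.
MIDSENTENCE_CAP = re.compile(r"(?<=[a-z] )[A-Z][a-z]+")


def phishing_indicators(text):
    """Return a dict of the giveaways from the page that this text exhibits."""
    found = {}
    urgency = URGENCY.search(text)
    if urgency:
        found["urgency"] = urgency.group(0)
    amount = AMOUNT.search(text)
    if amount:
        found["amount_due"] = amount.group(0)
    phone = PHONE.search(text)
    if phone:
        found["callback_number"] = phone.group(0).strip()
    odd_caps = MIDSENTENCE_CAP.findall(text)
    if len(odd_caps) >= 3:
        found["haphazard_capitals"] = odd_caps
    return found


def is_suspicious(text, min_indicators=2):
    """Flag a message when it shows at least min_indicators giveaways at once."""
    return len(phishing_indicators(text)) >= min_indicators


if __name__ == "__main__":
    for name, value in phishing_indicators(SAMPLE).items():
        print(f"{name}: {value}")
    print("suspicious:", is_suspicious(SAMPLE))
```

A single indicator is common in honest mail (a treasurer's report has a dollar amount), which is why the verdict requires several at once.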

For members and visitors [details]

Reports from virus detection/malware commercial software

In general, for-pay anti-malware software loves to inform you when it FINDS something it regards as a threat, so you believe you’re getting something for your money. However, if it can detect it, the software ALREADY has the tools to block its effect, so these are almost always WARNINGS. It is ‘zero day’ (hitherto undetected and hence uncorrectable) threats that are serious.  Generally, Windows Security is quite adequate to deal with malware, provided you are dutiful about keeping its threat definitions up to date; see Windows Security under Settings on a Windows machine.

The HTML/ScrInject.B trojan is new to the 2021 Website Coordinator, so thanks to those who reported it.  This trojan affects only Windows machines, and is “benign” in that anti-malware PC programs have known about it for a fairly long time and are able to block its effects. 

Note that Mac or Linux users will generally be oblivious to these.
