May 27, 2017

The nuts and bolts of operating as a less privileged computer user

Anybody who has read my computer forum posts and blog articles over the years knows that I am a proponent of using less privileged computer user accounts for daily use, rather than an Administrator account. While you may have a few extra hoops to jump through, they aren't that complicated. And you will greatly reduce the likelihood of your computer being compromised by well over 90% of the malware in circulation today (see footnotes).

Why you should not operate a Windows PC from an Administrator account for your daily browsing and email.

Most computer malware targets Windows operating systems and usually depends on installing malicious files and "backdoors" into operating system folders, and/or modifying legitimate system files to do illegal things (like sending spam, participating in distributed denial of service attacks, hosting credential phishing web pages or pages promoting useless herbs and dangerous counterfeit drugs, installing keyloggers that steal your login credentials, downloading fake security and extortion programs, theft of confidential documents, etc). Only administrator accounts have permission to install such files into system folders, or modify system files and settings. Once in the system folders, the cybercriminals behind the malware may have total control over that computer. This is referred to by hackers and Botmasters as being "Pwned."

Some malware attacks target your web browsers and their components and plug-ins (like Flash Player, Java, PDF readers and other media players). Many Ransomware attacks come via hostile email attachments or poisoned links to compromised websites. Still other attacks are Internet "Worms" that scan computers connected to the Internet looking to exploit new and old vulnerabilities in various Windows operating systems, or Microsoft Office programs. If an exploit attack isn't blocked by up-to-date anti-malware protection, and it detects that the account in use has administrator privileges, the exploit script will continue until it is fully entrenched, often without any user interaction until it's too late.

However, if the same attacks as above (written to infiltrate system files and folders) are launched against a computer that is running as a less privileged account, the malware installation will likely fail and exit. Or sensing that it requires higher privileges, it may open UAC boxes asking for your administrator password and permission to install it. Unless you are tricked into allowing this to happen, refusing to grant this permission will halt the malware, or severely limit its impact. Your own user account could still be compromised, but not other password protected user accounts or operating system files (which also includes "Program Files").

The rest of this article deals with the steps to take to change your Administrator user account into a less privileged Standard User account on a Windows 10 computer.

Before I continue, you need to know that your Windows computer must have at least one Administrator level account that can be accessed from the Welcome Screen. Note that since Windows Vista, even this Administrator account has some restrictions and is subject to UAC permission challenges. If you've been operating as an Administrator in Windows Vista, 7, 8, or 10, you are already aware of this.

Operating a Windows computer as a Standard User is safer than as an Administrator. This is even true if you get caught by certain types of Ransomware that try to delete "Volume Shadow Copies" of your files, which you could otherwise restore. Deleting them and disabling the VSS requires Administrator privileges, which Standard Users lack. So, if you've been operating as your computer's Administrator, let's look at a process you could follow to operate a Windows 10 PC as a less privileged Standard User.

Let us suppose that you have a Windows 10 computer on which you currently have the only user account, which by definition has administrator privileges. If you have been operating this way for a sizeable amount of time, you have probably created and downloaded a lot of files. Sure, you could create a brand new Standard User account for better online safety, but converting your existing account is simpler. Here is how you can demote your existing administrator account into a less privileged user account.

The following paragraphs make use of a keyboard combination that includes the "Windows" key. This is a key containing the Windows logo, usually found on the lower left of your keyboard, between the Ctrl and Alt keys. You will press and hold this key in combination with another key. Let go only after the desired box, settings page, or window opens.

My preferred method to open Control Panel is to use the keyboard combination of the Windows key + X (or just right-click on the Start button), let go when the dark gray start menu appears, then press the P key. You can also open Control Panel by using the Windows + R key and typing control panel into the "Run" input box then pressing the Enter key. When Control Panel opens click on User Accounts. Proceed as follows.

  1. Click on the large link labeled: User Accounts
  2. Click on Manage another account
  3. Accept the UAC challenge
  4. Click on Add a user account
  5. A blue box opens asking you to type in the following.
  6. User name
  7. Password
  8. Reenter password
  9. Password hint
  10. Make sure the password is strong and not easily guessable. You can use symbols, capital letters, lowercase letters and spaces. But, choose one that you will remember when you have to type it into UAC challenges from your Standard user account.
  11. Click on the Finish button.
  12. The new account name will now appear in the "Manage Accounts" page.
  13. Click on the new user account to open it for editing.
  14. Click on Change the account type.
  15. Under Choose a new account type, select: Administrator.
  16. Click on the Change account type button to set the correct group membership.
  17. Press Ctrl + Alt + Delete and click on Switch Users.
  18. Click on the new Admin user name, type in the new password and log into that account. This is a very important step that sets up the documents folder structure and file permissions for the new user account.

Now it's time to demote your old account from Administrator to Standard User.

When you have set up the replacement Administrator account, log out of it. At the Welcome Screen, click anywhere to display the installed user names. Click on your old name and log back into it. If you previously used Switch Users to set up the new account, your old Desktop and open windows will still be running. It should still have Control Panel open to the User Accounts applet. Otherwise, repeat the process used before to open Control Panel > User Accounts > Manage Accounts and click on your old account name to Make changes to your account.

  1. Under the old account's management page, click on Change your account type.
  2. The "Select your new account type" page opens.
  3. Change the selection dot from Administrator to Standard user.
  4. Click on the Change account type button.
  5. If you already have a password that you trust, keep it. Otherwise, use the link to Change your password, or Create a new password, as outlined earlier.
  6. Log out of your account, then log in (aka: Sign in) again and you will have reduced user privileges along with the protection this offers.
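The two lists above, carried out from an elevated PowerShell prompt instead of Control Panel, as an added example that is not part of the original article. It assumes Windows 10 with PowerShell 5.1 (which ships the LocalAccounts cmdlets used here); the account names OldAdminName and NewAdminName are placeholders, and the script refuses to demote the old account if it would leave the PC with no enabled Administrator.

```powershell
# Added example (not from the article): create a replacement administrator,
# then demote the everyday account to Standard user, with the article's rule
# that at least one enabled Administrator account must always remain.
# Run from an elevated PowerShell 5.1 session. Account names are placeholders.

$OldAccount = 'OldAdminName'      # the everyday account being demoted
$NewAdmin   = 'NewAdminName'      # the replacement administrator account

function Get-EnabledLocalAdmins {
    # Enabled local user accounts that are members of the Administrators group.
    # Member names come back as COMPUTER\name, so the prefix is stripped.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            Get-LocalUser -Name ($_.Name -replace '^.*\\', '') -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Enabled }
}

# First list: create the replacement admin account. The password is prompted
# as a SecureString so it never lands in the console history or a script file.
if (-not (Get-LocalUser -Name $NewAdmin -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $NewAdmin" -AsSecureString
    New-LocalUser -Name $NewAdmin -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $NewAdmin
}

# Second list: demote the old account, but only if another enabled
# administrator exists, so the machine is never left without one.
$otherAdmins = Get-EnabledLocalAdmins | Where-Object { $_.Name -ne $OldAccount }
if (-not $otherAdmins) {
    throw "Refusing to demote '$OldAccount': it is the only enabled Administrator."
}
Remove-LocalGroupMember -Group 'Administrators' -Member $OldAccount
# Local accounts are normally already in Users; ignore the error if so.
Add-LocalGroupMember -Group 'Users' -Member $OldAccount -ErrorAction SilentlyContinue

# Verify: the old account should no longer appear in Administrators.
$stillAdmin = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { ($_.Name -replace '^.*\\', '') -eq $OldAccount }
if ($stillAdmin) {
    Write-Warning "$OldAccount is still an administrator"
} else {
    Write-Host "$OldAccount is now a Standard user; log out and back in to apply."
}
```

Step 18 of the first list still applies: sign in to the new account once so Windows builds its profile before you run the demotion half.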

You will see a lot more UAC approval boxes under a Standard User account. If you initiated the process, simply type in the user name and password for the new Administrator account and click the Yes button. If you find that a particular program cannot fully install, uninstall, or update from the Standard account, close the program if it was open, then use Switch Users, or log out, then log into the Administrator account. Complete the installation, or deinstallation, or driver update, then log out and log back into the Standard User account.

A Windows 10 Standard User can run Windows Updates manually, or even receive automatic updates and restart notices. This is an improvement from the XP and earlier operating systems which did not allow less privileged users to run Windows Updates.

Because of the way software is written, some programs, most drivers and most if not all Windows updates require you to reboot (restart) your computer. This flushes out old files that were in use in the computer's RAM and replaces them with the updated files. In the case of uninstalls, rebooting finishes deleting unneeded files and folders and removes old entries from the Windows Registry (reducing clutter and possible program or file conflicts).

That's about all there is to it. You will learn to cope with the UAC challenges and enjoy stronger computer security. But, don't become smug. You could still be tricked into allowing something malicious to be installed by means of social engineering. Don't become the weak link between the chair and the keyboard!


Footnotes

Here are links to articles that demonstrate that people who choose to operate a Windows computer with less than administrator privileges have over a 90% reduction in exploitability.

May 8, 2017

Another Pump and Dump scam bites the dust (QSMG)

Just when you thought that all the gullible people had wised up, another pump and dump email scam emerged on April 11, 2017. This one was pumping up a Pink stock with the trading symbol QSMG. The company owning that symbol is Quest Management, Inc., which was based in Latvia at the time of this writing.

Quest Management lists its company profile as the following:

Quest Management, Inc. engages in the development of marketing channels to distribute fitness equipment products to wholesalers online. The company was founded on October 12, 2014 and is headquartered in Malta, Latvia.

Keep this in mind as you read the details of the failed pump and dump scam that just finished its disastrous run during the first week in May, 2017.

Seven days before the pump campaign began, on April 3, 2017, QSMG stock was worth $1.05 per share. One week later, they issued a press release about their intent to purchase a little known biotech company and their stock soared up to $2.33 on April 13. Remember, QSMG deals in fitness equipment, not medicine. Somebody, or a group of people, conspired to blow that announcement way out of proportion via fake news in a huge email spam blast that began on the morning of April 11, 2017. The details will fascinate you as you delve into the twisted minds of pump and dump scammers and their fake news writing techniques.

The email scam pumping QSMG stock arrived with the following totally false subjects, in chronological order, beginning with April 11, 2017 and ending on May 2, 2017.

  1. This biotech has developed a cure for cancer and its shares are soaring.
  2. This company found a cure for cancer. Their stock is flying.
  3. An imminent green light from the fda will send this drug maker soaring.
  4. Here is a tip that could change your life
  5. I have a tip to share with you
  6. This company's being acquired tomorrow
  7. Your chance to make an amazing move is quickly slipping away
  8. This is your opportunity to get a 20 bagger in the market very fast
  9. Here's a life changing tip that will guide you through trump's America

Some of the email body text used to ensnare gullible investors included the following hooks:

  1. This is a super rare opportunity that may never come again. This biotech company has finally found a cure for cancer after more than 20 years of stem cells and immunotherapy research.
  2. QSMG is guaranteed to hit 25 bucks a share overnight once they release their announcement to the public. You really need to think about buying shares right now before it shoots up higher.
  3. One of my friends at Goldman told me to buy QSMG this morning. He is an expert at this stuff and has never let me down before.
  4. Their biotech arm, Stemvax has developed a cure for cancer and just completed successful human trials under the FDA's supervision.
  5. Once QSMG's official announcements for the cure become public, there's no saying how high their share price will go.
  6. The doctors at QSMG have been working nonstop for more than 20 years to get to this moment a cure for cancer.
  7. I have a good friend who works at the fda, and from time to time he tells me about things before they happen
  8. In less than 2 days, this stock will go up 20 times overnight.
  9. Write this symbol down, it's the first letter of each word: Quest Science Management Gate that's q followed by s then m and g
  10. This means that if you can put 10 thousand in right now, you will take out 200 grand by Thursday morning.
  11. The symbol for this company is the first letter of each of the following words: Quick, Should, Must, Get.
  12. Let me put this in perspective for you. It means that every 10 thousand bucks you put in this will turn into almost a quarter million when the news is out
  13. Special circumstances call for special measures, and a friend of mine reached out to me over the weekend telling me that there's a small company on the verge of being bought out by a top 500 firm.
  14. Take it the way you will, but watch symbol : Quick Sure Mary Garage (use the first letters of each word to make up your 4 letter symbol which you'll use to buy the stock)

All of these claims are totally bogus. The only people who made any profit were the ones who first bought into this stock in the days before the pump began. They were able to double their money in two days. Then, one by one, they sold all their shares and cashed out, causing the value of the stock to plummet.

One week after QSMG peaked and the scammers cashed out, it dropped down to 72 cents a share. This decline continued unabated and as of May 5, the value was only 31 cents. That means that the victims, who bought thousands of shares at or near $2.33, lost up to $2 a share when the dump occurred and continued. None of the claims were true about any of the companies involved. As happens in every pyramid scam, only the top investors win, at the expense of those who follow. Every pump and dump scam begins and ends the same way, with a few winners who conspired together and lots of losers who got suckered in.

You can avoid being scammed into investing in a pump and dump scheme if you take the time to look up the symbols and profiles of all of the companies mentioned in the message body text. You can read press releases and see what the companies are actually involved in. Most have no connection to the products being touted in the spam blasts, and there are never any follow-up big announcements about a cure for cancer, or the big acquisition that was supposedly coming in a couple of days. It's all snake oil, folks!

Never trust anything like these topics that arrive in your email inbox from complete strangers claiming they want to do you a favor by sharing tremendous information that will double or triple your fortune in a few days or a week. Fool's Gold, sold by Carpet Baggers.

W.C. Fields once said: "Never give a sucker an even break, or smarten up a chump!" That's how pump and dump scammers work. But, I am here to smarten you up.

All of the QSMG scam emails were sent from infected computers that were part of a criminal botnet. I reported all of them to SpamCop. If you join SpamCop, you too can help the anti-spam cause by reporting email spam and scams. The sender's ISPs are notified, as are any web hosting companies involved in spam links. This at least gives their ISPs and web hosts a chance to notify their customers to disinfect the botted computers or websites, or even take them offline until they do so.

Lastly, if you use MailWasher Pro to filter your incoming email before downloading it to your email client, I have already updated my Pump and Dump Scam filters to delete these messages for you. My MailWasher Pro filters are here.

About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

Follow Wizcrafts on Twitter


Malwarebytes' Anti-Malware is the most frequently recommended malware removal tool in malware removal forums, like Bleeping Computers. It is extremely effective for removing fake/rogue security alerts, Bots, Spyware and the most prevalent and current malware threats in the wild. Learn about Malwarebytes Anti-Malware.


MailWasher Pro is an effective spam filter that protects your desktop email client. Using a combination of blacklists and built-in and user configurable filters, MailWasher Pro recognizes and deletes spam before you download it. MailWasher Pro reveals the actual URL of any links in a message, which protects you from most Phishing scams. Try it free for 30 days.





This weblog is licensed under a Creative Commons License. The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work, requires written permission from the author.