A new Eir phishing scam has been uncovered which has prompted the Irish communications company to issue a warning to customers. Hundreds of customers received emails offering them a refund yesterday. To claim the refund, the email recipients have been instructed to login to their My Eir account. A fake link is supplied in the email which must be clicked to claim the refund.
Eir Phishing Scam Captures Credit Card Details of Customers
That link directs the email recipient to a fake webpage. The malicious website has been designed to look identical to the Eir website. Users are required to confirm their credit card details in order to obtain the refund. Those credentials are logged by the website and are sent to the criminals running the Eir phishing scam.
Eir has warned customers to be on the lookout for the fraudulent email messages and to delete them if they are received. Any individual who has fallen for the Eir phishing scam and has provided credit card details via the malicious website faces a high risk of credit/debit card fraud.
Phishing email campaigns such as this are commonplace. Attackers use a variety of social engineering techniques to get users to reveal sensitive information such as credit and debit card numbers, which are used by the attackers to make online purchases and rack up huge debts in the victims’ names.
The malicious emails can be extremely convincing. Criminals use legitimate imagery in the phishing emails to fool email recipients into believing the emails are genuine. The malicious spam messages usually contain a link that directs to victims to malicious websites where personal information must be disclosed in order to receive a refund, free gift, or to view important documents. The websites can look identical to the legitimate sites.
Spam Email Poses a Considerable Risk to Businesses
Email scams often direct victims to malicious websites containing exploit kits which probe for weaknesses in browsers and plugins and leverage those vulnerabilities to download malware.
The malware poses a considerable risk for businesses. Malware is used to gain a foothold in a computer network, which can be used to launch cyberattacks to steal valuable data or to gain access to corporate email and bank accounts.
To protect against such attacks, employees should be instructed never to use links sent in emails and to login to websites directly via their browsers. Employees should be provided with training to help them identify phishing emails and email and web spam.
Businesses should also use an anti-spam solution such as SpamTitan to capture spam and phishing emails. Preventing the messages from being delivered to end users is the best form of defense against such attacks, and reduces reliance of employees to identify phishing scams.
The FBI issued a new public service announcement which includes new business email compromise scam data. The new data indicates U.S. businesses have lost almost $960 million to business email compromise scams in the past three years, and the total losses from these scams is now almost $3.1 billion.
What is a Business Email Compromise Scam?
A business email compromise scam is a sophisticated attack on a company by scammers that attempt to trick individuals into wiring funds from corporate accounts to the bank accounts of the attackers. Businesses most commonly targeted are those that frequently make foreign transfers to international companies. The attackers must first gain access the email account of the CEO or another high level executive. Then an email is sent from that account to an individual in the accounts department requesting a bank transfer be made. Occasionally the scammer asks for checks to be sent, depending on which method the targeted organization most commonly uses to make payments.
A business email compromise scam does not necessarily require access to a corporate email account to be gained. Attackers can purchase an almost identical domain to that used by the targeted company. They then set up an email account in the name of the CEO using the same format as that used by the company. This can be enough to fool accounts department workers into making the transfer. Business email compromise scams use a variety of social engineering techniques to convince the targeted accounts department employee to make the transfer.
Business Email Compromise Scams are a Growing Problem
The FBI has previously warned businesses of the growing risk of business email compromise scams. In April this year, the FBI Phoenix Office issued a warning about a dramatic rise in BEC attacks. The data showed that between October 2013 and February 2016 there had been at least 17,642 victims of BEC attacks in the United States, and the losses had reached $2.3 billion.
New data from the FBI suggest that the problem is far worse. The FBI has now incorporated business email compromise scam data from the Internet Crime Complaint Center (IC3). 22,143 reports have now been received from business email compromise scam victims, which correspond to losses of $3,086,250,090.
Between October 2013 and May 2016, there have been 15,668 domestic and international victims, and losses of $1,053,849,635 have been reported. In the U.S. alone, there have been 14,032 victims. Since January 2015, there has been a 1,300% increase in losses as a result of BEC attacks. The majority of the funds have been wired to Asian bank accounts in China and Hong Kong.
The FBI warns of five scenarios that are used by criminals to commit fraud using BEC scams:
- Requests for W-2s or PII from the HR department – The data are used to file fraudulent tax returns in the names of employees
- Requests from foreign suppliers to wire money to new accounts – Attackers discover the name of a regular foreign supplier and send an email request for payment, including new bank details (their own).
- Request from the CEO for a new transfer – The CEO’s (or other executive) email account is compromised and a request for a new bank transfer is sent to an individual in the accounts department who is responsible for making bank transfers
- A personal email account of an employee of a business is compromised – That account is used to send payment requests to multiple vendors who have been identified from the employee’s contact list
- Impersonation of an attorney – Emails are sent from attackers claiming to be attorneys, or representatives of law firms, requesting urgent transfers of funds to pay for time-sensitive matters
To protect against BEC attacks, businesses are advised to use 2-factor authentication on all business bank transfers, in particular those that require payments to be sent overseas. Organizations should treat all bank transfer requests with suspicion if a request is sent via email and pressure is placed on an individual to act quickly and make the transfer.
The FBI recommends that businesses never use free web-based email accounts for business purposes. Organizations should also be careful about the information posted to social media accounts, in particular company information, job descriptions and duties, out of office details, and hierarchical information about the company.
The self-proclaimed Spam King, Sandford Wallace, has been sentenced to 30 months in jail for a Facebook spam campaign conducted between November 2008 and February 2009.
Wallace hacked approximately 550,000 Facebook accounts and used those accounts to post spam messages to users’ walls which directed their Facebook followers to webpages which harvested login credentials and other personal information.
For each account that was compromised, Wallace gathered details of the users’ friends and posted spam messages to their walls. Wallace used an automated script to sign into the hacked accounts and post spam messages. In total, more than 27 million spam messages were sent via those accounts. Wallace was allegedly paid for sending traffic to websites via the spam messages. Wallace’s activities earned him the nickname “Spamford” Wallace.
It has been widely reported that Wallace was a career spammer, having first made a business out of spamming in the 1990’s with a company called Cyber Promotions. The company was reportedly sending around 30 million spam emails a day.
Wallace had been found guilty of Internet offenses in civil cases in the past, resulting in a fine of $4 million in 2006 for use of malicious popup adverts and a fine of $230 million for phishing attacks via MySpace in 2008. This is the first time the spam king has received a criminal conviction for his online activities.
Wallace was indicted in 2011 for the improper accessing of Facebook accounts and for sending unsolicited adverts on three occasions, spread over a period of 4 days. He was banned from accessing Facebook, yet violated the court order resulting in a charge of criminal contempt of court. Wallace was released on a bond, and while he was due to be sentenced in December, the case had to be delayed after two of Wallace’s lawyers quit.
The Spam King’s campaigns have resulted in him being ordered to pay more than $1 billion in damages, although Wallace was unable to pay the civil fines.
Wallace was convicted of one count of fraud and related activity in connection with electronic mail and one count of criminal contempt. The Office of the United States Attorney for the Northern District of California recently announced the sentence, which was passed down by Judge Edward J. Davila.
In addition to the jail term, the spam king has been ordered to pay fines of over $310,000. Wallace could have received a maximum jail term of three years. Wallace will also be required to undergo 5 years of supervised release once the sentence has been served. That sentence begins on Sept, 7, 2016.
Spike in Spam Emails Containing Malicious Office Macros
The documents containing the shipping notices contained a malicious macro. In order to open the attached file, users were required to enable macros on their devices. Doing so would trigger a ransomware download. Email recipients who have their office settings configured to automatically allow macros to run are at particularly at risk, as simply opening the email attachment would result in Locky being downloaded onto their devices.
Proofpoint also recorded this spike in malicious spam emails, although the company put the total number of emails in the campaign at over 100 million, making this one of the largest spam email campaigns seen in recent years, and certainly one of the biggest campaigns of 2016.
The Amazon spam email campaign is being distributed using spam botnets on virtual machines and consumer devices. This campaign was notable because the attackers were able to manipulate the email headers. This made the messages appear legitimate to email recipients. Any email recipients who regularly use Amazon.com for purchases could easily be fooled into opening the file attachment.
The emails used the subject line: “Your Amazon.com order has dispatched” along with a code number, closely mimicking the emails sent up Amazon. The body of the email did not contain any text. If users want to find out which order the email refers to, they would need to open the file attachment. The emails also appear to have been sent from the Amazon.com domain, making it much harder for email recipients to determine that the messages are malicious spam.
Surge in Spam Email Highlights the Importance of Using Spam Filtering Solutions
SpamTitan captures 99.97% of spam email and prevents malicious spam emails from being delivered to inboxes. Since malicious actors are getting much better at masking their messages and making them appear legitimate, it is essential to limit the volume that are delivered to end users rather than rely on individuals to be able to identify emails as spam.
A recent report issued by the Anti-Phishing Working Group highlights worrying phishing activity trends. According to the Phishing Activity Trends Report, the number of new phishing websites is growing at an alarming rate.
A recent report published by PhishMe showed that email phishing activity has now reached unprecedented levels. Phishing email volume increased by 789% quarter over quarter. The APWG report shows that cybercriminals are also increasingly conducting web-borne attacks. Phishing websites increased by 250% from the last quarter of 2015 through the first quarter of 2016.
APWG expected to see an increase in the number of phishing websites created in the run up to the holiday season. Every year, criminals take advantage of the increased number of online purchases being made around Christmas. Many new phishing websites are created in November and December and online fraud always increases in December.
However, typically, there is a drop in spamming an online fraud in January. This year that fall did not occur. In fact, the number of new phishing websites continued to rise in January. There was a slight fall in February, before a major increase in March. According to the Phishing Activity Trends Report, in December 2015, 65,885 unique phishing websites were detected. In January 2016, the total had risen to 86,557. By March the total had reached a staggering 123,555 unique phishing websites.
Cybercriminals are most commonly targeting the retail sector and are spoofing websites in an attempt to defraud consumers. 42.71% of phishing websites target the retail sector, with the financial sector in second place with 18.67% of sites. Payment services accounted for 14.74% of sites, ISPs 12.01%, and multimedia sites 3.3%.
The phishing activity trends report indicates an increase in the targeting of cloud-based or SAAS companies, which it is claimed is driving the attacks on the retail sector.
More than 55% of phishing websites contain the name of the target brand somewhere in the URL. Attackers are concentrating the attacks on the most popular brands. By March 2016, APWG reported that 418 different brands were being targeted using phishing websites.
Phishing email campaigns are known to be sent extensively from outside the United States, although when it comes to phishing websites they are usually hosted in the United States. 75.62% of phishing websites are hosted in the US.
The United States also hosts the most phishing-based Trojans and downloaders – 62.36%. China is also being extensively targeted. China hosted 5% of phishing-based Trojans and downloaders in January. By March, the figure had risen to 13.71%.
More than 20 million new malware samples were detected at the start of 2016 – That’s an average of 227,000 new malware samples every day. The majority of new malware are Trojans, which account for 66.81% of new samples. Viruses were second (15.98%) and worms third (11.01%).
The massive rise in phishing websites highlights how important it is for caution to be exercised when purchasing online. Businesses should also take additional precautions. Web filters can be used to block phishing websites from being visited by employees. A web filtering solution – WebTitan for example – can also be used to prevent drive-by downloads of malware and ransomware.
The latest phishing email statistics released by the anti-phishing training company PhishMe show the extent to which the use of phishing has increased in recent months.
PhishMe compiles quarterly phishing email statistics and tracks the volume of phishing emails being sent. During the first three months of 2016, the volume of phishing emails increased by a staggering 789%. More than 6.3 million more phishing emails were sent in Q1, 2016 than in Q4, 2015.
According to the quarterly report, the biggest problem currently faced by personal and corporate computer users is ransomware. Ransomware emails now account for more than 93% of all phishing emails. Ransomware offers a quick payout for cybercriminals and the campaigns can be quickly developed and run. In fact, ransomware emails are being sent by criminals with little or no programming skill. They can simply purchase ransomware kits on darknet marketplaces and obtain a cut of the ransom payments that are made.
Targeted ransomware attacks are now being conducted on businesses of all sizes. Criminals are well aware that many organizations do not regularly perform backups of critical data. Even when backups are performed, many organizations do not unplug their backup devices. The latest ransomware variants are capable of deleting Windows shadow copies and encrypting backup files on connected storage devices. This gives organizations no alternative but to pay the ransom demand to recover files. The biggest threat is now Locky. Locky is delivered via spam email using JSDropper or malicious Word macros.
PhishMe’s phishing email statistics also show two other main trends. Cybercriminals are tending to concentrate on soft-targeted campaigns. Spear phishing emails target just one or two individuals, but the latest trend sees malicious emails messages sent to a group of individuals in an organization – the billing department for instance. The emails are targeting specific roles in an organization rather than specific individuals.
The increase in malicious spam email shows how important it is for organizations to employ a robust spam filtering solution – SpamTitan for example – and to also ensure that employees are informed of the high risk of phishing attacks occurring. Employees should also be instructed how to identify phishing emails and told how they should respond if they believe they have been sent a malicious email message.
A new report by anti-phishing training company PhishMe shows a marked rise in the volume of ransomware emails in March. The report shows that spam emails are now predominantly being used to deliver ransomware to unsuspecting victims. The spike in ransomware emails highlights how important it is to conduct anti-phishing training and to use anti-spam solutions to prevent the malicious file-encrypting software from being delivered to employee’s inboxes.
Spike in Ransomware Emails as Criminals Seek Easy Cash
Ransomware has been around for about a decade, yet it has not been favored by cybercriminals until recently. Throughout 2015, under 10% of phishing emails were being used to transmit ransomware. However, in December there was a major spike in ransomware emails, which accounted for 56% of all phishing emails in December. The upward trend has continued in 2016 and by March, 93% of phishing emails contained ransomware – or were used to infect users by directing them to malicious websites where drive-by downloads of the malicious software occurred.
Spam email volume has been in general decline, in no small part to the shutting down of major botnets in recent years. However, that does not mean that the threat of cyberattacks via email can be ignored. In fact, PhishMe’s figures show there has been a surge in the number of phishing emails being sent. In the first quarter of 2016, the number of detected phishing emails soared to 6.3 million, which represents a 789% increase from the volume captured in the last quarter of 2015.
Ransomware is increasingly being used by cybercriminals for a number of reasons. Ransomware is now easy to obtain and send out. Many ransomware authors offer ransomware-as-a-service to any criminal looking to make a quick buck. Not only can the ransomware be hired for next to nothing, instructions are supplied on how to use it and criminals are allowed to set their own ransoms and timescales for payment. All they need to do is pay a percentage of the ransoms they obtain to the authors.
What makes the use of ransomware even more attractive is the speed at which criminals can get paid. Time limits for paying ransoms are usually very short. Demands for payment within 48 hours are not uncommon. While phishing emails have commonly been used to obtain credit card details from victims, which then need to be sold on, criminals can run a ransomware campaign and rake in Bitcoin payments in just a few days.
The ransoms being demanded are also relatively low. This means that many individuals can afford to pay the ransom to obtain the decryption keys to unlock their files, and businesses are also likely to pay. The cost of recovering data and restoring systems, together with the lost revenue from the time that computer systems are down, is often less than the ransom being demanded.
Ransomware Is Becoming Much More Sophisticated
The latest forms of ransomware now being used – Locky, CryptXXX, TeslaCrypt, and Samas (Samsam) – are capable of spreading laterally. Not only can the ransomware infect files on a single computer, other networked computers can also be infected, as can network drives, servers, portable storage devices, and backup drives. Some forms are also capable of deleting Windows shadow copies and preventing the restoration of files from backups.
All that the criminals need is for one business computer to be infected in order to encrypt files throughout the network. That means only one end user needs to be fooled into opening an infected attachment or visiting a malicious webpage.
Ransomware emails often contain personal information to increase the likelihood of an individual clicking a malicious link or opening an infected attachment. Word files are now commonly being used to infect users. Embedded macros contain code that downloads the malicious payload.
The malicious software is sent out in spear phishing campaigns targeting one or two users in a company, such as accounts and billing department executives. Personal information is often used in the emails – names, addresses, and job titles for example – to increase the likelihood of attachments being opened and links being clicked.
As criminals get better at crafting phishing emails and the ransomware becomes more sophisticated, it is more important than ever to use anti-spam solutions such as SpamTitan to trap ransomware emails and prevent them from being delivered. SpamTitan traps 99.9% of spam emails, helping organizations protect their networks from ransomware attacks.
With 1.65 billion active Facebook accounts, the social media network is a big target for scammers, so it is no surprise that there is a new Facebook phishing scam currently doing the rounds. If the spammers behind the latest attacks can get even a tiny percentage of users to fall for the scam they could be in for a very big payday.
Latest Facebook Phishing Scam Warns of Violation of Terms of Service
The latest Facebook phishing scam threatens account holders by telling them that their accounts will be closed due to a violation of Facebook’s terms of service. The email claims that the account owner has been reported for irregularities of content and that action must be taken to correct the issue of the account will be permanently closed.
The message contains an ow.ly shortlink that users must click to verify that they are the actual owner of the account. The link contains the works “Verify” and “Facebook,” which may fool some message recipients into thinking the message is genuine.
The link included in the email is fake of course. It directs the victim to a phishing website where they are asked to supply their login credentials. If account holders are fooled into clicking the link they are likely to proceed and enter in their account login and password, which will not grant access to Facebook to remove the offending violations. It will simply give those credentials to the attackers. Victims are also asked to supply their date of birth and a security question.
Since many people often use the same passwords for multiple social media accounts, email accounts, and online banking, the potential losses could be considerable. Worse still, many individuals use the same passwords for their private accounts as they do for their work accounts. The fallout from this single scam could therefore be considerable.
With the login and password, the attackers could abuse the account and use it to send phishing messages to all of the account holder’s friends. However, the latest scam does not stop there. After supplying these details, the second phase of the scam starts. The victim is directed to a new page where they are asked for their credit card details to confirm their identity. If supplied, the details would be used to make purchases in the victim’s name
This latest Facebook phishing scam is fairly easy to spot as it contains many tell-tale signs that the notification is not real. The message starts with “Dear Customer” for a start. It would be reasonable to assume that Facebook would know the account holder’s name and would address the email to them personally. Not that Facebook sends out email notifications such as this, although many users would be unaware of that. The message also uses poor grammar, and an ow.ly link rather than a facebook.com hyperlink.
Suspected Page Forgery Facebook Scam Email Targets Business Users
Another version of this scam uses the same format as Facebook notifications sent to account holders via email. This email is harder to identify as a Facebook phishing scam. The link supplied appears to be a genuine Facebook link and the address supplied in the email also appear to be genuine. Correct English is used and the email has been very carefully crafted.
Clicking the link will take the user to a webpage that uses the Facebook logo and color scheme. The page explains there has been a violation of Facebook’s Terms of Service and that an unacceptable offer has been made using Facebook’s offer creation tool. Users are asked to secure their account if this is a mistake. To secure the account users must enter their username and password, and set a new security question. As with the other version, the account details will be used to hijack the account.
All Facebook users – businesses and individuals – should be particularly wary about Facebook emails and be wary of scams. If any Facebook messages are received, the account should be checked by logging in via the browser or using the Facebook App, never using the link supplied in the email. If there is a problem with the account, users will be informed of this when they login.
According to a recent report on spam email from anti-virus software developer Kaspersky Lab, the decline in spam email over the past few years appears to have reversed, with the first quarter of 2016 seeing a major increase in malicious spam email volume.
Major Increase in Malicious Spam Email Volume Reported by Kaspersky Lab
Over the past few years there has been a decline in the number of spam emails, as cybercriminals have sought other ways to deliver malware and defraud computer users. In 2015, the volume of spam emails being sent fell to a 12-year low. Spam email volume fell below 50% for the first time since 2003.
In June 2015, the volume of spam emails dropped to 49.7% and in July 2015 the figures fell further still to 46.4%, according to anti-virus software developer Symantec. The decline was attributed to the taking down of major botnets responsible for sending spam emails in the billions.
Malicious spam email volume has remained fairly constant during 2015. Between 3 million and 6 million malicious spam emails were detected by Kaspersky Lab throughout 2015; however, toward the end of the year, malicious spam email volume increased. That trend has continued in 2016.
Image source: Kasperky Lab
Wide Range of Malicious Files Being Sent in Spam Email
While it was common for virus-loaded executable files to be sent as email attachments, these are now commonly caught by email filters and are marked as spam. However, spammers have been developing new methods of getting past traditional webmail spam filters. The spam emails intercepted by Kaspersky Lab now contained a wide variety of malicious files.
One of the most common methods now used by spammers is to send office documents infected with malicious macros. Microsoft Word files with the extension DOC and DOCX are commonly used, as are rich text format files RTF, Adobe PDF files, and Microsoft Excel spreadsheets with the extensions XLS and XLSX.
These file formats are commonly opened as many end users are less suspicious of office documents than they are about ZIP, RAR, and EXE files. Most office workers would know not to open a EXE file that was emailed to them by a stranger, yet an office document – a file format they use on a daily basis – is less likely to arouse suspicion.
Instead of the emails containing the actual malware, virus, or ransomware payload, they contain Trojan downloaders that download JS scripts. Those scripts then perform the final stage of infection and download the actual malware or ransomware. This method of attack is used to bypass anti-virus protections.
Web Filters and Email Spam Filters Should be Used to Reduce the Risk of a Malware Infection
There has been an increase in drive-by downloads in recent years as attackers have lured victims to websites containing exploit kits that probe for vulnerabilities in browsers and browser plugins. Visitors are redirected to these malicious websites when visiting compromised webpages, via malvertising, and malicious social media posts. While drive-by downloads are still a major threat, the use of web filters and anti-virus software browser add-ons are blocking these malware downloads and malicious websites.
Email is still a highly effective way of getting past security defenses and getting end users to install malware on their devices. Carefully crafted emails that include unique text increase the likelihood of the scammers getting users to open malicious attachments. Oftentimes, the messages include personal information about the recipient such as their name or address. This has helped the spammers to get the victims to take the desired action and run malicious macros and install malware.
It may be too early to tell whether spam email volume has only temporarily spiked or if there is a reversal in the decline of spam, but organizations and individuals should remain vigilant. The increase in malicious spam email volume should not be ignored.
Staff members should receive regular training on how to identify malicious email messages and phishing scams. It is also a wise precaution to use a robust spam filter such as SpamTitan. SpamTitan blocks 99.97% of malicious spam email messages, dramatically reducing the probability of malware, ransomware, adware, and spyware being installed.
Scammers are constantly coming up with crafty ways to fool computer users into revealing login credentials and installing malware, with the latest speeding ticket email scam being used for the latter. Emails are being sent to individuals claiming they have been caught driving too fast and are sent a link to click to pay their speeding ticket.
If the targeted individual clicks on the link contained in the spam email they will be directed to a malicious website that will download malware onto their computer.
This particular scam has been used to target drivers in Philadelphia. While the majority of spam emails are sent out randomly in the millions in the hope of fooling some individuals into clicking on malicious links, this particular campaign is anything but random. Individuals are being targeted that are known to have exceed the speed limit.
Not only have the attackers obtained the email addresses of their targets, they have also send details of where the individual exceeded the speed limit. So how is this possible?
This particular speeding ticket email scam is understood to have been made possible by the attackers hacking a Smartphone app that has access to the GPS on the phone. The attackers use location data and the phones GPS to determine which individuals have exceeded the speed limit. They are then sent a speeding ticket scam email telling them to click on a link where they can see details of their vehicle license plate in the location where the infraction took place. They are also informed of the speed limit in that location together with speed that the individual was travelling. The speeding driver is told he or she has 5 days to pay the citation.
While this speeding ticket email scam could easily be used by the attackers to obtain credit card details or phish for other information, it appears to only be used to install malware. Clicking on the link in the email to view license plate details does not actually reveal the image. It silently installs malware.
The police department in Tredyffrin, PA, where drivers were targeted with this speeding ticket email scam, has not cited callers for their speeding violations when they have called to query the fine, even when they have confessed to speeding over the phone.
How to Protect Yourself Against Email Scams
This speeding ticket email scam is particularly convincing as it uses real data to fool users into clicking on the malicious link. Many spam email campaigns now use personal information – such as real names and addresses – to fool targets into opening infected email attachments or clicking on malicious links. This type of targeted spear phishing email is now all too common.
To protect against attacks such as this, there are a number of steps that should be taken.
- If contacted by email and asked to click a link, pay a fine, or open an attachment, assume it is a scam. Try to contact the individual or company to confirm, but do not use the contact information in the email. Perform a search on Google to obtain the correct telephone number to call.
- Carefully check the sender’s email. Does it look like it is genuine?
- Never open email attachments from someone you do not know
- If you receive an email offering you a prize or refund, stay safe and delete the email
- Ensure that anti-virus software is installed on your computer and is up to date.
File-encrypting ransomware is now one of the main UK cybersecurity threats. Rather than stealing sensitive corporate data, criminals have taken to locking it with powerful encryption to prevent businesses from performing day to day functions. Without access to data, business often grinds to a halt.
Ransomware is nothing new, but over the past few years it has become much more popular with cybercriminals who are increasingly targeting businesses. If criminals can succeed in breaching businesses’ security defenses and locking critical files, a ransom can be demanded in order to supply security keys to unlock the encryption. If no viable backup copy exists, businesses may be left with no alternative but to give in to attackers’ demands. Those demands include sizable payments in Bitcoin – A virtually anonymous currency.
Ransomware attacks in the United States have attracted the headlines, but across the pond, ransomware attacks on UK businesses have also been increasing. According to the latest research from ESET, ransomware is now one of the main UK cybersecurity threats accounting for more than a quarter of threats. In the week of April 19 to 26, 26.16% of threats involved ransomware.
How to Block Ransomware Infections
Unfortunately, there is no single method of blocking ransomware infections that is 100% effective, although by using a multi-layered approach, small to medium-sized businesses can greatly reduce the probability of ransomware being installed on their computers and networks.
Ransomware is installed via a number of different methods, although one of the most common methods of ransomware delivery is spam email. Spam email is used to send out malicious attachments that install malware, which in turn installs ransomware on computers. One of the most common methods of infection is Word documents containing malicious macros.
Attackers also use emails containing malicious links. End users are enticed to click those links using social engineering techniques. One click is often all that is required to install ransomware. While it is possible to train employees to be more security aware, all it takes is for one member of staff to install malware for a network to be encrypted. The latest strains of ransomware are capable of encrypting files on single computers, connected USB drives, and network drives. It is important to provide staff training, but a software solution should also be used to block spam emails and prevent them from being delivered.
SpamTitan can keep an organization well protected from malware and ransomware infections. SpamTitan uses two leading anti-virus engines – Kaspersky and ClamAV – to block the vast majority of spam email. SpamTitan detects and blocks 99.98% of spam email, which prevents end users’ spam and phishing email detection skills from being put to the test.
SpamTitan blocks malicious emails, infected email attachments, and links to phishing websites and sites where drive-by downloads of malware take place. This single software solution can help organization mitigate the risk from many of the main UK cybersecurity threats.
If you want to block ransomware and malware and reduce the time your employees spend sifting through spam email, contact the sales team today for further information or sign up for a free SpamTitan trial.
Businesses have been put on alert following the discovery of a new personalized phishing scam that attempts to trick users into installing malware on their company’s computers. These new personalized phishing scam emails are primarily being used to spread CryptoWall ransomware, although that is far from the only payload delivered.
New Personalized Phishing Scam Delivers Wide Range of Malware
The new scam is also being used to deliver the Arsnif/RecoLoad POS reconnaissance Trojan to organizations in the retail and hospitality industries, as well as the Ursnif ISFB banking Trojan.
The current attack does not target all employees. Instead it is used to try to install malware on the computers of users with elevated network privileges such as senior executives, CFO’s, senior vice presidents, CEO’s, heads of finance, and company directors. These individuals not only have access to a far greater range of data, they are also likely to have access to corporate bank accounts.
If the payload is delivered it can result in POS systems being infected, access to bank accounts being gained, as well as widespread data encryption with ransomware. Once single email could cause a considerable amount of damage. The emails are currently being used to target organizations in the financial services, although the retail, manufacturing, healthcare, education, business services, technology, insurance, and energy sectors have also received large volumes of these emails.
What makes this particular phishing campaign stand out is the fact that the emails have not been delivered to random individuals. Many spammers send out phishing emails in the millions in the hope that some individuals will respond. However, this is a personalized phishing scam targeting specific individuals. Those individuals have been researched and the emails include data specific to the target.
Each email refers to the recipient by name and includes their job title, address, and phone number in the body of the email. The subject is specific, the email crafted for a particular industry, and the attached files and links have been named to make them appear genuine. The emails have also been well written and do not contain the spelling and grammar mistakes typical of spam email.
A personalized phishing scam such as this is not usually conducted on such a large scale. Spear phishing emails are usually send to just a handful of individuals, but this personalized phishing scam is being sent to many thousands of people, in particular those in the Unites States, United Kingdom, and Australia.
The data used in the email body could have been harvested from a social media site such as LinkedIn, although the scale of the attack suggests data has been obtained from elsewhere, such as a previous cyberattack on another company such as a supplier or an Internet site. Companies that do not use a robust spam filter such as SpamTitan are particularly at risk.
Eastern European hackers may only have had access to GozNym banking malware for a few days, but they have already used the malicious software to make fraudulent bank transfers from more than two dozen bank accounts. The new malware is primarily being used to target banks and credit unions, although the attackers have also used the malware to attack e-commerce platforms. 22 attacks have been conducted on financial institutions in the United States with a further 2 attacks in Canada. So far the attackers behind the GozNym banking malware have managed to steal at least $4 million from U.S and Canadian banks.
GozNym Banking Malware Combines Gozi ISFB with Nymaim Source Code
As the name suggests, GozNym banking malware was developed by combining two different malware strains – Nymaim and Gozi ISFB.
IBMs X-Force Research team believe the new malware is the work of the team behind Nymaim malware, as the source code of Nymaim is understood to be only held by the original developers of the malware. The source code for Gozi ISFB malware has previously been leaked on two occasions. X-Force analysts think the Nymaim malware developers obtained that source code and used the best parts to form the new hybrid Trojan.
Nymaim malware has previously been used almost exclusively as a method of ransomware delivery, although the group behind the malware started using it as a banking Trojan late last year. Nymaim malware is a two stage malware dropper that is loaded onto computers using an exploit kit.
Links to a website containing the Blackhole Exploit Kit are sent via spam email. Once Nymaim has been loaded onto a computer, the second payload is deployed. In the case of GozNym banking malware the second stage is the running of Gozi ISFB code.
GozNym banking malware is stealthy and persistent. The malware remains dormant on a computer until the user logs into their bank account. When account details are entered, GozNym records the login credentials and silently sends them to the attackers’ command and control server. If GozNym banking malware is installed, the user will be unaware that their banking sessions have been compromised.
IBM recommends using adaptive malware detection solutions to reduce the risk of an attack. Anti-spam solutions such as SpamTitan can prevent emails containing the malicious links from being delivered, while WebTItan web filtering solutions can be used to block websites containing malicious code and exploit kits.
With new malware constantly being developed – around 1,000,000 new malware samples are now being released every day according to Symantec – organizations now need to implement sophisticated multi-layered defenses to protect their networks from malware infections.
Over the past three years business email compromise scams have been conducted with increasing regularity. However, over the past year the number of business email compromise scams reported to the Federal Bureau of Investigation (FBI) have increased dramatically.
Since January 2015, the FBI reports there has been a 270% increase in BEC attacks. FBI figures suggest the total losses from business email compromise scams since October 2013 has risen to $2.3 billion. Reports of successful BEC scams have been sent to the FBI from over 79 different countries around the world, which have affected more than 17,642 businesses.
Business email compromise scams involve the attacker gaining access to a corporate email account, such as that of the CEO, and requesting a bank transfer be made to their account. An email is sent from the CEO’s account to an accounts department employee, and all too often the transfer is made without question.
Unfortunately for U.S Businesses, BEC attacks are likely to increase as more cybercriminals get in on the act. Security experts have warned that the situation is likely to get a lot worse before it gets better. With the average fraudulent bank transfer between $25,000 and $75,000 and considerable potential to obtain much higher sums, criminals are more than willing to conduct the attacks.
A recent report from Dell SecureWorks indicates some hackers are selling their services on underground marketplaces and are offering access to corporate email accounts for just $250. Since cybercriminals could buy access to corporate email accounts, even relatively unskilled criminals could pull off a BEC scam and potentially have a million dollar+ payday. A number of large corporations have been fooled by these scams and have recorded losses of well over $1 million.
Business Email Compromise Scams Can Be Highly Convincing
BEC scams are convincing because even with security training, staff members tend to assume attacks will come from outside their organization. Employees are suspicious about emails that request the disclosure of login credentials, and a request to make a bank transfer that has not come from within an organization is likely to be immediately flagged as a scam.
However, when the CEO sends an email to a member of the accounts department requesting a bank transfer, many employees would not think to question the request. The person arranging the transfer would be unlikely to call the CEO to confirm payment. The transfer may go unnoticed for a number of days, by which time the funds would have been withdrawn from the attackers account and would be impossible to recover.
To conduct this type of attack the attacker would need to gain access to the email account of the CEO or an executive in the company who usually sends bank transfer requests to the accounts department. Once access has been gained, the attacker can read emails and learn the terminology typically used by that member of staff.
An email can then be written in the same language used by that individual. This ensures that the email does not rouse suspicions. Attackers research the transfer requests that are typically made and set the dollar amounts accordingly.
Since the account transfers are made to bank accounts outside the United States, the companies most frequently targeted are those that often make International payments. To the targeted accounts department employee, the request would seem perfectly normal.
How to Reduce the Risk of Employees Falling for BEC Scams
There are a number of ways that organizations can reduce the risk of employees falling for business email compromise scams. SpamTitan could not block a request sent from a compromised email account, but oftentimes attackers spoof email addresses. They purchase a domain that looks very similar to the targeted company, often transposing two letters. Oftentimes a domain is purchased replacing a letter “i” or an “L” with a “1”. If the email address of the sender is not carefully checked, this could well go unnoticed. SpamTitan can be configured to automatically block these spoofed email addresses to prevent these emails from being delivered.
To prevent employees from falling for business email compromise scams sent from compromised email accounts, policies and procedures should be introduced that require all account transfers to be verified by two individuals. Large transfers should also, where possible, be confirmed by some means other than email. A quick call to sender of the email for instance.
Organizations that choose to do nothing could regret failing to take precautions. Take the Austrian Airline parts company FACC for example. It reportedly lost approximately $55 million to such a scam.
Vulnerabilities in Adobe Flash Player are discovered with such regularity that news of another raises few eyebrows, but the latest critical vulnerability – discovered in Adobe Flash Player 126.96.36.199 and earlier versions – is a cause for concern. It is already being exploited by hackers and is being used to infect users with ransomware.
Any device that is running Adobe Flash Player 188.8.131.52 (or earlier) is at risk of the vulnerability being exploited and malicious file-encrypting software being installed. The latest vulnerability can be used to attack Windows, Macs, Linux systems and Chromebooks, according to ProofPoint, although Adobe reports that the vulnerability only affects Windows 10 and earlier versions running the vulnerable versions.
Flash vulnerabilities are usually exploited by visiting malicious websites or webpages that have been compromised and infected with exploit kits. Those exploit kits probe for a range of weaknesses, such vulnerabilities in Adobe Flash Player, and exploit them to download malware or ransomware to the user’s device.
These drive-by attacks occur without users’ knowledge, as the downloaded file is not displayed in the browser and is not saved to the download folder. It is also difficult to determine whether a website has been compromised or is malicious in nature without software solutions that analyze the website content.
Vulnerabilities in Adobe Flash Player Exploited to Deliver Cerber and Locky Ransomware
The latest attack uses the Magnitude exploit kit. The fact that it is Magnitude suggests the latest ransomware attacks are the work of an individual cybercriminal gang. That gang has acted quickly to include the latest Flash vulnerability into Magnitude.
According to Trend Micro, the vulnerability is being used to deliver Locky ransomware – the malicious file-encrypting software that has been used to attack hospitals in the United States in recent weeks. Locky was reportedly the ransomware used in the attack on Hollywood Presbyterian Medical Center in February. That infection cost the healthcare organization $17,000 to remove, not to mention the cost of attempting to remove the infection and restore backup files prior to the ransom being paid.
ProofPoint suggests the vulnerability is being used to deliver Cerber ransomware. Cerber is a new ransomware that has was released in the past month. It can be used to encrypt files on all Windows versions, although not those in Russian.
Cerber and Locky are being downloaded via malicious websites, although these are typically not visited by the vast majority of Internet users. In order to get traffic to these sites the attackers are using spam email containing malicious attachments.
In contrast to many malicious spam emails that install malware using executable files and zip files, the attackers are using Word documents containing malicious macros. The macros do not download the ransomware directly, instead they direct the victim, via a number of redirects, to a malicious site where the drive-by download takes place.
The vulnerability, named as CVE-2016-1019, will crash Adobe Flash when it is exploited. Adobe reports that the vulnerability exists in 184.108.40.206. Trend Micro says the exploit will not work on versions 220.127.116.11 and 18.104.22.168, only on Flash 22.214.171.1246 and earlier versions due to mitigations put in place by Adobe.
ProofPoint’s Ryan Kalember said that the exploit has been engineered to only work on earlier versions of Flash and that attacks have been degraded to evade detection. All versions of Flash could potentially be used for the attack should the criminals behind the Magnitude exploit kit so wish.
Of course, this is just one of many vulnerabilities in Adobe Flash Player that can be exploited and used to deliver ransomware or other forms of malware. To prevent attacks, sysadmins should ensure that all devices are updated to the latest version of the software. Adobe said it was releasing a security update to address the vulnerability on April 7, 2016.
Vulnerabilities in Adobe Flash Player are addressed with updates, although there are two software solutions that can help to protect users from attack. Anti-spam solutions such as SpamTitan can be used to prevent spam email from being delivered, reducing the risk of end users opening Word documents infected with malicious macros.
WebTitan products tackle these attacks by blocking malicious websites, preventing users from visiting sites where drive-by downloads take place. There is usually a wait while vulnerabilities in Adobe Flash Player are addressed, and these two solutions can help keep devices malware free until updates are applied.
The past two months have seen a number of healthcare organizations attacked by cybercriminals; however, the MedStar Health ransomware attack discovered on Monday this week must rank as one of the most severe.
The MedStar Health ransomware attack is the latest in a string of attacks on U.S. healthcare organizations, as hackers up the ante and go for much bigger targets where the potential rewards are greater. It would appear that the 10-hospital health system will not need to pay a ransom to regain access to its data, but for three days MedStar Health has been forced to work without access to some of its computer systems after they were shut down to prevent the spread of the infection.
MedStar Health Ransomware Attack Affects 10 Hospitals and More than 250 Outpatient Facilities
MedStar Health is a large U.S health system operating more than 250 outpatient facilities and ten hospitals in the Washington D.C., area. On Monday morning, a virus was discovered to have been installed. The infection triggered emergency IT procedures and rapid action taken to limit the spread of the virus. Three clinical information systems were shut down, including email and the electronic health record system used to record and view patient data.
Without access to email and patient data, services at the hospital were slowed although business continued as close to normal as possible. No facilities closed their door to patients. However, in the 48 hours since the virus was discovered, IT security teams have been working around the clock to bring systems back online. Yesterday, MedStar Health reported that systems were being brought back online with enhanced functionality added bit by bit.
MedStar Health has kept the media and patients notified of progress via social media. The health system reported that “The malicious malware attack has created many inconveniences and operational challenges for our patients and associates.”
While no information was initially released on the exact nature of the computer virus that was discovered to have infiltrated its systems, a number of sources indicate the malicious software was ransomware. It has since emerged that the MedStar Health ransomware attack involved a ransomware from the Samsam family. The ransomware is also known as MSIL and Samas. The attack occurred at the Union Memorial Hospital in Baltimore.
Some computer users were presented with a message demanding a ransom to unlock files. The Baltimore Sun reported that the MedStar Health ransomware attack saw attackers demand a ransom of 45 Bitcoin (approximately $18,500) to unlock all 18 computers that were infected, with an offer to unlock one machine for 3 Bitcoin (approximately $1233).
FBI Issued Warning About Samsam Ransomware on March 25
The FBI reached out to businesses for assistance dealing with the latest ransomware threat from Samsam. While many ransomware infections use email as the vector, Samsam is installed via a tool called JexBoss. JexBoss is used to discover a vulnerability that exists in JBOSS systems. This attack is not conducted using phishing or website exploit kits, instead it works by compromising servers and spreading the infection laterally.
The vulnerability exploited is in the default configuration of the Boss Management Console (JMX) which is used to control JBoss application servers. In its default state, JMX allows unsecured access from external parties and this is used to gain shell access to install the ransomware.
Once a web application server has been infected, the ransomware does not communicate with a command and control server, but will spread laterally and to infect Windows machines, hence the need to shut down systems. The MedStar Health ransomware attack could have been much more severe had rapid action not been taken.
This attack highlights just how important it is to ensure that all systems are patched and default software configurations are changed. Other attacks recently reported by healthcare organizations in the United States have involved Locky ransomware, which is spread via exploit kits on compromised websites and via email spam. Healthcare organizations can protect against those attacks by using web filtering and anti-spam solutions. However, it is also essential to train staff never to open email attachments from unknown sources.
It is getting harder for cybercriminals to deliver malware via email, so attack methods have had to become more sophisticated; the latest attempt uses a malicious PNG file to deliver a banking Trojan.
Simply sending malware as an attachment in a spam email is certain to result in some unsuspecting users’ computers being infected, but cybercriminals are now having to use more advanced techniques to evade detection and get past spam filters and antivirus software. The latest attack method is an example of how attackers are using much more sophisticated methods to evading detection.
Malicious PNG File Used to Infect Windows, OS X, and Linux Machines
A new campaign has been discovered by SecureList which is being used, at present, to attack computers in Brazil. However, while the majority of victims are located in Brazil, the malware is also being used to attack users in Spain, Portugal, the United States and beyond.
To evade detection, the attackers have encrypted a malicious payload in a malicious PNG file – a common image format many people do not usually associate with malware.
The image file is not attached to an email and sent in a spam message, instead the initial attack takes place using a PDF file containing a malicious link. The PDF file is sent out in spam emails which use social engineering techniques to fool users into opening the attachment. The PDF file does not contain any malicious code, instead it uses a link to infect users. Clicking the link in the PDF file initiates the infection process.
The link is used to get users to download a malicious Java JAR file, which in turn downloads an infected ZIP file. The zip file contains a number of other files, including a malicious PNG file, or file with a PNG header. Researchers analyzed the binary file and determined that the PNG file size was much larger than it should be for the size of the image.
Further analysis showed how the malicious PNG file was loaded to the memory – using a technique called RunPE which is used by hackers to hide malicious code behind a legitimate process. In this case that process is iexplore.exe.
The malicious PNG file cannot infect a user on its own, as a launcher is required to decrypt the contents of the file. The attackers send the PDF file to start the infection process. Since the zip file contains the PDF extension, users downloading the file are likely to double click to open, thus infecting their systems. Since the malicious code in the PDF file is encrypted, it is not picked up by antivirus software. However, SecureList points out that the malicious files used in this attack are picked up by Kaspersky Lab products.
A new wave of spam email has prompted antivirus companies to issue a warning about emails infected with Nemucod malware. The emails are rapidly spreading around the globe, with Japan currently the worst hit; however, the prevalence of infected spam email is also particularly high in Europe, Australia, Canada, and the United States.
Nemucod Malware Used to Infect Devices with Teslacrypt and Locky Ransomware
Nemucod malware is a Trojan downloader that is used to install a payload of ransomware. Currently Nemucod malware is being spread via spam email and is being used to download Locky and Teslacrypt ransomware onto the devices of anyone who opens the infected email attachments.
In contrast to many malware-infected emails which contain numerous grammatical and spelling mistakes, the emails being used to spread this nasty malware are well written and convincing. The emails claim the attachment is an invoice or an official document such as a notice requiring the target to appear in court.
As we have previously reported, Teslacrypt and Locky ransomware are particularly nasty ransomware. On download they search the user’s computer for a wide variety of file types and lock all of those files with powerful encryption. They will also search for files on attached portable storage devices, virtual devices, and network drives. Locky is also capable of removing volume shadow copies (VSS) making it impossible for infected users to restore their devices to a point before the ransomware infection.
Documents, images, spreadsheets, system files, and data backups are all encrypted. Locky has been programmed to encrypts hundreds of file types. Fortunately, there are a number of steps that can be taken to prevent malware and ransomware infections.
How to Prevent a Ransomware Infection
Steps can be taken to reduce the risk of ransomware being installed, but even the best defenses can be breached. It is therefore also essential to ensure that all critical data files are backed up regularly. If a daily backup is performed, at worst, an organization should only lose a maximum of 24 hours of data.
It is essential that once backups are made, the drive uses to store the backup files is disconnected. Some ransomware variants are capable of scanning network drives and can encrypt backup files on connected backup devices.
Simply receiving a malicious spam email that has been infected with malware will not result in a device being infected. A device will only be infected if an end user opens the infected attachment.
The best way to defend against ransomware is never to open email attachments that have been sent from unknown individuals. While this is straightforward for individual users, for businesses it is harder to ensure that no member of staff will be fooled into opening an infected email attachment.
It is therefore essential to provide all members of staff with security training to ensure they are aware about best practices to adopt to reduce the risk of installing ransomware. However, all it takes is for one member of staff to open a malicious email attachment for the network to be infected. For peace of mind, a robust spam filtering solution for businesses should be implemented. SpamTitan blocks 99.9% of all spam email, drastically reducing the risk of ransomware and other malicious emails from being delivered to end users.
Locky ransomware may be a relatively new threat for IT security professionals to worry about, but it has not taken long for the malicious malware to make its mark. It has already claimed a number of high profile victims and is fast becoming one of the most prevalent forms of ransomware.
Early last month Hollywood Presbyterian Hospital in California experienced a ransomware attack that took some of its systems out of action for a week until a ransom demand of $17,000 was paid and the hospital’s EHR was decrypted. During that week, staff at the hospital were forced to record data on paper, were unable to check medical records, and X-Ray, CT scans and other medical imaging files were inaccessible. The hospital was not targeted, instead it was the victim of a random attack. That attack was linked to Locky ransomware.
Locky Ransomware Capable of Encrypting Files Stored on Network Drives
Locky ransomware infections occur via spam email messages and it appears that Hollywood Presbyterian hospital’s systems were infected via an email campaign. Locky ransomware is not delivered via spam email directly, instead infection occurs via a malicious Word macro.
When the macro is run, the malicious code saves a file to the disk and downloads the ransomware from a remote server. Upon download the malware searches for a range of file types located on the device on which it is saved, as well as searching portable drives, virtual devices, and network drives to which the computer is connected. Volume Snapshot Service (VSS) files are also removed, removing the option of restoring via Windows backup files.
Staff training on malicious file detection often covers common file types used to mask malicious software such as screensaver files (SCR), executables (EXE), and batch files (BAT). In the case of Locky ransomware, users are more likely to be fooled as infections occur as a result of Word document (DOC) macros. Any user who receives and opens an infected Word document will automatically download Locky to their computer if they have macros set to run automatically. Since users are instructed to enable macros upon opening the infected document, many may do so in order to read the contents of the file.
According to Trustwave SpiderLabs, 18% of the spam emails it had collected over the course of the past week were ransomware, and Locky is believed to comprise a large percentage of those emails. The ransomware is being delivered by the same botnet that was used to send out Dridex malware last year. While the mastermind behind the Dridex banking malware, Moldovan Andrey Ghinkul, has now been apprehended and extradited to the U.S, the botnet infrastructure is being used for this much simpler attack.
The attacks may be simpler but they are providing to be effective. According to Fortinet, over three million hits have been recorded from the Command and Control server used to communicate with Locky.
The infections are unlikely to end until the botnet is taken down. In the meantime, it is essential to exercise caution. While the ransomware does not attack Russian systems, all other users are at risk. Businesses in particular should take action to reduce risk, such as advising staff of the threat of infection via Word files and Zip files. Using a spam filtering solution such as SpamTitan to block malicious attachments is also strongly advisable to prevent malicious emails from being delivered to staff inboxes.
A number of new tax season scams have been uncovered in recent weeks, with one in particular causing concern due to the sheer number of victims it has already claimed. Over the past three weeks, four healthcare providers in the United States have been added to the list of victims. The four healthcare providers have recently announced members of staff have fallen for a W-2 phishing scams and have emailed lists of employees to scammers. Names, Social Security numbers and details of employee earnings have been disclosed.
Healthcare Providers Targeted by New Tax Season Scams
Healthcare HR and payroll staff are being targeted by scammers attempting to gain access to the names, contact details, and Social Security numbers of hospital employees with a view to using the data to commit tax fraud. The latest tax season scams are convincing. The scammers find out the names of staff working in the HR and payroll departments who are likely to have access to employee W-2 forms. A spear phishing email is then sent to the employees requesting a list of W2 copies of employee wage and tax statements for the previous year. They are instructed to compile the lists and enter them in a spreadsheet or PDF and email them as soon as possible.
What makes the scams convincing, and employees likely to respond, is the requests appear to come from within the organization and appear to have been sent by either the CEO or a senior executive. The emails appear to have been sent from the correct email address of the CEO or executive, leading the employees to believe the requests are genuine.
The “From” email address is usually masked so that it appears genuine; although it is not. A reply to the email will be sent outside of the company to an email account being monitored by the scammers. In some cases, domains have been purchased that are very similar to those of the target organizations. Usually two letters have been transposed making the domains appear genuine. An email account is then set up with the same format as used by the company. A quick glance at the email address may not rouse any suspicion.
It may take days or weeks before these tax season scams are detected. By that time, fake tax returns are likely to have been filed in the names of the victims.
HR and payroll staff must be particularly vigilant at this time of year as tax season scams are rife. However, the rise in number of successful phishing attacks suggests that payroll and HR staff have not received refresher training on the dangers of phishing. With attacks still taking place, now is a good time to issue an email bulletin to all staff with access to employee data to warn them of the risk, and to advise them to exercise extreme caution and not send any employee data without checking and double checking the validity of the email request.
IRS Issues New Warning About W-2 Phishing Scams
At the start of February, the IRS issued a warning about the sharp rise in tax season scams this year. Just over a month into tax season and record number of phishing scams and tax season-related malware had been discovered. In January, 1,026 reports of tax-related incidents had been reported, which is an increase of 254 over the previous year.
The incidents continued to increase throughout February, with last year’s total of 1,361 already having been exceeded in the first two weeks of the month. The high volume of tax season scams reported in February prompted the IRS to issue another warning on February 29, with the W-2 phishing scams causing particular concern. So far this tax season, reported tax-related malware and phishing attacks have increased 400% year on year.
Last week a healthcare provider had its electronic health record system locked by ransomware; now a Zika virus email scam has been uncovered, showing the depths that some hackers and cybercriminals will stoop to in order to make a quick buck.
The latest email scam takes advantage of the public interest in the Zika virus epidemic in Brazil. Since April last year, the number of reported cases of Zika fever has grown. Zika fever is caused by the transmission of the Zika virus by Aedes mosquitos. Zika fever produces similar symptoms to Dengue fever, although the symptoms are often milder.
Scientists have also been alerted to a rise in the number of cases of microcephaly reported in Brazil. Microcephaly is a birth defect resulting in babies being born with a smaller than average head as well as other poor pregnancy outcomes. The rise in microcephaly has been linked to the increase in cases of Zika virus.
While no concrete evidence has been uncovered to suggest that pregnant women contracting Zika are likely to give birth to babies with microcephaly, there is concern that Zika can cause the birth defect. The World Health Organization (WHO) reports the virus has now spread to 23 countries. People are naturally worried. Women in Brazil and Columbia have been told to avoid becoming pregnant and hold off having children, while the government in El Salvador has told women not to get pregnant until 2018.
A potentially global health issue such as Zika is naturally a worry for any woman looking to start a family, and understandably the latest news about the virus is likely to be read. Scammers have been quick to take advantage of the media interest, and a scam has been developed to take advantage and infect computers with malware
Zika Virus Email Scam Delivers JS.Downloader Malware
The Zika virus email scam is currently doing the rounds in Brazil and is being sent in Portuguese. The Zika virus email scam appears to have been sent from Saúde Curiosa (Curious Health), which is a legitimate health and wellness website in Brazil. The email contains an attachment infected with JS.Downloader. JS. Downloader is a malware that is used to download malicious malware to infected users’ devices.
The subject line of the email is “ZIKA VIRUS! ISSO MESMO, MATANDO COM ÁGUA!” which translates as Zika Virus! That’s Right, killing it with water!” The email tells the recipient to click on the link contained in the email to find out how to kill the mosquitos that carry the virus, although the email also contains a file attachment which the email recipient is urged to open. Doing so will install the malware onto the user’s device. The link directs the user to Dropbox with the same outcome.
Anyone receiving an unsolicited email with advice about the Zika virus, regardless of the language it is written in, should treat the email with suspicion. This is unlikely to be the only Zika virus email scam sent by cybercriminals this year. With the Olympics taking place in Brazil in the summer, criminals are likely to use topics such as the Zika virus to spread malware.
If you want information about Zika, check the WHO website. If you receive an Zika virus email, delete it and do not click on any links in the email or open any attachments.
Over the past 12 months, cybercriminals have used ransomware with increasing frequency to extort money out of businesses, leading some security experts to predict that healthcare ransomware infections would become a major problem in 2016.
Would cybercriminals stoop so low and attack the providers of critical medical care? The answer is yes. This week a U.S. hospital has taken the decision to pay a ransom to obtain the security keys necessary to unlock data that had been encrypted by ransomware. The attack does not appear to have been targeted, but the ransom still needed to be paid to unlock the hospital’s electronic medical record system.
Last year, Cryptowall infections were regularly reported that required individuals to pay a ransom of around $500 to get the security key to recover files. However, when businesses accidentally install ransomware the ransom demand is usually far higher. Cybercriminals can name their price and it is usually well in excess of $500.
Healthcare Ransomware Infection Results in Hospital Paying $16,664 to Unlock EHR
While businesses have been targeted by cybercriminal gangs and have had their critical data locked by ransomware, it is rare for healthcare providers to be attacked. The latest healthcare ransomware infection does not appear to have been targeted, instead a member of staff inadvertently installed malware which locked the hospital’s enterprise-wide electronic health record system (EHR): The system that houses patient health records and critical medical files.
The EHR of Southern California’s Hollywood Presbyterian Medical Center was locked on February 5, 2016., with physicians and other members of the hospital staff unable to access the EHR to view and log patient health information. An investigation into the IT issue was immediately launched and it soon became apparent that the database had been locked by ransomware.
No one wants to have to pay cybercriminals for security keys, and the hospital took steps to try to recover without having to give in to ransom demands. The Police and FBI were contacted and started an investigation. Computer experts were also brought in to help restore the computer system but all to no avail.
The news of the healthcare ransomware attack broke late last week, with early reports suggesting the hospital had received a ransom demand of 9,000 Bitcoin, or around $3.4 million. The EHR was taken out of action for more than a week while the hospital attempted to recover and unlock its files.
Eventually, the decision had to be taken to pay the ransom. While it may have been possible for patient health data to be restored from backups, the time it would take, the resources required to do that, and the disruption it would likely cause was not deemed to be worth it. Allen Stefanek, CEO of Hollywood Presbyterian Medical Center, took the decision to pay the ransom to obtain the security key to unlock the data.
In a statement posted on the company’s website he confirmed that the reports of a ransom demand of 9,000 Bitcoin were untrue. The attackers were asking for 40 Bitcoin, or $16,664, to release the security key to unlock the hospital’s data.
Stefanek said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Fortunately, healthcare ransomware attacks are relatively rare, as many healthcare providers in the United States already have controls in place to reduce the likelihood of an attack being successful. Staff are trained to be vigilant and not to install software on healthcare devices or open suspicious email attachments. Many use a spam filter to quarantine suspect emails. The latter being an essential protection against healthcare ransomware attacks.
The Importance of a Robust Spam Filter to Prevent Healthcare Ransomware Attacks
A healthcare ransomware attack does not just have a financial impact; it has potential to cause actual harm to patients. The delivery of healthcare services is slowed as a result of the inability to access and share healthcare data, and not being able to view patient health records could delay the delivery of critical patient care or result in incorrect medications being prescribed. That could be a life or death matter. Preventing healthcare ransomware attacks is therefore essential. A technological solution should be employed for maximum protection.
TitanHQ’s SpamTitan software has been developed to keep businesses protected from malware and ransomware attacks. SpamTitan uses two anti-malware engines to maximize the probability of spam emails and malicious attachments being caught and prevented from being delivered to end user inboxes. SpamTitan catches 99.9% of Spam email and quarantines emails with suspicious attachments to prevent them from being delivered.
If you want to reduce the risk of a suffering a ransomware attack and having to pay cybercriminals to unlock critical data, using a robust, powerful anti-spam solution such as SpamTitan is the best way to protect computers and networks from attack. Along with staff training to improve understanding of healthcare ransomware and other malware, it is possible to prevent attacks from being successful.
For further information on SpamTitan anti-spam solutions, contact the TitanHQ team today:
US Sales +1 813 304 2544
UK/EU Sales +44 203 808 5467
IRL +353 91 54 55 00
Or email firstname.lastname@example.org
Virgin Media customers have been complaining about an increase in spam emails since September last year, with many targeted with spoofed emails; however, the Virgin Media spoofed emails are not the result of a data breach according to a statement recently issued by the ISP.
Virgin Media Spoofed Emails Not the Result of a Data Breach
Customers first started to receive spam and spoofed emails in September last year, shortly after Virgin Media moved from Google to its own platform. The problem appears to be affecting individuals with blueyonder and ntlworld email accounts.
The Virgin Media spoofed emails indicate the company has suffered a data breach and hackers are in possession of email accounts and email address books. Virgin Media has denied it has suffered a data breach, although the ISP has acknowledged that some its users are being targeted by spammers and that it is aware of a “spoofed email message problem.”
Virgin Media are claiming that the increase in email spam is a consequence of the change of platform. The ISP maintains its own spam filters are not as effective as those used by Google, hence the increase in email spam since the switch of platform.
While this is plausible and would explain the increase in email spam, it does not adequately explain the Virgin Media spoofed emails. Customers have reported that a number of their address book contacts have received spoofed messages which would appear to have been sent from their email accounts.
Some of the affected customers claim that the spoofing occurs in waves every 3 to 4 weeks. Emails are sent to five address book contacts at a time. Those emails contain a link to a malicious website which is used to download malware to the users’ computers. The victim is aware of the spoofing as they often receive bounce-backs from undeliverable messages.
Customers Blamed for Virgin Media Spoofed Emails
The lack of a reasonable answer and a solution to stop the Virgin Media spoofed emails from being sent has led a number of customers to take to social media sites to vent their spleens and share details of their experiences. A Facebook group has been set up for this purpose. Around 70 customers have come forward and shared their experiences on the Facebook group so far.
Customers complaining about the email spoofing to Virgin Media are being informed that the message storm problem is due to customers, not a data breach. Customers disagree, with many claiming the problem cannot be local. Many bounce backs are generated as the email addresses are out of date, whereas the address books on local computers are not. The problem is therefore with the email address books stored on Virgin Media servers.
Disgruntled customers unhappy with the response they have received from Virgin Media have now complained to the Information Commissioner’s Office, which is looking into the issue.
What are the penalties for spamming? A man from Indianapolis has just discovered the penalties for sending spam can be severe, having been recently sentenced to serve over 2 years in jail.
Indianapolis man discovers the penalties for spamming can be severe
Phillip Fleitz, 31, of Indianapolis was recently sentenced to 27 months in a federal penitentiary after violating the CAN-SPAM Act of 2003: A law introduced to make the spamming of cell phones and email accounts illegal. The law was introduced by George W. Bush to protect U.S. citizens from unwanted marketing messages and pornography. Under the CAN-SPAM Act of 2003, the penalties for spamming include lengthy jail terms and hefty fines.
US District Judge Maurice Cohill Jr. passed sentence in a Philadelphia court earlier this month. The judge said the spam campaign orchestrated by Fleitz was “sophisticated and serious,” and resulted in millions of spam messages being sent to U.S. citizens. Fleitz, along with two other individuals involved in the massive spamming campaign, were raking in between $2,000 and $3000 per week. They were paid for the clicks they managed to generate by sending users to marketing websites.
The marketing websites gathered contact details from visitors, a practice which is legal. What is not legal, and contravenes the CAN-SPAM Act of 2003, is using spam marketing to generate traffic to those websites.
Fleitz was the only individual from the trio to receive a jail term as he was the architect of the scheme. “It was his idea. He was the first to do it,” said prosecuting US attorney Jimmy Kitchen. Last year, Fleitz pled guilty to using a protected computer to relay or retransmit multiple commercial electronic mail messages with the intent to deceive or mislead recipients, with the sentence only just being passed.
Spammer arrested after Darkode website takedown
Flietz was arrested as part of an FBI investigation into Darkode, a website used by hackers and cybercriminals to market illegal computer skills. The taking down of the website resulted in 12 individuals being charged for computer crimes.
The two other individuals involved in the spam campaign, Naveed Ahmed, 27, wrote the program that allowed the scheme to operate. He received 2-years’ probation and was sentenced last year. Dewayne Watts, wrote the spam messages which were designed to fool users into responding. He received 2-months’ probation, including a period of 6 months of being confined to his house.
The spamming campaign was run via servers based in China between September 2011 and February 2013. Fleitz recruited Ahmed to write a computer program that enabled the spammers to send millions of spam text messages and emails to mobile phones and computers. Ahmed’s program mined cellphone numbers and matched them up with carriers. The messages written by Watts advised the recipients they had won gift cards that could be claimed by clicking the links contained in the messages.
The penalties for spamming under the CAN-SPAM Act of 2003 can be severe. While Fleitz only received 27 months in jail, he could potentially have been sentenced to a maximum of 60 months of jail time and fined up to $250,000. When determining the penalties for spamming, judges take prior history into consideration as well as the severity of the offences.
Each January, the PwC Annual Global CEO Survey is published detailing the major perceived threats to corporate growth. This year the results of the survey show that CEOs are more worried about the cost of dealing with cyberthreats, and believe that they can actually have a major negative impact on corporate growth.
Cost of dealing with cyberthreats a major impediment to 2016 growth
The global survey probed 1,409 CEOs about their concerns about impediments to growth, with cyberthreats ranking as one of the top ten major problems. 61% of respondents said they were worried about cyberthreats and the effect they will have on growth this year.
Over-regulation and geopolitical uncertainty were considered to be more pressing concerns, being cited by 79% and 74% or respondents, while the availability of key skills was mentioned as a major threat to growth by 72% of CEOs. The cost of dealing with cyberthreats was ranked as the eighth biggest impediment to growth in 2016.
While 60% of CEOs believe there are more opportunities for growth than 3 years ago, 66% said there were now more threats to growth. 26% said they only saw more opportunities, while 32% saying they only saw more threats.
The cost of dealing with cyberthreats is considerable, although nowhere near as high of the cost of failing to deal with them. Last year the Ponemon Institute calculated the cost of cyberthreats and determined the cost to businesses is soaring, with the IBM sponsored study determining the average cost of dealing with security breaches had risen to $3.8 million.
Some of the large organizations included in the study suffered cybercrime losses as high as $65 million, with the cost of cyberthreats having risen by 23% over the course of the past two years.
The IBM Cost of Data Breach Study determined the cost per stolen record to be between $145 and $154. When cybercriminals manage to steal millions of customer records, the cost to business can therefore be considerable.
Major cyberthreats of 2016
- Cloud computing
- Mobile devices
- State sponsored hacking
- Phishing attacks
- Medical devices
Cyberthreats may be an impediment to growth, but it doesn’t mean that those threats cannot be mitigated. Given the increasing risk it is imperative that adequate security defenses are put in place to repel attacks. Malware and ransomware are becoming more sophisticated and much more difficult to identify, as are the phishing campaigns that are used to deliver the malicious software. Anti-phishing strategies must therefore be implemented to block malicious emails and staff members must be trained how to identify phishing attacks when they do occur.
Implement SpamTitan to block emails from being delivered to employee’s inboxes, conduct regular staff training exercises to better educate employees, and perform phishing email tests to ensure that members of staff get practice at identifying dummy phishing emails.
It is also essential to develop policies and controls to limit the types of websites that employees are able to visit when using their work computers as well as for BYOD. Drive-by malware downloads are an increasing threat. Exploit kits are much more commonly used to probe for security vulnerabilities, such as out of date plugins. These can be exploited and used to download malware to devices without any interaction from the user.
To mitigate the risk, patch management policies must be developed. It is more essential than ever to ensure that all software is updated as soon as patches are released.
What was the best antivirus software solution for 2015 for the enterprise?
Protecting against the ever increasing number of cyberthreats is a full time job. The attack surface is now broader than ever before and hackers are developing increasingly sophisticated methods of obtaining data. The measures that must now be implemented to keep cyberattackers at bay have also increased in diversity and complexity.
Once of the core protections required by all organizations and individuals is an anti-virus software solution, and there is certainly no shortage of choice. But what was the best antivirus software solution for 2015?
The best AV software engines rated by AV-Comparatives
What AV engine detects and removes the most malware? What product offers the best real world protection? Which boasts the best file detection rates? These are all important considerations if you want to keep your organization protected. These and other factors were assessed over the course of the year by AV-comparatives.
AV-Comparatives is an independent testing lab based in Innsbruck, Austria. Each year the company publishes a report detailing the results of the AV tests the company conducted over the course of the year. The report is an excellent indicator of performance.
The company tested 21 of the top AV products on the market, subjecting each to a wide range of rigorous tests to determine the potential of each to protect users against malicious attacks.
The test results clearly show that not all antivirus products are the same. While all AV engines under test offered an acceptable level of performance, “acceptable” may not be good enough for enterprise installations.
The best antivirus software solution of 2015
AC-Comparatives rated performance and issued a number of awards to companies that excelled in specific areas of antivirus and antimalware protection. Gold, Silver and Bronze awards were awarded along with an overall best antivirus software solution for 2015 award.
Antivirus award categories:
- Real-world detection
- File detection
- False positives
- Overall performance
- Proactive protection
- Malware removal
Contenders for the ‘Best Antivirus Software Solution for 2015 Awards’
The Antivirus protects tested and considered for the awards were:
- Avast Free Antivirus
- AVG Internet Security
- Avira Antivirus Pro
- Baidu Antivirus
- Bitdefender Internet Security
- BullGuard Internet Security
- Emsisoft Anti-Malware
- eScan Internet Security Suite
- ESET Smart Security
- F-Secure Internet Security
- Fortinet FortiClient (with FortiGate)
- Kaspersky Internet Security
- Lavasoft Ad-Aware Free Antivirus+
- McAfee Internet Security
- Microsoft Windows Defender for Windows 10
- Panda Free Antivirus
- Quick Heal Total Security
- Sophos Endpoint Security and Control
- Tencent PC Manager
- ThreatTrack VIPRE Internet Security
- Trend Micro Internet Security
The Best Antivirus Software Solution for 2015 Award
After assessing all categories of anti-virus protection there were two AV products that excelled in all categories and received an Advanced+ rating: Bitdefender and Kaspersky Lab, with Kaspersky Lab bestowed the best antivirus software solution for 2015. Kaspersky Lab is one of the two AV engines at the core of SpamTitan anti-spam solutions.
The Russian antivirus company also received a Gold Award for “Real-World” protection, file detection, and malware removal, as well as a Silver Award for proactive (Heuristic/Behavioral) protection, and a Bronze Award for overall low system impact performance.
The astronomical cost of remediation after a cyberattack prompts many companies to take out a cyber insurance policy, but what exactly do cyber insurance policies cover? Is phishing covered by cyber insurance for instance? How about accidental data exposure by employees? Fraudulent bank transfers? Before taking out a cyber insurance policy it is vital to check exactly what the policy covers. If you already have a policy, it might be a good idea to check that too before you need to make a claim.
Debate over whether phishing covered by cyber insurance
In the United States, one company is currently embroiled in a dispute with their cyber insurer over whether phishing is covered by a cyber insurance policy taken out by the company to protect against computer fraud and cyberattacks.
Ameriforge Group Inc., took out cyber insurance with a subsidiary of Chubb Group. The policy, provided to AFGlobal Corp by Federal Insurance Co., was believed to cover computer fraud and funds transfer fraud. A claim was recently submitted to recover $480,000 after a member of staff from its accounting department fell for a spear phishing attack and made a $480,000 bank transfer to the account of the attacker. The insurance policy provided up to $3 million in cover, yet the claim was denied by the insurer on the grounds that the policy did not cover CEO fraud or business email compromise (BEC) as a result of phishing.
In order for the policy to payout, a cybersecurity attack must involve the forgery of a financial instrument. That did not occur in this case. The insurer maintains that the scam email did not qualify as a financial instrument, and therefore the losses suffered cannot be claimed under the terms of the policy.
The business email compromise scam that the policy does not cover
The phishing scam in question is one that is being conducted with increasing frequency. The risk is so high that last year the FBI issued a warning about BEC attacks. These attacks are being conducted all too often on U.S. businesses.
In this case, the person to fall for the BEC phishing scam was AFGlobal Corp’s accounting director Glen Wurm. He received an email from his CEO requesting a bank transfer be made for $480,000. The email was written in a style which was typical of the communications sent from the CEO. This suggested the attacker was well aware of the relationship between the two individuals and had been monitoring email communications.
The phishing email is reported to have contained the following message:
The email was followed up with a phone call from a person claiming to be Steven Shapiro, after which, wiring instructions were sent to allow the transfer of funds to an Agricultural Bank of China account. The money was transferred as requested and it was only when a follow up email was received a week later requesting a further transfer of $18 million that suspicions were raised. Of course, by that point the transferred funds had been withdrawn and the account had been closed.
Chubb Group claims phishing not covered by cyber insurance policy
Chubb Group maintains that this cyberattack is not covered by the insurance policy issued, as the incident falls outside the forgery coverage provided. The claim refers to forgery by a third party and that the email was a financial instrument. The issue in this case is whether the phishing email qualifies as a financial instrument. Chubb’s legal team claims it doesn’t.
In order to be a financial instrument, Chubb says:
For the claim to be paid, the financial instrument must have involved a written promise, order or direction to pay that is ‘similar’ to a “check” or “draft”. As it stands, Ameriforge Group will be required to cover the cost.
This is not the first time that Chubb Group has refused to pay a fraud claim, and Chubb Group is certainly not the only insurance company to refuse to pay out after a phishing attack. Companies are therefore advised to check whether phishing is covered by a cyber insurance policy, and also to find out the specific criteria that must be met in order for a successful claim to be made. It may be a wise precaution to obtain additional cover if the terms of the policy do not allow phishing fraud claims to be made.
If you receive an email alerting you to a new WhatsApp voicemail message that you have received, it could well be the latest WhatsApp scam email that is currently doing the rounds. This new scam is particularly nasty.
Malicious WhatsApp scam email discovered
The WhatsApp scam email is being used as part of an attack on businesses and consumers, and will result in Nivdort malware being loaded onto the device used to open the email.
Security researchers at Comodo discovered the WhatsApp scam email and have warned that the malware contained in the email attachment has been developed to affect users of Android phones, iPhones, as well Mac and PC users.
The WhatsApp scam email looks like it has been sent by WhatsApp, although there are a number of tell-tale signs that the WhatsApp scam email is not legitimate. For a start, WhatsApp will not send messages to a user’s email account, but will only inform users of a missed call or voicemail message through the app itself. However, many of the 900 million users of the chat software program will not be aware of that.
The email contains the imagery typically associated with the Facebook-owned messaging platform, but a check of the sender’s address will reveal that this email has not been sent from WhatsApp. The email also contains a zipfile attachment. Opening the zip file will result in malware being installed onto the device used to open the attachment.
The attackers are sending out multiple variants of the email with different subject lines. Each subject line also contains a string of three, four, or five randomly generated characters after the message, such as “xgod” or “Ydkpda”
The subject lines in some of the scam emails have been detailed below:
If you receive any email from WhatsApp you should treat it as suspicious. You should never open any email attachment from any person you do not known, and must be particularly caution with .zip files. If in doubt, delete the email and remove it from your deleted email folder.
Malware Delivered by the WhatsApp scam email campaign
Nivdort is a family of Trojans that collect data from the computers on which they are installed. In order to avoid being detected the malware is loaded into the Windows folder. The latest variant is loaded to multiple system folders and also the registry. Even if detected by anti-virus software it is possible that not all traces of the malware will be removed. The malware may still be able to receive commands and exfiltrate data from the infected device.
It seems like almost every day that a new bank transfer email scam is launched, yet the perpetrators of these email scam campaigns appear to rarely be caught and punished for their offenses. However, one such scammer has now been arrested and made to stand trial for his alleged crimes against companies in Texas.
Nigerian, Amechi Colvis Amuegbunam, 28, of Lagos was arrested in Baltimore and has now been charged with defrauding 17 companies in North Texas and obtaining $600,000 via bank transfers.
Nigeria is famed for 419 email scams, otherwise known as advance fee scams. These spam email campaigns receive their name from the section of the Nigerian criminal code that the email scams violate. These bank transfer scams typically require the soon-to-be victim to make a transfer of a sum of money to cover fees or charges in order to receive a substantial inheritance. This type of email bank transfer request scam is not only conducted by criminal gangs operating out of Nigeria, although that is where a substantial number of the criminals are based.
Convincing bank transfer request scam used to defraud Texas companies of over $600,000
However, Amuegbunam obtained funds from Texan companies using a much more believable scenario; one that is being increasingly used by organized criminal gangs operating out of Africa, the Middle East, and eastern Europe.
The emails Amuegbunam sent appeared to have come from the email accounts of company executives, which had been forwarded onto members of staff who were authorized to make bank transfers on behalf of the company. By using the real names of top executives, account department employees were fooled into believing the transfer requests were legitimate. The companies being targeted had been researched, the correct email account format determined, names of senior executives and management determined, and the names of account executive targets discovered.
To make the bank transfer request scam more believable, Amuegbunam used a domain name that differed from the real company domain by two characters. By transposing just two characters, the email address appeared to be genuine at first glance, certainly enough to fool the victims.
The FBI started investigating the bank transfer request scam in 2013 after employees from two companies in North Texas were fooled into making large bank transfers. Amuegbunam has used the domain lumniant.com instead of luminant.com to make an email appear to have come from within the company. The account executive who fell for the bank transfer request scam made a transfer of $98,550. The second company fell for the same scam and transferred $146,550.
Amuegbunam has now been charged with defrauding 17 Texas companies using the same method. If convicted of the crimes, he faces a fine of up to $1 million and a jail term of up to 30 years. He is just one individual however. Many more are operating similar scams.
It is therefore essential that members of the accounts department, and others who are authorized to make transfers on behalf of the company, are told how to identify a bank transfer request scam. They must also be instructed to carefully check domain names on any transfer requests and to specifically look for transposed letters.
In the United States, tax season starts on January 1 and Americans are required to complete their annual tax returns before the April 15, deadline. As is customary at this time of year, new IRS tax refund spam email campaigns have been launched by cybercriminals.
During the first quarter of the year employees must get their tax documents from their employers and collect and collate all paperwork relating to their earnings over the year. Many dread having to pay out thousands of dollars in tax, but for some there is some good news.
The IRS has been sending emails to millions of Americans telling them that their previous tax returns have been assessed and they are due for a tax refund. The notifications have arrived by email and details of the refund are contained in an email attachment. All the recipient needs to do is to open the attached file to find out how much money they are due to have refunded.
Unfortunately, the email notifications are bogus and have not been sent from the IRS. This is just the latest IRS tax refund spam campaign to be launched by cybercriminals. The email is anything but good news. The IRS tax refund spam email contains a zip file, but instead of details of a refund, the file contains a rather nasty selection of malware and ransomware. Worse still, the batch of malware is sophisticated and capable of evading detection. The malware remains resident in the memory of the device used to open the email attachment. The mail recipient is unlikely to discover their device has been infected until it is too late.
If anti-spam solutions have been installed the IRS tax refund spam emails should be caught and quarantined. Even if not, some users will have to try hard to infect their devices. If security software has been installed on the device, opening the attachment should result in warnings being issued. The user will need to ignore those warnings before proceeding. Many do just that. The attraction of a tax refund after overspending at Christmas is too difficult to resist.
For many users the latest strains of malware included in the zip file will not trigger AV engines and even some anti-malware software programs will not identify the files as being malicious. The threat to businesses is therefore serious. If the attachment is opened and run, the malware will be installed and granted the same network and device privileges as the user.
IRS tax refund spam contains CoreBot and the Kovter Trojan
Opening the email attachment will deliver the latest strain of the Kovter Trojan. Kovter is not installed on the computer’s hard drive as commonly occurs with malware. This makes it much more difficult to detect. Instead, malicious code is run with the malware residing in the memory. Memory resident malware does not tend to persist. Once the infected computer is rebooted, the malware doesn’t reload. However, in the case of Kovter it does. Kovter is reloaded via the registry each and every time the computer is booted. Kovter is fileless malware that runs commands via Powershell in a similar fashion to Poweliks. If a computer does not have Powershell installed, the user is not protected. Kovter will just download it and install it on the device.
Kovter is not new of course. It was first identified two years ago, but it has since evolved to evade detection. In addition to being used to deliver ransomware, which locks the computer until a ransom is paid, it is also being used to perform click-fraud and generate revenue for the hackers via CPC campaigns.
Kovter is known to be used on an affiliate basis. Any individual who signs up is paid based on the number of devices they are able to infect. Cybercriminals have been spreading infections via a range of exploit kits such as Angler, Neutrino, and Fiesta. The IRS tax refund spam attack is a new way of getting the malware installed on devices.
The zip file also installs CoreBot; a particularly nasty malware that poses even bigger problems for businesses. If employees are fooled by the IRS tax refund spam and open the zip file, CoreBot can prove particularly problematic to detect, and can potentially cause a lot more damage. CoreBot is a modular malware that can have additional functions added by hackers as and when they desire. It has previously been used as a data stealer, although recently it has been used for man-in-the-middle-attacks on financial applications and web services. The malware is capable of stealing banking credentials and login information. It can also be used to exploit new zero-day vulnerabilities.
It security professionals should be wary and should warn their company’s employees of the tax refund spam, and instruct them not to open any zip file attachments, or any email attachments that have been sent from unknown senders. The IRS will not notify individuals of a tax refund in this manner. Any IRS email with a file attachment is likely to be spam and contain malware.
If you work in the accounting department of your company, you need to be more vigilant as cybercriminals are specifically targeting account department executives. Whaling attacks are on the increase and cybercriminals are using domain spoofing techniques to fool end users into making bank transfers from corporate accounts. Once money has been transferred into the account of the attacker, there is a strong probability that the funds will not be recoverable.
Whaling, as you may suspect, is a form of phishing. Rather than cybercriminals sending out large volumes of spam emails containing malware or links to malicious websites, individuals are targeted and few emails are sent. Cybercriminals are putting a lot of time and effort into researching their targets before launching their attack.
The aim is to gather intel on an individual that has the authorization to make bank transfers from company accounts. Individuals are usually identified and researched using social media websites such as Twitter, LinkedIn, and Facebook.
When individuals are identified and the name and email address of their boss, CFO, or CEO is discovered, they are sent an email requesting a bank transfer be made. The email is well written, there is a pressing need for the transfer to be made, and full details are provided in the email. They are also given a reasonable explanation as to why the transfer must be made. The email also comes from senior management.
In the majority of cases, the transfer request will not follow standard company procedures as these are not known by the attackers. However, since an email will appear to have been sent from a senior figure in the company, some account department employees will not question the request. They will do as instructed out of fear of the individual in question, or in an attempt to show willingness to do what is required of them by their superiors.
Unfortunately for IT security professionals, whaling emails are difficult to detect without an advanced spam filtering solution in place. No attachments are included in the email, there are no malicious links, just a set of instructions. The attack just uses social engineering techniques to fool end users into making the transfer.
What is Domain Spoofing?
The whaling attacks are often successful, as users are fooled by a technique called domain spoofing. Domain spoofing involves the creation of an email account using a domain that is very similar to that used by the company. Provided the attacker can get the correct format for the email, and has the name of a high-level account executive, at first glance the email address will appear to be correct.
However, closer inspection will reveal that one character in the domain name is different. Typically, an i will be replaced with an L or a 1, an o with a zero, or a Cyrillic character may be used which is automatically converted into a standard letter. If the recipient looks at the email address, they may not notice the small change.
To reduce the risk of account department employees falling for whaling attacks, anti-spam solutions should be implemented and configured to block emails from similar domains. Staff must also be told not to make any transfer requests that arrive via email without first double checking with the sender of the email that the request is genuine, and to always carefully check the email address of the sender of such a request.
A new Lloyds Bank phishing scam has been uncovered. The UK bank’s customers are being targeted just before Christmas with a highly realistic email, apparently sent from Lloyds Banking Group. Christmas is a time when people let their guard down. Its busy at work, there is much to do, and minds are invariably on Turkey, holidays, and rushing to get last minute preparations completed.
New Lloyds Bank phishing scam is highly realistic
The email contains the exact same font, logo, and styling that are used on the real online banking portal, making the campaign one of the most realistic online banking phishing scams we have seen.
The latest Lloyds Bank phishing scam is pure simplicity. It is brief and to the point, and has been designed to scare users into clicking on the link and signing into their account to check their bank balance.
All that the email says, is “You have One New Message. Your account has been accessed in multiple locations. Click below to update your Lloyds Bank Account, with a hyperlink using the anchor text “Sign In.” There are no spelling mistakes or grammatical errors to warn users that the email is anything but genuine.
In fact, even clicking the sign in link is unlikely to arouse suspicion. The link will direct the soon-to-be victim to a website containing an exact copy of the Lloyds Bank portal that customers will be very familiar with. All of the text is genuine, and the website features apparently clickable links in all the right places. It is an almost exact replica of the real site.
Only if a user decides to click on any of the links will they realize something is not quite right. The scammers have only taken an image of the real site. They have not made any of the links actually clickable.
But then again, after the recipient of the email has been sent a warning telling them their account is under threat, they are unlikely to suddenly decide to check the latest mortgage rates or take out a loan.
The only part of the website that works is the section where users are required to enter their user ID, password, and memorable word. Once the credentials have been entered, the victim will be redirected to Lloyds. That may arouse suspicion when their login attempt did not work, but the scammers hope that few will bother to change their password when they realize their account has not been compromised.
The scammers are likely to act quickly. Once they have a User ID, password, and memorable word, they have the basic information necessary to access the account. That information may be sufficient to gain access to the account and make a fraudulent transfer. If not, it will be used as the basis for a further spear phishing email to attempt to get the answer to a security question. If the victim fell for the first campaign, chances are they will fall for another.
There is only one other giveaway that this is a Lloyds Bank phishing scam. The URL is not lloydsbank.com.
The scam highlights the importance of checking the URL before entering any login credentials and checking to make sure the site address starts with https://. This site is clearly not genuine and has no green padlock, indicating something is amiss to anyone even casually checking the web address. However, not all online banking customers will do that when the website appears to look like the real deal.
Following the recent news that Intel Security will be discontinuing McAfee SaaS Email Protection products, SpamTitan is preparing for 2016 when business customers start looking for a new email security vendor to ensure continued protection.
McAfee SaaS Email Protection to Come to an End
Intel Security, the new company name for McAfee, has taken the decision to exit the email security business. The company will be dropping McAfee SaaS Email Protection products and will be concentrating on other areas of business.
From January 11, 2016, McAfee SaaS Email Protection and Archiving and McAfee SaaS Endpoint will stop being sold by Intel Security. The news is not expected to trigger a mass exodus in early 2016, as Intel Security has announced that it will continue to provide support for the products for a further 3 years. Support for both McAfee SaaS Email Protection and Archiving and SaaS Endpoint will stop after January 11, 2019. However, many customers are expected to make the switch to a new email security provider in the new year.
SpamTitan Technologies Anti-Spam Solutions
SpamTitan Technologies offers a range of cost effective business email security appliances which keep networks protected from malware, malicious software, and email spam. Users benefit from dual AV engines from Kaspersky Lab and Clam Anti-Virus, offering excellent protection from email spam, phishing emails, and inbox-swamping bulk mail.
SpamTitan is a highly effective anti-spam solution that was first launched as an image solution. Following an agreement with VMware, SpamTitan was developed into a virtual appliance. The range of anti-spam products has since been developed to include SpamTitan OnDemand in 2011 and SpamTitan Cloud in 2013. In August 2015, SpamTitan blocked 2,341 billion emails and has helped keep business networks free from malware and viruses.
SpamTitan was the first Anti-Spam Appliance to be awarded with two Virus Bulletin VBSPAM+ awards and has also received 22 consecutive VBSpam Virus Bulletin certifications. Additionally, SpamTitan was awarded the Best Anti-Spam Solution prize at the Computing Security Awards in 2012.
Companies in over 100 countries around the world have chosen SpamTitan as their anti-email spam partner. The email security appliance stops 99.98% of email spam from being delivered.
WebTitan Web Filtering Solutions from SpamTitan Technologies
WebTitan Gateway offers small to medium businesses a cost effective method of blocking malware and malicious websites, with highly granular controls allowing individual, group, and organization-wide privileges to be set. Delivered as a software appliance that can be seamlessly integrated into existing networks, it is an essential tool to protect all business users and allow the Internet to be viewed securely.
WebTitan Cloud is a cloud-based web filtering solution requiring no software installations. Create your own web usership policies and block malware-infected websites, objectionable websites, and restrict Internet access to work-related content with ease. Benefit from a comprehensive set of reporting tools which allow the browsing activity of every end user in the organization to be easily monitored.
WebTitan Wi-Fi has been developed for Wi-Fi providers and MSPs to allow easy control of Internet access. WebTitan Wi-Fi allows users to easily block objectionable content and malicious websites, with controls able to be applied by location. The cloud solution requires no software installations. All that is required to start protecting your business is a simple DNS redirect to WebTitan cloud servers.
WebTitan web filtering solutions blocked 7,414 malware-infected webpages in August 2015, and have helped keep businesses better protected from malicious website content, phishing campaigns, and drive-by malware downloads.
In the United States, healthcare industry phishing campaigns have been responsible for exposing the protected health records of well over 90 million Americans over the course of the past 12 months. That’s over 28% of the population of the United States.
This week, another case of healthcare industry phishing has come to light with the announcement of Connecticut’s Middlesex Hospital data breach. The hospital discovered four of its employees responded to a phishing email, resulting in their email account logins being sent to a hacker’s command and control center. In this case the damage caused by the phishing attack was limited, and only 946 patients had their data exposed. Other healthcare organizations have not been nearly so lucky.
Largest ever healthcare industry phishing attack suffered in 2015
In February, Anthem Inc., the second largest health insurance company in the United States, discovered it had suffered the mother of all healthcare data breaches. Approximately 78.8 million health insurance subscriber records were obtained by criminals in the attack. The breach did not occur in February, but months previously, with the hackers being allowed plenty of time to exfiltrate data.
Another U.S. health insurance company discovered it too had been hacked just a couple of weeks later. Premera Blue Cross similarly found out that hackers had gained access to its systems many months previously and had potentially obtained the records of over 11 million insurance subscribers.
Both security breaches were highly sophisticated in nature, but were discovered to have their roots in healthcare industry phishing campaigns. Employees had responded to phishing emails which ultimately allowed hackers to gain access to huge volumes of highly confidential healthcare data.
In 2014, Community Health Systems suffered a data breach that exposed the PHI of 4.5 million individuals in what was then the second largest healthcare data breach reported. That data breach had its roots in a phishing campaign sent to its employees.
Healthcare industry phishing attacks occurring with alarming frequency
In just 12 months, many healthcare providers and health plans have suffered at the hands of phishers. Some of the healthcare industry phishing attacks have been summarized in the table below:
Successful U.S. Healthcare Industry Phishing Attacks in 2015
|Premera Blue Cross
|CareFirst Blue Shield
|Saint Agnes HealthCare
|St. Vincent Medical Group
Cybercriminals attracted by easy targets and big rewards
In the United States, healthcare organizations and their business associates are covered by legislation which requires robust protections to be put in place to keep computer networks secure and patient health data safeguarded from attack. The Health Insurance Portability and Accountability Act (HIPAA) requires administrative, technical, and physical controls to be used to keep the Protected Health Information (PHI) of patients secure at all times.
Even though the industry is heavily regulated, the industry lags behind others when it comes to data security. Hackers often see healthcare organizations as an easy target. Their networks are complex and difficult to protect, and IT security budgets are insufficient to ensure that all of the appropriate protections are put in place to keep data secure.
On top of that, healthcare providers and health insurers store an extraordinary volume of highly sensitive data on patients and subscribers. Those data are much more valuable to thieves than credit card numbers. Health data, Social Security numbers, and personal information can be used to commit identity theft, medical fraud, insurance fraud, credit card fraud, and tax fraud. One set of patient data can allow criminals to fraudulently obtain tens of thousands of dollars, and the data can typically be used for much longer than credit card numbers before fraud is detected.
It is therefore no surprise that healthcare providers are such a big target. There are potentially big rewards to be gained and little effort is required. Healthcare industry phishing is therefore rife, and spear phishing campaigns are now increasingly being used to get busy healthcare employees to reveal their login credentials. Many of those campaigns are proving to be successful.
Industry reports suggest that the healthcare industry in the United States does not have sufficient controls in place to prevent against phishing attacks. A KMPG study conducted earlier this year showed that 81% of U.S. healthcare organizations had suffered cyberattacks, botnet, and malware infections. Other research conducted by Raytheon/Websense suggested that the healthcare industry in the United States suffered 340% more data breaches than other industries.
Healthcare industry phishing emails are not always easy to identify
Just a few years ago, a phishing email could be identified from a mile away. They contained numerous spelling mistakes and grammatical errors. Nigerian 419 scams were commonly seen and easily spotted. Malicious email attachments were sent, yet they could be easily identified as they were rarely masked. It is easy to train staff never to open an executable file sent via email.
Today, it’s a different story. Healthcare industry phishing emails are not always easy to identify. Malicious emails are crafted with a high level of skill, spell checks are used, subjects are researched, as are the targets. Links are sent to phishing websites that cybercriminals have spent a lot of time, money, and resources developing. Even a trained eye can have trouble identifying a fake site from a real one. The threat landscape has changed considerably in just a few years.
Sometimes healthcare industry phishing emails are so convincing that many members of staff are fooled into responding. Franciscan Health System is a good example. In 2014, a phishing campaign was sent to the healthcare provider via email. The scam was straightforward. Workers were sent an email containing a link and a good reason to click it. They clicked through to a website which required them to enter their login credentials. 19 workers reportedly fell for the campaign and revealed their email account login names and passwords. Contained in their email accounts were patient data. As many as 12,000 patients were affected.
What can be done to reduce the risk of phishing attacks?
There are a number of controls and safeguards that can be implemented to reduce the risk of healthcare industry phishing campaigns being successful, and multi-layered defenses are key to reducing risk.
Conduct Regular Staff Training
All members of staff should be trained on email and internet security, and told how to identify phishing emails and phishing websites. They must be issued with a list of best practices, and their knowledge should be tested. The sending of dummy phishing emails is a good way to check to see if they have taken onboard the information provided in training sessions.
Use Powerful Anti-Virus and Anti-Malware Software
Separate anti-virus and anti-malware solutions should be used and virus/malware definitions updated automatically. Regular scans of the network and individual devices should be scheduled at times of low network activity.
Employ Spam Filtering Software
Spam filtering solutions are essential. One of the best ways of preventing end users from falling for phishing emails is to make sure they never receive them. Powerful anti-spam solutions will block and quarantine malicious email attachments and prevent phishing emails from being delivered to end users.
Implement Web Filtering Solutions
Not all phishing campaigns come via email. Social media websites are often used as an attack vector and malicious website adverts can direct users to phishing websites. Implementing a web filter to limit the types of websites that users are permitted to visit can significantly reduce the risk of users falling for a phishing campaign. Web filtering solutions will also block access to known phishing websites.
A recent study conducted by CyberArk has revealed that enterprises now face a high level of risk of privileged account hacking. In fact, the majority of enterprises are at risk of being hacked. Many companies are underestimating the risk, although IT professionals have long been aware of the danger of privileged account hacking.
The study suggests 88% of enterprise networks are susceptible to attack. A complete compromise of the corporate network is possible via 40% of Windows machines. The researchers predict that all it would usually take is for one privileged account to be hacked to allow the attackers to gain access to most accounts and systems. The researchers also determined that any enterprise that has Windows hosts is susceptible to attack via privileged account hacking.
To produce the report “Analyzing Real-World Exposure to Windows Credential Theft Attacks” CyberArk surveyed 51 organizations of varying sizes to determine the level of risk faced from privileged account hacking and the extent to which networks could be compromised should hackers manage to gain access to super-user and/or service accounts.
The results of the survey paint an incredibly worrying picture. The hacking of privileged accounts is not just a problem that must be dealt with by large corporations. Small to medium-sized businesses are also being targeted. Hackers are gaining access to their systems and are using them to launch attacks on their supply chain partners.
The privileged account hacking risk is often underestimated
Many organizations are not even aware how substantial the privileged account hacking risk is. An organization employing 500 individuals may have 1500 or more privileged accounts according to the researchers. The risk of attack is greatest with servers and lower with workstations. This is because servers can be used to gain access to a much wider range of systems and data than workstations. If any one server is compromised, attackers can use that machine for privileged account hacking and can gain access to many other Windows hosts on the network.
Attackers have months to analyze the network infrastructure and exfiltrate data
Mandiant recently estimated the median number of days for enterprises to discover their networks have been compromised is 229 days. The latest report from CyberArk also suggests a similar timescale for detection – placing the time frame at between 6 to 8 months. Once attackers have gained access to a network, they are exceptionally good at hiding and covering their tracks, and have months to browse the network.
How are hackers gaining access to privileged account login credentials?
In many cases, user credentials are stolen via phishing campaigns. Oftentimes, the attacks are highly sophisticated and highly targeted. Individual users are selected and a campaign is developed to fool them into visiting a malicious website and downloading malware or opening an infected email attachment.
Information about the target is obtained via social media networks such as Facebook, Twitter, or LinkedIn. Their contacts are identified, and a phishing email is either sent from a hacked colleagues account or is masked to make it appear that it has been sent from a trusted individual.
All too often a sophisticated attack is not necessary. If malware can be installed on just one single computer, shared-privilege accounts can be used to gain access to a wide range of systems.
What can enterprises do to protect their networks from privileged account hacking?
Protecting against the hacking of privileged accounts is difficult. It is not possible to eliminate privileged accounts as they essential to the functioning of the business. Since these accounts cannot be eliminated, efforts must be made to make accounts more secure. Unfortunately, the management of privileged accounts is complicated and is difficult to automate.
A survey recently conducted by Dimensional Research/Dell highlights the extent of the current problem. 560 IT professionals were asked about privileged access management and 41% revealed that they did not use any software at all or rely on Excel or other spreadsheet software packages to manage their accounts.
Fewer than half of respondents did not log or monitor privileged account access. 23% did not have a defined account management process. 28% did not have a defined process for changing default passwords on new equipment and software. Passwords were also found not to be changed frequently. Only a quarter of organizations changed admin passwords every month.
Make it harder for networks to be compromised by privileged account hacks
In order to improve security and prevent the hacking of privileged accounts, IT professionals should:
- Develop a defined process for managing privileged accounts
- Conduct a full audit of the network to locate all privileged accounts
- Ensure all passwords are unique, complex, and very difficult to guess
- Monitor and audit account passwords
- Use different passwords for different systems
- Change default passwords on all new devices and software
- Change passwords at least once a month
- Implement an automated solution to manage privileged accounts
- Ensure that a full risk assessment is conducted and any security holes are plugged rapidly (Hours rather than weeks or months)
- Conduct an audit of all suppliers and business partners to ensure they have sufficient security in place
- Implement solutions to protect users from phishing and spear phishing attacks, such as anti-spam software with anti-phishing controls
- Implement a web filter to reduce the probability of a user downloading malware to the network from malicious websites.
Fail to secure your login credentials, and privileged account hacking will not be only be a risk; it will be a reality.
Cryptowall 3 ransomware is the latest incarnation of the Trojan that first appeared in the latter half of 2014. This variant was discovered earlier this year and it has been used to extort millions out of individuals and businesses.
The threat from ransomware is growing
Ransomware infections have been reported much more frequently in recent months. A fortune has already been spent undoing the damage caused. Unfortunately, since the malware is evolving, it can be difficult to block.
Cryptowall 3 ransomware is very similar to previous incarnations and operates in a very similar fashion. The problem is that the algorithm it uses to obfuscate the dropper, which is applied three times, differs from Cryptowall 2. This makes it harder to identify.
Cryptowall 3 ransomware employs multiple dropper files and contains a number of different exploits. Once initiated, code is injected into a new explorer.exe process which installs the malware while disabling system protections. Malicious code is then hidden in a new SVChost.exe process.
The malware collects a considerable amount of data from the host computer, obtains an external IP address, establishes a connection, and registers the machine with the hacker’s command and control center. A POST request is made and the main Cryptowall 3 thread is initiated.
Cryptowall 3 ransomware subsequently encrypts certain file types on mounted network drives and local drives using public-key cryptography. The key to unlock the encryption is only stored on the hacker’s server. The victim is then advised to pay a ransom to have the infection removed and files unlocked. Failure to respond will see files locked forever or permanently deleted.
Cryptowall 3 ransomware is spread via email spam
Cryptowall 3 ransomware is primarily, but not exclusively, spread via spam email. The email contains a zip file attachment which houses an executable file. If the executable file is run, it installs the malware on the host computer. Videos, text files, and images files are then encrypted with its RSA2048 algorithm. Users often have files created on the desktop instructing them how to unencrypt their computer. Once infected, users are given approximately 7 days to pay the ransom, which is commonly $500 in the form of Bitcoins (2.17).
There is no guarantee that payment will result in the encryption being removed, although oftentimes it is. Payment certainly does not mean all traces of the malware will be removed from the infected machine. Users are often allowed to decrypt certain files to prove that the criminals behind the campaign can actually make good on their promise.
Victims are usually given little alternative but to give into the hacker’s demands, unless they want to lose all the files that have been encrypted.
Millions have been obtained from Cryptowall 3 ransomware infections
Cryptowall 3 ransomware has spread rapidly and the malware has already claimed tens of thousands of victims. The malware was only discovered in January 2015, yet already the criminals behind the infections have managed to obtain an estimated $325 million in ransoms according to Cyber Threat Alliance (CTA) figures. The ransoms have been tracked via Bitcoin payments, although the system used to assess criminals’ profits is somewhat unreliable. The figure of $325 million has been confirmed, but the total profits from Cryptowall 3 ransomware infections could well be double that total.
Cryptowall 3 ransomware infections usually start with a phishing campaign. The phishing campaigns usually contain an attachment with an innocent looking name, such as “invoice” or “fax”.
Drive-by attacks have been known to install the malware. These take advantage of security vulnerabilities in browser plugins. Exploit kits such as Angler are also used.
Fortunately, it is possible to train employees to be more cautious and not to open file attachments sent from unknown individuals. However, the emails may appear to have been sent by a friend, relative, or colleague inside their company.
Training should be provided to employees and company-wide warnings issued. However, the best defense is to prevent the ransomware from being delivered to inboxes. If SpamTitan Anti-Spam solutions are implemented, Cryptowall 3 ransomware email spam will be blocked and quarantined. End users will then be prevented from accidentally installing the malware.
‘Tis the season to be jolly, but it is also the season for holiday email spam. Malware infections increase during holiday periods and this year is unlikely to be any different. Holiday email spam is coming, and it doesn’t matter whether you’ve been naughty or nice. If you do not take precautions, you are likely to receive a gift of malware this Christmastime.
Holiday email scams are sent in the billions at this time of year because of one simple fact: They work. People let their hair down over Christmas and New Year, but they also let their guard down. That gives online criminals an opportunity to get malware installed, fool consumers with phishing campaigns, and generally cause some festive mayhem.
Holiday email spam is now being sent: Avoid the Christmas rush and get your malware now!
Christmas week may see many people infected with malware, but the run up to Christmas can be even worse. As soon as the first decorations go up in the shops, holiday email spam starts to be sent. Email is commonly used to send malware.
Nasty malicious programs are masked as Christmas screensavers, phishing campaigns will appear as festive quizzes, and you can expect an African prince to need your assistance with a huge bank transfer. Don’t be surprised to find out that you have won a Sweepstake in a country you have never visited or that one of your online accounts will be hacked requiring you to receive technical support.
These and many more scams will be delivered in a wave of holiday email spam and, if you let your guard down, you may inadvertently fall for one of these often cleverly devised scams. Some of the latest phishing scams are incredibly convincing, and you may not even realize you have fallen for the scam and have become a victim.
Employers Beware: End users are especially gullible at this time of year
Everyone must be wary at this time of year due to the huge increase in spam email campaigns. Employers especially must take care as employees can be particularly gullible at this time of year. Their minds are on other things, and they are not as diligent and security conscious as they may usually be.
To make matters worse, each year the scammers get better and holiday email spam becomes more believable. If one of your employees falls for holiday email spam attack, it may not only be their own bank account that gets emptied. Phishing campaigns are devised to get employees to reveal critical business data or login credentials. The FBI has warned that business email is being targeted. In the past two years over 7,000 U.S. firms have been targeted and have suffered from criminal attacks. Those attacks initially target employees, and the festive season is an ideal time for a business email compromise (BEC) attack to take place.
Common Holiday Email Spam Campaigns in 2015
Send an email bulletin to your employees highlighting the risk that holiday email spam poses, and warn them that they may shortly start receiving phishing emails and other spam campaigns. They are likely to have forgotten how risky the festive season can be.
Business Email Compromise (BEC) Attacks
The FBI has already released a warning this year to organizations that perform wire transfers on a regular basis and/or work with foreign suppliers. They are being targeted by cybercriminals using sophisticated scams that start with the compromising of a business email account. Social engineering and phishing tactics are used to get employees to reveal their login credentials. Once access to bank accounts has been obtained by criminals, fraudulent transfers are made. Holiday email spam campaigns are expected to be sent targeting organizations and specific employees within those organizations. During the holiday period employees must be told to be ultra-cautious.
Holiday e-card scams
Holiday e-card scams are common at Christmastime. Criminals take advantage of the growing popularity of e-cards and send out spam emails in the millions telling the recipient to click a link to download their e-card. However, those links are sent to convince users to download malware to their computers. Any email containing a file attachment claiming to be an e-card is likely to be fake. The attachment may be malware.
Christmas and other holiday-themed screensavers are commonly downloaded by employees. These screensavers can be fun and festive, but may actually be malicious. Employers should consider implementing a ban on the downloading of screensavers as a precaution. Staff members should be warned that any .scr file sent in an email should be treated with suspicion and not downloaded or installed. Criminals mask attachments and the .scr file may actually be an executable file that installs malware.
Ashley Madison revelations and TalkTalk scams
A number of major data breaches have been suffered this year that have resulted in customer data being exposed. Criminals are threatening to expose personal data, especially in the case of Ashley Madison clients. Emails are sent threatening breach victims, informing them that they must pay not to have their data posted on the internet. Some criminals will be in possession of the data; other scams will be speculative. If an email is received, it is essential that professional advice is sought before any action is taken.
If you receive an email asking you to take action to secure your account after a company you use has suffered a data breach – TalkTalk for example – it is essential to only change your password via the official website. Do not click on links contained in emails. They may be phishing scams.
Free Star Wars tickets
You can guarantee that such a major event for moviegoers will be the subject of multiple email spam campaigns. Criminals would not pass up the opportunity to take advantage of the release of a new Star Wars film.
There are likely to be competitions aplenty, free tickets offered, and many other Star Wars spam campaigns in the run up to the release. This is the biggest movie release of the year for many people. Fans of the films are excited. They want to see snippets of the film, read gossip, and find out if Luke Skywalker will actually be in the new film. Many people are likely to fall for scams and click phishing links or inadvertently install malware.
Get prepared this holiday season and you can keep your computer and network spam and malware free. Fail to take action and this holiday time is unlikely to be jolly. Quite the opposite in fact.
Criminals are increasingly using ransomware – Chimera ransomware for example – to extort victims. Ransomware encrypts certain file types with a powerful algorithm that cannot be unlocked without a security key. Unfortunately, the only person to hold that key is the hacker responsible for the ransomware infection.
Organizations and individuals that perform regular data backups can avoid paying the ransom demands and not face losing important files. If files are encrypted, they can be recovered from backups – provided of course that regular backups of critical data have been performed. Worst case scenario: Some data may be lost, but not a sufficient amount to warrant a ransom being paid.
Criminals are aware of this failsafe and have recently started to up the stakes. The criminals behind Chimera ransomware have been found to be using a new tactic to scare victims into giving into their demands. Even if a backup file has been made, victims can be easily convinced to pay the ransom. They are told that if the ransom is not paid, the files will be made public. Confidential information will be posted on darknet sites or listed for sale in online marketplaces.
Criminals Target Businesses and Encrypt Critical Files Using Chimera Ransomware
Hackers are known to send ransomware out randomly. The more computers that are infected; the more ransoms can be collected. Chimera ransomware on the other hand is being used more specifically, and small to medium sized businesses are being targeted. This stands to reason. An individual may not be willing, or able, to pay a ransom. Businesses are different. They may have no choice but to pay to have files unlocked. If data are posted online, the potential cost to the business could be far higher than the cost of the ransom.
How are computers infected with Chimera ransomware?
Spam emails are sent to specific individuals within an organization. Those emails contain innocent looking email attachments: the types of files that would commonly be received by the individuals being targeted. Business offers are sent, applications for employment, or invoices.
Attachments may not be opened or could be blocked by spam filters. To get around this issue, hackers often send links to cloud-storage services such as Dropbox. The user clicks the link and downloads the malware thinking it is a genuine file.
Once installed the malware gets to work encrypting files stored on local and mounted network drives. The user is not made aware of the infection until their computer is rebooted. In order to unencrypt files, the end user must pay the ransom. This is typically $500 in the form of Bitcoins.
It is not known whether hackers have acted on their threats to publish company data. Many businesses have been too scared to find out and have given in to the ransom demand.
How to protect your business from Chimera ransomware
There is no such thing as 100% protection from Chimera ransomware, but it is possible to reduce the risk of infection to a minimal level. Installing Anti-Spam solutions can prevent malware from reaching inboxes; however not all products offer protection from phishing links.
SpamTitan software on the other hand employs a powerful spam filter which uses dual AV engines to maximize the probability of malicious emails being caught. It also includes an anti-phishing module to protect against phishing links. If you don’t want to have to pay a ransom to recover your data, installing SpamTitan is the logical choice.
Are you protected from Chimera Ransomware? Would you risk the publishing of your business data or would you pay the ransom?
If you live in Ireland, you may receive an email offering you a refund on your electricity bill; however, the email is not genuine. Scammers are targeting current and former customers of Electric Ireland hoping they will respond to the offer of a refund. By doing so they will receive no money. They will just have their bank accounts emptied.
The Electric Ireland phishing scam is highly convincing
The Electric Ireland phishing emails appear to be genuine. They give a valid reason for clicking on the link contained in the email, and have been well written. The link directs the recipient to a phishing website that looks genuine. Even the request made on the website is perhaps not unreasonable.
In order to receive the refund, customers must enter in their banking information to allow the electricity company to make a transfer. In order to confirm their identity, current and former customers must supply proof of identity. The scammers ask for a scan of customers’ passports.
Other reports indicate that some customers have been sent links to fake websites that require them to disclose their mobile phone numbers as well as security codes and passwords.
It is unclear how the scammers have obtained the email addresses of Electric Ireland customers, as according to the utility company there has been no security breach, and the database in which customer account information is stored remains secure. However, an audit is being conducted by the company’s IT department to determine if any individual has managed to infiltrate its network or has otherwise gained access to customer data.
A spokesman for the Garda has confirmed that many Irish citizens have already fallen for the Electric Ireland phishing scam and have reported that fraudulent withdrawals have been made from their personal bank accounts.
The Electric Ireland phishing scam is one of many highly convincing campaigns to have been uncovered in recent weeks. Online criminals have become more skilled at crafting emails and setting up malicious websites, and it can be difficult to determine whether a request is genuine or fake.
The Electric Ireland phishing scam may look genuine, but legitimate companies would not send emails requesting sensitive information of that nature to be disclosed over the Internet. It should also be noted that if a company has taken excess funds from a bank account to pay a bill, the company would be able to issue a refund directly to the same bank account. They would not require those details to be provided again – nor request copies of ID, mobile phone numbers, or passwords.
If any individual who has fallen for the Electric Ireland phishing scam they should contact their bank immediately and place a block on their account. This will prevent the criminals from making any fraudulent transfers. However, it may be too late for many customers to prevent losses being suffered.
To reduce the risk of falling for phishing scams, the best defense is to block spam and scam emails from being delivered. To do this a spam filter should be used, such as that provided by SpamTitan. SpamTitan Technologies Anti-Spam solutions also include an Anti-Phishing module to ensure all users are better protected from malicious websites when surfing the Internet.
Any time an email is received that offers a refund, it is ill advisable to click on an email link. Attempts should be made to contact the company directly by calling the number listed on that company’s website. The matter should first be discussed with the company’s customer service department. Never open an email attachment contained in the email, and never divulge confidential information over the internet unless 100% sure of the genuineness of the website.
Cybercriminals are using SSL certificates installed on fake domains to fool users into thinking that the websites are genuine. The websites often use names that closely resemble a well-known brand. We have previously reported that criminals have been using domains containing typos to obtain website traffic and fool the unwary; however, it is also common for domains to be purchased using a well-known company name with additional words added to the end.
Because the websites contain the brand name, many visitors will be fooled into thinking that the websites are genuine. This is even more likely if a website has a valid SSL certificate and displays a padlock next to the URL. This is seen as a sign by many consumers that the website is real. A SSL certificate can no longer be trusted. It is only one indication that a website is genuine. Many new websites are offered a free SSL certificate.
Electronic Frontier Foundation phishing scam brought to an end
One website that has been fooling visitors into thinking the site was official is believed to have been set up by the cybercriminals behind the Pawn Storm phishing campaign: A group of hackers known as APT28. The group, which has links to the Russian government, used the brand name of the Electronic Frontier Foundation as part of a phishing campaign.
The Electronic Frontier Foundation phishing campaign used a .org website with the domain name, ElectronicFrontierFoundation. The official site used by the company is also a .org, but just uses the company’s initials: EFF.
The Electronic Frontier Foundation phishing site was not used to obtain bank account or credit card details, instead it was used to spread malware. The fake site was discovered to contain malware that exploited a zero-day vulnerability in Java software.
Electronic Frontier Foundation was alerted to the existence of the website and issued a complaint to the UN’s World Intellectual Property Organization (WIPO) – an organization that helps protect the intellectual property rights of corporations. After assessing the compliant, WIPO ruled that Electronic Frontier Foundation was entitled to take control of the domain, which has been ordered to be transferred to the non-profit digital rights group. Once that happens, the site will no longer pose a threat and ownership will be transferred from an individual based in Bali, Indonesia.
Organizations believing their copyright has been infringed can attempt to claim a registered domain by following the Uniform Domain-Name Dispute-Resolution Policy (UDRP) set up by ICANN. However, it can take a long time for the process to be completed. All the time that a fake domain is active it can result in a loss of income for the company concerned. Many customers or potential customers could have malware installed or be defrauded until the matter has been addressed and ownership of the website transferred.
In a case such as this, the domain name and SSL certificate made the website appear 100% legitimate, which no doubt resulted in many people having their computers infected with the malware.
Bermuda residents and holiday home owners have been put on high alert after a new BELCO email scam has been uncovered. A warning has now been issued by the company after some customers were targeted by scammers and were sent malware-infected emails from the company’s email domain.
BELCO, the Bermuda Electric Light Company Limited, supplies electricity to homes in Bermuda and is the only supplier in the British Overseas Territory. All individuals who own or rent a property on the islands are at risk of receiving a spam email that could potentially infect their computer, mobile phone, tablet or laptop with malware.
The type of malware sent in the spam emails is a form of ransomware. This type of malware is particularly nasty as it will allow the perpetrators of the campaign to lock files on an infected computer and potentially also on a business network to which the device connects. The malware delivered in the BELCO email scam can also cause corruption of computer files. The criminals behind the campaigns have designed the malware to give victims little choice but to pay the ransom.
Critical files are encrypted via the ransomware to prevent the user from gaining access. The only way of regaining access to the files is by restoring them from a backup or by paying a ransom to the criminals behind the campaign. Once a ransom has been paid, the criminals behind the BELCO malware attack will supply a security key that can be used to unlock the data. There is no guarantee that the security key will be provided once the ransom has been paid and it is conceivable that the criminals could continue to extort customers who give into their demands.
On a personal computer, files such as personal documents or family photographs could potentially be encrypted and lost. For business users the risk is even higher. Without access to critical files, all business could effectively grind to a halt. Even when a backup can be used to restore the ransomware-encrypted files, significant losses could be suffered. Performing a full restoration of data takes time and unless a backup was made just minutes before files were encrypted, some data will invariably be lost. Customers will also experience disruption to services while remediation takes place and systems are restored.
BELCO email scam uses legitimate company domain
The BELCO email scam uses a common technique to fool targets into installing malware on their devices. Criminals have been using email to deliver malware for many years, but they are now getting very good at creating highly convincing campaigns. It is becoming much harder to identify a spam email containing malware.
What makes this campaign particularly convincing is the emails appear to have been sent from the BELCO.bm domain. Even an individual who has adopted email security best practices, such as checking the sender’s address before opening an attachment, may be fooled into installing the malware contained in the email.
The email informs the recipient of an unpaid electricity bill and includes a warning that electricity will be cut off if the bill is not paid promptly. In order to find out how much money needs to be paid customers are required to open the attachment. Doing so will result in the malware being installed.
The email was sent from the address billerz @belco.bm. The domain is correct, although there is no official billerz address used by the electricity company. A warning sent to customers advises that any legitimate bill sent by the company will come from ebilladmin @belco.bm.
Simply receiving the email will not infect a computer but it is imperative that the attachment is not opened under any circumstances. Any customer receiving the email should delete it immediately from their inbox or spam folder. They should then ensure it is also deleted from their deleted email folder.
Identifying spam and scam emails
The BELCO email scam is convincing. It could easily pass for a genuine email if the recipient of the email is not particularly security conscious. There are tell-tale signs that it is a fake.
- The email address differs from the one usually used by the company to send electronic electricity bills
- There is a threat contained in the email – Immediate action is required to avoid unpleasant consequences
- Insufficient information is included in the email body, requiring the user to open an attachment
- The email address contains an odd spelling not typically used by a reputable company – billerz
Individuals, and especially companies, should consider implementing additional controls to prevent emails such as this from being delivered. Using a spam filtering solution will prevent the vast majority of spam and scam emails from being delivered. As more phishing and spam emails are being sent, and the perpetrators are becoming more skilled at creating convincing campaigns, this is one of the best defenses to prevent accidental malware infection. The cost of an Anti-Spam solution will be considerably less than the cost of a ransom to unlock vital data.
UK workers are being targeted with a new email money transfer scam, according to a new police intelligence report. The current threat level has been deemed to be high enough to warrant a warning being issued by Financial Fraud Action UK to alert UK employees to the risk of attack.
Rather than the campaign being sent in mass email spam mailings, individuals are being targeted by criminals using a new spear phishing campaign that attempts to fool users into making a transfer from their personal account in order to secure an important work contract, or help resolve an urgent work issue.
The highly convincing scam involves the sending of emails to individuals in a particular organization that is being targeted. The perpetrators of the campaign have masked the email address of the sender, making it appear as if the email has actually been sent by their boss, a work colleague, or member of the accounts department. In some cases, the emails have actually been sent from a real account.
Email money transfer scam conducted in two separate attacks
Criminals first compromise an email account in the organization under attack by gaining access to an individual’s login credentials using a separate phishing campaign or by hacking passwords. Criminals have been able to gather a large amount of data on individuals via social media networks such as Facebook, Twitter, and LinkedIn. That information is subsequently used to craft convincing email campaigns to fool their targets into revealing sensitive information to gain access to their email accounts.
Those accounts are then used to send email requests to other individuals within the organization asking for a bank transfer to be made. The requests are out of the ordinary but, as explained in the scam emails, the payments are critical to the running of the business. Once a transfer has been made, the money is rapidly withdrawn from the scammer’s account. Victims are left with little recourse to get their money back.
The email money transfer scam has proved to be particularly effective. Employees see that the email has been sent by a manager and out of a sense of duty, or fear of job loss, they respond without first checking the genuineness of the email. Oftentimes, the perpetrators of the crime have sent emails from senior managers and partners’ accounts. An employee lower down the ladder would typically not usually have direct contact with these people, lessening the chance of them contacting that person directly to validate the request. Contact information is often provided in the email that will put the target in direct contact with the scammer, who will then validate the request.
Senior managers and partners are the initial targets in this new email money transfer scam. Criminals attempt to fool them into revealing their login credentials. Employees are the secondary targets who actually arrange the transfers to the fraudsters’ accounts. Both groups of individuals should be warned of the risk, and measures should be implemented to reduce the risk of the phishing campaigns being delivered.
To protect against the first attack made by the perpetrators of this email money transfer scam, it is recommended that companies make the following changes to improve security:
- Issue alerts to their employees, including senior managers, warning of the latest wave of phishing campaigns to put them on high alert.
- Enforce changes to email account passwords, ensuring that only secure passwords are used. Stipulate a minimum of 8 characters, force the use of special characters (!,”,£,$,%,^,&,*,(, or ) for example), and ensure that at least one capital letter and number is included.
- Purchase a robust Anti-Spam filtering solution to prevent phishing emails from being delivered to employee’s inboxes. SpamTitan also includes an Anti-Phishing module that can provide additional protection against complex campaigns such as this.
- Ensure that all Anti-Virus software has virus definitions updated on a daily basis
- Scammers often attempt to obtain login credentials by fooling targets into visiting a link to a malicious website containing malware. The sites may contain malicious code that probes for weaknesses in the target’s browser. The attackers then use SQL injection techniques to exploit software vulnerabilities and install keyloggers to obtain passwords. Anti-Phishing software can block these sites, providing protection even if an email link is clicked.
- Security vulnerability scans should be conducted regularly. Updates may be issued regularly so daily checks should be conducted. A scan may reveal a critical Windows 10 security update is required, or Oracle, Chrome, Firefox, Skype, or Adobe Flash may need to be updated.
- Inform employees of the company’s processes for requesting payments via bank transfers and confirm that under no circumstances would an employee receive a request via email to make a transfer to a senior manager or partner.
Protecting end users from becoming victims of an email money transfer scam
End users should also be informed about the correct actions to take when receiving email requests:
- This email money transfer scam relies on the user being fooled into thinking the email has been sent from a manager’s account. End users should check the email address used to make sure it has been sent from a company account, but to be wary that an email could have been hijacked.
- To contact the person who has made the request directly. Since email accounts may have been compromised, this should be done via telephone using the company switchboard or direct deal numbers, not the telephone numbers supplied in the email.
- To exercise extreme caution when receiving any request which appears to be out of the ordinary, especially when that request involves making a bank transfer or requests that sensitive information is disclosed.
- To read any email carefully, and then re-read it to identify spelling errors, grammatical mistakes or language that would be out of keeping with an email typically sent by that individual.
A new DRIDEX email scam has been discovered that has prompted an angry reaction from Swedish furniture retailer Ikea. The criminals behind the malware have targeted Ikea customers by sending fake emails encouraging them to open a DRIDEX-infected email attachment. It has been estimated that hundreds of thousands of emails have been sent in the past few days alone.
As is common with spam emails, users are not specifically targeted. Instead the senders of the emails rely on volume. This is why targeting a retailer the size of Ikea is particularly effective. The chances of an email arriving in the inbox of a customer is relatively high in Europe. Many individuals regularly visit IKEA or have done so in the past.
What is particularly worrying about this campaign is the fact the emails look genuine. They contain an attachment which appears to be a purchase receipt from IKEA. The receipt looks exactly the same as one supplied by the store.
IKEA is concerned that the spam emails will tarnish the company’s reputation, even though there is nothing the company could have done to prevent the campaign from being launched. The advice provided is not to open any attachments in emails that appear to have been sent by the furniture retailer.
What is DRIDEX Malware?
DRIDEX is a nasty malware designed to steal online banking login names and passwords, and is a new variant of CRIDEX: A known form of malware with a worm and Trojan variant (W32.Cridex and Trojan.Cridex). The new form of the Cridex malware achieves its objective via HTML injection. This is a technique used by hackers to inject code to exploit vulnerabilities in popular applications such as Java or ActiveX. HTML injection modifies page content.
This method of attack is effective as the user is fooled into thinking a site being visited can be trusted, as the page is located within a trusted domain. When the user enters a login name and password, these are then sent on to the hacker. In this case, the user would reveal their bank logins and passwords, which would then be used to make fraudulent transfers to a hacker’s account.
DRIDEX malware first emerged in November last year and attacks have mainly affected computer users in Europe. Due to the ease at which the perpetrators of this campaign can obtain users’ banking credentials, this malware is particularly dangerous. All users, not just IKEA customers, should be particularly wary about opening email attachments or responding to emails containing links to webpages, especially if the emails are sent from individuals not known to the email recipient.
The malware was first used in the UK, but has since spread around Europe and has now been received in Sweden where IKEA is based. To date it has been estimated that the malware has allowed the perpetrators of the campaign to obtain around £20 million from fraudulent transfers, in addition to $10 million from U.S. banks. IKEA is now monitoring the situation and is attempting to identify the source of the emails; however, since the perpetrators of campaigns such as this are typically mobile, it is particularly difficult to catch the criminals responsible.
How is it possible to protect against DRIDEX Malware?
Email scams such as this are becoming increasingly common and users can easily be fooled into installing malware. DRIDEX appears to be primarily transmitted by spam email attachments.
Fortunately, there is an easy way of protecting against a DRIDEX malware infection. Since spam emails are now becoming harder to spot, the easiest solution is to prevent DRIDEX emails from being delivered. To do that, a spam filter such as SpamTitan is required.
SpamTitan is able to identify spam emails containing DRIDEX as the signature of the malware is present in the Anti-Virus engines used by the software. SpamTitan uses two separate AV engines which increases the probability of the malware being detected.
Since new malware is being devised and sent with increasing regularity, all email users should also be taught how to identify potential phishing emails as a failsafe to ensure. This will help to ensure they do not become another email scam victim, or inadvertently compromise their employer’s network.
Email spam may not be the first choice of hackers for making money, but there are plenty of online criminals who still use email to fool users into installing malware on their computers or revealing sensitive information.
This week, two new email spam warnings have been issued following reports that consumers have received emails that have aroused their suspicions. When checking the authenticity of the emails received, they discovered they were scams. The warnings were issued by the Better Business Bureau (BBB) in an effort to prevent the scams from claiming victims.
The latest email spam campaigns differ from each other, but use tried and tested techniques which have proven to be highly effective in the past.
Jury Duty Scam Email Discovered
Trust in authority figures is being exploited in a new email spam campaign in which users are urged to take action as a result of missing jury duty. A similar email is doing the rounds warning recipients of an impending court case. Should the recipient of the email ignore the request, the case will be heard in their absence and they will not be allowed to mount a defense.
The emails shock recipients into taking rapid action such as clicking a link or opening an email attachment. These two emails are clever in the fact they warn users of the need to respond to a judge or turn up in court, yet the crucial information needed to do so is not supplied in the email body.
Any email recipient believing the email is genuine is likely to open the attachment or click a link to find out which court needs to be visited. By doing so they are guaranteed to have their computer, laptop or mobile device infected with malware.
The BBB was alerted to the scams and issued a warning advising recipients of these emails to delete them immediately. Advice provided saying the U.S. Courts would not contact individuals about jury duty by email. Letters are mailed or telephone calls are made in this regard.
Church Leaders Warned not to Fall for Money Transfer Email Spam Campaigns
The second scam was recently reported by the finance director of Grace Bible Church, who received a request via email to transfer funds to a senior pastor. In this case, the email appeared to be official, having been sent from the senior pastor’s email account.
It is a good security practice to always check the authenticity of an email that requests a transfer of funds. In this case all it took was a quick phone call to the pastor in question to reveal that the request was bogus.
If it is not possible to contact the individual, deleting the email would be the best next course of action. If the request is genuine, the individual in question is likely to make contact again. Spammers tend to send these campaigns randomly. A second request is unlikely to be received if the first is ignored.
The Fight Against Email Spam is Getting Easier
Spam email campaigns are still an effective method of malware delivery. Social media posts and infected websites may now be the preferred method of infection, but users must still be wary about opening attachments or visiting links sent from people they do not know.
Awareness of the tell-tale signs of an email scam has improved in recent years. So has security software used to detect phishing campaigns. SpamTitan Technologies is one such company that provides a highly effective spam filtering solution. It boasts an exceptionally low false positive rate and catches over 99.98% of all spam emails.
Part of the reason why SpamTitan’s Award Winning Anti-Spam solution is so effective at catching email spam is in part due to the power of the AV engines used. Instead of using one class-leading AV engine, it uses two: Kaspersky Labs and Clam Anti-Virus.
By installing this anti-spam solution, malicious emails used to phish for sensitive information can be blocked before they are delivered to an email inbox. Businesses looking to reduce the risk of end users infecting their desktop computers, laptops and portable devices with malware and viruses, will find SpamTitan’s Anti-Spam solutions for the enterprise highly cost-effective. Rather than purchasing a package that offers protection for far more IP addresses than are required, IT professionals can purchase a license that covers end users without wastage.
Softlayer Rated Biggest Spam Hosting ISP by Spamhaus
According to a new report by the not-for-profit anti-spam organization, Spamhaus, the biggest spam hosting ISP is Softlayer, the IBM-owned cloud computing provider. A reported 42% of the ISP’s outbound emails have been discovered to be spam.
The report, issued on Wednesday, shows the ISP to be the current biggest offender, found to be supporting spammers and hosting numerous malware operations. The extent of the company’s emails found to be spam is astonishing, making it the undisputed champion of spam. Spamhaus has recorded over 685 separate spam issues on Softlayer, almost three times as many as the ISP in second place, Unicom-sc, which has had 232 reported spam issues.
Typically, the biggest web hosting companies and internet service providers do not feature so highly in the spam list, as they tend to employ numerous measures to prevent their servers being used by spammers and internet criminals. While Softlayer has not featured so highly in the past, recently it has been rising up the rankings, even though it does make efforts to fight spammers and implements controls to prevent them from using its servers.
In recent years the company has increased efforts to keep spammers at bay, and has taken firm, decisive action when reports of spamming have been received. But this has not proved to be sufficient.
It would appear that the ISP is now being targeted by Brazilian cybercriminals who are using its services to send out high volumes of spam emails and host numerous malware-infected websites. Softlayer is understood to have relaxed its criteria and vetting processes recently in an effort to attract more business; which does appear to have been successful, albeit for the wrong kind of business.
Spamhaus also pointed out that it has received requests to have Softlayer removed from its listing, but will only do so when it is clear that all of the issues have in fact been resolved. Spamhaus pointed out that cyber-criminals from Brazil were so active that “many listed ranges were being reassigned to the same spam gang immediately after re-entering the pool of available addresses.” The report went on to say, “these specific issues would not be removed until Softlayer was able to get control of the overall problem with these spammers.”
Softlayer has responded to the new number 1 ranking, saying affirmative action is being taken to tackle the issue. Communications Director, Andre Fuochi, recently told Krebsonsecurity, “We are aggressively working with authorities; groups like The Spamhaus Project, and IBM Security analysts to shut down this recent, isolated spike.”
Unfortunately, while action is being taken, it is not fast enough to stop the spammers. As soon as accounts and websites are shut down, more are created. Users are able to provision and de-provision sites and applications cheaply and quickly, which is why the ISP is struggling to stop spam emails from being sent and malware sites from being created.
Cloudmark recently confirmed Spamhaus’s rating, saying the Softlayer network was the largest single source of spam in the world during the third quarter of this year. The spammers and scammers will always find a home somewhere, but to find it at a company owned by IBM must come as a major embarrassment. IBM is, after all, a major player in the software security market.
A bank phishing scheme operated by a Moldovan man has resulted in $3.55 million being transferred from the bank accounts of a Pennsylvania mining company – the Penneco Oil Company Inc. – according to federal prosecutors.
The perpetrator of the campaign, Andrey Ghinkul, 30, has been charged following his recent arrest in Cyprus. He is awaiting extradition to the United States, with a hearing scheduled for next week.
The phishing campaign was sent out to numerous companies, with a number of recipients reportedly opening the email, only to have their computers infected with Bugat malware. Bugat Malware is a little known form of malware, operating in a similar fashion to the well-known Trojan Zeus.
Bugat malware functions as a SOCKS proxy server, allowing hackers to directly download and execute programs on an infected host’s computer, or upload files to remote servers. In order to escape detection, the malware communicates encrypted data with its command, and by doing so fails to trigger many traffic inspection software warnings.
The malware has been used to log information entered during online banking sessions, with Firefox and Internet Explorer browsers so far exploited. With the information obtained, hackers are able to make fraudulent wire transfers and ACH transactions. So far, small to mid-sized businesses have been most commonly targeted.
While many organizations are now looking out for Zeus infections, this new form of malware can escape detection more easily. The attacks also show how cybercriminals are diversifying their attacks in order to gain access to financial account information and avoid detection.
The phishing campaign was used to send emails to a number of recipients in U.S companies, with the emails appearing to have been sent from medical providers, indicating the recipients had received a positive diagnosis for cancer.
Bugat Malware Bank Phishing Scheme Nest Hackers Over $10 Million
According to the FBI, Bugat malware has resulted in around $10 million in funds being transferred from U.S company accounts to hackers in Russia and Belarus.
The transfers from Penneco Oil’s accounts were made possible by the malware, which recorded bank passwords as they were entered on the infected computer. That information was then used to make the transfers. The first transfer of $2.2 million was made in August 2012, with the funds being received by a bank based in Krasnodar, Russia. A second transfer was made the following month, this time the recipient account was in Minsk, Belarus.
While the transfers did go through, action was swiftly taken by the bank – Indiana, PA-based First Commonwealth – and the funds were rapidly restored. Senior Vice President of Penneco, D. Marc. Jacobs, said the bank “worked to completely restore our funds almost immediately.” In this case, Penneco had all funds restored and the bank had to cover the cost.
Should Ghinkul be extradited, the case will be heard in Pittsburgh where another attempted victim was targeted. Sharon City School District nearly lost $999,000 to a Russian account. Fortunately, that transaction was successfully blocked.
A new iTunes email scam has been uncovered which attempts to trick users into revealing their credit card numbers, according to a recent report issued by Malwarebytes.
The latest iTunes email scam targets users of iTunes and offers them a refund for a purchase that has been made using their iTunes account, indicating they have been affected by an email scam already. In order to receive the refund, the users must provide their Apple ID, password, and credit card details so the refund can be processed.
Emails have been sent to iTunes account holders telling them that their account has been fraudulently used to purchase an app valued at £34.99 ($53), with the emails containing a fake receipt for the purchase. The app is question is provided by CoPilot Premium HD, a supposed navigation service. The receipt contains a link that the recipient of the email must click in order for their refund to be issued, if the purchase is not genuine.
There is of course no such app, and the high price is perhaps a warning that something is amiss. Unfortunately for users looking to protect themselves from fraud, the very actions they take to protect themselves will actually ensure they do become victims.
Not the Only iTunes Email Scam Recently Uncovered
This is not the only email phishing scam to have been sent to Apple users in recent weeks. Another email spam campaign attempts to get users to click a link to update their credit/debit card, which users have been informed in the email is about to expire. Users have been requested to click a link and enter their new card details, including the CSC code on the reverse of their card, as well as the new expiry date.
As with many email scams of this nature, the email is sent with a threat of account suspension if they do not comply. In this case, users have little time to respond. The email link is said to expire in one hour’s time if it is not clicked, reducing the time for users to verify if the email is in fact genuine.
They are provided with a link to store.apple.com which is seemingly genuine; however, hovering over the link will reveal that the link directs them to a different location.
There are other common tell-tale signs that the email is a fake, even though the correspondence does contain seemingly genuine Apple imagery and appears to have been sent from Apple’s customer service department. One of the most telling signs is the volume of spelling mistakes contained in the email. Any email sent by Apple is likely to have at least been run through a spell check before being used as a template for millions of Apple device owners. A sure sign that the email is not genuine.
The email contains spelling and grammatical errors such as informing the recipient that the link will “expire one hours after the email was sent.” iPhone “ore” iPads is another, and feature is spelled “feauter.”
The advice to all Apple users is to take time to carefully read any email sent from Apple, and to attempt to verify any request to provide ID numbers or financial information.
It has now been over a year since the U.S Postal Service was affected by a phishing campaign that resulted in the exposure of the personal information of 800,000 current and former workers, yet the postal service is still not effectively dealing with the phishing threat. Employees have been tested, and they are not identifying phishing emails.
Postal Service Employees are at Risk of Falling for Phishing Emails
The network data breach of 2014 occurred as a result of employees falling for spear phishing campaigns, which allowed criminals to gain access to postal service networks containing sensitive data. The data thieves were able to gain access to the network and exfiltrate data without meeting much in the way of resistance. It would appear that if a similar campaign was conducted again now, even more data may be exposed.
The Office of the Inspector General (OIG) recently took the decision to put postal service workers to the test, to determine whether lessons have been learned since last year. In total, 3,125 fake phishing emails were sent to employees of the U.S Postal Service to determine whether they were actually able to identify a potential phishing campaign.
There was some good news. 75% of workers were able to resist the temptation to click on the phishing links in the emails. The bad news was 25% did click. Unfortunately, all it takes is for one person to respond to a phishing email for criminals to gain access to data. 780 responses to fake phishing emails shows risk is not being effectively managed.
However, perhaps worse still, was the lack of compliance with policies that had been put in place in the wake of last year’s successful attack. For instance, the postal service’s Computer Incident Response Team should be alerted if a suspicious email is received by workers, yet only 7% of employees did so during the test.
The reason is perhaps quite easy to explain. Only 4% of staff had completed the Postal Service cybersecurity training course, so presumably were unaware of the policy of reporting suspicious emails, if they were in fact able to identify them as suspicious.
OIG Report Shows Postal Service is Not Dealing with the Phishing Threat
The OIG report on the cybersecurity test stated that awareness training does have a positive impact, and can substantially reduce the risk of employees responding to a phishing campaign. Research shows training can reduce security-related risks by as much as 70%.
Policies must of course be turned into procedures, and the staff must receive training. The OIG said, “When management does not require all employees with network access to take annual information security awareness training, users are less likely to appropriately respond to threats.”
One of the main problems for organizations trying to tackle the threat of phishing is the fact that criminal organizations and hackers are developing ever more complex and convincing campaigns to fool users into opening malware-infected attachments and visiting links to malware-infected websites. However, if training is not provided to the staff, even uncomplicated phishing campaigns could well succeed.
At present, only new members of staff and CIO office members are required to undergo annual cybersecurity training: That is not the most effective way of dealing with the phishing threat. However, in response to the OIG report, the Postal Service will be implementing new training policies by April 2016.
The Federal Trade Commission has issued a warning over a new gaming email phishing scam that targets video game players and takes advantage of their love of the games to get them to divulge their account information.
Gamers invest considerable time and money into buying add-ons and developing gaming characters; however, the fear of loss of their gaming account is seeing many fall for the latest scam.
Cyber Criminals Opt for Gaming Phishing Email Scam
Hardcore gamers are not difficult to find, having registered on forums and gaming websites, providing their email addresses and other information about their gaming habits. Once criminals obtain email addresses of gamers, they are sent fake emails from gaming companies suggesting they have been discovered to have sold gaming items or characters for real money, and by doing so have violated the rules of the game.
Consequently, the users are threatened with account suspensions, or in some cases, legal action. A number of emails have been received by gamers with threats that they will be sued for amounts up to $2,700 for repeated violations of gaming rules and regulations. The intention is not to get the users to part with that money, but to get them to reveal details of their bank accounts or credit cards used to make purchases.
Users are often fooled into responding out of fear of losing their accounts or being suspended or banned from their favorite games. The email campaigns can also be highly convincing, using templates that appear legitimate, often including company logos and names the users may be familiar with.
The scammers have been targeting users of some of the most popular online games, such as World of Warcraft and Diablo III, both produced by Blizzard Entertainment, although the scam is not restricted to players of these games. The volume of emails sent to gamers, and complaints received, has resulted in Blizzard emailing users to tip them off to what it called “rampant scams.”
The FTC has also got involved, issuing a warning of its own. According to the FTC warning, targets are advised that they should check the status of their accounts and challenge the suspension if they have done no wrong. They are supplied a link for this purpose and are required to fill in a ‘verification’ form.
They are then asked to enter information in order to confirm their accounts and identities, and must reveal account and financial information. The perpetrators of the scam then empty their accounts.
This is not the only technique used by online fraudsters to get users to reveal their credentials. Gamers are being sent spam emails asking them to login in order to receive free gifts and exclusive game add-ons, with users requested to click a link in the email to login in order to claim their prize.
It is not always essential that account details are entered in the online forms to which the users are directed to. The links contained in the emails can direct the users to malware-infected websites. Malicious software is automatically downloaded to the users’ computers, allowing the perpetrators to gain access to the device and trawl files looking for personal information such as bank account details, login names and passwords.
Gamers have been warned to always try to verify any such emails, and not to click on links, open attachments or use the contact details provided. All requests that are out of the ordinary should be independently verified with the company concerned, using the gaming website’s contact information.
There has been some good news reported recently that indicates email spam levels are now at the lowest point seen in the past 12 years. According to a report issued by Security company Symantec, spam emails fell to 49.7% of all emails sent in June this year. Spam email levels fell further still in July, dropping to 46.4% of total email volume. Symantec also reported that the volume of phishing campaigns also saw a fall in June.
A number of reasons have been cited for the fall in spam levels, including bringing a number of spammers to justice and closing down their criminal networks, in addition to shutting down a number of rampant botnet networks, many of which were located in the United Kingdom.
The botnets were identified by UK police forces which orchestrated a number of takedowns. UK and European internet service providers had been collaborating with the police and passed on information on suspected botnets, helping to reduce the effectiveness of the networks, ultimately leading to many being shut down.
While this is good news, this does not mean there has been a reduction in risk. Phishing schemes may have seen a small drop in June, but the number of malware variants now being discovered has increased dramatically. The variation in malware is causing a problem, as the malicious software is becoming harder to identify. The extent of the increase in variants is considerable. In just two months the number of malware types had almost doubled from 29.2 million in April to 57.6 million pieces of malware caught by Symantec in July. This is the second highest figure reported in the past 12 months, with only November 2014 seeing more malware attacks caught (63.6 million).
The attack landscape is constantly changing, with cybercriminals now diversifying their attack vectors. Ransomware for instance, is becoming more popular. Just under half a million attacks (477,000) were thwarted by Symantec in June, with the volume of ransomware having risen for two months in a row.
While cyber criminals based in the UK and United States may be diversifying attack vectors, hackers in other countries still favor email spam, with eastern Europe and China still seeing huge volumes of spam emails being sent. It is certainly not a time to let one’s guard down or become complacent about email spam.
Businesses Still Receiving High Volumes of Spam Emails
Overall, levels of spam may have fallen, but small to mid-sized companies are still seeing high levels of spam emails received, with the percentage of spam emails remaining above 50%. Spam email traffic to small to medium companies (those with one to 250 employees) stood at 52% in June.
Malicious emails are also still being used extensively to target organizations of all sizes. In June, malicious emails were being most commonly used against companies employing 1501-2500 individuals, with one in 164 emails recorded as being malicious in nature.
In July the figures had improved, with organizations employing 251-500 individuals the most common recipients of malicious emails, registering one email in 260 as being malicious in nature, closely followed by small organizations employing under 250 individuals, with one in 275 emails rated as malicious.
Spam emails were still being sent at high levels to particular industries, with mining and manufacturing industries receiving high levels of spam in June. Over 56% of emails received in the mining sector were spam, with the manufacturing, construction, retail and non-traditional service industries all registering spam email volumes of 53% or more in June.
The figures for July actually showed an increase in spam for some industry sectors. Mining had increased to 55.7%, with only very slight falls in spam levels in other industry sectors. Manufacturing, retail and construction all registered spam percentages above 53%.
Each of the other 6 industry sectors (Professional services, agriculture/forestry/fishing, wholesale, non-classifiable establishments, finance/insurance/real estate, and non-traditional services) all registered spam email percentages of between 51.9% and 52.5%, indicating email spam remains a major problem for most U.S. businesses.
The Ponemon Institute has released a new report detailing the cost of phishing attacks on U.S businesses, suggesting the average annual cost for U.S companies has now risen to $4 million. Ponemon calculated phishing attacks take an average of 23.7 days to resolve, and are having a huge impact on U.S organizations, with smaller companies often suffering the most.
Cost of Phishing Attacks & Cyber Crime Assessed
The report indicates that the biggest costs suffered as a result of cyber crime come from phishing campaigns and social engineering, which accounted for 16% of total cyber crime costs. Phishing and social engineering were found to have affected 59% of organizations, while botnets affected 66% and web-attacks were suffered by 76% of organizations.
The Ponemon study, conducted in conjunction with HP Enterprise, involved a representative sample of 58 private and public sector U.S organizations being surveyed on cyber crime and the costs of dealing with criminal attacks. The results of the study show that in the U.S, the mean annualized cost of cyber crime has risen to $12.7 million per year, with the highest total average cost of dealing with cyber crime being $15.42 million – more than double that of Germany in second place.
The study showed that organizations are having to pay between $1.6 million and $61 million per year to resolve cyber attacks. The cost of the dealing with those attacks was found to be higher for larger organizations, although the per capita costs were highest for smaller organizations.
The new 2014 Cyber Crime Report shows the cost of dealing with attacks has risen 19% in just 12 months, with the global average cost of cyber crime estimated to have exceeded $7.7 million. Some companies are having to cover costs of up to $65 million to resolve criminal attacks, which were shown to have increased in both frequency and severity during the past 12 months. Email attacks remain one of the biggest causes for concern, being one of the main methods used by criminals seeking access to computer networks.
Phishing Emails Are Proving to be Highly Effective
Earlier this year, communications company Verizon produced a report indicating phishing campaigns can be highly effective methods of attack, and suggested that all too often staff training efforts are not particularly effective. Many organizations are now providing staff with information on how to identify phishing emails, yet this information does not appear to be retained. The study found that 23% of individual who received a phishing email opened it, and an alarming 11% of recipients clicked on the link contained in the email or opened the attachment.
The provision of training manuals on phishing to employees can be effective, but retention of information tends to be poor. The Ponemon study did suggest that one of the best methods of training staff how to identify phishing emails is to provide examples, indicating the sending of simulated phishing emails was particularly effective at reinforcing training, providing up to a 37% return on investment.
With phishing emails representing such a substantial proportion of cyber security costs, and training proving not always particularly effective at substantially reducing the risk of attacks being successful, greater efforts should be put into intercepting phishing emails and preventing them from being delivered to recipients’ inboxes. For that, a robust and effective email spam filter is required.
Although many reports suggest that email spam is reducing, email spam and botnet infection is still a major issue for most U.S organizations and individuals – with criminal practices netting cybercriminal gangs billions of dollars every year.
Determining the infection levels and the volume of spam being sent was one of the missions of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG). M3AAWG, is a global organization tasked with promoting cybersecurity best practices and fighting organized internet crime. M3AAWG was formed a decade ago by a number of leading internet service providers, with the goal of improving collaboration and sharing knowledge to make it harder for criminals to spam account users. By reducing the impact of email spam on individuals and organizations, ISPs would be able to better protect users, IPS’s email platforms and their reputations.
Quantifying Email Spam and Botnet Infection a Complex Task
It was discovered that quantifying email spam and botnet infection levels was a complex task; one that was only possible with collaboration between internet service providers. As a result of this collaboration, the organization has produced reports on the global state of email spam and botnet infection. Its latest analysis suggests that approximately 1% of computer users are part of a botnet network.
The data gathered by M3AAWG involved assessing 43 million email subscribers in the United States and Europe.,The data analysis showed that IPS’s typically block between 94% and 99% of spam emails. The company’s report suggests that on the whole, IPS’s do a good job of blocking email spam.
The figures look impressive but, considering the huge scale of email spam, billions of spam emails are still getting through to users, with financial organizations and other companies now being regularly targeted with spam and malware.
Email spammers are well funded, and criminal organizations are using email spam as a means of obtaining tens of billions of dollars each year from internet fraud. Spam emails are sent to phish for sensitive information, such as bank account information, credit card details and other highly sensitive data including Social Security numbers. Accounts can be emptied, credit cards maxed out and data used to commit identity theft; racking up tens of thousands of dollars of debts in the victims’ names.
In years gone by, email spammers concentrated on sending emails randomly to accounts with offers of cheap Rolexes, Viagra, potential wives and the opportunity to claim an inheritance from a long lost relative. Today, spammers have realized there are far greater rewards to be had, and emails are now sent containing links to malware-infected websites which can be used to compromise users’ PCs, laptops and Smartphones, gaining access to highly sensitive data or locking devices and demanding ransoms.
Some emails may still be sent manually, but the majority are sent using botnets. Networks of infected machines that can be used to send huge volumes of spam emails, spread malware or organize increasingly complex attacks on individuals and organizations. The botnets are available for hire, with criminals able to rent botnet time and use them for any number of reasons.
Many of the attacks are now coming from countries where there is little regulation and a very low risk of the perpetrators being caught. Countries in Africa, as well as Indonesia and the Ukraine house huge volumes of cybercriminals. They have even set up call centers to deal with the huge volume of enquiries from criminals seeking botnet time to orchestrate phishing and spamming campaigns. Tackling the problem at the source is difficult, with corruption rife in the countries where the perpetrators reside.
However, it is possible to reduce spam level, and the risk of employees falling for a scam or downloading malware by installing a robust email spam filter, reducing the potential for spam emails and phishing campaigns getting through to individual accounts. According to Verizon, 23% of users open phishing emails and 11% open attachments and click on links. Stopping the emails from reaching users is therefore one of the best methods of defense against attacks.
Lawyers representing plaintiffs affected by spammy marketing practices by business networking website LinkedIn have reached a $13 settlement in a California court, with the LinkedIn email spam lawsuit likely to result in users of the website receiving a payout of around $10 per person.
Lawyers argued that the marketing practices used to attract new users breached California’s common law right of publicity and constituted unfair competition, with millions of users having had their privacy violated. The class-action lawsuit was filed in September 2013 and lasted two years before LinkedIn agreed to settle the case without admission of liability. LinkedIn claimed no wrongdoing and that its business practices broke no laws.
Alleged Spammy Marketing Practices used by LinkedIn to Attract New Users
Users of LinkedIn are permitted to import contacts from email accounts such as Gmail. Users electing to “Add Connections”, will generate an email that is sent to their contacts list inviting those individuals to connect and sign up for an account with the website.
Site users were asked before emails were sent to their imported email contacts, but they were not advised about a further two emails that were triggered if their contacts did not respond to the original email request within a fixed period of time. The follow-up emails were reminders that the invitation was still waiting for approval.
The lawyers claimed that LinkedIn had been “breaking into its users’ third-party email accounts, downloading email addresses that appear in the account, and then sending out multiple reminder emails.” The case centered on the fact that users were not advised that this would be the case. It was claimed that the website was using the names and likeness of users to drum up more business without consent, thus breaching the privacy rights of site members.
Last year, LinkedIn petitioned U.S. District Judge Lucy Koh requesting the case be dismissed, as users had in fact given their consent for contacts to be sent emails; however, Koh ruled that while consent had been provided for one email to be sent, users had not given LinkedIn consent to send any further emails if individuals did not respond to the initial request to join the website.
Other claims made against LinkedIn were rejected, such as the breach of federal wiretap law and claims of hacking users accounts. As a result, the case was required to be resubmitted.
LinkedIn Users Invited to Submit Claims for Compensation
The LinkedIn email spam lawsuit has now been settled, although users of the site are unlikely to receive much in the way of compensation. Any user who used the Add Connections feature of the website between September 17, 2011 and October 31, 2014 have now been invited to submit claims, and have until December 14, 2015 in order to do so.
Due to the volume of individuals affected, it is probable that the payout for each affected user will be around $10. LinkedIn has agreed to add further funds – $750,000 – if the volume of claims it receives results in individuals qualifying for a payout of less than $10 a head. Linked in will also be required to cover legal fees in addition to paying the $13 million settlement.
From the end of the year, all users of the “Add Connections” feature will be informed that by doing so, they are giving their consent for their imported email contacts will be sent one email, and up to two follow-up emails if no response is received from the initial request. There will also be a new option added which will allow invitations and reminder emails to be stopped.
The threat from phishing emails is causing Health IT professionals major headaches, and is one of the main data security concerns according to a recent HIMSS cybersecurity survey. The recent HIMSS survey was conducted on 300 healthcare IT security professionals and suggests that the increase in phishing emails is one of the main reasons why the healthcare industry is having to invest so heavily in data security. 69% of survey respondents believed that to be the case.
Phishing campaigns are now being devised that are difficult to identity, with cybercriminals investing considerable time and effort into creating highly convincing emails in an attempt to get healthcare employees to divulge their login credentials.
Threat from Phishing Keeps CISOs Awake at Night
Criminals may still be sending random email spam in an attempt to obtain credit card details and banking information, but healthcare providers are now being increasingly targeted for the high volume of Social Security numbers and other personal patient information held; data that can be easily used to commit identity theft and obtain far more than is possible with credit card numbers. According to HIMSS Senior Director of Research Jennifer Horowitz, phishing is now “the number one thing that keeps CISOs up at night.”
The survey showed that data security has become one of the main business priorities for healthcare organizations, with 87% of respondents claiming data security has increased in priority over the course of the last year. Out of the respondents that said data security is a main priority now, two-thirds believe phishing to be the main cause for concern, and the same volume of respondents claimed their organizations had already suffered a phishing or other online scamming attack.
Phishing is a technique used by cybercriminals to obtain personal information, and is used as part of a wider attack on a corporate network. If users can be convinced to visit a link to a website or open an attachment, malware is downloaded to their device. A third of survey respondents indicated they have already become the victim of such an attack this year.
One problem faced by the healthcare industry in particular is the tactics used by criminals frequently change. Phishing was a technique most commonly associated with mass spam emails sent by individuals in the hope that some email users would fall for the scams. It would appear that now individuals, or specific groups of individuals, are being targeted. Many criminals now opt for quality over quantity, and are devising campaigns to target individuals with access to the data they seek. These “spear phishing” campaigns can prove to be highly effective.
Tackling the Threat from Phishing Emails
Efforts are being made by healthcare organizations to reduce the risk of individuals falling for campaigns. Spam filtering can be effective at limiting the volume of emails that make it through to the inboxes of healthcare workers, and training is now being provided to staff to help individuals recognize the signs of a phishing email. However, it would appear that while training is sometimes provided, this is not subsequently tested in many cases. Phishing email exercises designed to test users’ ability to identify phishing campaigns are still not being used by the majority of healthcare organizations. Only a quarter claimed they are using exercises to test staff readiness to deal with the threat, and that is a recipe for disaster.
City of London Police are sending emails containing important information about a murder suspect. You must be vigilant, and if you see this individual, you should not approach him! The attachment sent via email contains his image, so you will know to avoid him and alert the police if you see him. Unfortunately, opening the attachment will make you a victim. You will not be murdered, but you may end up having your bank account emptied. Yes, this is a City of London Police email scam, and it attempts to convince the good, law abiding public to infect their devices with malware.
City of London Police Email Scam Warning!
One of the latest email scams to be wary of, especially if you live in the UK, involves spam emails with the subject “London City Police.” Contained in the email is a bulletin detailing a murder suspect on the loose, together with a malware-infected attachment.
Fortunately for the wary, there is a clue in the subject that the email is not genuine. There is of course no “London City Police.” The police force in question is called “The City of London Police.” That said, the shock of receiving an email from law enforcement about a murderer on the loose may be enough to convince many to open the email and the attachment.
As one would expect, the email contains a stern warning, with the content phrased in such a way that it could in fact have been sent by the police force. A murderer on the loose in London is a serious matter, and this cunning email spam campaign has been devised to play on the fear that such a matter is likely to create.
How would the Police force have got your email address, and those of everyone else living in your area? That is something that many victims of this email scam may ponder after opening the attachment. Of course, by then it will be too late. Opening the attachment will result in malware being installed on the victim’s computer.
Fortunately, email scams such as this are easy to avoid, in fact, they would not even get to the point of being delivered to an inbox, if precautions have been taken, as explained by Steven Kenny, Customer Support Manager at TitanHQ.
Kenny pointed out that by using SpamTitan, computer users will be protected. He said, “This malware was blocked by SpamTitan before it had a chance to make it to users’ inboxes.” He went on to say, “The malware contained in the attachment was flagged as a virus. The attachment is a zip file, once executed; the malware goes to work.”
SpamTitan Blocked the City of London Police Email Scam
The image below is a screenshot of the City of London Police email scam, which was successfully blocked by SpamTitan.
Current High Risk of Malware Infection
Malware poses a major risk to individuals, but businesses are especially at risk of infection. Employees may be wary of opening emails on their own devices, but are they as security conscious at work?
It is perhaps easier to believe that a work email address would be in the police database, rather than a personal email account. This may lead employees to believe that the email is genuine. Unfortunately, all it takes is for one employee to open an infected attachment, and their computer, and the network it connects to could be infected.
Since email is essential in business, protections must be put in place to ensure networks are not compromised as a result of the actions of employees. If malware is installed, the losses suffered can be considerable. It therefore can pay dividends to implement protection such SpamTitan spam filtering. This will prevent malware-infected emails from being delivered to employees’ inboxes.
A new Netflix phishing scam has been uncovered which works by telling users their Netflix accounts have been closed, requiring action to regain access to the service. Doing so will give your confidential login details to the scam operators.
Netflix has 62.27 million users, making it a highly attractive target for email scammers and spammers, and consequently Netflix phishing scams are common.
Latest Netflix Phishing Scam Convinces users to Reveal their Account Details
Recipients of the fake Netflix emails are required to click a link in order to reactivate their accounts. Unknown to the victims of this Netflix phishing scam, clicking on the link will direct them to a fake Netflix page, and by reactivating their accounts they will be giving the scammers their account names, passwords, and potentially other sensitive information.
Unfortunately for Netflix users, revealing passwords for one account may also mean other online accounts are compromised. Many users share their passwords across different websites, often using the same or similar passwords for Netflix, Facebook, and a host of other sites, including online banking portals.
TitanHQ recommends Netflix users ignore the email and delete it, and certainly do not to click on the link in the email. Phishing scams such as this usually direct users to a website that has been infected with malware, and clicking the link will result in that malware being downloaded, even if no information is entered on the page.
The best course of action is to login to your Netflix account as you would normally do, by typing in the URL or using your bookmark, and check your account status directly with Netflix. In all likelihood, it will still be active.
Further Information on the New Netflix Phishing Scam
Below is a screenshot of the latest Netflix phishing scam. The email appears genuine enough, although close inspection will reveal a few grammatical errors, such as missing apostrophes and misplaced exclamation marks. However, the email could be enough to fool the unwary, and especially individuals who tend to skim read emails and click first and think later.
This phishing campaign is similar to others that have been recently sent to users of other online services. Phishing emails are devised to give the recipient a legitimate reason for handing over sensitive information, usually via webpage.
These include, but are not limited to:
- Upgrading security settings
- Performing essential system maintenance
- Verifying account details to prevent fraud
- Claiming a refund for a bill that has been paid
- Giving money back for an incorrect charge
- Offering you a free gift or service
Email scams often deliver malicious programs – malware – that has been created to steal confidential data such as account login names and passwords. Phishing campaigns are launched on social media, although email is the most common way that these scams are delivered.
Generally speaking, phishing campaigns can be categorized in three types:
Off-the-Shelf Jacking Toolkits
Criminals can purchase malware online which can be used to scam users into revealing passwords, which can subsequently be used to empty bank accounts, rack up debts, or hold people to ransom (the latter is becoming increasingly common and is referred to as ransomware). Once access is gained to an account or computer, Ransomware is used to encrypt data. The users are then required to pay a ransom to the perpetrator of the scheme in order to get their data unlocked.
These campaigns are usually opportunistic in nature, and involve millions of spam emails being sent. It is a numbers game, and some users will click on the phishing links and compromise their computers and networks.
Zero-day Vulnerability Exploits
The net is also cast similarly widely with these email phishing campaigns; however, the malware delivered is more complex, and the hackers behind these schemes are considerably more skilled. Zero-day vulnerabilities are new security flaws that have been discovered in software that have yet to be discovered by the software vendor. Consequently, patches do not exist to deal with the threat. Malware is created to exploit these vulnerabilities, which is usually delivered via an infected email attachment, although it can be downloaded when users visit a phishing website.
Spear Phishing Campaigns
These are targeted attacks that are conducted on individuals, or in some cases, organizations. The perpetrators of these schemes are skilled, and invest considerable time and effort into creating convincing campaigns. Oftentimes extensive information is gathered on the targets prior to the phishing emails being sent.
These schemes similarly use zero day vulnerabilities, and these advanced persistent threats (APT) have been used in a number of high profile attacks, such as the recent Carbanak malware attacks which have made the headlines recently.
How to Avoid Becoming a Phishing Victim
The best defense against attack is to be vigilant. Security awareness training for employees is essential. Staff members must be alerted to the risk, the consequences of clicking on a phishing link, and told how to identify scams. They should be instructed to check links before clicking (by hovering the mouse arrow over the link to check the real address).
It is also essential to keep all software patched and up to date. This applies to operating systems, applications, web browsers and other software. Software should be configured to update automatically wherever possible. Organizations should also develop concise patch management policies. Continuous security audits should be conducted and multi-layered network security controls developed.
There are a number of ways that spam and phishing emails can be prevented from being delivered to users, such as using a spam filter. Web filtering is particularly useful in prevent users from visiting known malware and phishing sites.
In 1998, ICANN issued the first domain names and IP addresses. There were not many top level domains (TLDs) to choose from. Each country had its own domain suffix, but the choice was limited to .com, .org, .net, .edu, .mil and .gov. Over the years, a few more options have been introduced such as .me, .mobi, .tv and .biz, but the suffix that has caused the most controversy is .xxx – a TLD intended for websites containing images of a sexual nature.
The .xxx TLD was seen as a method of introducing a red light district to the Internet, cleaning it up aside from a dirty corner that could be policed and easily blocked. Some purveyors of pornography allegedly welcomed the move, while others were opposed to it.
There were protests, but the new TLD was released in December 2011, and ICM Registry – a Fort Lauderdale for-profit business – was assigned responsibility for allocating the TLDs. Incidentally, the contract for this was quite lucrative. ICM Registry expected to make in the region of $200 million per year out of the deal.
Sometimes a good idea on paper doesn’t always work out so well in practice. For instance, some companies had spent a long time building up a brand name. They operated their domain on the .com domain, had bought up the .net, .mobi, .org versions and all other TLDs to protect their brand. They did not like the idea of having to do that again with the XXX version, and neither would they be willing to move their main site over to the .xxx TLD.
Few were in favor of the new XXX TLD
Pornographers were not the only objectors to the introduction of the .xxx TLD. The Bush Administration was opposed to the release. In fact ICANN was asked to withdraw support for the proposal. Criticism of the proposal mounted and ICANN came under a considerable amount of pressure. The American Department of Commerce, that has power over ICANN, received over 6,000 complaints about the introduction of the .xxx TLD. Even politicians who had originally backed the idea in the year 2000 changed their mind a decade later. Naturally, conservative groups also applied pressure to block the proposal. It was not enough. The TLD was released – with a delay of a month – and a swathe of new porn websites were subsequently launched.
Unsurprisingly, there has not been a reduction in the number of .com porn websites on the Internet. The new domain has seen even more created. Go figure!
ICANN was subsequently sued on the grounds that it had created a monopoly and that the introduction of the TLD forced businesses to spend even more money registering domain names to protect their brands from being piggybacked. After a couple of years, the lawsuit was dropped.
Controls put in place to protect trademarks
ICM regulators created the new TLD in order to clean up the Internet apparently. The .xxx TLD was seen as a way to make it easier for people wanting to view pornography to find it (it wasn’t exactly difficult, it must be said – type “porn” into a search engine for example) and as a way of promoting a responsible attitude toward it. It would, in theory at least, eventually lead to a dedicated area where pornographic websites could be housed.
However, trademark and patent protection advocate Inventa pointed out that opposition to the new .xxx TLD was virtually universal. No one wanted it apart from ICANN (and ICM Registry).
As for the fears that domain-sitters and entrepreneurs would take advantage, there were controls to prevent this. Eligibility criteria needed to be met. A company owning the trademarked .com version of a website could purchase the corresponding .xxx TLD to use as an adult domain or to prevent others from using it. Amazon.xxx, for example, could only be bought by Amazon.com. The ICM Registry reserved it for them. If there was no trademark, the domain name could be bought by anyone.
Was it worth all the effort?
ICM Registry would be inclined to agree, but as for making the Internet a safer place for children, cleaning up some porn, and having a dedicated online red light district, that clearly hasn’t worked. The biggest names in Internet porn still use their dotcom websites and have not made the switch to XXX domains. People interested in viewing pornography do not need an .xxx TLD to be able to find it, and don’t care what the name of the website is let alone the TLD, provided it gives them what they are looking for.
It is no easier to block pornographic websites than it was before the release. Simply blocking access to XXX suffixed websites will make no discernable difference to the amount of porn that is viewable online.
Until laws are passed to force porn websites to use the XXX domain – which would be incredibly difficult to implement – the move has not been particularly effective.
The only way to block effectively access block pornography from being displayed is to use a web filter such as SpamTitan Technologies. By using real-time classification, URL filtering, blocklists, keyword filters and other tools, SpamTitan Technologies web filtering solutions prevent the websites from being viewable. Something very important for schools, universities, colleges, charities, and corporations.
Any organization believing written policies on allowable uses of the Internet are sufficient to stop inappropriate use, should bear in mind that surveys have revealed that 20% of men and 13% of women have admitted to downloading pornographic content while at work. A recent pool of 500 Human Resources professionals indicated two thirds had discovered pornographic content on work computers, and the majority of porn is viewed during office hours (between 9am and 5pm).
If you want to stop employees accessing pornography in the workplace, the only effective way of doing so is with a robust web filtering solution.
Former employees of Kaspersky Labs have tipped off the media to an alleged practice of faking malware. It is claimed the company used fake malware to get rival anti-virus companies to flag the programs as malicious, potentially tarnishing their reputations with numerous fake positives.
For obvious reasons, the tip-offs have come from anonymous individuals who claim to have worked for Kaspersky Labs, yet their identities naturally cannot be verified. They could in fact be employees of rival anti-virus companies. It is therefore difficult to determine whether there is any truth in the allegations. Kaspersky Labs denied the allegations, in fact Eugene Kaspersky has been quite vocal on social media and has spoken out on Twitter, vehemently denying the accusations.
In an effort to find out more, we contacted Kaspersky Labs to find out further details. We received a reply as follows:
Kaspersky Denies Fake Malware Claims
“Contrary to allegations made in a Reuters news story, Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing. Such actions are unethical, dishonest and illegal.” Kaspersky went on to say, “Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false. As a member of the security community, we share our threat intelligence data and IOCs on advanced threat actors with other vendors, and we also receive and analyze threat data provided by others. Although the security market is very competitive, trusted threat data exchange is a critical part of the overall security of the entire IT ecosystem, and we fight hard to help ensure that this exchange is not compromised or corrupted.”
Interestingly though, there does appear to be a grain of truth in the accusations, with the anti-virus software giant confirming that harmless malware was in fact created and uploaded. However, this was part of a test of its own software systems, not an attempt to discredit rivals. The statement issued explained the experiment:
“In 2010, we conducted a one-time experiment uploading only 20 samples of non-malicious files to the VirusTotal multi-scanner, which would not cause false positives as these files were absolutely clean, useless and harmless. After the experiment, we made it public and provided all the samples used to the media so they could test it for themselves. We conducted the experiment to draw the security community’s attention to the problem of insufficiency of multi-scanner based detection when files are blocked only because other vendors detected them as being malicious, without actual examination of the file activity (behavior).” The story was reported at the time in the media.
Kaspersky also explained that “After that experiment, we had a discussion with the antivirus industry regarding this issue and understood we were in agreement on all major points.” Further information on cascading false positives can be found here.
“In 2012, Kaspersky Labs was among the affected companies impacted by an unknown source uploading bad files to VirusTotal, which led to a number of incidents with false-positive detections. To resolve this issue, in October 2013, during the VB Conference in Berlin, there was a private meeting between leading antivirus vendors to exchange the information about the incidents, work out the motives behind this attack and develop an action plan. It is still unclear who was behind this campaign.”
False positives are common in the internet security industry. What is not known, and probably never will be, is who creates the bad samples that lead to false positives. As Ronan Kavanagh, CEO at TitanHQ, points out,“Kaspersky is an excellent product, we have never had an issue with it, quite the opposite in fact. Of course we have seen false positives, we were targeted by bad samples as were many other security vendors but we would have no visibility on who carried out these attacks. The critical thing is that as an industry we work together in fighting back”.
Have you discovered false positives when you have run your software security programs?
The threat to corporate data security is higher than ever, with hackers and other cyber criminals devising ever more complex ways of gaining access to company secrets, employee data, and protected health information. IT security teams now need to monitor and track new threats like never before. Phishing emails must be blocked, employees must be prevented from visiting malicious websites, audits must be conducted to check for malware and viruses, and systems protected against keyloggers and Trojans.
The volume of new malware now being discovered is enough to keep IT security professionals awake at night, with many fearing the security of their systems. IT budgets are strained enough as it is, and the rapidly changing threat landscape is placing those budgets under even greater strain.
What Information are Cyber Criminals Trying to Obtain?
Individual hackers may attempt to break through security defenses for any number of reasons, in fact their aims are not always financially motivated. A grudge may be held against an ex-employer. Business practices may be deemed to be questionable. A company’s carbon footprint may even make it a worthy target for attack. Often the aim is to sabotage, with unscrupulous business competitors willing to employ hackers to enable them to gain a competitive advantage.
However, in the majority of cases, cyber criminals attack companies for the data they hold, which can be sold on to the highest bidder on Darknet websites or used to obtain goods, services, or cold hard cash. Data carries a high value on the black market as it can be used for a myriad of different types of fraud.
Healthcare data can be used to fraudulently obtain medical services. Insurance data used to make bogus insurance claims. Social Security numbers can be used for identity theft or to file false tax returns, and credit card details used to rack up thousands of debts in victims’ names. Corporate secrets such as product development information can be obtained and sold to competitors. The theft of that information can be used by competitors to devastating effect.
Some cyber criminals are not interested in stealing data, just in preventing companies from accessing it. If ransomware can be installed, criminals are able to encrypt an entire system and hold the company to ransom. They will only release the security keys to unencrypt data if a ransom is paid.
How Are Criminals Obtaining the Data?
Spam emails and phishing campaigns (via email, social media networks and over the telephone) are common, although one of the biggest threats to data security comes from malware. If malware can be installed on computers or servers, it can record and exfiltrate data to the hacker’s control centers. All communications can be intercepted and all keystrokes recorded. This enables hackers to obtain login names and passwords: Those used to access internal systems or online bank accounts. It is not just corporate data that is at risk. Any information stored on clients and customers can also potentially be obtained by the attackers.
Common Hacking Techniques Used to Gain Access to Data
Some of the techniques used by hackers to gain access to data include:
Cross Site Request Forgery (CSRF)
Even apparently safe websites can allow hackers to install malware or access sensitive data. This type of attack involves legitimate websites sending requests to other sites. Twitter has suffered cyber attacks involving this method, resulting in logins and passwords of site users being obtained.
Web 2.0 Application Exploits
Take two innocent looking sections of malware code that have been installed on a website. Individually they do no harm, and can easily evade detection. However, when two appear on the same webpage they interact and infect visitors’ devices with malware.
One of the most popular techniques for hacking involves the insertion of meta-characters or SQL commands into input fields on a website. The commands are able to execute back-end SQL code.
All Companies are at Risk, and the Majority Have Already Been Impacted by Malware
If you think only small to medium sized organizations are at risk from malware (due to IT security budgetary constraints) think again. Even the world’s largest corporations are at risk from malware. Earlier this year, Apple was targeted by hackers and suffered a serious malware attack. Full details of the extent of the attack were not disclosed, but a number of Apple Mac computers were compromised by the attackers.
How could the hackers install malware on the computers of such a security conscious company with exceptionally deep pockets? Via a perfectly legitimate website! Users had visited a software development website, with the hackers gaining access via an unpatched Java bug.
The biggest social media sites are not immune to attack either. Twitter suffered a malware attack that exposed the confidential accounts of approximately 250,000 users. This is believed to have happened as a result of the same unpatched Java vulnerability.
No Company is Immune to Cyber Attacks
Around this time last year, a medical equipment manufacturer called Neurocare was targeted by cyber criminals. In that attack, all employees of the organization were affected. In that case, it was not the company’s systems that were attacked directly. The malware came via the company’s payroll processor.
These are all very large companies. But last year hackers used malware to pull of an even bigger and bolder campaign, launching an attack on the International Monetary Fund (IMF). As you could well imagine, the IMF has rather robust security controls in place, yet even they proved no match for the hackers. The attackers just went for the weakest link: IMF employees.
That attack involved spear phishing. Individuals working for the IMF were targeted with a highly convincing campaign which allowed malware to be installed on their computers. That attack was highly sophisticated in nature, and is believed to have been orchestrated by a team of hackers who had received backing from foreign governments. Highly confidential data was exfiltrated in the attack.
Phishing Campaigns Have Proved to be Highly Effective
This year, Kaspersky Labs reported a sizable increase in phishing attacks involving Apple IDs. Two years ago, the average number of attacks per day was just 1,000. Only 12 months later that figure had jumped to 200,000 per day.
Even security firms are not immune to phishing scams. RSA, a prominent American computer and network security company, suffered a phishing attack that was caught by the company’s spam filter. The emails were quarantined, yet were opened from within, unleashing a Trojan that harvested data from employee accounts. RSA’s SecurID tagsix was compromised in that attack.
RSA should not be singled out of course. Even bigger companies have suffered at the hands of phishers. An estimated 20% of Fortune 500 companies have become victims of these campaigns. Even the world’s largest corporations have been hit in recent months. IBM has been affected, and bigger companies still. Microsoft and Google are also victims of phishers.
Beware of Blended Threats Delivered Through Spam Email
The web may now carry the highest risk of malware distribution, but email is still commonly used to deliver malicious software. It remains one of the commonest attack vectors used by phishers. Email spam can be used to attack any device capable of receiving and opening email. This means tablets and Smartphones are vulnerable to attack, not just laptop computers and desktops.
One of the biggest threats comes from blended attacks. These are spam emails that contain links to malicious websites, or even legitimate websites that have been infected with malware. These threats are more difficult to deal with. They require a different form of defense that uses a combination of standard email anti-spam controls along with web security defenses.
Spam may not be the favored choice of hackers these days, but it still represents a serious threat to businesses. Dealing with the emails can waste an extraordinary amount of time and money. Spam can take up huge amounts of bandwidth that affects all employees in a company. Dealing with spam adds significant amounts to operational budgets.
The messages by themselves may not be dangerous, but links to malicious websites can represent a serious problem, especially if staff members have not been warned how to identify malicious links. Infected attachments also place computer systems at risk. Both methods can be used to deliver malware, which has potential to cause a serious amount of damage.
A number of defenses can be used to reduce the risk of malware attacks. Anti-virus software is a must, as is a separate anti-malware shield and scanner. Anti-spam controls are vital, as they can prevent the delivery of phishing emails to employees. Web filtering solutions are also highly beneficial. If a spam email gets through to an endpoint user, the software can prevent a malicious website from being visited.
Unfortunately, there is no single control that can be used to prevent all attacks. The solution is to use multi-layered security defenses and to keep them updated.
A spam filter is one of the best ways to reduce email spam risk; however regardless of whether you choose this important email security measure, there are a number of steps you can take to reduce email spam risk, keep your devices protected, and your valuable data out of the hands of spammers and scammers.
11 Spam Filtering Essentials to Reduce Network Security Risk
Listed below are 11 spam filtering essentials that you can implement to reduce spam volume and the risk of cyber attacks.
1. A Real-Time Block List (RBL) is essential
Spam is commonly sent from a known spam server – one that has been blacklisted, or is known to be used by email spammers. Using a Real-time Block List (RBL) is one of the best protections, that will prevent malicious emails from being delivered to inboxes. This one email security feature has been shown to reduce spam email delivery by 70–90%, and it only takes a few minutes to implement.
Even if you use a spam filter this measure is important. It will reduce the load on your spam filter, email server, and network. An RBL works by blocking messages before they are downloaded, which will also help to save bandwidth. There are a number of ways to do this, although zen.spamhaus.org is one of the best. It is widely regarded as being the best at spam blocking, is updated frequently and importantly boasts a very low false-positive rate.
2. Recipient Verification will block spam sent to invalid email addresses
Spammers like to bombard companies with emails in the hope that some will get through, or that a catch-all is in place and all will be delivered. Common email addresses used are webmaster@, info@, admin@, sales@ etc. etc. These email addresses are commonly used by companies and there is a good chance that they will be delivered to someone. However, you can use Recipient Verification (RV) to reject the bulk of these emails, and only have properly addressed emails delivered.
To do this, use Microsoft Active Directory integration or upload a CSV file of valid email addresses to your spam filter and mail server. This technique will prevent speculative emails from being downloaded and will similarly reduce the load on your spam filter and mail server, and save bandwidth. This method of spam prevention will take longer to complete than setting up your RBL, but it is a worthwhile investment of your time as it will result in a major reduction in spam delivery.
3. Configure your server to require correct SMTP handshake protocols
This is one of the most effective methods of blocking spambots and it will stop the majority of spambot emails from being downloaded and delivered. This is a fairly quick task to complete, and should only take you a few minutes. You will need to set your configuration to require a HELO (EHLO) with a Fully Qualified Domain Name. However, it is important to note that it may be necessary to add some of your suppliers to a whitelist to ensure that their messages do not also get blocked. Not all of your suppliers and contacts will have their own email servers configured correctly, so genuine emails may be caught and blocked. Individual organizations will find this step particularly beneficial. MSPs less so, or not at all.
By using the above three spam prevention methods – which incidentally can be used on virtually all email servers – you will make a considerable bandwidth saving, and dramatically reduce the number of spam emails that are downloaded. This will also help to protect your network from malware. If you allocate just 30 minutes to do all three, it will save weeks of your time, which can be better spent on other cybersecurity tasks.
4. Regularly scan for viruses
A basic security measure is use is a robust and powerful anti-virus program, regardless of whether you use spam filtering. If you don’t implement spam filtering, this measure is especially important, as you are more likely to have viruses delivered to email inboxes.
Even with spam filtering in place, it is also important to have anti-virus software installed and, of course, AV engine and virus definitions need to be kept up to date. Software should be configured to update definitions automatically.
With spam filtering in place, it should be possible to stipulate the update frequency. Be aware that a different anti-virus can be employed to protect endpoints. Using the same AV engine for mail servers and endpoints means that if for any reason your AV software does not detect a virus, all endpoints could potentially be affected. By using a different AV engine for endpoints and mail servers, you maximize the probability of a virus being detected. Fortunately, competition is fierce in this market, so you should not have to pay top dollar to have two different engines in use.
The following steps will apply if you have a spam filter. These will apply no matter which spam filter is used, be that open source, commercial or even cloud-based spam filtering.
5. Certain attachments carry higher risks so block them!
Executable files – those with a .exe suffix – are particularly risky. Fortunately, it is not necessary to run the risk of a user double clicking on them. The best option is to block these file types and other risky file types if they are not typically needed by staff members. Be aware that spammers are sneaky. It is common knowledge that .exe files are risky, so they mask them with other extensions: PDF, XLS, DOC files for example. To counter this, block by MIME type, not by file extension.
6. Take Action to Block Phishing Emails
Phishing emails can easily fool employees into clicking on links that direct them to URLs loaded with malware. There are a number of URLs that are recognized as phishing websites and it is possible to block these quickly and easily. To do this, use SURBL and URIBL lists to check for website domains that frequently appear in unsolicited emails.
7. Ensure that your spam pattern library is regularly updated
You may find that your spam pattern library cannot be configured manually, as this may be hard-wired into your spam filter. Spam signatures are based on a huge database containing recently added spam, as well as past signatures, with the spam-fighting community adding to the database on a daily basis. There are many different resources that can be used, although if you want to ensure you have a fully up to date database of spam signatures, SpamAssassin is arguably the best choice.
8. Bayesian filtering will recognize more spam and block less ham
A Bayes engine is used by most spam filtering engines and can be trained to recognize spam, and differentiate it from ham (i.e. not spam). It is therefore important to use a regularly updated spam pattern library, which will assign incoming emails with a score, in addition to using feedback provided by end users. The Bayes engine learns what is spam and what is not, and will apply the lessons learned to new emails that are received, constantly improving its detection rates to ensure all spam is caught, and false positives are reduced.
9. Stipulate the spam score that is right for your company
As a system administrator you have the power to decide what spam score is right for your company. This will depend on how much risk you want to take. You will find that spam filters will usually allow you to dictate how aggressive they are, although you may find this requires a certain degree of tweaking to ensure that spam doesn’t get through and ham doesn’t get accidently blocked. A spam score is assigned by a number of factors, although the type of attachments and the email content are the two main ways that the spam score is calculated. This process is not particularly time consuming, but bear in mind that the first two weeks after your spam filter has been installed is when this task will need to be completed. Be sure to use your trial period to tweak your spam filter to ensure that spam is blocked and the number of false positives are kept to a minimum.
10. Get your end users working for you
Your spam filter will not always get things right, and some spam and junk emails will slip through the net from time to time. It is therefore useful to instruct end users to manually mark any spam and junk emails received, should they get delivered to their inboxes. End users can help to train your Bayes engine to recognize new spam emails and correct false positives.
11. Provide email security awareness training to employees
Nowadays it is essential that all staff members receive security awareness training. They must be taught how to identify spam emails, phishing campaigns, and potential viruses. They must also be informed of the correct actions to take if they do discover a phishing scam or suspect that an email may contain malware or a virus. Also instruct them on the correct actions to take if they do accidentally open a suspicious attachment.
Is it the job of a system administrator to train employees how to protect themselves and their computers? Arguably it is not, but it can save a lot of headaches down the line. Even a little training can go a very long way. Unfortunately, this is an area of email security that is all too often forgotten.
What is essential, is that employees are aware of the risks of falling for a phishing campaign or downloading malware. In some cases, it could spell the end of a company, and along with it, their jobs. You can always use CryptoLocker to scare employees into paying attention.
Training could well make all the difference. Besides, if you do provide training and employees still take risky actions and infect the network, you will have a clean conscience and can say it is not my fault! And be justified in saying it.
LinkedIn is a social networking website aimed at professionals, which helps them develop contacts, network, get new business, and find new employment opportunities. One of the main purposes of the site is to build up new contacts, making the site perfect for criminals looking to phish for information. The information that can be gathered can be used against individuals – or organizations – to conduct highly convincing spear phishing campaigns.
What is a Spear Phishing?
You may be aware of phishing, a technique used by criminals to get computer users to reveal their login names, passwords, credit card details and other highly sensitive information. Phishing is like using a trawl net behind a boat. The aim is to catch as much as possible. Sooner or later something will swim into the net. With phishing, spam emails are sent out in the millions in the hope that someone will respond. It is a numbers game, and the unwary will be caught.
Spear phishing on the other hand is not random. Individual victims are targeted. Spear phishing campaigns are often very convincing, and emails are sent containing information that is likely to fool a specific individual – or small group of individuals- into revealing passwords, login credentials, security codes or other information. These campaigns are also highly effective at getting users to click links to malicious websites, or open malware-infected email attachments.
How does Spear Phishing Work?
In order to convince users to install malware or reveal their sensitive information, those individuals must be convinced to take a specific action. To increase the chances of that happening, the criminals behind the campaigns need some nuggets of information. These could be gained from social media websites. People reveal a wealth of information about themselves on Twitter and Facebook, and some leave their accounts open for anyone to see.
LinkedIn is similarly being used by hackers to gain information about users, with the data harvested being utilized in future phishing and spamming campaigns. Data is collected on users, and used to devise phishing emails containing malicious software or links to malware-infected websites, or fake websites which convince users to enter in their sensitive details.
LinkedIn Used by Scammers to Gather Sensitive Data
One of the latest scams identified involves the creation of fake LinkedIn contacts. Accounts are created by scammers, and then used to make connections with people in similar industries. Unfortunately, connecting with these individuals will allow them to obtain a wealth of information on you, such as your employment and education history, phone numbers and whatever information you add to your profile. In many cases, you will be supplying your entire CV to a hacker by accepting them as a contact. Fake LinkedIn contacts are now a major problem as they pose a big security risk.
This means that every contact must be vetted and assessed before you agree to a connection, and who has the time to do that?
How to Spot Fake LinkedIn Contacts
Fortunately, there are some common tells, and a little research (even a couple of minutes) can reveal fake LinkedIn contacts.
No photograph has been added
LinkedIn is all about making professional contacts. Photographs are therefore essential. People like to see who they are connecting with. If no photograph has been added, treat the account with extreme suspicion. Would the CEO of a mining company really be that concerned about someone finding out what he or she looks like?
Stock Photographs Used
Stock photographs can be purchased from image libraries for cents. Complete a quick Google image check against the user’s name and photo. If they are interested in business networking, their photo is likely to appear on other websites. If it appears under a different name, you will know the account is a fake.
Stolen Photographs Used
A photo search can reveal quite a lot of information about the genuineness of a contact. If your prospective contact is a librarian, it is perhaps unlikely they will also be a Ukrainian heavyweight boxing champion (Not necessarily of course!)
Numerous fake accounts have been created with the individuals claiming to be directors of companies. By day, they are the CEO of two or three different companies, by night they supplement their income by producing internet porn (Images have been taken from adult sites and used for LinkedIn). Unlikely perhaps, that CEOs would feel the need to do this.
Some fake LinkedIn accounts are very convincing
Not all fake LinkedIn accounts are suspicious. Many have extensive contacts, and a realistic profile. However often times that information has been lifted from other websites. Sometimes a photo will not have been used elsewhere online, but frequently the text has. One way of checking is to cut and paste small section of their profile and pasting it in Google. It may reveal that the data has been copied from a legitimate LinkedIn account or other social media site.
What is the Risk of Connecting with Fake LinkedIn Contacts?
There are a number of reasons why criminals go to the trouble of creating fake LinkedIn contacts. Spammers can use LinkedIn to obtain email addresses. Criminals can gain information to launch phishing campaigns and information can be gathered to commit identity theft. If a scammer can convince you they are genuine, they may create a fake job for you and get you to reveal some very sensitive information.
Of course the only way to be sure that you are not accepting fake LinkedIn contacts is to only connect with people you know, but that kind of defeats the whole purpose of the website. The answer is therefore to conduct a rudimentary check to make sure the person you are about to share information with is in fact genuine.
Ireland may not produce many highly innovative cybersecurity companies, but Galway-based SpamTitan technologies is bucking that trend. The company has recently been rising up the ranks and has now taken its place among the best cybersecurity companies in the world, according to the latest Cybersecurity Ventures report.
Only four Irish companies have made it into the Q2 2015 edition of the Cybersecurity Ventures Cybersecurity 500 list: Netfort, PixAlert, VigiTrust and SpamTitan Technologies, with SpamTitan now having ascended to position 123.
This is a major achievement, with the company having previously been placed at 393 for the previous quarterly report. The massive jump in position has been attributed to the hard work put in by all members of staff, who are committed to providing the best possible service in the fight against cybercrime. The company can now be considered one of the best, and also one of the hottest new prospects in the world of cybersecurity.
Each quarter, Cybersecurity Ventures publishes its new top 500 list, which features companies from all around the world. Experts in the field of cybersecurity assess companies for the efforts made, as well as determining each company’s potential. CISOs, VCs and a host of security professionals provide their input for the reports.
Many similar reports tend to focus on the size of the company, turnover and profits achieved. This list is different as it is more concerned with potential and innovation. Founder and CEO of Cybersecurity Ventures, Steve Morgan, said, “We do not think a list of the largest cybersecurity companies is useful to our target audience of cyber and IT security decision makers, evaluators, and recommenders”. He went on to say, “They already know who the biggest vendors are. Instead, we give a nod to the hottest and most innovative companies.” It is, after all, these companies that really need the recognition.
The list contains all of the hottest new prospects and top performers, with the ranking based on each company’s merits and prospects. Ronan Kavanagh, CEO of SpamTitan Technologies is proud of the rise in position, and the value of the list. After hearing of the new position in the top 125 cybersecurity companies, he said, “We recognize the importance of being included on such a significant industry list as the Cybersecurity 500.” He went on to say, “At SpamTitan, our staff are assisting our customers on a daily basis in dealing with the constant threat of cyber attack, and this is now as important for the smaller businesses as it is for the fortune 500 company. We are delighted to be working with Cybersecurity 500 in highlighting the need for vigilance and raising awareness for all businesses.”
For further information, and to find out the full list of top 500 companies, visit www.Cybersecurity500.com
The administration of usernames and passwords is time consuming business, although there is some good news for system administrators. Both Yahoo and Google have now produced alternatives. Google’s Authenticator and the On-Demand passwords from Yahoo look like they could well be viable solutions, but at the present moment in time, they are not universal. It is probable in the short to medium term that passwords will be required as the last line of defense against cyberattacks. It is essential that the last line holds strong, so two-step verification must be implemented.
Since you are going to have to carry on using passwords for the immediate future, it is a good idea to make some changes that will make administration tasks a lot easier, more straightforward and less time-consuming. Furthermore, we recommend making some changes to ensure your last line of defense is particularly strong. It may be tested.
Improve the strength of your passwords
You can use a Single Sign On (SSO) session to gain access to everything. Many people do. Even cybercriminals. SSO makes life easier because you can access everything you need to with the one password. Unfortunately, a hacker or cyber-criminal only needs to compromise one password in order to gain access to everything as well.
If you decide to use an SSO approach, you had better be sure your password is secure. We advise you to use different passwords for each system and to make sure that each of those is secure. It is better to be safe than sorry.
Regardless of whether you opt for multiple passwords or go for the SSO approach, you need to make it as hard as possible for your password to be guessed. This applies to all network users not just IT staff.
Password controls should be used: Minimum character limits should be implemented, along with other controls to ensure only strong passwords are created.
Furthermore, you should help employees create stronger passwords. Research conducted by Carnegie Mellon University’s CUPS (CyLab Usable Privacy and Security) Laboratory has shown that the addition of numbers to passwords can help improve security, but they determined it is far easier to guess passwords when these are added to the end of a password. This is where many people add them. They use their normal password with the characters and numbers added to the end. It is easy to remember that way, it is accepted by the password controls.
Even when passwords do not contain numbers or symbols they can be more secure than short passwords containing numbers and symbols. “AGoodExampleOfASecurePassword” is easy to remember and doesn’t need to be written down. Write it down and there is a chance it will be found. It is actually much better than using “E&”F*$G” for example. That would be very hard to remember, especially if you have more than one password like that to commit to memory and you need to change it every month. You would need to write it down, which is a major risk.
Additionally, a long password is more secure than using any 6-digit code. That said, make sure at least one capital letter is used (preferably more) and a number and a symbol, and that they are not just added to the end.
Avoid using structural passwords
It is tempting to keep using structural passwords. Many companies use a password such as the individual’s initial and the first four digits of their surname plus four digits at the end. The problem is that if the structure is determined, it makes it easier to work out the passwords for the entire organization, including individuals with full system privileges. If they are simply too practical to give up, only use them for individuals with low-level privileges.
Enforce password changes regularly
The longer a password is used; the more opportunities an attacker has to crack it. If you enforce a change every month or two, this is much more secure than keeping the same password for a year. Since new passwords are difficult to remember, why not take advantage of one of the many password managers that exist, such as Dashlane or LastPass. They are also good at helping with password creation, especially for creating longer passwords (and remembering highly complex ones). For greater security use an offline password generator.
It is also worthwhile checking the strength of your password. Take advantage of the Password Assistant if you use a Mac. CUPS found that password strength meters are effective at ensuring secure passwords are created.
Be careful about your use of social media
Could your password be guessed by anyone with access to your Facebook account? Have you used your pet’s name and published that name on Facebook? Your password strength meter will not know if you have used your dog’s name as your password with an exclamation mark at the end. It will not know what you have published via social media.
Assume your social media accounts may be compromised, and never choose a password using your name, a pet’s name, house name, date of birth, or any other information that is accessible through your social media accounts.
Make your passwords ultra-secure and do your bit to protect your organization
If you use the above controls to ensure your passwords are secure, your organization will be better protected. If a security breach occurs, make sure that it is not your account that a hacker uses to gain access to your system.
Passwords are used to prevent unauthorized individuals from accessing accounts, services and software. They keep data and networks secure, they prevent bank accounts from being plundered and ensure only one person can access sensitive information. If passwords are obtained by a criminal, this excellent security measure is worth absolutely nothing.
The daily news is full of stories about companies that have had their security perimeter breached and usernames and passwords stolen. Keyloggers are installed that obtain passwords, and accounts are bombarded by robots trying combination after combination until the right sequence of numbers and letters is found. Dark net marketplaces list passwords for sale by the thousand, and username and password combos can be purchased for just a couple of dollars a set.
How do passwords actually get stolen?
There are many techniques that are used and a myriad of ways that passwords can be obtained. Some of the most common methods are details below:
Keyloggers – Installed on users’ computers via malicious websites and infected email attachments. They record keystrokes and transmit the information to a hacker’s command and control server
Phishing – Users give passwords away by responding to phishing campaigns
Hacking – Security vulnerabilities in websites are exploited and the Active Directory or LDAP database is stolen
Social Engineering – People give their login credentials to bogus callers, fake customer service personnel, or via IT support scams
Is it so easy for hackers to steal passwords?
Sometimes it can be, but oftentimes security controls prevent a username and a password from being obtained. Passwords are often hashed to prevent this. A login name is obtained, and the number of characters in a password, but not the actual password itself as it is often encoded. The hacker must decode the passwords before they can be used.
What is Password Encoding?
There is a big difference between encoding and encrypting. If data are encrypted, they cannot be unlocked without a security key. This is why ransomware is so effective. Once encrypted, data is inaccessible unless a security key is entered. Security keys cannot be guessed.
Encoding is different. The single data field is encoded using an algorithm that hashes the password. When a password is entered, the hashing algorithm checks the text against the stored hashed version of the password. If the two match, access to an application is granted.
So how are passwords guessed?
In UNIX, a hashed password is stored in an LDAP system, but the type of algorithm that was used to encode the password is also stored. The hacker can work out the password if they have a dictionary of hashed values corresponding to the algorithm used.
The dictionary can be searched to find out if there is a match. These dictionary attacks will not reveal every password, but they can identify some of the most common words used for passwords.
A dictionary can be created by running common words through the algorithm. If you run the word “password” through an MD5 encoding algorithm, the hash it produces will be the same as any other system that uses MD5 encoding. This is how passwords are often guessed. It is not a hacker sitting at a computer entering in different combinations one after another in the hope he or she gets lucky. They can quickly run hashed passwords through their dictionary. Many will be revealed.
This is why it is essential that common passwords are always avoided. “Password”, “123456”, “bigguy”, “administrator” etc. It is also why it is important to use more than a few characters. How long would it take a hacker to compile a list of hashed two digit passwords? By the time you get up to 6 or 8 digits, the possible combinations are too numerous to compute. Since hashing allows up to 255 characters, it is not realistic for a super dictionary to be created. However, since many people use common words, and most use 5 or 8 digit passwords, a surprising number can be very rapidly guessed.
If you also use a common word you are asking for trouble, and if you also share passwords across multiple accounts, everything will be compromised if one is guessed.
Facebook hacking is rife and, if it happens to you, you are not alone. Unfortunately, there is no one to blame other than yourself. Facebook hacking is caused, in the vast majority of cases, by poor security practices and a lack of security awareness.
Facebook accounts get hacked because:
- Passwords are stolen in phishing attacks
- Two-factor account authentication is not used
- Passwords are shared across multiple sites
- Keyloggers have been installed on a computer used to access Facebook
If a hacker manages to obtain one password, chances are that same password is used on other sites. Criminals sell passwords online, and there are plenty of would be purchasers. Hackers even buy them on exchanges. Sharing passwords across sites is therefore very bad news, especially on sites that have poor security practices.
Fortunately, on Facebook at least, if you are hacked you can report it easily and should be able to recover your account.
A blocked Facebook account does not necessarily mean you have been hacked!
Facebook does frequently block user accounts. It does this as a security precaution, which is good for all users and offers some peace of mind. How often are accounts blocked? About 600,000 times a day, according to TechCrunch!
That is an awful lot of compromised accounts, yet do bear in mind that Facebook has over a billion users. So 600,000 represents just 0.06% of the total. Which is 6/10,000 if you prefer fractions to percentages.
When Facebook blocks an account is because the account has potentially been compromised. According to Facebook, this occurs when “we are not absolutely confident that the account’s true owner is accessing the account and we either pre-emptively or retroactively block access.”
This means that there is suspicious activity, Facebook often errs on the side of caution and blocks access. That could indicate an account has been hacked, or that action is being taken to prevent the account from being hacked. The good news is that when this happens, only the real owner can get the account unblocked. In theory at least.
When the figures of the number of blocked accounts emerged, the story was widely misreported in the media. Facebook was accused of a “shocking lack of security,” but the compromised account definition had not been read by many Facebook users, and even some reporters. Also bear in mind, that those 600,000 blocked accounts will include many false positives.
Determining exactly how many Facebook accounts have been hacked is rather difficult, unless you work for Facebook and have access to that data. It is possible however to come up with a fairly reasonable estimate, based on research conducted by security and market research firms. Their data can be used to get a reasonable estimate.
Take Statista’s figures for example. It conducted surveys on individuals who had been hacked, and 66% said they had had their Facebook accounts compromised. Then combine that with study data from Pew Research. The company determined that the volume of “internet users have had an email or social networking account compromised or taken over by someone else without permission” was 22%.
Using a simple calculation an estimate can be obtained: There are 1 billion Facebook users. 22% of individuals claim to have had an account hacked, and Statista says 66% of those were Facebook accounts. That works out at 145 million users, which should be a fairly reasonable estimate.
Fortunately, Facebook security is robust. A mobile phone is required as part of the account recovery process, so you would need to have lost that as well in order for your challenge question to be used to login. SSL certificates prevent network snooping, and the brute force approach will be prevented by Facebook’s security controls. But phishing scams are likely to leave your account open.
Fortunately, there are ways that you can protect yourself, and your Facebook account.
It can be difficult to avoid phishing scams, and all too easy to fall for one. One of the best defenses is to use Antispam software. SpamTitan’s software will prevent phishing campaigns from being delivered to your inbox. Parental controls at home, and web filtering controls at the office are excellent ways of blocking malicious links.
Unfortunately, not all access points have the above controls, so you will have to rely on common sense and become more security aware. For example:
- Never click on a link that appears to take you to an unfamiliar site.
- Never open email attachments sent from unfamiliar senders.
- Use different passwords – don’t share them between websites
- Use complex passwords, containing characters, capitals, and numbers
- Don’t share everything about your life on social media
- Change passwords regularly, certainly every 6 months
- Don’t reuse passwords
- Keep your anti-spam software, virusguard, and anti-malware programs updated, and scan regularly
- Set your account recovery options and security questions as if they were passwords
And remember, just because you have friends and family on Facebook, don’t let it create a false sense of security. You can never be sure how security conscious they are! Complacency is likely to leave you vulnerable to hackers.
If your Facebook account has been hacked, let us know. We want to hear your stories!
Phishing emails may not account for a high percentage of total email traffic, but they are becoming more prevalent. In fact, since 2014 the growth of these malware spreading emails has tripled, according to a new report issued by Kaspersky Labs.
Kaspersky determined that the percentage of phishing emails in total email traffic is now 0.0071%. Compare that to spam emails which accounted for 66.34% of all email traffic in the first quarter of 2014, and the figure seems very small. However, the damage that can be caused by the emails is considerable. For some companies, the damage can be catastrophic. When phishing emails lead to financial losses, funds can rarely be recovered.
Phishing emails are becoming increasingly common, but spam appears to have declined a little. A fall of 6.42% was registered since the last quarter of 2013.
Social Media Overtakes Email as Main Method of Phishing Campaign Delivery
Phishing campaigns are frequently delivered to potential victims via email. A link to a malicious website is sent – often randomly – to individuals in the hope that they are fooled into clicking. That link will take the person to a website where they are required to enter confidential data such as login names and passwords. Oftentimes, visiting the website will result in malware being downloaded to the visitor’s computer.
Spam emails are still favored by cyber criminals in some countries such as China and South Korea; however, social media has now overtaken email as the main method of delivery of phishing campaigns according to Kaspersky.
This may not come as a surprise. Rather than hackers sending the campaigns to new victims, victims of phishing campaigns share the links voluntarily (and unwittingly) via Twitter and Facebook pages. Infecting new computers could not be any easier.
Infected email attachments are still a popular method of malware and virus delivery. If these attachments are opened, the user will install malware and viruses on their device.
Top Ten Malicious Programs Spread by Email
Even with the rise in popularity of social media for malware delivery, spam emails are still responsible for spreading a huge volume of malware. In Quarter 2 of 2014 alone, Kaspersky Labs were able to block an incredible 528,799,591 malware attacks. The volume of different types of malware is also astonishing. During the same period, Kaspersky Labs detected and blocked 114,984,065 unique potentially unwanted objects.
Many of the viruses and malicious programs are camouflaged to look innocent. Take the most popular malicious program used by cyber criminals as an example. Trojan-Spy.HTML.Fraud.gen appears to be a standard HTML page containing a form for online banking. When data is entered, the information is transmitted to hackers who are then able to use the information to gain access to users’ bank accounts.
Cybercriminals Earning over $100 Billion a Year
Cybercriminal attacks are increasing in frequency and severity, and this is unlikely to change given the huge sums of cash that can be obtained. According to recent estimates by the FBI, the proceeds of cyber crime are in the region of $100 billion per year. The bad news is that criminals are devising ever more sophisticated ways of attacking organizations, and many of those organizations are ill-prepared to deal with the risks. Oftentimes even basic security measures against cyber attacks are found to be lacking. This is due to extremely limited IT security budgets, which hamper efforts to deal with all the threats.
Many organizations do not have clear and concise IT security policies in place, and do not place an individual in overall charge of cybersecurity. Sometimes there is not even a dedicated IT security professional employed and many organizations are still not providing all members of staff with security awareness training.
A failure to employ the appropriate staff, allocate sufficient budgets to IT security and train the staff can prove very costly indeed. Lost and stolen data, system downtime and drained bank accounts result in far heavier losses than the cost of implementing security measures to prevent attacks. Even the cost of new IT security staff will pay dividends in the long run.
Staff Security Awareness Training is Critical
Spam emails and phishing campaigns generally have one of two main aims: To trick users into revealing sensitive information or to fool people into downloading and installing malicious software and code. The latter allows hackers to take control of computers and infiltrate networks.
Spam and phishing emails can be very convincing, yet there are a number of tell-tale signs that emails are not all they appear to be. By providing training to staff members on these tell-tale signs, the risk of employees falling for a scam can be drastically reduced.
Email Security Solutions Must be Employed to Protect Sensitive Data from Attack
Can you be sure that staff members will be vigilant and security aware? Unfortunately, even with training, employees will make mistakes. They are human after all. It is therefore important to install security solutions that will limit the volume of spam emails that are delivered to employees’ inboxes.
One of the best solutions is a spam filter such as SpamTitan Anti-Spam. This data security solution has now been employed by IT security professionals in over 120 countries around the world. They benefit from being able to block over 99.7% of spam emails.
Since SpamTitan uses two separate anti-virus engines (Kaspersky AV and Clam AV) the catch rate is particularly high. Furthermore, SpamTitan includes an anti-phishing module as standard that filters out emails containing links to known malicious websites. This further reduces the risk of an employee accidentally clicking on a link and downloading malicious software. Consequently, SpamTitan is one of the best investments to protect against cyber attacks.
You may be trying to reduce your company’s carbon footprint, but what efforts have you made to reduce your company’s data footprint?
If your company is attacked and hackers gain control of your servers, they will not be able to gain access to data that are not stored on your systems. If you use cloud archiving, you can migrate old data that you are not legally permitted to delete and keep your company information safe and secure. It is possible to reduce your company’s data footprint without incurring major expenses.
Use the cloud to reduce your company’s data footprint
The cloud offers many advantages to companies. It is not just a matter of protecting data from attack. Data need to be stored somewhere and the hardware required is expensive. Space must be dedicated to storage, which could be much better purposed. A server room doesn’t make most companyies any money. An extra telemarketing operation based in the same space would. It would arguably expose the company to less risk.
The huge cost of data storage can be avoided
Data storage requires hardware, and that hardware costs a lot of money to purchase, keep supplied with power, and kept cool. Hardware can also malfunction spontaneously, or as a result of power spikes and cooling issues. It is no surprise that the cloud has proved so popular. It eliminates the cost of purchasing and maintaining rooms of computer equipment.
Amazon realized this and started its Amazon AWS business. Small businesses especially would benefit, as they would not need to buy expensive hardware. Large companies could make huge savings, reducing staff costs as well as equipment costs.
Cloud services benefit all
There were a number of things that all came together to allow Amazon AWS – and cloud computing in general – to be offered to businesses. Virtualization was critical, as were Microsoft Hypervisor and VMware. Companies such as Amazon were able to use a single server to run multiple systems and to divide those among its customers. Standardization resulted in data being transferred to the cloud. After all, it didn’t make sense to have a separate device for every function and, if those devices could be housed in a huge data center with the cost covered by someone else, that made a lot of sense.
Of course, it is not just the cost of the equipment and the running cost that can be saved. Computers require software and software is licensed. Every license adds to the cost. For cloud service providers it makes sense, as they can get a lower license cost by buying hundreds or thousands of licenses. The same goes for equipment purchases. Amazon AWS gets a much better price on its tens of thousands of computers than a company that only requires one.
Staff costs are reduced because one dedicated individual can service many hundreds of servers. They can also be given tools to do this to reduce the time it takes. This is not an option for SMBs.
Is it possible to reduce your company’s data footprint and stay secure?
Unfortunately, no data protections are 100% secure. If you want to reduce your company’s data footprint, you will not reduce your level of risk to zero. It doesn’t matter where data are located, there will be a possibility that the data can be accessed. The aim is to maximize security and reduce risk as far as possible, but you will never get that risk down to 0%.
Cloud storage however is likely to be as close to 0% as you are likely to get as a small business owner. The protections put in place to secure cloud data are considerable. Cloud service providers must ensure their customers’ data are protected, because a data breach could potentially destroy all faith in their business. As a result, highly sophisticated multi-layered security defenses are used. The data are protected by teams of personnel, 24/7. The resources available to cloud service providers are many orders of magnitude greater than those available to a SME. In short, the cloud will give you the best security you are likely to be able to get.
Cloud archiving and backups also ensure that state and federal regulations are satisfied. SOX and HIPAA require data to be backed up and stored off site. Those backups must also be secured. If data is encrypted and stored in the cloud, even if a security breach does occur, the data will not be accessible by the hacker. Use a cloud service provider that encrypts data at rest and in motion, and you will have the best security you can get. You will just need to make sure your encryption keys are not stolen.
Backup your data but maintain an email archive
With your data backed up and secured in the cloud you will be protected against data loss, but what about accessing your data? With a backup you will be limited. If you need to access certain files, or search for data elements, you will need an archive. An archive is a store of data that you can use whenever you need to. You can recover or access data as and when required without having to restore everything as you would need to do if you only had a backup.
ArcTitan – The convenient and cost-effective email archiving solution
You may want to reduce your company’s data footprint, but some data needs to be accessed and searched often. Email for example. You can create a backup of your PST files, but restoring them means restoring the whole email account and that can take hours. On top of that, all mail items will be restored, even those that are no longer required.
An email archive is the logical solution. Individual emails can be accessed and restored when needed. If you ever need to access files stored in an email account, or access old emails, you can with an email archive: Quickly and easily.
ArcTitan allows data from Google Docs, Office 365, MS Exchange, Zimbra and Lotus to be restored, as well as individual emails. Searches can be performed to find the required email or document. Plain text queries can be made from a desktop, laptop, mobile phone or tablet. The data does not need to be retrieved first, as the search can be performed and then the individual file or email accessed.
Move your data to the cloud and you can lower your operational costs, improve data security, and access your data whenever you need to. You can reduce your data footprint without violating state and federal regulations, and still maintain access. Store your backed up data in an encrypted file in the cloud, and maintain access to your old emails by creating an email archive in the cloud.
Is archiving old emails worthwhile?
For a business, archiving old emails is essential. It can save time, money and also prevent legal issues.
Even so, many companies do not archive old emails and use backups instead. This is a mistake. The purpose of a backup is to allow lost data to be recovered in the event of a system failure, accidental deletion, fire, or cyberattack. Any time data is lost, it can be restored from a backup tape. A backup is therefore an important failsafe.
Backups are not typically saved for a long period of time. Backup tapes are used again and should not be kept indefinitely. If you store backups for legal reasons and have thousands of tapes, you will be spending a small fortune on the wrong technology.
The reason? Backups are not designed to be searchable. If a file is present in a backup it can be restored, but searching for information in a backup file can be difficult and time consuming. Finding information can really be a chore.
An archive is different because email archiving allows fast searches to be conducted. If you sent an email on a particular date, to a particular person, it would be a relatively easy task to obtain this from a backup. However, if you sent an email containing information about a report, or you can only remember certain words, finding that email in a backup could be very difficult indeed. Fortunately, an email archive can easily be searched. Just use a particular word or search term and you will be able to find the missing email in next to no time at all.
There are legal requirements relating to stored data. Many industries are required to keep data for a long period of time. If a legal request is made to supply data, finding the required information can take an extraordinary amount of time. It may be necessary to search through many different daily backup tapes to find the required information.
Email archiving can save you money
- Due to the security risk, backups are often encrypted. To find information, data must be unencrypted, sifted through, restored, and encrypted again. This takes time. In an email archive, information can be obtained much more quickly.
- The more storage space you need the more it will cost. Using backup tapes is an expensive way of storing old data. Email archiving on the other hand allows storage space to be used much more efficiently. Archiving systems can remove duplicates and that can save a considerable amount of space.
- It is easy to move an archived email from one location to another. Migration is simple, even when moving to an updated server.
- Space is at a premium, especially when it comes to email. Email is usually housed on a server that has limited space. Limits have to be set on individual mailboxes, which means many users end up deleting emails when they have reached their storage limit. Busy professionals don’t have time to do this and typically delete huge volumes of emails – including many that are important. IT departments then get requests a few days later asking for a hastily deleted email to be restored from a backup tape. An efficient archiving system eliminates this headache.
- Old emails need to be checked to identify data leakage. When an insider is found to have stolen data it is essential to check email accounts to find out what has been stolen. When audits have to be conducted, it is far easier with archived email than obtaining data from backups.
The flexibility provided by an email archiving system is essential for businesses. It makes old emails much easier to locate, information can be retrieved rapidly, and it is a more cost efficient method of storing old data than backups. If you have yet to implement an efficient archiving system, now is the time to do so. In the long run it will save you a lot of time, effort, and money.
Cyber criminals are using phishing to lure web visitors into revealing their sensitive data. Internet surfers are presented with a baited hook, which draws them into revealing login names, passwords, security keys and other valuable data.
The technique can be employed by individuals with little to no hacking skill, luring users to a malware-ridden website in exchange for payment. There are plenty of would-be criminals looking to make a quick buck, and since the campaigns can be so effective, online thieves and criminals are increasingly using this technique to make money.
Many online criminals use phishing in random campaigns sent via email. There is little skill involved. It is simply a numbers game. If enough emails are sent, sooner or later someone will respond and fall for the bait. However, we are now seeing much more sophisticated campaigns launched.
It used to be easy to spot a phishing email. They were littered with grammatical errors and spelling mistakes. Images were used that were clearly fake, and the emails would only fool the most unsuspecting computer user. They claimed victims, nonetheless, but only a few.
Some of the phishing emails now being sent are extremely convincing and very difficult to identify. Even well trained, security-conscious IT professionals have fallen for some of the scams. The reason? They work by exploiting traits in human behavior and use techniques that are particularly effective at drawing the required response.
Human Traits Successfully Being Manipulated by Hackers
Cyber criminals are exploiting human behavior to get users to click on links to malicious websites or open attachments. They rely on common traits that are all but guaranteed to get the desired response. The male of the species, for instance, is easily tricked into opening an apparent JPEG file if he is promised a glimpse of bare female flesh. An offer of sex from an unknown admirer can also work particularly well.
Not everyone is motivated by sex. For others the promise of financial gain does the trick. Criminals exploit greed to get users to click on a link. A money making scheme, or a hot stock tip, can entice many people to click on a link. Curiosity is also exploited. Major news events, conspiracy theories, celebrity news, and information on natural disasters have all been used by email spammers and scammers to get people to visit a malware site or open an email attachment.
Even the sense of duty has been exploited. Emails are sent from the accounts of work colleagues, bosses, civil authorities or law enforcement officers. These are effective at fooling users into complying with requests.
By exploiting human traits and evoking emotions, recipients of these scam and spam emails swallow the hook, and often the line and sinker too.
Spear Phishing: Effort Put in is Rewarded with More Victims
The sending of millions of mistake-ridden emails results in very few individuals falling for the scams. When email spam filtering software is employed, the filters will prevent these emails from even being delivered.
However, a little research goes a long way. Phishers who invest time into researching victims can see the time they spend on the campaign really pay off. A search on social media will reveal a considerable amount of information on an individual. Employers can be found on LinkedIn, Facebook can be used to find out friends’ names, and Twitter exploited to find out a user’s interests. With this information, highly effective campaigns can be developed.
These phishing campaigns are referred to as spear phishing. As the name suggests, the hacker goes after one fish. These campaigns can be incredibly effective as they exploit trust. If an email is sent that appears to be from a friend or colleague, it is far more likely to be opened. But how is this possible?
SMTP Weaknesses Are Exploited by Phishers
Unfortunately, the SMTP protocol contains a security weakness. Hackers can exploit this weakness to mask the true sender of an email and the return address. To the casual viewer it appears that the email has been sent from a known individual, and even replying to the mail appears to direct it to the correct mail recipient.
Fortunately, a spam or phishing email is not dangerous. It requires an action to be taken by the recipient. Deleting such an email will delete the risk. Only opening the attachment, downloading it, or visiting a link contained in the email will result in the delivery of malware, a virus or the installation of malicious code.
Unfortunately, while most employees know never to double click on a file with a .exe extension, file extensions can be all to easily masked. They can be made to appear as a PDF file or JPEG, or other supposedly innocent file type. Without training, users are likely to open these attachments, and unwittingly activate the executable file.
The way to prevent users from clicking on links and opening attachments is to provide them with security awareness training. Teach staff members how to identify phishing campaigns, and they can check the genuineness of emails before they take action. Developing a culture of security awareness is therefore essential in the fight against cyber crime.
Blocking the emails with a spam filter is even better. That way, the email will never be downloaded and delivered. Unfortunately, from time to time emails do slip through the net. When that happens, employees must know how to react.
Training is therefore important even if a robust and reliable spam filter is used. After all, it is best to be shown how to deal with a phishing email that never arrives than to fall for the first one that gets past a spam filter.
The news is full of reports of data breaches that have been suffered by companies and even governments. Numerous media reports detail how hackers have managed to obtain tens of thousands of confidential records, or in some cases, tens of millions or more. However, it is rare that a hacker is caught and brought to justice for the crimes committed.
Recently, a hacking group in Russia was reported to have stolen a staggering 1 billion passwords. If that was not shocking enough, the authorities know the individuals are located in central Russia. They are also in their early 20s. If they have been identified, why have they not been arrested?
Bringing hackers to justice is complicated
In this case, there are problems because it is the United States that wishes to take action. The crimes were committed against Americans but some countries are unwilling to turn over their own citizens to other countries. In this case, should the criminals be tried in Russia or in the United States? Where should justice occur, where the crimes were committed or in the country most affected by the crimes? Should hackers be extradited?
If there is no treaty in place between two countries, hackers will be tried and sentenced (or not) in their own countries. The United States has tried to get five Chinese hackers extradited and brought to the United States to face trial. They worked for the Chinese military. China is unlikely to take any action, and certainly will not release them to the United States. The individuals are believed to be behind attacks on Alcoa, U.S. Steel and Westinghouse, as well as on other U.S. firms. The criminals were indicted, but that is as far as the U.S. got. They are very likely working on new hacks against U.S. companies.
In some cases, hackers do not need to be extradited. The FBI has previously tricked hackers into coming over to the United States voluntarily. By doing so the tricky issue of extradition has been avoided. The FBI set up a job interview for two hackers using a fake Seattle company. The pair, Alexey Ivanov and Vasily Gorshkov, arrived for the interview and were promptly arrested. The latter received a sentence of 3 years, the former got 48 months.
Spam email kingpin sent 30% of all junk emails!
If you are a cybercriminal or spammer and you have launched attacks on Americans, it is a wise move never to visit the country. However, some just can’t resist. When visiting a car show in Las Vegas in 2010, Russian super-spammer, Oleg Nikolaenko, was arrested and charged for his crimes. He had used a botnet to send the spam emails. That botnet included a staggering half a million computers. Even more staggering was the volume of emails he sent. An estimated 10 billion per day. He is awaiting trial.
Hackers are very good at hiding their real identities and consequently can be difficult to locate. It can be even harder to bring them to justice.
It should come as no surprise to hear that many successful hackers are based in countries that offer protection against extradition to the United States. Unless there are international laws signed, and more cooperation between countries to tackle the global problem of cybercrime, they are unlikely to be tried and sentenced for their offenses.
There is good news for users of SpamTitan Technologies’ anti-spam solutions. The company’s innovative solutions for dealing with email spam have been awarded VBSpam+ certification from Virus Bulletin. The Virus Bulletin anti-spam software tests are widely regarded to include some of the email security industry’s most rigorous tests, and the results are trusted by industry professionals and users alike.
The anti-spam award is only issued to companies whose spam solutions are shown to be effective in practice. Any product that fails to block sufficient volumes of spam emails will not receive accreditation. SpamTitan has performed consistently will in Virus Bulletin Tests, and this is the 28th consecutive time that the company has received an anti-spam ranking from the bi-monthly tests run by Virus Bulletin.
In contrast to previous tests, Virus Bulletin has assessed products on two counts this time around. Spam catch rates were examined in addition to the number of false positives. Overactive anti-spam products that block genuine emails can cause many headaches for businesses. Any email that is incorrectly blocked could potentially mean the loss of a client. It is therefore essential for an anti-spam solution to have a very low false positive rate.
When tested in May 2014, SpamTitan registered 0 false positives. In March when the test was last run, SpamTitan also registered a false positive rate of 0. These results were among the best recorded for all email spam solutions tested by Virus Bulletin. In fact, SpamTitan has only recorded one false positive result since November 2013, demonstrating the consistency of the product. It continues to deliver industry-leading standards of spam-detection. Users of the product also benefit from an extremely competitive pricing model.
SpamTitan Demonstrated a Spam Catch Rate of 99.81%
The May 2014 test for spam blocking saw SpamTitan register a catch rate of 99.81%, with only a slight drop registered since the test was last performed in March, when 99.85% of spam emails were blocked. The consistent results and superior spam-blocking also saw the company receive its fourth VBSpam+ award for exceptional performance. This earned the company a position in the Top 5 anti-spam products under test. The spam-catching percentages achieved over the past months have also been very high, with the lowest rating being 99.73% (January 2014.)
CEO of SpamTitan Technologies, Ronan Kavanagh, was proud of the high ranking and spoke of the importance of having an independent third party conduct performance tests. He pointed out that the Virus Bulletin test results can be trusted as they have no bias. Organizations looking to deploy an anti-spam solution can therefore rely on the results and choose accordingly. Companies already using anti-spam software can also view the results to assess how well their chosen product fares against the competition.
An anti-spam solution must be effective, as any spam emails that get past the filter could potentially result in a phishing email being delivered to an employee. The high catch rate shows the quality of the product that uses not one but two different anti-virus engines to ensure dangerous emails prevented from being downloaded and delivered to end users.
eBay customers have started to receive emails advising them to change their passwords. Their user names and passwords have been obtained by hackers, and a new password must be set for security reasons.
Unfortunately for many eBay account holders, the requests to change passwords have not been sent by eBay, but by phishers. The emails contain a link to a website which looks like eBay, but it isn’t. It is a fake website devised to get users to reveal their current passwords. This sneaky phishing campaign is likely to catch out many eBay account holders.
Data breach was suffered, but not identified for 2 months
In late February/early March, three employees of eBay had their login credentials compromised in a cyberattack. The cybercriminals used the login credentials to access a database containing the names of 233 million site users. Phone numbers, addresses, email addresses, dates of birth, and customer names were stolen, along with encrypted passwords.
In early May, eBay became aware of the breach, two months after it occurred. The company then waited a couple of weeks to make the announcement. The delay was because eBay didn’t realize that account information had actually been stolen. It took the best part of a month to realize data were actually stolen in the attack. Fortunately, PayPal information was not compromised and neither was any financial information.
A breach that does not involve bank account details or credit card information being exposed can still be serious and, in this instance, eBay account holders are at risk.
Passwords may have been encrypted but hackers I’ll be able to guess some as they have a lot of personal data. Dates of birth for example. They are often used as passwords. Since email addresses were obtained, the victims that have not had their passwords guessed are now being spammed with phishing campaigns.
Most customers will be aware of the exposure of their data and as a result, they may believe the phishing emails to be genuine. If they do, they will inadvertently reveal their passwords when they attempt to change them.
Investigations launched into the eBay data breach
Investigations into the eBay data breach have now been launched by state attorneys general in three States – Connecticut, Illinois and Florida. In Europe investigations are also being conducted. The attorney general of New York has spoken out about his expectations. He believes credit protection services should be offered to breach victims without charge. At the present moment in time, eBay has no plans to offer any risk remediation services to customers.
eBay has been criticized for the slow identification of the breach, as well as the slow response when it was discovered. Initially there were no victims, then there were 145 million. eBay finally settled on 233 million accounts.
It may not be a problem for spammers to send 233 million emails, but for eBay that has taken some time. The company tweeted news of the breach, but email notifications took a considerable amount of time to be sent. This may have resulted in more individuals responding to the phishing requests.
eBay breach victims must exercise caution
A data breach of this magnitude, affecting a company as large as eBay, is worrying. How good were the security measures it had in place? Why was the phishing campaign not identified before three people responded? Why were the phishing emails not blocked and prevented from being delivered? Only time will tell.
Since information has been compromised, and hackers are now attempting to guess passwords based on the personal data they have acquired, it is a wise security precaution for account holders to login to the site directly and change their passwords. They should not respond to an email, as it may be a phishing campaign.
Unfortunately, all it takes to lose swathes of customers and destroy the reputation an ISP is for a single email spammer to get a block of your IP addresses blacklisted by a number of ESPs and RBLs. It is a nightmare scenario, yet it is one that could all too easily play out.
Customers using any of the blacklisted domains would have their outbound emails blocked and, if they cannot send emails, they will leave in their droves for another provider. Perhaps even worse than losing those valuable customers will be the comments they invariably post all over the Internet. Negative feedback can seriously damage a company’s reputation and it can take a long time for a damaged reputation to be restored.
There are steps that can be taken to at least temporarily fix the situation. The IP addresses affected could be swapped, and netblock could be used as a temporary fix. Unfortunately, recovering blacklisted IP addresses is a very slow process. During this time, other IP address blocks could be lost.
Managing risk is difficult. It is possible to set limits on the number of emails that can be sent by a particular domain. Alerts can be configured to identify a domain that is being used to send spam, and it may be caught in time to prevent blacklisting. IP netblocks can be changed should it not be possible to prevent a domain being blacklisted by ESPs and RBLs.
The process of undoing the damage caused by spammers is a nightmare as well. New domains must be warmed up, and efforts made to ensure they are operated within acceptable ESP limits. Otherwise they will just get blacklisted again and the process must restart.
Fortunately, there is a solution that can be adopted by MSPs and ISPs that can prevent blacklisting. Install the latest version of SpamTitan!
SpamTitan v6.3 includes outbound email filtering
SpamTitan will prevent spam emails from being delivered to inboxes; however, version 6.3 also includes a sophisticated and powerful outbound email filter that can be used to prevent spam emails from being sent from accounts. If a domain is hijacked and used to send spam emails, or is used by an individual within your organization, the emails will be blocked and the ESP will not be alerted.
SpamTitan v6.3 uses the same identifiers to clean and filter outbound email as it does for incoming spam. System administrators can set rate limits by email address, IP address range, or domain.
If an organization needs to send a high volume of emails, to avoid inadvertently causing problems with an ESP, a pool of IP addresses can be used to send email and these can be rotated. This allows risk to be effectively managed. Damage to the reputation of IP addresses and the business itself can be easily prevented.
Any MSP providing multiple client domains can implement SpamTitan v6.3 and ensure that emails are sent safely, while the risk of blacklisting is kept to a bare minimum. The Anti-Spam solution will also ensure that incoming emails are cleaned and spam is quarantined, while the Anti-phishing module will protect against malicious attachments.
How many times have you had a phone call or an email from a manager in your organization asking for you to give them the password of an employee to enable them to access their email account?
This request is often made when an individual is on leave and a call is received from a client or colleague wanting to know if they have actioned a request sent before they left. All too often a client has sent an email to their account manager before he or she went on vacation, but it was accidentally missed.
Access to the email account is necessary to avoid embarrassment or to ensure that a sales opportunity is not missed. Maybe the employee in question has failed to set up their Out of Office message and clients are not aware that they need to contact a different person to get their questions answered.
In years gone by, managers used to keep a log of all users’ passwords in a file on their computer. In case of emergency, they could check the password and access any user account. However, this is risky. Nowadays this is not acceptable behavior. It also invades the privacy of employees. If a password is known by any other individual, there is nothing to stop that person from using those login credentials any time they like. Since passwords are frequently used for personal accounts as well as work accounts, disclosing that password could compromise the individual’s personal accounts as well.
Maintaining lists of passwords also makes it harder to take action over inappropriate internet and email use. If a password has been shared, there is no way of determining whether an individual has broken the law or breached company policies. It could have been someone else using that person’s login.
IT staff are therefore not permitted to give out passwords. Instead they must reset the user’s password, issue a temporary one, and the user will need to reset it when they return to work. Many managers will be unhappy with these procedures and will still want to maintain their lists. Employees will be unhappy as they often use their work email accounts to send personal emails. Resetting a password and giving a manager access could be seen as a major invasion of privacy.
What is the solution?
There is a simple solution which will ensure that the privacy of individuals is assured, while forgotten Out of Office auto-responders can be set. Important emails will not be missed either. To do this you can set up shared mailboxes, although these are not always popular.
Do this in Outlook and a manager may need to have many set up in their Outlook program. It will also be necessary for them to train staff members how to use the shared mailboxes, and policies might need to be written. They may need to have to permanently keep the mailboxes of multiple teams open in Outlook.
Is there an easier option?
There is another choice, and that is to delegate permissions. It is more complicated to implement this control as it requires an MS Exchange Administrator to provide Delegate Access. Using Delegate Access will make it possible for an individual, with the appropriate permissions, to send an email on behalf of another employee. This means mailboxes do not have to be open all the time. They can just be opened when an email needs to be sent. This may be ideal, but it will not allow a manager to set up a forgotten Out-of-Office auto-responder.
That would require a member of the IT department, a domain manager, to do it. A ticket would need to be submitted requesting the action. This may not be popular with managers, but it is the only way for the task to be performed without revealing the user’s login credentials or setting up a temporary password which would breach their privacy.
You might be unpopular, but security is vital
If you encounter resistance, you must explain the reasons why password sharing is not permitted: The risks it poses and the problems it can cause.
These matters should be included in a company’s computer, Internet and email usage policies. If the sharing of passwords contravenes company policies, any requests to share passwords would result in the IT department breaching those policies. Requests to divulge that information would therefore have to be denied.
Of course, Out-Of-Office auto-responders are not an IT issue. This is an issue that should be dealt in staff training. It is also a check that a manager should make before a member of staff leaves and goes on holiday, while the employee is still at work.
Reasons why passwords should never be shared, even with a manager
- Passwords are private: This is a fundamental element of IT and network security. This rule cannot be broken or bent
- There are alternatives to sharing of passwords that will achieve the same aim: ticket requests, shared mailboxes, and delegate permissions these should be used instead
- The sharing of passwords violates an individual’s privacy
- If a password is shared, the results of an account audit cannot be trusted
- Data security is more important than an auto-responder
- Acceptable Usage Policies would be violated
If a ban on password sharing does not exist in your organization, it must be implemented as a priority. You will not be able to do this without the support of senior managers. You may not feel that it is your job to try to implement a ban, but you should make a case for it. It will help your department protect the network, it will save you time in the long run, and it will be better for the business.
If you are a network decision maker, what should be your main focus? Which issues should demand your attention? This post covers five important considerations if you want to protect your critical assets.
The current threat landscape has become very serious
If you work in a large corporation, chances are you will not need to be reminded about the seriousness of the current threat landscape. However, if you work in an SME, the severity of the current situation may not be so apparent. According to the results of the 2012 Verizon Data Breach Investigations Report (DBIR), the main threat of data theft comes not from hackers intent on profiting from selling stolen data, but from hacktivist groups. In 2011, hacktivists were behind 58% of data breaches. Hackers were involved in 81% of all data breaches reported throughout the year.
One of the main issues in 2014 are what Verizon calls “low and slow attacks.” These are authentication attacks, web exploits and social engineering-based attacks. Malware is evolving and carries a much higher risk than when many companies deployed their security systems. The threat landscape is constantly changing and you must stay alert to the changing risks.
Corporate data is one of your biggest assets – Protect data like you protect your financial assets
Company data is incredibly valuable to cybercriminals. Credit card numbers (with expiry dates, holder names and CSCs) sell for up to $6 a set. If hackers obtain several hundred or several thousand, they can make a tidy profit. If Social Security numbers can be obtained, in particular those of minors, they can sell for up to $200 a set, especially if accompanied by medical records. Bank account information is also valuable. Account information can be sold for up to 10% of the balance of the account. As for proprietary company data, to the right person that could be sold for millions of dollars. Data is highly valuable and criminals will attempt to steal it. You must therefore ensure it is appropriately protected.
End users are actually the first line of defense
Firewalls and other systems designed to repel DDoS attacks and stop malware from being installed may be seen as the first line of defense; however, your end users are actually the first line. They are also the weakest link in the security chain, and cybercriminals know it. Many criminals target end users as it is easier to get them to download malware or reveal login credentials than to break through a firewall.
If you want to keep your network secure you must provide training and make end users more security aware. They must be instructed how to identify phishing campaigns, be shown good practices to adopt when surfing the Internet or using email. Social media best practices must also be taught, especially if access to the websites is not blocked.
Application and platform management policies need to be developed
In order to protect networks and connected devices from being infected with malware and viruses, policies must be developed covering the permitted uses of computer equipment, applications, Smartphones and other BYOD devices.
Even some companies that have adopted BYOD have not issued staff members with detailed policies on the allowable uses of their devices in the workplace. SpamTitan recently conducted a research study that showed a third of organizations have not covered the use of messaging and collaboration tools in their corporate policies. Make sure the use of Smartphones, tablets, portable storage devices, collaboration tools, email, Social media, and web 2.0 applications are all covered. This will help to ensure staff do not take unnecessary risks.
Prohibition didn’t work – Neither do blanket bans
Total bans on the use of Smartphones, laptops, social media, or online shopping at work will not prevent end users from bringing their devices to work or using the Internet for personal use. Controls such of these may actually have a negative impact on staff happiness and productivity. Many employers believe the reverse is the case and issue total bans. Controls must be implemented to prevent theft of data, but carefully consider blanket bans. They may sometimes be effective at protecting networks, but they are rarely good for the business.
The World Cup will take place later this year, and Brazil is now completing the final preparations as the host of this year’s tournament. The World Cup generates huge global interest from football fans as well as those that would not normally watch a soccer game. Criminals take advantage of this and use the hype surrounding the World Cup to launch their scams. We have already seen World Cup spam emails caugh by our spam filters, and a great many more World Cup spam emails will appear over the coming weeks.
There will be many promotional campaigns launched by companies of all sizes. The major global brands invest heavily in World Cup promotions and sponsorship deals, taking advantage of the huge audiences the games attract. It is a great opportunity to get a brand noticed and a great time for scammers to go unnoticed.
It can sometimes be difficult to distinguish scams from real promotional campaigns, although a good gauge is “if it sounds like it is too good to be true, it probably is”.
Some of the scams that have been uncovered so far have been listed below. Be wary of these and other potential scams.
Malware delivery via World Cup spam emails
Email spam is not all about cheap watches and Viagra. Criminals use bulk emails to convince the unsuspecting to divulge their personal information with the aim of committing identity theft. Many websites pose as legitimate sites offering goods for sale. When a credit card is entered, the transaction appears to be processed, but the card details are used by criminals to obtains good of their own.
One of the most common scams involves the sale of cut price match tickets. FIFA sells tickets directly and via a number of authorized retailers, but tickets are in short supply. A stadium may hold 80,000 people, but tickets sell out very quickly.
Tickets are bought by touts and sell for as much as $30,000 including travel and accommodation. Many people are happy to pay this. Unfortunately, they will not get a real ticket. FIFA only releases them for sale in April. Any early purchaser will have fallen for a scam. FIFA has announced that only individuals who buy a ticket through an authorized retailer will be allowed to see the game. Investigations are underway in 130 countries after scams and black market ticket vendors have been discovered.
Perhaps more worrying are the scams that convince people to click on a link to a malicious website containing malware. If the user can be convinced to download a file or take an action online, malware will be delivered to their computer, tablet, or mobile phone.
One of the latest scams informs email recipients that they have won World Cup final tickets. All they need to do is click a link to a website where they are told they can print their tickets. Unfortunately, clicking the link to print will deliver a particularly nasty malware called VBS.Dinihou. This is a worm allows a criminal to download files to their computer without authorization. It also infects any USB drive plugged into the computer.
Brazil is home to one of the world’s largest cybercriminal groups
Russia, Ukraine, China and Vietnam are all known to be home to many cyber-criminal gangs, yet one of the world’s largest is based in Brazil, according to a recent report in The Guardian newspaper.
Many Brazilians are unhappy about the World Cup being hosted in the country due to the huge expense involved in staging such a tournament. The cost is astronomical and many believe that those costs will not be recovered, let alone any profit made. They feel the money should have been spent improving services for locals, not for tourists who will visit over a 4-week period. Cybercriminals have taken up their cause and are disrupting the sale of tickets.
Anonymous has also made announcements that it will be active during the World Cup and may attack FIFA and World Cup sponsors. Banks in Brazil were targeted by Anonymous in 2012, and cybersecurity protections in the country are poor. Many companies will be targeted and will be able to put up little resistance to the attacks.
World Cup fans are also being sent spam and phishing emails. Links to websites containing malware are being sent, along with file attachments containing viruses and malware. Any World Cup spam emails should be treated as suspicious and attachments not opened unless they can be confirmed as genuine. Fall for one of these scams and you could suffer major financial losses, and have your computer infected with a virus or malware. Worse still, the network that your computer connects to could be compromised.
Is malware really so bad? What does malware actually do?
Criminals use malware to achieve a number of aims. Not all criminals want to steal bank account and credit card data. Listed below are some of the common uses of malware.
Not all criminals are after money, but a large percentage certainly are. If a hacker or cybercriminal is able to gain access to credit card number, the card can be used to make online purchases or fake cards can be created and used until the card is blocked. Bank account details can be used to make transfers. Entire accounts can be emptied before the victim even becomes aware of any losses. Malware is used to log keystrokes, which will reveal online banking credentials and other account logins and passwords.
Personal information can be used to create fake IDs. With a fake ID, loans, credit cards and store cards can be obtained. With a stolen identity, criminals can run up thousands, or even tens of thousands of debts. In some cases, the losses can be even higher. One girl in the U.S. discovered she was the proud owner of a million-dollar yacht when she turned 18. On paper at least. In reality all she had was the debt. Malware allows files to be downloaded and control of devices to be obtained by hackers. Any data stored on the device, or accessible through it, can be stolen.
Even a powerful computer cannot perform the necessary calculations to crack billions of passwords quickly. It would take years for a computer to be used to decode every possible combination of password. However, botnets on thousands of computers make the task much quicker. Botnet infections are also used to send out millions of spam emails. Email spammers do not use their own computers for this.
Sabotage is a common aim and it is often indiscriminate. Many viruses and malware delete or corrupt files, and even wipe entire hard drives. This may not occur immediately. Viruses lay dormant for weeks or months until a set date: Valentine’s Day is common. Kaspersky Labs, one of the AV engines used by SpamTitan, has identified a number of such viruses, including “The Wiper”, “Shamoon”, “Narilam”, “Maya”, “Groovemonitor” and “Dark Seoul”. These will delete data from computers or may wipe the entire hard drive.
How can you protect yourself from viruses, malware and scams?
- Don’t open emails from people you do not know
- Do not visit links contained in emails if you are not sure that they are genuine
- Delete emails containing attachments unless you are sure that they are legitimate
- Use an Anti-Spam solution such as SpamTitan to block spam emails and malware
- Keep AV definitions up to date
Perform software upgrades promptly and install patches as soon as they are released.
How long are computer viruses active before they are discovered? A few months? A year? In the case of the Russian Snake Virus, Uroboros, it has been stealing data for 8 years. It has been detected, but that doesn’t mean that the threat is over. The virus will be present on many systems, and will continue to steal data as it is incredibly difficult to detect.
Where did the virus come from?
It has been called the Russian Snake Virus, as many researchers believe the virus was created in Russia. Snake because some believe the Russian government had a hand in its creation. Why? Because of the sophisticated nature of the virus. A malicious program as complex as Uroboros is believed to have required state sponsorship. Foreign governments have been known to create viruses before. China was behind the APT1 virus. Links have been uncovered that tie the virus to the Chinese military. However, so far no link has been proven between the Russian government and Uroboros.
The virus was not created to steal data from individuals. The creators had other loftier aims. The International Business Times reported that the virus was created to steal government secrets and strike at telecoms systems.
The exact targets have not all been announced by the researchers who discovered the virus, but another link to Russia comes from the fact that Ukraine was attacked 14 times by Uroboros. It would appear that the Department of Defense of the United States was also attacked by the Russian Snake Virus in 2010.
The virus is currently being analyzed by UK firm BAE and German company Gdata. As for the level of sophistication, it is reportedly equivalent to Stuxnet. For anyone unaware of Stuxnet, it was developed and used by the U.S. and Israel to destroy Iranian nuclear reactors. It caused them to spin out of control until they were destroyed. Very James Bond, but in this case very real.
Uroboros is a rootkit and hides inside kernel-level processes. Because of this it has remained undetected. Anti-Virus engines do not scan there, allowing it to remain undetected for so long.
The analysis of Uroboros by BAE is secret and, while more is now known, since the virus is part of an ongoing operation few details have been released. The virus is still in operation and may be attacking or monitoring foreign government systems right now. What is known is Uroboros targets a vulnerability in Windows in addition to software running on the Windows platform. The virus has managed to continue working despite new security features being incorporated into the operating system.
How does Uroboros work?
From the information released so far it is known that Uroboros hijacks a running process. It hides inside of processes that are part of Windows so evades detection. Because of this, AV engines do not detect it. The AV software assumes it is part of Windows, and fails to flag the virus or hijacked service as being malicious. The virus is understood to inject DLLs into the running process.
It sends data at the user and kernel level. When a user fires up their browser, the virus launches a GET request and obtains instructions from the hacker’s command and control center. Since hundreds of legitimate requests are usually made, the GET request from the virus remains hidden. The use of HTTP also allows it to bypass firewalls. Uroboros is not always active either. It may be for a short period of time before going to sleep. It is told to do this by the hacker in control of the virus, and may sleep for months if required.
One question that has not been answered is how the Russian Snake Virus infects a computer. According to BAE, Uroboros is installed by a USB plugged into a computer, but it may also be installed via a phishing email. It is known to hack network processes, and monitor and intercept inbound and outbound traffic. It is capable of exfiltrating data and logs and can receive inbound commands.
A security vulnerability in Oracle Virtualbox has been exploited by the virus, allowing access to be gained to the kernel memory. It updates a variable indicating Windows was started in WinPE mode. Unsigned DLL files can then be loaded. These files do not have their owner and integrity verified. The Russian Snake Virus is capable of mounting virtual and physical drives, and different versions exist allowing it to be installed on different operating systems.
How can an attack of this nature be avoided?
Unfortunately, with malicious software such as the Russian Snake Virus it is difficult to totally protect a computer. There are steps that can be taken to reduce the likelihood of infection:
- The virus may be transmitted via phishing and spam emails: Block these using Anti-Spam software
- Issue training on anti-phishing strategies to employees
- Ban the use of all USB drives in your organization
- Keep software systems up to date with patches and, better still, upgrade Windows to the latest version
- Use diskless devices such as Chromebooks as much as possible
- Ensure packet-level inspections read HTTP traffic to look for signals that malware or viruses are communicating with command and control servers
- Data encryption can be used to protect stored data, but unfortunately not the memory
The Russian Snake virus: A risk for everyone or just foreign governments?
At present, the virus is believed to be used to attack foreign governments. Unfortunately, when details are released they can be used to create variants. Non state-sponsored hackers may not have been able to create the virus, but the techniques used to exploit computers and networks can be copied. This may already have occurred.
The next few years may see a number of different versions of the virus discovered, which may be used for many different reasons. Specific data may be targeted and stolen, or systems sabotaged. Only time will tell.
The discovery shows the lengths that some individuals and groups will go to in order to steal data, and why it is essential to implement multi-layered security systems to protect computers and computer networks, and always to use controls to prevent phishing emails from being delivered, and responded to.
The expert researchers at Kaspersky Labs have been hard at work this winter uncovering new malware threats, viruses and malicious code that threatens computers, mobile phones, servers, and corporate networks. However, what has recently been discovered is very worrying indeed. A new and highly malware named the Careto virus.
This is not a run-of-the-mill virus. It is nasty, very sophisticated, and consequently, probably the work of government-backed hackers. The Careto virus came from a previously known location, one that has produced a similar virus not so long ago. Kaspersky discovered the new virus and took rapid action to neutralize the threat.
Kaspersky Labs has already produced a detailed description of their discovery after conducting a detailed forensic analysis. That said, some techniques used to explore the nature of the virus were not particularly sophisticated and could be performed by any IT professional.
Kaspersky used “strings” – a Linux program that can be used to explore executable files – to extract text from the file. What they found was a series of instructions in Spanish, together with the name assigned to the new virus: Careto.
The name “Careto” is colloquial Spanish for “ugly face”, the corresponding name in English being “ugly mug”. It doesn’t translate as disaster, but it might as well do. This virus wreaks havoc.
Hidden inside this virus is a rootkit and a bootkit. The malware is particularly nasty and versatile, containing a Linux version, Mac OS X, and it is presumed it would also work on Android phones and the iOS system. It is very sophisticated in nature, and because of its complexity it has been suggested it is not the work of a bored, skilled teenager coding away in a bedroom. The complexity suggests that a considerable amount of time and effort has been put in to developing the virus. The Careto virus is capable of working on multiple systems at once, which Kaspersky suggests makes it the work of a team of hackers, not one individual.
Kaspersky investigated the Careto virus and started monitoring command-and-control (C&C) servers that were known to be used by hackers. This enabled the researchers to determine that the virus is proving to be effective. It has already infected over 380 computers, with those infections discovered in 31 countries around the world. The Careto virus appears to have been used to target specific organizations, and has been discovered in government organizations around the world, in particular, foreign embassies. Oil companies, gas companies, private equity firms, and research institutions have also been targeted.
The virus is primarily being spread by spear phishing campaigns. The targets have been sent links to fake versions of popular newspapers, including The Washington Post, as well as the Spanish Newspapers, El Pais, El Espectador, Publico and El Mundo.
The link contained in the phishing email has been masked, with users fooled into thinking they are actually visiting the genuine periodicals. The virus has also been discovered to have been used to infect computers via a security vulnerability in Adobe Flash (The 2012 version). Flash is used on a number of (typically older) websites to display advertising and video files.
Users may be wary of double clicking on emailed executable (.exe) files, but what about harmless picture files such as JPEGs. The executable file was found to reside in apparent JPEG files. The names, chef.jpg, waiter.jpg and dinner.jpg having been used to make them appear innocent.
What Does the Careto Virus do?
The types of individuals targeted thus far gives a clue as to what the Careto virus does. Its aim is to collect highly sensitive information, which it does by intercepting all communications channels used on the victims’ computers.
It “listens” in on Skype calls, chat sessions, and records and exfiltrates data from the infected device. Passwords are stolen, and encryption keys, bank account numbers, email addresses, phone numbers, and all manner of sensitive information obtained by hackers. This data is sent to the hackers’ command and control servers, one of which was discovered to reside on one of the IBM-owned Softlayer cloud service provider’s servers.
Unfortunately for the infected, detecting the virus is difficult. This is because it has stealth rootkit capabilities, cyber-espionage modules and other functionalities to help it avoid detection. After discovering and analyzing the virus, Kaspersky was able to track infected computers.
Fortunately, AV definitions have now been updated to spot the Careto virus, which incidentally, is blocked by SpamTitan Anti-spam software. SpanTitan is able to prevent this nasty virus from being delivered to your inbox.
The Sochi Winter Olympics is a major event in the sporting calendar, and we are looking forward to witnessing the spectacle of winter sports as much as everyone. However, as with any major sporting event, the Winter Olympics has attracted the interest of cyber criminals. Major sporting events tend to see spammers and scammers take advantage of the media frenzy, and Sochi Winter Olympics spam campaigns have already been discovered.
Sochi Winter Olympics Spam Warning Issued by US-CERT
The high threat level has prompted the United States Computer Emergency Response Team (US-CERT) to issue an alert warning of online scams and phishing campaigns, in particular emails with the subject of “Winter Olympics” or “Sochi”. Spammers are aware that these emails are likely to be opened by winter sports enthusiasts.
Sochi Winter Olympics spam emails are expected to be sent in the millions, and phishing campaigns have been devised with attachments related to winter sports schedules, medal winners and alike. It doesn’t stop there. Many emails will contain links to fake websites enticing users to click for up to date Sochi news. However, those links will direct the unwary to sites that are loaded with malware. Clicking the link will result in malware being downloaded to the visitor’s computer or mobile device.
US-CERT says links to unfamiliar websites should be avoided. However, there is worse news for any individual traveling to Russia to view the winter sports spectacle in person. NBC anchor, Brian Williams, recently announced that ”visitors to Russia can expect to be hacked.”
The news report warned of a high risk of cyber-attacks on innocent sports lovers who take internet-enabled devices on their travels. He said cyber-attacks are “Not a matter of if, but when.” Based on the news report, users can all but guarantee they will have their devices hacked, simply by turning them on in Russia.
Visit Russia and you will be hacked?
An NBC reporter, Richard Engel, investigated the risk as part of the report. The NBC test involved turning on a laptop computer and mobile to show how easy it was for hackers to take advantage. Once the devices were turned on and connected to Russian networks, they were attacked in minutes. Engle said, “Before we even finished our coffee the bad actors had hit.” He said that information had been stolen and malware downloaded, and issued a stern warning saying visitors were “entering a minefield the instant they log on to the Internet.”
However, the test was not all it appeared to be. It involved the reporters visiting a fake Olympics website, such as those used by phishers. These websites contain malware and automatically download it to the visitor’s device. The risk appears not to be as high as the report made it sound. According to internet security expert, Robert Graham, the test was conducted on devices that were likely not to even have basic controls to prevent malware from being installed, such as up to date antivirus software.
In fact, internet users in the United States, UK, or any location around the world would be infected by malware by visiting such sites. If the test was conducted from the United States, it would likely produce similar results.
Graham decided to put this to the test, and set out to deliberately get his phone hacked. As it turned out, it was not quite as easy as the reporters suggested. The security features installed on his phone prevented malware from installing. He persevered and disabled the security software installed on his Android Smartphone. He also masked his IP address to make it appear that he was actually in the Russian Federation. After finally finding a virus, he was issued with a warning on his phone, which he had to ignore to finally get his device infected.
That is not to say that internet users – visiting Russia or staying at home – should not be wary. Quite the opposite. It is essential to be security aware, not take unnecessary risks, and implement controls to block Sochi Winter Olympics spam and phishing emails. Basic security controls must be installed on all internet enabled devices to prevent cyber-attacks, and it is essential to be vigilant, avoid unfamiliar links, and not open attachments unless certain of their authenticity.
Whether you visit Russia or stay at home, it would be a wise precaution to use a VPN to access sensitive websites – online banking websites for example. Installing a spam filter will also help to protect against phishing campaigns.
What is a high risk country? These days there are no low risk countries. It is the websites you visit, not the country you live in, that determines the risk of cyber attack!
If you can be certain of one thing in life apart from death and taxes, it is the impossibility of winning a lottery that you have not bought a ticket for. Surprisingly, some people do fall for scams like these.
Over the past few weeks we have received reports of emails and letters being sent advising the recipients they have almost become a Euro millionaire: Their numbers have been drawn and a prize of €915,810 has been won.
The reason the emails have been sent to people who have not even bought a ticket is because these campaigns are sent randomly. The perpetrators of the campaign do not know who has bought a ticket, but a percentage of lottery ticket holders will receive the email if enough are sent.
A holder of a ticket may respond even if an email address was not provided when buying a ticket. Hope gets the better of common sense sometimes. The thrill of potentially having won over €900,000 helps in this regard.
The Spanish lottery scam nets criminals millions of Euros
A check for this sum is not issued for security reasons. The money can only be claimed by supplying bank information. The lottery company must use a bank transfer to provide the winnings. Sometimes, the lucky winner will have to cover some “administrative costs” in order to receive their prize. A charge of a few Euros is nothing compared to a €915,810 payout. Those charges are often more than just a few Euros, but the money is still paid.
This particular scam, or variants of it, are commonly sent by Nigerian criminal gangs. In the case of the postal version, a Nigerian postmark would be a giveaway. The letters are naturally all emailed from Spain. In fact, Spanish criminals have also started using this type of scam to defraud victims. The Guardia Civil recently took down a large gang of criminals who were running scams of this nature. Millions of Euros were recovered.
If you receive an email telling you that you have won a large sum of money, here are some easy ways to tell if the email is not genuine:
- You did not buy a lottery ticket
- You did not supply an email address
- You have never heard of the company you are asked to contact
- The email contains grammatical errors and spelling mistakes
- You are given a strict, and short, time limit for claiming your prize
- You are asked to supply sensitive information to verify your identity
- You need to pay an administration fee in order to claim your prize
- You are asked to click on a link contained in the email to confirm your identity
We wish you the best of luck. And if you want to win a prize, remember to buy a ticket and check the numbers personally!
Security technologies are some of the most advanced technologies, but security itself must be combined with good business and user practices to work effectively. No matter how advanced and well implemented the technology is, it is only as good as the methods used in using and managing it.
Acceptable use policy – what network activities are allowed and which ones are not
To protect employees, customers and suppliers all members of staff should be given a copy of the company’ s policy for acceptable use of IT resources including Internet and email. Often this forms part of the contract of employment. Having an acceptable usage policy in place helps protect the organization from exposure to malware and web threats as well as helping in disputes with employees.
E-mail and communications activities
To help minimize problems from e-mails and attachments, informing user behavior is key. Robust email and web security, coupled with appropriate user training and security procedures, are absolutely essential to the protection of corporate data, financial and other electronic assets. Without adequate solutions and controls, cybercriminals can exploit gaps in security defenses and cause serious damage to an organization.
- On Christmas Eve and again on December 26th, 2012, cybercriminals used malware installed on a local PC at Ascent Builders to transfer $900,000 from the company’s Bank of the West account. The theft was followed shortly after by a major distributed denial-of-service (DDoS) attack on the bank, presumably to conceal the theft of funds.
- In December 2012, cybercriminals added 11 bogus employees to the payroll of Niles Nursing, Inc. by using the company controller’s login credentials. Using ACH payments from Niles’ bank account, the criminals initially transferred $58,000 in funds to these individuals, who were to wire the funds to contacts in Russia and Ukraine. In total, approximately $170,000 was stolen from the firm.
- A study conducted for the UK Cabinet Office found that the loss of intellectual property – much of it the result of malware and other forms of cybercrime – costs British organizations upwards of £9.2 billion annually.
To help protect networks against threats such as viruses, worms, and Trojan horses, companies need to implement anti-virus protection on all company devices – specifying what anti-virus software is installed and what interval they are scheduled to run at. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. System Admins are usually responsible for creating procedures that ensure anti-virus software is run at regular intervals and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into the company (e.g. viruses, worms, Trojan horses, e-mail bombs, etc.) should be clearly stated as prohibited, in accordance with an Acceptable Use Policy. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
To help safeguard the network from unauthorized users, current corporate policies surrounding network security often neglect the most critical and weak security component: the human element. An organization’s overall security is only as strong as its weakest link – the user. Environments with disparate sources of identity information have different approaches for organizing user entries, security practices and access control. Internal identity issues can be complicated and need clarifying in a policy format.
Password policy, to help employees select strong passwords and protect them
A complex security system won’t matter if a hacker or phisher gets a hold of an employee’s password. If you take a laissez-faire approach to creating and protecting passwords these type of security breaches are more likely to happen. Smart password practices require next to no budget. They don’t need to take up much time either when formalized in a company policy. Password policy is often overlooked, but it’s a very important part of keeping secure in an online world.
Encryption policy, to provide guidance on using encryption technology to protect network data
A common scenario occurs when a company with a security policy in place directs the use of encrypted USB storage and distributes these devices to its users. After time it becomes apparent the company is still at risk from a data breach because users continue to use unencrypted USB keys. This company had a security policy in place and they issued encrypted devices yet still there’s a data breach that they must deal with. An encryption policy will not work unless users understand their role in protecting company data. It’s important to have an encryption policy but it’s just as important to have an encryption policy that can be enforced and is easy for the end user to adhere to. The hard part in this process is that it often requires a behavior change, the secret to success is showing employees how they benefit from tighter network security. Cybercrime and phishing attacks most commonly originate with an employee clicking a link to a website hosting malware, opening a file attached to an email that contains malware, or simply just giving up corporate information when asked via a phishing email or website. Such information can then be used as the basis for a sophisticated phishing attack or may be sufficient to get the scammer what they need. There is no silver bullet, but these threats can be mitigated against by training the workforce to identify, prevent, and report such attacks in a timely manner.
Phishing is not a problem that must only be dealt with by consumers. Businesses are being targeted based on the financial organizations they use, according to the latest research conducted by Kaspersky Labs. The Anti-Virus software provider has been investigating the evolution of phishing. The study looked at the attacks that had taken place between May 2012 and April 2013. The survey revealed that phishers are changing tactics, and are attempting to obtain bank account information. If business bank accounts can be obtained, so much the better. They usually contain much more money than personal accounts.
Hackers often target businesses they despise. Their intention is not always to make money but to cause harm. If bank accounts can be obtained they can be sold to cybercriminals. Accounts are plundered, and sometimes businesses go bust as a result. You may not have offended any hackers, but that doesn’t put you in the clear. Some hackers are involved in organized crime and they will not care who they target as long as money can be obtained.
If a bank is targeted and you lose funds, can you sue them?
A bank is attacked and a business loses money from its account. Can a business sue a bank for a cyberattack? Some are now trying.
EMI has filed a lawsuit against Comerica, in which it claims that the financial institution failed to implement appropriate security defenses which directly led to one EMI employee falling for a phishing campaign. An employee was tricked into revealing EMIs bank account details. As a result, over $500,000 was rapidly transferred out of EMIs accounts. Protections were not in place at the bank to stop this.
Unsurprisingly, the bank has claimed that this was the fault of EMI. It is EMIs responsibility to ensure its employees are trained, and do not fall for phishing campaigns. The bank could have done nothing to prevent that employee from falling for the phishing scam. EMI could have taken action though. It is unlikely that the lawsuit will result in the bank having to cover the losses of EMI.
Phishing prevention starts with staff training
If you want to protect your company’s bank balance, and stop phishers making transfers, the first step to take is to provide all staff members with cybersecurity training. One response to a phishing email is all it takes to see a bank account emptied. It therefore makes a great deal of sense to instruct members of staff about phishing emails. In the above case, the provision of such training may have saved $500,000.
The FBI estimates that these schemes, and other cyberattacks, net online criminals around $100 billion a year. These funds are obtained from large corporations and individuals, but small businesses are now being increasingly targeted. They lack the security software used by large corporations and their bank accounts contain more money than consumer accounts.
Unfortunately for SMEs, the same protections are needed as those used by large corporations. Unfortunately, IT budgets are not nearly as large. SMEs must therefore choose the best protections to put in place that will offer the greatest protection for the least outlay. Many do not even employ dedicated cybersecurity staff, so the products they choose must be easy to install, operate and maintain.
To protect against phishing, businesses must concentrate not on protecting their network with firewalls, but protecting end users. They are the ones who will be targeted by a phishing attack.
There are two methods that can be used in this regard (apart from staff training): The use of a spam filter to prevent phishing emails from being delivered, and a web filter to stop users visiting phishing websites.
The number of phishing attacks has increased significantly over the course of the past year. Because the tactic is proving to be so profitable, 2013 and 2014 are likely to see even more attacks take place. Any business that fails to take action to address the risk is likely to become a victim. Maybe not today, maybe not tomorrow, but soon.
Cyber criminals often take advantage of major news stories to launch new spam and phishing campaigns. Email subject lines containing news headlines are more likely to be opened by email users. A percentage of individuals who open the emails will click on the links contained in those emails or open the attachments.
One of the latest email scams uses the death of Hugo Chavez to get users to open spam and phishing emails. Unfortunately, curious individuals are likely to end up compromising their computer, and even the network to which it connects.
The latest spam campaign takes advantage of users’ curiosity with a good old conspiracy theory. In this case, the theory is that the FBI or CIA were behind the death of Venezuelan president, Hugo Chavez.
Researchers at Kaspersky Labs intercepted one of these spam emails and investigated. The email directed users to a website containing malicious software. Visiting the link would result in the user’s device being infected using the BlackHole 2.0 exploit pack. This would happen without the users’ knowledge. In this case, the malware was widely known. According to Kaspersky Labs, when the link was clicked “The payload dropped was not disclosed; however, 8/46 antivirus programs were able to detect the exploit code.”
The Aim of Many Spam Emails is to Infect Devices with Malware
Kaspersky Labs AV engine is used by SpamTitan to detect emails containing malware or malicious links. The anti-virus giant keeps its virus definitions database up to date and checks for the signatures of the latest malware and viruses to be discovered. The company has already identified a number of Hugo Chavez email scams doing the rounds, all of which have the purpose of delivering malware to unsuspecting email users.
The emails take advantage of people’s curiosity and direct users either to fake websites or genuine websites that have been hijacked and loaded with malware. Oftentimes the emails contain attachments containing malicious code. Opening those attachments will similarly result in users’ systems being compromised.
The latest emails are nothing new. Spammers and hackers often take advantage of major news events to get their malicious emails opened. Major sporting events, celebrity news, weddings, deaths, elections and natural disasters usually spawn a wave of new spam emails. Cyber criminals are devising ever more complex campaigns to fool users into installing malware or revealing their sensitive information.
Unfortunately, the problem is likely to get worse. As long as it proves profitable to send these spam email campaigns and phish for information, there will be criminals who are more than happy to commit time to developing the campaigns.
Fortunately, it is possible to lower the risk of becoming a victim of the spammers by following some simple rules and being vigilant.
Guidelines to Avoid Becoming a Victim of a Phishing Attack
- If you don’t know the sender of the email, don’t open it. Mark it as junk or delete it
- Never open an attachment sent by someone you do not know
- Never click on a link in an email unless you are sure it is genuine
- Never unsubscribe from an email newsletter or service that you have not subscribed to – Doing so will just confirm to hackers that your email address is valid. This will likely see you targeted by even more spammers
- If you receive a special offer that you are interested in, visit the website of the vendor directly to check the validity of the offer. DO NOT use the link contained in the email
- Ensure your anti-virus and anti-malware definitions are up to date
- Develop a culture of security awareness in your organization – The majority of security breaches come as a result of employees falling for a phishing campaign or responding to spam emails
- Install a robust spam filter to prevent spam from ever reaching inboxes
- Use web filtering to prevent users from visiting known malware and phishing websites
Being forewarned is being forearmed, which is why SpamTitan has issued five network and email security predictions for 2013. Over the course of the next 12 months, mobile applications and social media networks are likely to have a major impact on businesses, especially small to medium-sized enterprises. However, both have potential to introduce new security risks. These will need to be addressed.
Last year the volume of cyberattacks increased, as did the variety of new malware identified. More sophisticated cyberattacks were conducted in 2013 than in previous years, and they have proven to be even more damaging.
Last year was difficult for IT security professionals. Unfortunately, the coming year is unlikely to be any easier. If you want to keep your network secure and your data protected, a considerable effort will be required over the next 12 months!
SpamTitan Network and Email Security Predictions for 2013
1. Social media monitoring will become essential to keep networks secure and staff productive
The popularity of social media websites is growing, and people are now spending an extraordinary amount of time connecting with people online, sending messages, reading and writing posts, uploading photographs, friending and poking. People crave interaction so this should be no surprise. With even more social media sites to choose from, and the use of the sites now ingrained, employees will want to use the sites more frequently at work. It is up to employers to harness the power of social media and prevent abuse.
Managers who have yet to tackle the issue of social media website use at work will need to take action in 2013. Whether it is implementing a ban or policies covering usage, the issue will not be able to be ignored any more. Since employees will use the sites even if a ban is implemented, we expect more companies to start adopting ways to curb usage, as well as taking action to address the network security risks the sites pose.
2. BYOD is here to stay and the trend will continue
BYOD is driven by employees, not by employers. Employees want to bring their own devices to work, and employers can reap the benefits. The problem that must be addressed is how to manage the considerable security risks. Many companies will decide the risks posed by the devices outweigh the benefits, and many will look to harness the power of web tools and cloud based applications.
We expect security polices will need to be put in place by organizations in 2013. Employees who are permitted to bring their own devices to work are likely to have more restrictions put in place on the use of those devices. Additional security measures to enforce policies will also be installed.
3. Cybercriminals will start to use social media as the main way of profiling targets
As the use of social media networks grows and consumers spend more time on the sites, cybercriminals will start to use the websites as a way of identifying and profiling their targets for spear phishing campaigns. Malware attacks via Facebook and other social media platforms are also likely to increase over the next 12 months. Criminals will also become more skilled at using social media networks to obtain the information necessary to defraud their targets.
Email spam volumes should continue to fall as criminals find it harder to profit from spamming campaigns. The past 2-3 years have seen spam volume decline and this is likely to continue in 2013. 3 years ago, the volume of spam emails stood at around 90% of all emails sent. Now the figure is around 70%. We expect the total to fall to around 60% this year.
4. Phishing attacks will primarily be conducted via social media websites
Phishing campaigns have been found to be highly effective on Facebook and Twitter. These two social media platforms were the most popular with phishers last year, and that is likely to continue in 2013. Social media campaigns can be conducted rapidly, and require little outlay. As the threat grows, we expect organizations to take action and implement defenses to reduce the risk of their employees falling for phishing schemes. They will be given little choice if they want to keep their networks protected.
5. Market consolidation to continue and businesses will increasingly consider alternative solution providers
The information security industry is likely to see even more market consolidation in 2013. Smaller companies will merge, with numerous takeovers expected. Last year, Trustwave bought out M86 Security, and Eleven GmbH was acquired by Commtouch.
However, end user businesses should find they can stay competitive if they concentrate on niche products. Specialist products will continue to be developed and fine-tuned, offering consumers more powerful security solutions for specific areas of network security.
Do you agree with our network and email security predictions for 2013? We expect, as an IT professional, you will have your own security predictions for 2013. What do you think the next 12 months have in store for IT security pro’s?
Cyber Monday is one of the busiest online shopping days of the year, in fact the four days from Black Friday to Cyber Monday see huge volumes of people head online rather than travel to the shops.
This period is the busiest time of year for online shopping, with millions of shoppers going online to buy presents for Christmas. Over $1.5 billion is expected to be spent online on this single day, according to figures from ComScore. That represents a 20% increase in spending year on year. Ever since 2005 – the first Cyber Monday – online criminals have taken advantage of the unsuspecting. This frenetic period of shopping sees many internet surfers and bargain hunters let their guard down.
There are bargains galore, huge discounts to be had and a small fortune can be saved. However, it is a time when users and businesses need to be particularly vigilant. Financial ruin awaits the unwary. Spammers, scammers, phishers and other cyber criminals are very active during this four-day period and are waiting to take advantage of Internet users that do not take precautions.
Retailers do tend to concentrate efforts on Cyber Monday, but that is not to say that the remaining days in the run up to Christmas will not be busy. Cyber Monday is just the start of a long spell of intensive online shopping. Cyber criminals are aware of this. Individuals failing to take care could well become victims of fraud and identity theft. A high percentage of victims are created during the period from Black Friday to Christmas Eve.
A cybercrime report issued earlier this year suggests that 431 million adult victims have become victims of cyber crime in the past 12 months. The global losses from online criminal activity have now reached an incredible $114 billion a year.
Shopping Frenzy Sees Basic Email Security Measures Forgotten
Cyber Monday is not a holiday. It is just a particularly busy day for online shoppers. Since people are at work, the time available for online browsing is therefore limited. Time pressures combined with amazing bargains is only a good mix for online scammers. They take advantage of lapses in security precautions that inevitably occur when shoppers are concentrating on special offers and discounts.
Scammers use this time of year to send huge volumes of spam emails containing links to exclusive deals and special offers. Email attachments are commonly sent containing vouchers providing even greater savings. This is not just a problem for shopping addicts. Employers face an elevated threat of having their networks compromised during this busy period. According to recent research, 80% of all online shopping occurs during working hours, with employees sneaking online while at the office.
Employers must therefore ensure that their employees are not taking unacceptable risks that could compromise their computers and networks. Should malware be downloaded, or phishing links clicked, the consequences could prove to be catastrophic.
Should Access to Shopping Sites Be Banned at Work?
Human resource consulting firm, Robert Half Technology, recently conducted a survey that showed CIOs do not typically block access to internet shopping sites from the workplace. 77% of CIOs allowed fairly free access to the internet from work, with only 23% of CIOs banning online shopping. However, that said, internet access is closely monitored and action taken against employees found to be excessively surfing and shopping from work computers.
By permitting casual internet surfing and online shopping at work, CIOs are allowing employees to potentially engage in risky behavior. Many choose to reduce the risk of users visiting phishing sites by restricting access to the internet to secure websites only. This is often achieved by implementing a web filtering solution, which prevents employees from visiting specific websites or certain types of websites.
This is arguably one of the best methods of protecting business networks, without placing too many restrictions on the staff. Internet access can be allowed, which leads to happier staff, yet networks can be protected from phishing websites, viruses and malware.
The use of anti-spam filters will similarly prevent spam emails from being delivered to inboxes, further reducing the risk of employees clicking on links and opening attachments that could compromise a network. If these email security measures are employed and security awareness training is provided, the Black Friday to Cyber Monday period can be enjoyed safely. Many data security headaches will also be prevented.
Halloween has been and gone, and with it the threat from Halloween-related spam and phishing campaigns. Unfortunately, the ghoulish behavior of cybercriminals will not stop. They will just work on Thanksgiving-related scams, or target the millions of online shoppers on Black Friday, Cyber Monday and Free Shipping Day. They will also be preparing for Christmas, which is another excellent time to target the unwary and gullible. All of these holiday times see millions of spam emails sent, new phishing campaigns developed, and many old ones dusted off and used again. Internet users must therefore always be constantly vigilant for the next cyberattack or scam.
Internet security risks increase in the run up to Christmas
Employees lead busy lives and often do not find the time to do all of their Christmas shopping at home. Some do not have home computers so are unable to access the Internet outside office hours. Many just prefer to keep their free time free, and be paid by their employers to do their Christmas shopping.
Unfortunately, those employees are taking big risks that could seriously jeopardize the security of their corporate computer systems, according to the Information Systems Audit and Control Association. This risk naturally increases at times of the year when internet shopping increases.
The risk has also increased in recent years with the rise in popularity of BYOD. More devices are being used to access networks, many of which do not have the level of security of the desktop computers supplied by employers and configured by IT departments. These devices make it much easier for employees to bypass security and spam protection controls.
The bad news is the risk is not going to decrease. As more users take part on BYOD, and even more devices are allowed to connect to corporate networks, the risk of suffering network security breaches will also increase.
Many companies find the number of employees using computers for personal use, especially in the run up to Christmas, has reached a level where it is simply not possible to take action against each employee. The threshold for disciplinary action has had to be increased. Others target this by taking a much harder line, due to the amount of time that is being wasted by employees. HR departments are then run ragged.
It is no surprise that many employers opt for an easy solution and implement a web filter to block access to certain internet sites. The burden is eased on HR staff and employees waste less time and become more productive. They are also used to cut back on other time wasting activities, such as accessing social media sites and playing online games.
A web filtering solution, such as WebTitan, can be invaluable at this time of year. It will reduce risk to network security and improve productivity; however, risk cannot be totally eliminated especially with the volume of email spam campaigns and Christmas-related scams seen at this time of year.
Holiday season scams that threaten network security
The usual suspects come out at this time of year but, after 10 months’ “holiday” from Christmas scam emails, it is useful to remind employees of the spam and phishing emails that do the rounds at this time of year.
‘Must Have’ Gift Scams
Every year there are some gifts that every child wants. They are in short supply and usually sell out well before Christmas. Be late buying Christmas gifts and your child will have to make do with second best. UNLESS…… someone has a spare one or some excess stock. You will find offers of the latest gadgets or hot new products flood inboxes. Links take users to shopping websites that have just one or two left. A purchase is made and the gift is mailed. Unfortunately, many of these websites are fake, and all that happens is a credit card number is divulged to a criminal.
Christmas Phishing Scams
The run up to Christmas is a busy time and short cuts are taken by employees who are under pressure or daydreaming about roast turkey. People are less cautious and take more security risks. They forget to check that a website has a valid SSL Certificate or shows a padlock next to the URL. People are more likely to click on links to malicious websites and, when full of Christmas spirit, Christmas-related social media posts are visited more frequently. Users tend to reveal personal information at this time of year. A post asks you to create your Elf name by using the name of your first pet and the street where you grew up. Users unfortunately divulge the answers to their online banking security questions all too easily.
Fake Special Offers and Competitions
Everyone would like a free Christmas gift, and scammers know it is easy to obtain sensitive information via fake competitions if there is a cool prize on offer. It is a time to be very cautious about surveys or competitions that ask for personal information. Facebook is one of the preferred websites to launch a fake contest, and it is surprising how much personal information is disclosed. Once personal information has been divulged, an email often arrives offering a prize. Just a few more data fields need to be entered to claim the top prize. That prize is identity theft, not a shopping voucher or an Xbox.
How to avoid these Christmas scams
Vigilance is key. Employers must be particularly careful that their staff members do not fall for these scams. It is a great time for refresher training to be conducted or for an email bulletin to be sent. Be sure to warn the staff of the following:
- Never to click on a link contained in an email unless they are 100% sure of the identity of the sender
- Never open an attachment in an email from someone they don’t know
- Change passwords and make sure they are impossible to guess
- Be very careful about divulging sensitive information to anyone
- Social media websites contain many scams. Make employees aware of scam competitions or surveys that request personal information
- Be careful about installing mobile apps – they may not be as harmless as they appear
- Password protect Smartphones and use a lock screen – if stolen, criminals will not be able to access online accounts and company data
Stop and think before clicking any link, visiting a website or opening an email – Could it be a scam or phishing attempt?
The SC Magazine Awards 2013 will soon be announced. Each year the periodical assesses the best IT security products and issues awards to the companies supplying the best, most innovative, and effective security products. Competition is fierce in the industry, and many companies have released new products this year. Others have released new versions of security products with even better protection.
This year SpamTitan Technologies has been selected and named as a finalist in the best Anti-Malware category. The provider of Anti-Spam and web filtering security products is one of the leading providers of security products that protect organizations from email and web borne threats.
SpamTitan Technologies Anti-Spam solutions incorporate dual AV protection; using the anti-virus engines of two leading providers – Kaspersky Labs and Clam Anti-Virus. The spam-busting software conducts a heuristic scan analysis offering excellent protection. Potentially harmful and suspicious emails are caught in its spam filter and are quarantined rather than being delivered to end users’ email inboxes. The software has been shown to trap spam emails before patterns have even been identified, and even provides a zero-hour response to new email threats.
The inclusion in the best Anti-Malware category is the result of the hard work by the entire team at SpamTitan Technologies. A considerable amount of research and development has gone into the latest version of the spam-fighting software. The new version is even better, more efficient, and more effective than ever before.
The Readers Trust Anti-Malware finalists will be assessed by a panel of readers who have volunteered their time to vote for the best products on offer. These individuals have a high level of skill and will use their expertise in the area of IT security to determine which product will be voted the best Anti-Malware product of the year. The panel of judges have come from a wide range of organizations of all sizes and from all major market verticals.
The results of the final vote are eagerly awaited by all participants. The annual awards can be used as a guide to the best Anti-Malware, Anti-Virus and IT security products to install to protect users and computer networks from attack.
Have you tried SpamTitan’s Anti-Malware solution? Are you happy with the software and the catch rates?
If so, register your vote for the SC Magazine Awards 2013 today!
Cybercriminals are intent on breaking through security defenses to gain access to corporate databases. Once access has been gained, they steal data to sell on to other criminals to use for fraud and identity theft. There are some exceptionally talented individuals out there who are doing this, but there are many less talented individuals as well who are doing the same. In fact, there are individuals with next to no talent or skill who are doing who are making big money because it is so easy.
It doesn’t actually take a genius to steal data from companies, even when robust security measures are put in place. That is because massive security holes are left unplugged. The door is being left open, and cybercriminals are just walking through it.
To prevent major data breaches and cyberattacks it is essential to make hard for cybercriminals. If it is hard, they are likely to look for easier targets. There are plenty out there, you must just make sure you are not one of them. It is much easier for them to take the path of least resistance or, in many cases, they take the path of no resistance. Some companies make it ridiculously easy for hackers and criminals to steal their data.
How easy is it? The global information group Experian took a close look by conducting its “life in a box” experiment. That study produced some very interesting results. First of all, the study quantified the extent of the current problem.
Between the start of January and the end of June 2012, a period of only 6 months, 19.7 million pieces of information were illegally traded online. To put that figure into context, 19.04 million pieces of information were traded in 2011. That’s the whole of 2011, BTW, not just the first 6 months.
The Life in a Box Experiment
Meet Steve. He knows his stuff. He is a typical web user who is quite knowledgeable on security matters. He takes precautions when using the internet, holds down a normal job and pays his taxes. He is also in a hurry most of the time because he has a lot to get done. Consequently, he makes some mistakes. Basic security errors, even though he believes he is quite security conscious.
Steve was presented with a few challenges for the study. These online tasks were set to find out just how easy he was making it for criminals to steal his personal data. During the study, this reasonably security conscious guy made three fundamental security mistakes.
- He was found to be sharing his passwords across a number of different online accounts
- He did not bother to check that a website was secure (had a padlock next to the URL) before disclosing personal information
- He did not update his web browser to the latest version when a security update or critical patch was released
Steve had set up 8 temporary email addresses during the study. It took only 5 hours for all 8 to be hijacked. His data were actually in the hands of criminals in multiple countries around the world within 5 minutes of the study commencing. Mr. “Reasonably Security Conscious” was not making it difficult for cybercriminals at all. Most of his fellow employees would have performed equally badly, and many a whole lot worse.
A vast amount of personal data is uploaded to the Internet
An incredible amount of data about individuals’ lives are uploaded to the Internet. Names, dates of birth, passwords, usernames, answers to security questions, bank account details, Social Security numbers, credit card numbers, medical information, consumer information, likes and dislikes. The list goes on and on.
If you are a little sloppy and are not particularly security aware, this information can easily be accessed by criminals. With just a little information it is possible to commit identity theft. Criminals use that information to create or obtain fake IDs that can be used to obtain further proof of identity. Then credit cards, loans, prescriptions, medical services and much more can be obtained. Bad security habits at work can see employers’ systems compromised and corporate bank accounts plundered.
There has never been an easier time to get into online crime
Personal information can be obtained using a number of very straightforward techniques. It is not necessary to be a hacker to do this. Any would-be criminal could pay to use an exploit kit and even be instructed how to use it. Phishing campaigns can be easily launched, social engineering scams developed, viruses and malware sent via email, and malicious code loaded onto pages and adverts on social media networks.
As long as web users continue to make it easy for criminals to take advantage, there will not be a shortage of individuals willing to try to defraud them. It may not be possible to prevent all cyberattacks but it is possible to make sure that only the most skilled and creative cybercriminals will have a chance of success.
Security awareness must improve in order to prevent corporate cyberattacks
Unfortunately, even with excellent security defenses installed, the sloppy security habits of employees can result in networks being compromised. All it takes is for an employee to respond to a phishing campaign, visit a website containing malicious code, install malware by mistake, or hand over sensitive information to a scammer and the door can be opened.
The Life in a Box study shows just how easy some people are making it for cybercriminals to take advantage. You can tell employees to only use websites that have a SSL certificate in place, or to look for a padlock next to the URL before disclosing personal or company information, but they will continue to make basic security errors.
They must be instructed on the risks, trained how to avoid risky behavior, and told about the methods cyber criminals use to obtain data, steal identities, and break through corporate cybersecurity defenses. They do not need to be turned into IT security experts, they just need to be taught how to act responsibly online.
You also need to put additional security defenses in place because everyone will make mistakes from time to time. You need to make it harder for cybercriminals to take advantage, and you need to reduce the number of times your employee’s security skills are put to the test. A Spam filter is a good place to start, and a web filter is also wise protection. Alongside security training, your network will be much better protected from attack.
The news that Google will pull the plug on Postini spam filtering software may not come as a shock to the 26 million businesses and consumers who use the product to keep their inboxes clear of email spam. There have been rumors circulating for a while now about the Postini Anti-Spam pull out. However, now it is time to actually start looking for an alternative email spam filtering provider, as the rumor has been confirmed as being true.
Google is attempting to move all Postini customers over to Google Apps, which the search engine giant hopes will be a smooth process. Not all Postini customers will welcome the move. For them, they will need to put effort into assessing the alternative spam filtering to Postini and will need to choose another vendor.
Google Apps may offer email security solutions but there are drawbacks, the main one relating to privacy. Google does like to know everything about its customers and many organizations are unhappy about giving Google so much information about them and their business.
A new Anti-Spam solution is critical
Since email spam filtering is a critical business system, there cannot be a gap between the termination of the Postini service and the implementation of a new spam filter. Due to the volume of spam emails now being sent, inboxes are likely to be swamped with spam the second the Postini service expires. Spammers are likely to seize the opportunity and send out even more emails hoping to capitalize on the gap in service that many companies may experience.
Changing provider is a pain. Small enterprises are typically short staffed and switching any service provider means a lot more work needs to be done. When staff are already stretched and overworked, the time needed to assess new service providers and install and test a new Anti-Spam system must be found from somewhere.
It doesn’t take a long time to change an MX record, but changes allow errors to creep in. If a period is entered in the wrong place it could result in the email system grinding to a halt. Email crashes can take a long time to resolve.
Postini’s exit from the email filtering market may not be a shock, but Webroot customers are likely to have one. They too will have to find a new Anti-Spam service provider. It would appear that by the end of 2013, Webroot will also be pulling the plug on its anti-spam products.
SpamTitan is the natural choice for soon to be ex-customers of Webroot and Postini
SpamTitan email filtering solutions are an ideal alternative for Webroot and Postini customers. SpamTitan is an up and coming company that is growing at an impressive rate. The company has now topped the honors list in recent industry awards – SpamTitan has just been voted the Number 1 Anti-Spam solution in July’s Virus Bulletin Test – and in addition to an impressive catch rate and low false positive rate, its anti-spam solutions represent excellent value for money.
Businesses located in over 100 countries around the world have adopted SpamTitan as their preferred Anti-Spam solution. The company’s products are highly effective at blocking spam email, with SpamTitan filters preventing 99.97% of spam emails from being delivered thanks to the powerful dual AV engines at the heart of the software. Tests have shown a false positive rate of virtually 0%, and additional protection is also provided by an anti-phishing module.
Summary of benefits of SpamTitan Anti-Spam solutions
- Catch rate of over 99.97% – Fewer spam emails will be delivered
- Virtually 0% false positive rate – Genuine emails will not be caught in its filter
- Dual AV engines employed– Kaspersky Labs and Clam Anti-Virus stop more spam
- Anti-phishing capability – Anti-phishing protection to prevent malware infections
- Multiple deployment choices – Choose from ISO, SpamTitan on Demand, and VMware
- Competitive prices offer cost savings over competitors
- Seamless migration from existing Anti-Spam service providers
- Excellent customer service
For further information on migration, pricing, and implementation timescales, just give the SpamTitan team a call.
If you have a Facebook account and follow the news, you are likely to already have heard of a new Facebook chat phishing scam that has been devised by online criminals in an effort to get you to part with your credit card information.
It is no surprise that another Facebook chat phishing scam has been uncovered, but what is particularly interesting is the amount of effort that has gone into the latest scam. The latest Facebook chat phishing campaign shows how sophisticated the campaigns are becoming, and how easy it is to fall for one of these scams.
Convincing Facebook Chat Phishing Scam Uncovered
The criminals behind the latest Facebook phishing scam are trying to obtain a considerable amount of data and, if successful, will obtain credit card numbers, expiry dates, CSC codes and login names and passwords. The scam was discovered by Kaspersky Labs, and it operates via the Facebook chat function. Phishing is more commonly associated with randomly sent spam emails, targeted emails, and malicious websites, yet the techniques work equally well on social media websites. Perhaps even better.
In this case, the Facebook chat phishing scam is not just convincing, it is scarily good. The scammers compromise a Facebook account, and alter the account name to ‘Facebook security’. They then use the chat function to send a message to the entire contact list of that person, warning them that their account has been compromised. If login details are not confirmed, their account will be shut down. Since the message comes from “Facebook Security”, it appears legitimate.
The message also contains a link that must be used to confirm the account details. Clicking on that link will direct the soon to be victim to a mock up Facebook site that looks reasonably legitimate. The victim then enters their login credentials to access that site and, by doing so, gives the scammer access to their entire account, including their contact list. In this case that is not all. The fake website then asks the user to confirm their email password, compromising that account as well. Since users often share passwords among many different online sites, other accounts could all to easily also be compromised as well. Kaspersky Labs has also reported that this Facebook chat phishing scam then requires users to make a payment, for which they will need to divulge their credit or debit card number, expiry date and CSC code.
Of course, this last step should get alarm bells ringing, as Facebook does not charge users for the service it provides. However, many will fall for this scam out of fear of loss of their account. Sometimes, reason flies out the window and only after information has been divulged do users wonder if they may have been scammed. Even if credit cards are not provided, the scammers will have access to contact lists to try the scam on others
This scam is complex, but it relies on the user falling for the initial Facebook security message. However, it is important to remember that Facebook or any other reputable company, will not ask for a credit card (plus expiry date and CSC code) to verify identity. You should also bear in mind, that it is not in Facebook’s interests to shut down your account, and highly unlikely that they would do so and prevent you from gaining access to it again.
Be Wary Online – Criminals are Devising Ever More Complex Ways of Obtaining your Data
Phishing is used by online criminals to obtain your data, and the campaigns take advantage of technical and social vulnerabilities. The situation is only likely to get worse, yet even with the current high risk of attack, not everyone is implementing measures to protect themselves, in fact many are leaving themselves wide open to identity theft and fraud. All it takes is one successful phishing scam and everything can be lost. For businesses the problem is just as bad. Fraud and network damage can be considerable, and in many cases catastrophic.
Unfortunately for businesses, all it takes is for one employee to fall for a phishing scam and a network can be compromised, and that can come from a Facebook chat phishing scam just as easily as a bogus email attachment. Once access to a PC has been gained, a network can be accessed and sabotaged, or data and corporate secrets can be stolen.
It is therefore vital for companies to take precautions. Training staff about phishing avoidance is advisable, and continued training essential, but to reduce the risk of employees’ phishing identification skills being put to the test, it is worthwhile installing powerful web filtering software as well as email security software.
Ransomware is all the rage these days. Employees are fooled into downloading malware onto work computers, and hackers lock company data with powerful encryption software. Once encrypted, the data can only be accessed by using a security key. Unfortunately, they are all held by the hackers and will not be released unless a ransom is paid. Agree to pay the ransom and the data will be unencrypted. There is no guarantee that this will happen of course, but companies are often given no choice.
Ransoms are also demanded following the theft of corporate data. The criminals responsible are not looking to use the data personally. They just want a quick and easy payout. AmeriCash Advance, a well-known U.S. Pay Day loan provider, was recently attacked and had customer data stolen by a hacking group called Rex Mundi.
The group asked for a ransom to be paid, but AmeriCash refused to give in to the demand for $15,000. The company had been warned that if it didn’t pay up the stolen data would be posted online. Loan applicants and the company’s customers would then have their financial information sent out via Twitter and social media networks. This would place those individuals at a high risk of suffering fraud, having their identities stolen, or being targeted by phishers and scammers. That would likely result in customers taking their business elsewhere.
The refusal to pay means that is likely to now happen. Previous applicants for loans and AmeriCash customers must therefore be on their guard.
How much risk do victims face?
The level of risk depends on the data that have been stolen. If credit card numbers, full bank account information, Social Security numbers and account logins have been compromised, the risk of identity theft and fraud being suffered will be very high.
Any individual affected would need to put a credit freeze on their accounts, register for credit monitoring services and be extremely careful responding to emails and divulging any information. In the case of the latest attack, individuals had the last four digits of their Social Security numbers exposed, the amount of money they requested or had had loaned, and their names and email addresses. In this case only a small quantity of data was stolen and, although customers are still at risk, it could have been a whole lot worse.
Any person in possession of the data is unlikely to be able to steal the identities of the victims without obtaining further information. The first 5 digits of the Social Security number for example along with a date of birth. Criminals who have purchased data will likely attempt to obtain the further details they need. For that they will use phishing scams. These aim to fool users into revealing sensitive information and the campaigns can be very convincing.
What can be done to reduce risk following a successful cyberattack?
According to a report on CNet, AmeriCash did what all companies should to. The company made sure that its systems were secured to prevent further attacks. The relevant authorities were contacted and law enforcement agencies were notified.
Customers also needed to be advised that their data have been compromised and warned of the risk of phishing campaigns. That process was also performed.
Offering affected individuals free credit monitoring and identity theft resolution services can help reduce fallout. Some state laws demand that this is offered if Personally Identifiable Information (PII) or Protected Health Information (PHI) is exposed.
It is also wise to increase security measures to prevent future attacks. Web filtering solutions and anti-spam protection can reduce the risk of suffering data breaches. It can also prevent employees from falling for phishing campaigns that give hacking groups the information needed to gain access to corporate networks.
The European Football Championships are almost upon us, which is fantastic news for football (soccer) fans, but terrible news haters of ‘The Beautiful Game’. It is also something of a nightmare for employers.
It is easier to manage than the World Cup of course. There are only a very limited number of time zones across Europe, so no matter where the games are played, most kick-off times are outside of normal business hours. Unfortunately, standard business hours are becoming a thing of the past for many workers and not all qualifying games are played in the evening. Many employees will face a dilemma. Watch the game at work and risk the ire of an employer, or miss out on some live football action. A great many will choose the former and will use streaming websites to see the games live.
IT security risks are introduced during major sporting events
Major sporting tournaments have a knock on effect on productivity, but that is actually a relatively minor issue compared to the increased network security threat that comes from sports streaming websites. Streaming websites breach copyright laws. The owners of websites showing live sports games run a risk of arrest, heavy fines and even prison terms for their deeds. They must therefore make enough money to make it worthwhile.
To do this they show adverts on their sites. However, few people click on standard adverts. They go on the sites to watch sports, not click on links. The site owners therefore have to be sneaky. They make it hard for the adverts to be closed. The put multiple X’s in the adverts, which launch pop ups. This means that your standard football addict will end up clicking on multiple adverts in an attempt to close them.
Cyber criminals are well aware of the tactics used by the site owners, and know that ad’s will be clicked by everyone using the sites. If they are able to get their adverts on ad networks, getting visitors to their malicious websites could not be easier. That means more individuals will inadvertently download their malware, more computers will be infected, and they will make more money.
So are the European Football Championships all bad news for employers?
The European Football Championships mean owners of streaming websites will make money, it’s a win for cyber criminals and hackers, and great for Football fans. Employers don’t fare too well, and neither to IT security professionals. Bandwidth is chewed up by employees streaming games, the malware risk increases and it is a potentially unproductive time for a few weeks.
That said, it’s not all bad for employers. Research conducted by Robert Half Technologies shows that there are positives. In a poll of HR directors, 44% thought that the European Football Championships would actually have a positive impact on morale and employees would be more motivated. This happened during the Olympics. IT professionals were not so complimentary about the benefits. In fact, 57% will be banning access at work due to the high network security risk and bandwidth issues.
A ban can be implemented easily. All it takes is an email, or a mention in a staff meeting. But how can the ban be enforced?
How can you block streaming websites, control Internet usage at work, and manage risk?
There are many ways to block website access, but it can be time consuming to set up. It is also hard to block access to ALL websites used for streaming. These often change or are shut down and new ones opened. Blanket bans can result in legitimate websites being blocked, and setting rules on individual browsers is just not an option. It is far too time consuming, and too easy for users to change their own settings to allow temporary access.
The best solution is to use web filtering software. This allows internet usage to be centrally controlled by a system administrator. You could even block all games apart from those involving those played by your home country. It really is very simple to have that level of control (if you have the right web filter installed).
SpamTitan Technologies web filtering solutions have highly granular controls, which will allow you to:
- Block websites by domain, category, URL pattern, or content
- Prevent users from downloading certain file types
- Block or permit certain websites for specific groups or individuals
- Set restrictions based on time-frames – i.e. allowing workers to stay after work to watch games, but block access during working hours for groups or individuals
- Prevent end users from visiting links to malicious websites
- Block malicious adverts from being displayed
- Blocking all streaming services, including music and video
- Block online gaming websites
- Compile reports to see who is trying to access banned sites.
Add a SpamTitan Technologies Anti-Spam solution and you can also block the barrage of spam and phishing emails that are sent whenever major sporting events take place.
The 2012 London Olympics spam email campaigns have already started to be sent, even though we are still months away from the opening ceremony. That has not stopped cybercriminals from starting their phishing campaigns and cyberattacks. The run up to a big sporting tournament can be an even better time to get the unwary to download malware to their devices and reveal sensitive information. When people are excited they tend to take more risks, and people are very excited about the Olympics, especially those living in the British Isles.
2012 London Olympics spam email ticket scams
How often do the Olympics come to a country close enough for it to be feasible to actually attend an event or two? For most people that is very rare occurrence. People living in Britain or Ireland will see the 2012 sports extravaganza as finally being within reach. Unfortunately, the combined population of the UK and Ireland is around 68 million people, which is a few too many to fit into the London Olympic stadium and the other venues housing this year’s Olympic events. Tickets are therefore difficult to obtain.
A ticketing system exists that allows people to enter their names for the events they want to see; however, it is something of a lottery as to whether a ticket can be purchased. Only a lucky few will get to see their preferred events. Everyone wants to see the 100M final, but not so many are interested in the early handball heats. Where there is high demand there is money to be made, and criminals use the huge popularity of the sports events to launch Olympics ticket scams. Many of these scams are delivered by email.
Unwanted tickets are being offered online, touts are pushing their over-priced tickets, and cybercriminals are selling fake tickets to popular events. It is a time to be cautious. It is important that tickets are not bought from anywhere other than an authorized seller. If that means you cannot see an event, that is unfortunately just the way it is. If you are being offered a ticket via email by a stranger, chances are it is a scam.
That scam may not just be designed to get you to pay £1,000 for your fake ticket. In many cases, the purpose of the spam email is to get you to reveal your bank account details, credit card number, or install malware on your computer or portable device.
Phishing attacks are popular with cybercriminals, and 2012 London Olympics spam email campaigns are one of the preferred methods of launching attacks. Individuals are also being targeted with spear phishing emails. Instead of sending millions of emails offering tickets to the 100M final or opening ceremony, some scammers are researching their targets to maximize the probability of getting a response.
There is no point offering 3-day event tickets to your average soccer fan. They are unlikely to respond. However, if you know a soccer fan is planning to travel to London from France, offering that person a ticket to see a France soccer game is likely to get a better response. Especially if they are known to be in the UK at the time, and have said on social media they are trying to get a ticket. Criminals research individuals on social media and create highly targeted phishing emails.
Employers must be particularly careful as Olympic fever will grip many workers. They may respond to a 2012 London Olympics spam email at work and inadvertently download a virus or nasty malware. Protecting the network is going to be harder over the coming months.
Now is therefore a good time to issue warnings to the staff to be wary. Advise employees of the methods that can be used to identify a spam email and you will minimize the probability of an employee responding. Such tactics are reasonably effective at preventing malware infections and accidental disclosures of confidential company information.
Unfortunately, all it takes is for one individual to respond to a 2012 London Olympics spam email for a network to be compromised, so other tactics should also be employed. We recommend installing an Anti-Spam solution to stop the 2012 London Olympics spam email campaigns from ever reaching end users.
As for Anti-phishing protections, a web filter is the solution. This will prevent users from visiting Olympics-themed websites that have been infected with malware, contain malicious code, or featuring ads that have been placed by cybercriminals.
Following the news that Boulder-based Internet security company, Webroot, is set to leave the email security market, many IT security professionals have started looking for an alternative solution to deal with their organizations’ spam problems. A great many IT security professionals will be sorry to lose Webroot email security products, having relied on their protection for a number of years. Webroot email security solutions were popular and effective.
Two months previously, Webroot was reported to be looking to leave the email security market, and is to retire support for its products as 2013 comes to a close. A lack of support means a change will be necessary for any company currently running Webroot email security solutions if they are to keep their email systems protected. Fortunately, SpamTitan is well positioned to take up the reins.
The company offers industry leading anti-spam solutions tailored to the needs of individual businesses. Not only do the company’s products boast a high success rate – blocking over 99% of spam emails – they also have a very low false positive rate.
SpamTitan also boasts one of the most competitive pricing models of any anti-email spam solution. With IT security budgets stretched to breaking point already, this will come as very welcome news to CIOs, CISOs and IT security professionals.
SpamTitan Enterprise Anti-Spam Solutions
To date, SpamTitan has been deployed in over 100 different countries around the world, with IT security professionals choosing the company’s products for their exceptionally high spam catch rates. The products have consistently scored highly in independent anti-spam tests, and boast a catch rate in excess of 99.97%. The high catch rate is achieved, in part, by using dual AV engines. This ensures that if one engine fails to catch a spam message or phishing email, there is an excellent chance that the second engine will. The two industry-leading AV engines used by SpamTitan are those developed by Kaspersky Labs and Clam Anti-Virus.
Additionally, the products have a false positive rate of virtually 0%, with next to no genuine emails mistakenly caught up in the spam filters. Businesses can therefore use the products with confidence, knowing that important, genuine emails will be delivered to the correct recipients. As a result, IT professionals will not be bombarded with requests by employees to look for expected emails that have not been received.
SpamTitan is much loved by users because of the ease at which the company’s solution can be implemented. System administrators love the products for the easy-to-use interface and level of customization possible. This allows tweaks to be made to suit each organization’s needs and requirements. Multiple deployment options are also offered, such as ISO, Vmware, in addition to the ever popular SpamTitan On Demand.
The products also boast excellent protection from phishing emails thanks to a powerful and robust anti-phishing email module. Phishing emails are a growing threat to network security, and with higher volumes of malicious emails now being sent, this is a very important feature to help ensure network security.
Need to Switch from Webroot to Another Anti-Spam Service Provider?
Any organization looking to make the switch from the soon-to-be unsupported Webroot to a new anti-spam solution provider should contact SpamTitan to discuss the options available. Advice can be offered on migration from Webroot and other anti-spam providers to ensure a seamless transition.
New SpamTitan customers also benefit from a totally free 30-day trial period, with prices starting from as little as $395 per month.
Further information on anti-spam, anti-phishing, and web-filtering solutions can be obtained by emailing the Customer Service team on email@example.com
There are only two days to go before the red roses arrive, you get a box of chocolates, are taken out for a meal and treated to a night of passion (well, we hope so!). You may therefore want to start preparing. Maybe get a nice dress or a swanky new suit so you can look at your best.
You should also prepare for the onslaught of spam and phishing emails that are likely to be heading your way. Cyber criminals, spammers and scammers have fallen in love with St. Valentine’s Day. They take advantage of the human need to be loved and send out just the type of email people are hoping to receive.
Unfortunately, if you respond, you will not be treated to a night of passion and you will not discover a new secret admirer. You are likely to have malware installed or your bank account emptied.
Beware of scam emails and St. Valentine’s social media scams
In years gone by, scammers primarily used email or the telephone to fraudulently obtain money from the unwary or gullible. The meteoric rise in popularity of social media networks has given criminals a much easier opportunity to make money. There are phishing scams aplenty on social media networks.
However, email continues to work well for the scammers. Many people look for ways to save money on St. Valentine’s Day, and respond to emails offering discounts on flowers, chocolates, gifts, and holidays.
Spam emails typically sent by criminals tend to have subject lines such as “Will you be my Valentine?”, “Valentine’s Day Jewelry”, and “Cheap Flowers for Valentine’s Day”. The same subject lines that could possibly be sent by legitimate retailers or potential lovers. This is why the emails are opened by so many people.
In March, 2010, the results of a new study were published by the Messaging Anti-Abuse Working Group. The study looked at why people fall for email scams. The study was conducted on 3,716 individuals and they were asked questions about their response to spam email.
In some cases, it was not a failure to identify an email as spam that resulted in the email being opened, but because the recipient was genuinely interested in the products or services being offered. 11% of respondents opened the messages, knowing that the email was spam and 15% of those individuals did so because they liked the sound of the offer or product.
Scammers are aware that a percentage of their emails will be opened, and also that many people will respond and disclose information. The more emails that can be sent, the bigger the response will be and the more money will be made. The volume of spam emails being sent is therefore unlikely to decrease. The only thing that will stop the emails is when it is no longer profitable to send them.
How to avoid becoming a victim of a scam or phishing campaign this Valentine’s Day
Businesses need to be particularly wary this Valentine’s Day. If these malicious emails are delivered to employees’ inboxes, a percentage (11% according to the study) of those employees will open them. Many may visit malicious websites as a result – a link to a malicious website offering cut price jewelry with free next day delivery. They may even open malware-infected attachments – a JPEG picture of an admirer for example that is really a cunningly masked executable file.
By installing a spam filter with an anti-phishing component, the vast majority of these emails will be caught and quarantined and, if one does get through, the user will be prevented from visiting a malicious website. In the case of SpamTitan, 99.97% of those emails can be blocked. This is one of the best steps that can be taken to protect networks from malware delivered via email.
Additional protections include:
- Instructing employees how to identify a phishing attack, and teaching best practices to follow to avoid compromising a network or becoming a victim of a scam.
- Develop a culture of security awareness. Get employees to stop and think before taking an action and always to suspect that an email may be a phishing attack
- Never to unsubscribe from an email mailing list they haven’t joined. The email can be marked as junk and all future emails will be delivered to the spam folder, or caught in an Anti-Spam filter if one has been installed
- If an offer is interesting enough to warrant a response, contact the company via its official website or use the telephone. The contact details can be found in the phone book or through the search engines. Do not contact the company using the details supplied in the email
- Keep all Anti-Virus, Anti-Malware, and Anti-Spam definitions up to date
- Tell staff not to trust any unsolicited email they receive
The network security nightmare that is Black Friday to Cyber Monday has now passed, but Free Shipping Day is not much better for IT security professionals. They now have to cope with another of the busiest online shopping days of the year.
Fortunately, Free Shipping Day is tomorrow, Friday 16th December. That means the weekend starts the day after. It will be needed. Free Shipping Day means long hours need to be put in by IT security professionals! Spam emails are likely to arrive by the bucket load as the scammers take advantage of so many consumers buying online.
The cost of shipping can be expensive. Even very low priced items are not such a bargain when postage and packaging charges have been added. Shoppers finally find an ideally priced gift item for Christmas that is still in stock, available in the right color and size, and then they are hit with a massive shipping charge. Free Shipping Day removes any uncertainty.
Purchase from any of the 2,000+ U.S. retailers who take part, and you can forget about shipping charges. You can purchase in confidence knowing that the price displayed next to the product is all you will have to pay.
The day is a fairly new initiative to get consumers to spend more, but tomorrow is not a holiday. That means online shopping will have to take place from work. Wait until the evening and you will not pay postage charges, but will there be anything left to buy?
Many employees are banned from online shopping websites at work but, even with a ban in place, Free Shipping Day often proves too much of a temptation. Research shows that more money is spent online during working hours than any other time, so many employees are using work computers for online shopping – even if it is not allowed by employers.
Interestingly, research from AOL suggests 20% of workers use work time to do shopping or view pornography. Employers may allow a little of the former, but certainly don’t permit the latter. Yet that still happens.
Regardless which is chosen, both are a nightmare for network security professionals. Shopping websites and adult sites are targeted by malvertisers who are attracted by the high traffic that the sites receive. Malvertisers place adverts on the sites through legitimate advertising networks. They then direct users to malicious websites. A busy online shopping day means a busy day for online criminals.
Employers and their IT departments must be particularly vigilant for inappropriate Internet use and must keep a close eye on the websites that employees are visiting. A malware infection acquired from a malicious website could compromise a computer or, worse still, the network.
A recent survey conducted by Robert Half Technology indicates 23% of CIOs do allow employees some online shopping time at work; although those employers often monitor the visited sites and check to make sure staff are not wasting an excessive amount of time on personal matters.
Employees are happier without Draconian bans on Internet use and happy employees are generally more productive. However, to make sure this privilege is not abused and networks are not placed at risk, companies need to implement web filtering solutions.
This is an important precaution. Over 431 million adults became victims of cybercriminal activity this year. The cost to business is estimated to be $114 billion per year.
Halloween brings out the ghouls, ghosts, and trick or treaters – and also plenty of cybercriminals. The latter use All Hallows Eve (and the run up to Halloween) to launch new cyberattacks and scams to trick internet users into revealing their personal information. Their treat is the emptying of a personal or business bank account and they reap the rewards that can be gained from identity theft. Halloween-Themed spam attacks are common in the run up to Halloween.
For SpamTitan, Halloween is a busy time with numerous new Halloween-themed spam and phishing scams uncovered. This holiday time is expected to be no exception. Many new Halloween phishing scams can be expected to be launched this year as cybercriminals try to take advantage of the unwary.
Halloween-Themed Spam Warning!
So far we have seen a number of new spam emails being sent, as well as some old favorites from years gone by. One of the most common themes is a “Halloween Sale,” which exploits the human need to find a bargain. This year pirated goods are being advertised in the thousands, along with cut price Halloween costumes, free gifts, special offers, Halloween-themed surveys and links to online videos.
The aim of all of these spam emails is to get users to reveal their personal information, such as account login details and credit card numbers. Often the emails deliver malware and viruses to inboxes, other times they send links to phishing websites that harvest information. It is not always credit card details that the scammers seek. Social Security numbers, dates of birth and other personal information are highly valuable; as are telephone numbers which can be used by scammers to make bogus phone calls.
New Halloween-Themed Spam Doing the Rounds
Some old favorites are seen year after year, yet they prove to be just as effective second, third and fourth time around. One of these scams was first launched in 2007 and involves scammers sending a link to a video of a dancing skeleton. By clicking the link users do not only get to see the video, they are also delivered a Halloween package of malware.
The malware-ridden web archive file in this campaign is automatically downloaded to computers. It has been estimated that millions of individuals have already fallen for this campaign and have infected their phones, laptops, tablets, and desktops.
It is not just links to infected websites that are the problem. Scams are sent via Facebook, Twitter and other social networking sites. These social media spam campaigns are proving to be highly effective. Emails are often sent containing Halloween-themed attachments, which appear genuine with file suffixes look safe. PDF files and word documents for example do not tend to arouse suspicion, yet they can easily contain malware and hidden malicious code.
It is all too easy for the unwary to accidentally click and open these attachments. The result of doing so could prove very expensive indeed. The malware contained in these email attachments can log keystrokes or even give hackers full access to the computer used to access the messages.
With so many elaborate email phishing scams now being devised, it is essential that all computer users take precautions. One of the best methods of protecting against phishing campaigns, and spam emails in general, is to block them and make sure they never arrive in an inbox. For that, a spam filer is essential. The cost of not using an effective spam filter does not even bear thinking about.
The Huge Cost of Halloween-Themed Spam and Phishing Attacks
You may be thinking “I would never fall for a phishing campaign,” but millions do. Can you be so sure that your employees will be able to identify a fake email or website, or a sophisticated phishing campaign? Will they be able to identify these scams 100% of the time?
Even if one email proves to be successful, the damage caused can be considerable, as Sean Doherty, senior engineer with SpamTitan Technologies explains. “To date it is estimated that over $40 billion has been lost to 419 scams alone.”
Given the huge sums of cash that criminals can obtain from these emails, it is clear why the threat is growing and more and more campaigns are launched every year. If a scheme is profitable, it will be repeated and new campaigns are sure to be developed.
If criminals did not profit from these types of scams, they would very rapidly stop using them. However, the reality is they do, as Doherty points out, “These scam emails continue to exist and grow in frequency and ferocity. The simple fact is that these scams wouldn’t be repeated if they didn’t reap rewards for the cybercriminals.”
All it takes is for an absent minded employee to click on a Twitter link that directs them to a phishing website, and malware can be automatically downloaded to their computer. After that, a network can be compromised. Data is then stolen, deleted, or encrypted and only released when a ransom is paid. The cost of cyber attack resolution can be considerable. If all of your company data was suddenly encrypted, would you pay a ransom to get it back? Would you have a choice?
Holiday season is a time to enjoy, but it is also a time when everyone needs to be vigilant. Be on the lookout for scams, phishing campaigns, and unknown email attachments, and make sure all of your security software is up to date. Be careful, and you will be able to enjoy the holiday period.
The death of Muammar Gaddafi has dominated the news headlines and as is typical following such a major news event, cybercriminals have taken advantage, and have launched a number of Gaddafi phishing attacks.
Analysists at SpamTitan Technologies have uncovered many new malicious emails in the past few days. The emails were caught by the SpamTitan Anti-Spam filter and placed in quarantine to prevent users from clicking on malicious links or opening infected email attachments.
The emails contain links to websites containing videos of the death of Muammar Gaddafi, including well as “previously unseen footage” of the colonel and his family. Some emails contain attachments which users can open to view new and grisly videos or pictures. When the do this they will also install malware on their computers.
New Gaddafi phishing attacks uncovered
Two of the emails that have been captured recently have the titles “Gaddafi death video – I shot and killed him”, and “Inside Aisha Gaddafi’s bathroom.” A number of similarly themed emails have also been intercepted and quarantined by SpamTitan.
The Advance Free Fraud scheme commonly used by Nigerian criminal gangs (419 scams) have been tailored and used to piggyback the news of Col. Gaddafi’s death. These schemes are used to try to get victims to reveal their bank details to criminals. Private and confidential information is disclosed in the belief that a large sum of money will be deposited in the victim’s account. They receive a transfer of cash, it is then moved on, and in exchange for this they are given a very healthy commission.
One of the latest Gaddafi phishing attacks involves an email request from Mrs. Gaddafi who requires assistance moving a considerable amount of the colonel’s capital. She reportedly has gold reserves stored in secret locations, which she needs to cash in. In order to do that undetected, she needs European and American bank accounts. Money will be transferred and then moved on, and a sizeable payment will be offered to anyone who is able to offer her help. Needless to say, no funds will be deposited, at least not in the victims’ accounts.
These scams net criminals millions of dollars because many people fall for these phishing attacks and scams. The FBI estimates that around $40 billion has been obtained from 419 scams such as this. Because spamming is so profitable, many criminals are getting in on the act. The more spam that is delivered to inboxes, the greater the chance of people responding to the scams and handing over control of their bank accounts. Spamming is a numbers game.
Consumers need to be wary and should never respond to requests such as these, as tempting as it may be to be paid tens of thousands of dollars for receiving a transfer of cash. Businesses need to be particularly careful too. Employees may not reveal company bank account information, but many campaigns result in malware being installed on the victim’s computer. If employees respond to the emails at work, this could result in malware being installed on a work computer or worse still, the access could be given to a company network.
Fortunately, SpamTitan’s Anti-Spam solutions will capture these scam emails, preventing them from being delivered. WebTitan will protect businesses from phishing attacks and stop end users from visiting phishing websites. Staff training can help to reduce the risk of malware infections; however, for total peace of mind anti-spam and anti-phishing solutions should be installed. There will always be one individual who believes they can get rich quickly by responding to one of these 419 scams.
Out of curiosity I decided to take a look at some of the emails that were blocked by the SpamTitan filter this morning. Boy am I glad I did. There was an amazing opportunity to be had! I had been selected by a very generous individual who wanted to give me a percentage of an enormous pot of cash if I could just spend a few minutes of my time helping him out.
A large amount of money needed to be sent to Col. Muammer Gaddafi, but there was an issue with the transfer to his account. Sometimes, it can be hard to transfer £17,500,000 from South African bank accounts into Libya. It had taken this guy almost four years of trying and he still hadn’t been able to move the funds. Fortunately, he had found a way to do it, and a percentage of that money would be coming my way if I could help him.
The problem, you see, is the authorities are trying to rob the colonel of all of his cash. They are doing a good job of it too, but have not found this South African bank account yet. That money is safe for now, but not for long. The money couldn’t be easily accessed from Libya as the authorities were watching. The money would therefore need to be transferred into a holding account to get it out of Africa. That holding account could be my account. Once the authorities stop sniffing around, the money could be moved on, minus my cut for just supplying my account details for the transfer.
I was even thanked in advance for my kindness. What a very nice and generous man he is. I have summarized the email because as nice as he was, his spelling and grammar were atrocious. Well, he is foreign and English is not his first language! He also pointed out he was not a criminal. Boy, that was a relief. I would have hated to get involved in any sort of crime. I wonder what my cut will be? He failed to mention it in the email!
Some people will fall for it!
Of course, it doesn’t take SpamTitan’s dual Anti-Virus engines to figure out that this offer is a bit suspect. But you would be surprised how many people fall for these scams. Criminals net a huge amount of money from campaigns such as this. Sometimes, people are even willing to take a chance when their common sense tells then that something isn’t right.
These types of emails are known as 419 scams. You will not be surprised to find out that there is no £17,500,000 fund, and by supplying bank account details your balance will not suddenly increase. It is just a scam to get you to reveal your bank account information and other personal details. Criminals will then steal your money and your identity.
I say there is no £17,500,000 fund. That is because it is actually a lot closer to $40 billion. That is the amount of money that is estimated to have been made by criminals operating these 419 scams. Believe us. They do work. They are effective, they are incredibly lucrative, and people do fall for them. They are also increasing in number and complexity.
If you want to ensure your organization is protected from 419 scams, and your employees do not end up falling for these and more harmful spam campaigns, it’s time to start using SpamTitan’s Anti-Spam solutions. Not all 419 scams are this obviously fake, and greed often gets the better of common sense. Oftentimes it is not personal bank accounts that the criminals want access to. There is much more money to be made from accessing corporate accounts.
Firefox is a popular web browser created by a global non-for-profit organization. It boasts excellent controls against viruses and has proved popular for its security features, anti-tracking functionality, and its speed. However, as with all web browsers, it requires frequent updates to remain 100% virus-free.
Updates must be installed promptly to keep the browser secure. Users are alerted to these new updates as and when they are released, and installing them is a quick and simple process.
These updates are announced via the browser. Users of Firefox are not emailed reminders to update their browser to the latest version. That said, a number of emails have recently been received by users of Firefox alerting them to the urgent need to download the latest version of the browser. These emails are part of a fake Firefox update scam.
Fake Firefox Update Scam Discovered
If you receive an email telling you to update your Firefox version “for security reasons” you will not be alone. Many other users have received similar emails. These are not genuine. They are part of a new email spam campaign that attempts to fool recipients that their browser is out of date and an update is essential.
To make it as easy as possible to install the necessary security protections, a handy link is included in the email. This will take the user to the Firefox website where they can download the latest version of the web browser. However, be warned. The link is fake, and by clicking the link and attempting to improve security, all you will be doing is downloading a Trojan to your device. That Trojan will be used to steal your passwords.
This is a common tactic used by email spammers. Emails are sent which contain important information on security updates to fool the unwary into downloading malicious software. The emails play on data security fears and warn of repercussions for not taking the requested action. Many email recipients are fooled into clicking links or opening infected attachments as a result.
SpamTitan regularly issues warnings about the latest spam campaigns, fake emails and new malware as they are discovered. Internet users are instructed to take precautions to protect themselves against these attacks.
Fortunately, there are some very easy steps that can be taken to reduce the risk of attack via email. Receiving a spam or phishing email will not compromise your system (generally speaking) unless an action is taken, such as opening an email attachment or clicking on a link supplied in the email. Consequently, protecting yourself from attack can be quite straightforward.
SpamTitan Financial Preservation Tips
Don’t give hackers the data they need to empty your bank accounts and max out your credit cards. Follow the simple instructions below and you can protect your hard earned cash.
- Do not open any suspicious attachments sent to you by email and do not download them to your computer. You must be sure of the genuineness of an attachment before you open it
- Do not click on links to websites that you do not know
- Check all links before clicking as they may have been faked. Hover your mouse arrow over the link and you will find out where that link will direct you. If you are unsure, never click
- Check the ‘From’ field. The name may be familiar, but the email address from which the email has been sent may not be. Do not take any chances. The ‘From’ field can easily be faked
- If you have not requested a new password, never click on a link that asks you to reset it
- Never divulge sensitive information in an email, even if requested to do so. IT departments and legitimate web service providers will never ask for your login details and passwords to be sent by email
- Always keep your anti-virus and anti-malware definitions up to date. They are released on a daily basis and sometimes every few hours. Set your software to download these automatically
- Install a spam filter to prevent spam and phishing emails from being delivered to your inbox