It’s just a fact of life: If there’s email, there will always be spam. Now, how much spam you have to deal with will depend on how good your spam filtering solution is. Here at MDaemon Technologies, we use our own products – MDaemon and Security Gateway, to filter out spam, malware, phishing attempts, and all of the other junk that often floods inboxes of users whose email server or hosted service isn’t as effective.
“If I have a good spam filter, do I REALLY need to know how to recognize phishing scams?”
If an email security company or hosted provider tells you their spam filter will catch 100% of spam, they’re not being completely honest. Most companies say their products catch 99% or 99.5% in their SLA (Service Level Agreement), with a false-positive rate of 0.0001% or less. That’s reasonable and to be expected, especially considering the statistics.
According to public data, spam made up over 71% of global email traffic in April 2014. As of September 2018, spam volume had decreased to 54%, but considering that over 281 billion email messages are sent per day worldwide, that’s still over 151 billion spam messages sent every day. And while spam may be decreasing in total volume, it’s becoming more dangerous, with cryptojacking overtaking ransomware as the attack vector of choice for cybercriminals, and malware-as-a-service turning cybercrime into a commodity for the masses.
So no matter how good an email security product is, there is always the chance that new and emerging (and sometimes tried-and-true) social engineering techniques will succeed in tricking the next unsuspecting victim into parting with his or her company’s bank account details.
And that brings me to the point of today’s post. It bears repeating that companies of all sizes and industries should consider ongoing training with their employees on how to recognize phishing attempts.
In today’s example, the scammer is using a classic BEC (Business Email Compromise) attack to try to get the recipient to open a malicious ISO file.
Because the threat of phishing and Business Email Compromise will continue well into the future, I will revisit this topic regularly throughout the year.
Businesses of all types must maintain records containing personal information about their employees and customers, and executives and clients alike have a mutual interest in protecting that data. But there’s no guarantee that every employee will treat confidential account numbers, Social Security numbers, passport numbers or other personal data with the same amount of care. So how can we prevent this sensitive data from getting into the wrong hands?
We’ll show you how and give you a sneak preview of upcoming new data leak prevention rules in our latest Security Gateway for Email Servers video!
As we continue to bring awareness to these threats, new ones emerge almost daily. In the past three months, a cyber-espionage group known as Seedworm (aka MuddyWater) has used spear-phishing attacks to infect 131 individuals with the Powermuddy backdoor (a new variant of their Powermud backdoor). Once a system has been compromised, this malware runs a tool that steals passwords from a user’s browser and email, often leading to access to the victim’s email and social media accounts.
Protect Yourself from the Latest Threats
Over the years, I’ve posted many times about phishing, spear-phishing, and other threats, with a variety of suggestions for protecting yourself and your business from becoming the next victim. Throughout these posts (from oldest to newest), you’ll find lots of tips to avoid being tricked by these email-borne scams.
As the threat landscape continues to evolve, businesses of all sizes must maintain awareness of the latest email-borne threats and educate staff at all levels, from entry level to C-suite. After all, without the right tools and procedures in place, it only takes one misguided mouse click to damage a business’ reputation or send it into bankruptcy.
In part one of our three-part series on Business Email Compromise (BEC), I explained what a BEC attack is and provided examples and statistics. As you’ll recall from the examples discussed, businesses have suffered staggering losses to these attacks, and while users are becoming more aware of them, their own human nature dictates that these threats will continue. In fact, a recent report by Get Safe Online indicated that over a third (37%) of employees don’t know what to look for to identify common email scams. The report also stated that one in 20 email fraud victims were so ashamed that they hid their mistakes from their colleagues.
In part two, I discussed the following 4 steps cybercriminals take to conduct a BEC attack:
Identify the target victim
Grooming
Exchange of information
Payment
Businesses can make Step 1 more difficult by carefully crafting and monitoring online content such as company websites, LinkedIn profiles and other publicly available information, but as long as employees can be influenced by excessive trust, intimidation, or simply lack of awareness, businesses will need to implement additional preventive measures to avoid potentially devastating losses. After all, once a credible target has been identified, the best defense is a well-informed workforce.
Top 10 Business Email Compromise Protection Tips
Train Users to recognize these Common Impersonation Tactics used by Cybercriminals
Domain Name Spoofing – Domain name spoofing involves either spoofing the sender’s “Mail From” to match the recipient’s domain in the message envelope, or using a legitimate domain in the “Mail From” value but using a spoofed “Reply-To” domain in the message header.
Here is an example that has been spoofed to look like it was sent from HSBC Bank:
A quick examination of the message headers reveals a return-path address that is not associated with the From address. A reply to this message would go to email@example.com.
Display Name Spoofing – Most BEC attacks use this technique. With display name spoofing, the attacker will register a free email account that may contain the name of a company executive. The attacker would then configure the display name to match your CEO or some other executive, and then send phishing messages from this account. This technique works because recipients often only look at the display name and not the actual email address. In fact, many email clients (particularly on mobile devices) will only show the display name when viewing the message, making it easier to hide the sender’s real identity. Because the sender’s email address is not forged, messages using this spoofing technique are often more difficult to block than those using domain name spoofing, where the addition of three DNS records (DKIM, SPF and DMARC) has been shown to be more effective at blocking spoofed emails.
Here is an example showing a spoofed display name of HSBC Bank. To help users identify suspect emails, MDaemon Webmail has a handy security feature that displays the actual sender address as well as the display name.
Lookalike Domain Spoofing – Lookalike domain name spoofing involves registering fake domains that contain characters that look similar to others and sending phishing emails from them in an attempt to trick the recipient into thinking the message is from a legitimate domain. An example would be using an upper-case I in place of a lower-case L.
Compromised Email Account – Another common tactic is the use of legitimate email accounts that have been compromised through malware or social engineering to steal data or funds.
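To show what these tactics look like at the header level, here is an added example (written for this post, not MDaemon’s code): a Go checker that parses a constructed message and flags a Return-Path or Reply-To domain that differs from the From domain, an executive’s display name on an outside address, and a lookalike domain such as the digit 1 standing in for a lower-case l. The protected domain example.com and the executive name "Chris Exec" are assumed values.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Finding is one impersonation indicator found in a message's headers:
// return-path-mismatch, reply-to-mismatch, display-name-spoof or lookalike-domain.
type Finding struct{ Tactic, Detail string }

// Constructed sample: an executive's display name on a free-mail address, with a
// Reply-To on a lookalike of the target's domain (digit 1 in place of lower-case l).
const sampleMessage = `From: "Chris Exec" <chris.exec@freemail-example.net>
Return-Path: <bounce@freemail-example.net>
Reply-To: "Chris Exec" <chris@examp1e.com>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
`

// domainOf returns the lower-cased domain part of an address ("" if none).
func domainOf(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

// confusables maps characters that imitate a letter to that letter. Domains are
// compared lower-cased, so an upper-case I posing as l arrives here as i.
var confusables = map[rune]rune{'1': 'l', 'i': 'l', '0': 'o', '5': 's', '3': 'e'}

// normalize folds lookalike characters so examp1e.com and example.com compare equal.
func normalize(domain string) string {
	var b strings.Builder
	for _, r := range domain {
		if m, ok := confusables[r]; ok {
			r = m
		}
		b.WriteRune(r)
	}
	return b.String()
}

// headerDomain returns the domain of a single-address header ("" if absent or unparsable).
func headerDomain(h mail.Header, name string) string {
	a, err := mail.ParseAddress(h.Get(name))
	if err != nil {
		return ""
	}
	return domainOf(a.Address)
}

// Analyze checks a raw message for the tactics described above. ourDomain is the
// protected domain and executives are the display names worth watching.
func Analyze(raw, ourDomain string, executives []string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, fmt.Errorf("parsing From: %w", err)
	}
	fromDomain := domainOf(from.Address)
	ourDomain = strings.ToLower(ourDomain)
	var findings []Finding
	// Domain name spoofing: envelope sender (Return-Path) or Reply-To on another domain than From.
	if rp := headerDomain(msg.Header, "Return-Path"); rp != "" && rp != fromDomain {
		findings = append(findings, Finding{"return-path-mismatch", rp + " vs From " + fromDomain})
	}
	replyDomain := headerDomain(msg.Header, "Reply-To")
	if replyDomain != "" && replyDomain != fromDomain {
		findings = append(findings, Finding{"reply-to-mismatch", replyDomain + " vs From " + fromDomain})
	}
	// Display name spoofing: a known executive's name on an address outside our domain.
	for _, exec := range executives {
		if strings.EqualFold(strings.TrimSpace(from.Name), exec) && fromDomain != ourDomain {
			findings = append(findings, Finding{"display-name-spoof", from.Name + " <" + from.Address + ">"})
		}
	}
	// Lookalike domain: From or Reply-To domain equals ours once confusables are folded.
	for _, d := range []string{fromDomain, replyDomain} {
		if d != "" && d != ourDomain && normalize(d) == normalize(ourDomain) {
			findings = append(findings, Finding{"lookalike-domain", d + " imitates " + ourDomain})
		}
	}
	return findings, nil
}

func main() {
	findings, _ := Analyze(sampleMessage, "example.com", []string{"Chris Exec"})
	for _, f := range findings {
		fmt.Printf("%-22s %s\n", f.Tactic, f.Detail)
	}
}
```

On the sample message this reports a Reply-To mismatch, a display name spoof and a lookalike domain; the compromised-account tactic leaves no header trace and needs other signals.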
Secure your domain
Register domain names similar to yours to protect against lookalike domain spoofing.
Don’t over-share on social media
Be careful what you post on social media, especially job titles and responsibilities, corporate structure information, and out-of-office details.
Use SPF, DKIM and DMARC
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) are anti-spoofing and email authentication techniques that use DNS records to validate the sender of an email. Make sure your domain has valid SPF, DKIM and DMARC records, and make sure your mail server/provider is analyzing all inbound email traffic using these tools. For more information, refer to this blog post.
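As an added illustration (not MDaemon’s implementation), the following Go code shows the step a receiving server performs after SPF and DKIM have been checked: parsing the domain’s _dmarc TXT record and deciding whether the authenticated domains align with the From header that the user sees. The organizational-domain logic is simplified to the last two labels; a real implementation consults the Public Suffix List. The sample domains and record are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthResult is what the receiving server learned from its SPF and DKIM checks.
type AuthResult struct {
	FromDomain string // domain of the RFC 5322 From header, the address users see
	SPFDomain  string // RFC 5321 MailFrom (envelope) domain that SPF was evaluated for
	SPFPass    bool
	DKIMDomain string // d= tag of a DKIM signature that verified ("" if none)
	DKIMPass   bool
}

// DMARCPolicy is the subset of a _dmarc TXT record needed for a verdict.
type DMARCPolicy struct {
	Disposition string // p= tag: none, quarantine or reject
	ADKIM       string // adkim= tag: "r" relaxed or "s" strict
	ASPF        string // aspf= tag
}

// ParseDMARC parses a record such as "v=DMARC1; p=reject; adkim=s; aspf=r".
func ParseDMARC(record string) (DMARCPolicy, error) {
	p := DMARCPolicy{ADKIM: "r", ASPF: "r"} // alignment defaults to relaxed
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	if tags["v"] != "DMARC1" {
		return p, errors.New("record does not carry v=DMARC1")
	}
	switch tags["p"] {
	case "none", "quarantine", "reject":
		p.Disposition = tags["p"]
	default:
		return p, fmt.Errorf("invalid or missing p= tag %q", tags["p"])
	}
	if v, ok := tags["adkim"]; ok {
		p.ADKIM = v
	}
	if v, ok := tags["aspf"]; ok {
		p.ASPF = v
	}
	return p, nil
}

// orgDomain approximates the organizational domain as the last two labels.
// Simplification for this example: real code uses the Public Suffix List so
// that names like example.co.uk are handled correctly.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) <= 2 {
		return strings.ToLower(d)
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// aligned reports whether an authenticated domain is aligned with the From
// domain: identical in strict mode, same organizational domain in relaxed mode.
func aligned(fromDomain, authDomain, mode string) bool {
	if authDomain == "" {
		return false
	}
	if mode == "s" {
		return strings.EqualFold(fromDomain, authDomain)
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}

// Evaluate applies the DMARC rule: the message passes if SPF or DKIM passed
// on an aligned domain; otherwise the domain owner's disposition applies.
func Evaluate(r AuthResult, p DMARCPolicy) (pass bool, action string) {
	spfOK := r.SPFPass && aligned(r.FromDomain, r.SPFDomain, p.ASPF)
	dkimOK := r.DKIMPass && aligned(r.FromDomain, r.DKIMDomain, p.ADKIM)
	if spfOK || dkimOK {
		return true, "none"
	}
	return false, p.Disposition
}

func main() {
	p, _ := ParseDMARC("v=DMARC1; p=reject; adkim=s; aspf=r")
	// Constructed case: the From header claims example.com but the envelope
	// sender is a free-mail domain (the spoofed "Mail From" case above).
	spoofed := AuthResult{FromDomain: "example.com", SPFDomain: "freemail-example.net", SPFPass: true}
	fmt.Println(Evaluate(spoofed, p)) // false reject
	// Legitimate mail relayed through a subdomain passes under relaxed SPF alignment.
	legit := AuthResult{FromDomain: "example.com", SPFDomain: "mail.example.com", SPFPass: true}
	fmt.Println(Evaluate(legit, p)) // true none
}
```

Note that the verdict is tied to the From domain, not the display name, which is why display name spoofing sent from a genuine free-mail account passes DMARC and needs the user-awareness measures described elsewhere in this post.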
Use two-factor authentication
With two-factor authentication, users must provide two forms of authentication – a password and another form of verification such as a unique verification code or a fingerprint. Two-factor authentication is discussed further in this blog post.
Use strong password policies
Use strong passwords and require regular password changes. Strong passwords must meet the following criteria:
Must meet a minimum length requirement.
Must contain both letters and numbers.
Must contain both upper and lower case letters.
May not contain the account mailbox or full name data.
Never use commonly guessed passwords such as Password1 or Letmein.
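Here is an added Go example (not MDaemon’s own policy engine) that applies these criteria to a candidate password and reports every rule it breaks; the minimum length of 12, the mailbox name jsmith and the short banned list are assumed values.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy holds the tunable parts of the password rules listed above. The banned
// list is a constructed sample; a real deployment would use a far larger one.
type Policy struct {
	MinLength int
	Banned    []string
}

var DefaultPolicy = Policy{
	MinLength: 12,
	Banned:    []string{"Password1", "Letmein", "Welcome1", "Qwerty123"},
}

// CheckPassword returns every rule the candidate violates; an empty result means
// the password is accepted. mailbox is the account's local part (e.g. "jsmith")
// and fullName the user's full name; both are matched case-insensitively.
func CheckPassword(p Policy, password, mailbox, fullName string) []string {
	var violations []string
	if len([]rune(password)) < p.MinLength {
		violations = append(violations, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	var hasLetter, hasDigit, hasUpper, hasLower bool
	for _, r := range password {
		switch {
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsUpper(r):
			hasLetter, hasUpper = true, true
		case unicode.IsLower(r):
			hasLetter, hasLower = true, true
		case unicode.IsLetter(r): // letters without case (e.g. CJK)
			hasLetter = true
		}
	}
	if !hasLetter || !hasDigit {
		violations = append(violations, "must contain both letters and numbers")
	}
	if !hasUpper || !hasLower {
		violations = append(violations, "must contain both upper and lower case letters")
	}
	// Account data: the mailbox name and each word of the full name.
	// Tokens shorter than three characters (initials) are ignored.
	lower := strings.ToLower(password)
	tokens := append(strings.Fields(strings.ToLower(fullName)), strings.ToLower(mailbox))
	for _, tok := range tokens {
		if len(tok) >= 3 && strings.Contains(lower, tok) {
			violations = append(violations, fmt.Sprintf("contains account data %q", tok))
		}
	}
	for _, b := range p.Banned {
		if strings.EqualFold(password, b) {
			violations = append(violations, "commonly guessed password")
		}
	}
	return violations
}

func main() {
	for _, pw := range []string{"Password1", "JohnSmith2024!", "Tr0ub4dor&3-Correct"} {
		fmt.Printf("%-22s %v\n", pw, CheckPassword(DefaultPolicy, pw, "jsmith", "John Smith"))
	}
}
```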
Don’t trust unknown sources
Never open emails, click on links, or download files from unknown senders. To help users verify the identity of a message sender, MDaemon Webmail displays the full email header in addition to the display name.
Establish strict processes for wire transfers
You may recall from my previous post that cybercriminals have been known to target all parties in a real estate transaction. If you receive a request to change the payment type or the original recipient’s financial information, be sure to verify the information through already-established channels of communication.
Before responding to wire transfer requests, verify the identity of approved vendors and the authenticity of their invoices. Confirm in person or by phone using previously known numbers. Don’t trust the phone number on the invoice.
Provide regular end-user training
User education must be reinforced on a regular basis for stronger awareness. Every employee who uses email should know how to recognize a spoofed email or a phishing attempt.
Run antivirus software often
Make sure your antivirus software is up-to-date and run it regularly.
While traditional security measures such as network defenses and email gateways can be effective at blocking most varieties of spam, the bottom line is that user awareness and education are critical to avoid falling victim to BEC attacks.
This week, we continue our series on Business Email Compromise. Click here to read Part 1, which includes an overview and various statistics on this growing threat.
It takes time and effort to launch a successful Business Email Compromise (BEC) attack. In a typical attack, several messages are exchanged in an attempt to convince the target to authorize large payments to the attacker’s bank account. From start to finish, the steps involved in a BEC attack consist of identifying a target, grooming, exchanging information, and finally, transfer of funds.
Let’s go over these four steps in detail.
Step 1 – Identify the Target Victim
The first step in a BEC attack may be the most time-consuming. During this step, a criminal organization researches the victim to develop an accurate profile of the company. Through publicly available information, attackers look for the names and positions of company executives, especially those on the finance team. They scour social media, online articles, and anything else that will provide specific details about the company and its employees. Scammers who are able to infiltrate a company’s network with malware may spend weeks or months monitoring information on the company’s vendors, billing and payment systems, and employee vacation schedules. They have also been known to monitor the executive’s writing style in order to craft a convincing email using a spoofed email address or lookalike domain claiming to come from the CEO.
Step 2 – Grooming
Armed with the information obtained in Step 1, the scammer moves on to Step 2. During this step, the scammer uses spear-phishing, phone calls or other social engineering tactics to target employees with access to company finances. The grooming phase often takes several days of back and forth communication in order to build up trust. During this phase, the scammer may impersonate the CEO or another company executive and use his or her authority to pressure the employee to act quickly.
Here is an example sent to one of our Finance executives in which the sender used display name spoofing to spoof the name of our CEO. Cybercriminals will often use a free email address (notice the comcast.net domain), which can be easy to miss if you’re using a mobile device or some other client that doesn’t display the full email header.
Step 3 – Exchange of Information
During step 3, the victim is convinced that he is conducting a legitimate business transaction, and is then provided with wire transfer instructions.
Step 4 – Payment
And finally, funds are transferred and deposited into a bank account controlled by the criminal organization.
What to Do if You Are a Victim
If you’ve suffered losses due to Business Email Compromise schemes, it is important to act quickly.
Contact your financial institution immediately.
Request your financial institution contact the institution that received the fraudulent funds.
Contact your local FBI office and report the incident.
This week, we begin a three-part series on the threats posed by Business Email Compromise (BEC) attacks. In Part 1, we’ll explain what BEC is and discuss various types of BEC scams. In Part 2, we’ll explain how cybercriminals launch a BEC attack, and in Part 3, we’ll discuss best practices for avoiding these types of threats.
Email is the preferred communication method for businesses around the world. It’s also the preferred attack vector for cybercriminals due to its ease of use and low cost, and since the beginning days of email, spam techniques have continued to evolve into a variety of sophisticated threats.
One particularly menacing threat that is continuing to grow in popularity is Business Email Compromise (BEC).
BEC attacks (also known as whaling, spear-phishing or CEO fraud) use various deception tactics to impersonate a trusted contact. They employ a combination of research and social engineering techniques to impersonate business executives, real-estate firms, title companies, law firms, and even the FBI in an attempt to elicit transfers of large sums of money or the exchange of personally identifiable information (PII), which can be used in future BEC attacks and other types of cybercrime. Victims of BEC attacks are often tricked into believing they are carrying out a routine transaction, such as filling an order with a supplier, transferring funds for an executive, or sending sensitive data to an HR representative.
With the exception of those with spoofed sender addresses, many BEC attacks are sent from valid email addresses using credentials obtained through phishing, brute force attacks, or data obtained in a database breach like the one that hit Yahoo in 2013.
BEC attacks often contain no malware, malicious links, or suspicious code. As a result, in many cases they are able to bypass traditional security measures, which makes them especially dangerous.
Watch Out for These Common Scams
Some of the most common examples of Business Email Compromise include:
Real Estate Transactions: During a real estate transaction, criminals may impersonate sellers, realtors, title companies, or law firms to trick the home buyer into transferring funds into a fraudulent account.
Data and W-2 Theft: Criminals use a spoofed or compromised executive email account to send fraudulent requests for W-2 information or other personally identifiable information to HR staff or others within the business who maintain confidential employee records.
Supply Chain: Criminals send fraudulent wire transfer requests to redirect funds during a pending business deal, transaction, or invoice payment to an account controlled by organized crime groups.
Law Firms: Criminals discover information about pending litigation or trusts and impersonate a law firm’s client to change the recipient bank information to a fraudulent account.
Over 41,000 Victims and Growing
The statistics are staggering. In July 2018, the FBI released a public service announcement indicating that victims lost over $12.5 billion to BEC attacks between October 2013 and May 2018. In the United States, BEC attacks claimed over 41,000 victims during this five-year period at a total loss of over $2.9 billion. In 2017 alone, the Internet Crime Complaint Center (IC3) received over 15,000 reports of BEC attacks with estimated losses of over $675 million.
Based on victim complaint data, BEC scams targeting the real estate industry are on the rise. From 2015 to 2017, there was over a 1100% rise in the number of victims of real estate BEC scams and an almost 2200% rise in financial losses. May 2018 had the highest number of real estate victims since 2015, and September 2017 reported the highest victim loss.
Recent High-Profile Incidents of BEC Scams
In 2013, Google and Facebook lost over $100 million in a scheme that impersonated a large Asian manufacturer.
In August, 2017, MacEwan University lost almost $12 million to a spear-phishing campaign that impersonated a construction and contracting company.
In June 2017, a New York judge lost over $1M in a real estate scam that began as an email claiming to come from her real-estate lawyer.
Despite efforts to raise awareness of these scams, a recent Gartner Research report indicated that BEC attacks will continue to be persistent and evasive, leading to large financial fraud losses for businesses and data breaches for healthcare and government organizations.
Why are Business Email Compromise threats so dangerous?
Business Email Compromise attacks are designed to bypass standard security mechanisms such as spam filters and anti-virus software, and are dangerous for a variety of reasons.
They contain no malware. BEC attacks normally don’t contain malware. Instead, they use crafty social engineering to trick users into thinking they are legitimate.
They are able to bypass many spam filters. BEC scams are often well-crafted with no spelling or grammatical errors. As a result, they are often able to bypass many spam filters.
They are highly personalized. Scammers take their time researching the victim long before an attack is launched. They scour public websites, social media, and even the dark web to find specific information, including names and background information of company executives. Armed with this information and with knowledge of an executive’s writing style, their emails appear authentic.
What is being done to stop BEC attacks?
Recently, multiple countries launched a coordinated effort to dismantle international BEC schemes. This effort, known as Operation WireWire and involving the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Service, resulted in 74 arrests across multiple countries. Unfortunately, these attacks will continue as long as human nature can be exploited for personal gain. In fact, a recent report by Get Safe Online indicated that over a third (37%) of employees don’t know what to look for to identify common email scams. The report also stated that one in 20 email fraud victims were so ashamed that they hid their mistakes from their colleagues.
Businesses of all sizes must remain vigilant against these threats. As the old saying goes, knowledge is power, and knowing how BEC attacks are launched and how to identify and avoid them is key. We’ll discuss these topics in parts 2 and 3 of this series, so stay tuned!
Before the invention of email, mail that arrived in your physical mailbox often contained pamphlets, sales brochures, credit card offers, and product catalogs. Much of this waste was thrown away and ended up in a landfill somewhere. Today, the equivalent and often more annoying nuisance is spam. Spam comes in many forms, and has evolved from dubious product claims, miracle supplements, conspiracy theories, and offers of easy money to more malicious threats such as ransomware attacks and targeted spear-phishing.
While the amount of spam as a percentage of total email traffic has gone down recently, the severity of email-borne threats has increased.
So how can users protect themselves from becoming the next victim to these malicious threats? There are numerous spam fighting tools in MDaemon and other mail servers, but server-side tools are only half of the spam-fighting equation. The other half is user education. With this in mind, here are 10 things users can do to reduce the amount of spam they receive.
Unsubscribe – How often have you been asked by a store clerk for your email address or placed an order online? In either of these situations, chances are you may have ended up on a company’s mailing list. When you receive email from these companies, take the time to open the message and click on the Unsubscribe link. But first, make sure the email is in fact coming from a reputable company (Here’s how). If you’re not completely sure where the email came from, then report the message as spam instead of unsubscribing.
Create a secondary email account – While we’re on the topic of retailers having your email address, you might also consider having a second email address that’s used solely for the purpose of store records or placing orders. This allows you to keep solicitations from these vendors out of your primary inbox.
Keep your email address private – If your email address is visible on social networking sites like Facebook or Twitter, then it’s also visible to spammers. Spammers have tools that can easily detect visible email addresses and add them to their mailing lists. This is why it’s often recommended that, if you MUST use your email address on one of these sites, you mask it by changing its format. For example, type out “at” instead of using the “@” symbol. With the prevalence of Business Email Compromise (BEC) attacks, it’s even more important for executives to be mindful of posting their email address or other personal information, as scammers will use this information to send out well-crafted spear-phishing emails.
Don’t reply to ANY spam or unsolicited marketing messages – Most spam messages use forged sender (return-path) addresses, so replying to a spam message will almost never result in the spammer getting your message. Replying to legitimate marketing messages tells the sender that your email address is valid, and thus, they may continue to send you spam.
Never click on links – Often, when you click on a link in a spam email, it specifically identifies you to the spammer as having received the message. Not only can clicking links in spam messages identify you to the spammer; you can also end up getting infected with malware.
Block Images – Even if you don’t click any links, an image opening in your email can alert spammers to a valid address. Spammers often try to be stealthy by inserting images that are only one pixel wide. If your mail client is configured to automatically open images, spammers can be alerted that your email address is valid. We recommend configuring your email client to automatically block images to reduce spam. You can always choose to view images in specific emails if you are sure the sender and content are legitimate.
Make your email address unique – Spammers often use common names to try to guess email addresses. If your email address is unique, it makes it harder for spammers to guess your email address.
Don’t fall for scams – If you receive an anonymous email from someone who appears to be in dire need, who promises you large sums of money for your small up-front investment, you may be witnessing the familiar Nigerian email scam, or one of many other variants. What are the odds that someone you’ve never met, who’s in a desperate situation, would contact you for help? Don’t fall for this scam.
Never forward email from someone you don’t know – I often see email messages with some type of public service announcement, petition, or other bit of advice, and often, there’s a request to forward the message to your friends. Don’t fall for this, as it’s a prime opportunity for spammers to harvest email addresses.
Blocking junk email is not just the job of the mail server administrator. A well-informed email user can mean the difference between spam that is manageable and spam that is out of control. These ten tips will help you reduce spam, and help prevent you from becoming a victim to phishing or malware.
Many businesses are responsible for maintaining large amounts of confidential data, including customer records, medical records, financial reports, legal documents, and much more. It’s very common for these types of information to be transmitted via email. So how can you ensure confidential data transmitted via email is kept private? How can you ensure the integrity of transmitted data?
Businesses need to ensure confidentiality, data integrity, message authentication (proof of origin), and non-repudiation (proof of content and its origin). These goals can be accomplished using MDaemon’s OpenPGP message encryption and signing services. Read on to learn more about the differences between encrypting and signing, and when each is used.
The Need for Encryption
Businesses need to protect sensitive data and preserve confidentiality and privacy. Whether you work in healthcare, finance, legal, HR or education, chances are you’re familiar with the terms GDPR, HIPAA or FERPA (among others). Businesses that fail to meet these regulations risk data breaches that can lead to lost revenue or legal action, as well as steep fines. To address these issues, businesses can use encryption to make their sensitive data unreadable to unauthorized parties.
The Need for Signing
In addition to data privacy, businesses may need to verify a message’s authenticity. This can be accomplished with message signing (adding a digital signature) using OpenPGP.
Signing a message helps ensure the following:
Data Integrity – That the message was not altered from its original form.
Message Authentication (Proof of Origin) – That the message actually came from the purported sender (if the sender is the signer of the message).
Non-repudiation – That the signer cannot deny the authenticity of the message they signed with OpenPGP.
Encrypting vs. Signing – What’s the Difference?
So what are the differences between encrypting & signing? Let’s discuss each.
What is Encryption?
Encryption is the act of converting plain text to cipher text. Cipher text is basically text that has been scrambled into non-readable format using an algorithm – called a cipher. MDaemon’s implementation of OpenPGP encryption uses public key encryption (also known as asymmetric key encryption) to encrypt email messages and attachments.
So How Does Public Key Encryption Work?
Public key encryption uses public/private key pairs. If you want me to send you an encrypted message, you send me your public key, which I import into my encryption software (using the OpenPGP configuration screen in MDaemon, in this case). I encrypt the message with your public key. When you receive the message, you decrypt it with your private key. Even though your public key can be freely distributed and used to encrypt messages addressed to you, these encrypted messages can only be decrypted with your own private key. This private key must always be kept secret. Data encrypted with the public key can only be decrypted with its corresponding private key.
In our latest release of MDaemon, we’ve added the ability for MDaemon Webmail users to encrypt messages from within the message compose window. This procedure is explained in this blog post.
Check out the following video to see this process in action!
Encrypting a message helps ensure that the message is kept confidential. The message remains in its encrypted format until it is decrypted with the recipient’s private key.
What is Message Signing with OpenPGP?
As I mentioned above, messages are encrypted with the message recipient’s public key and decrypted with the corresponding private key. Message signing, on the other hand, uses the sender’s private key to sign the message, and his public key is used to read the signature. Message signing helps ensure data integrity, message authentication, and non-repudiation.
For example, if John wants to digitally sign a message to Michelle, he uses his private key to sign the message, and sends it (along with his public key if it hasn’t already been sent) to Michelle. John’s public key is the only key that can verify the message signature.
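As an added example that is not MDaemon’s code, the following Go program uses RSA-OAEP and RSA-PSS from the standard library to show the two operations in the John and Michelle scenario: encrypting to the recipient’s public key and signing with the sender’s private key. It illustrates the key principle rather than the OpenPGP message format itself; the message text is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one person's key pair. Only the public half is ever shared.
type Party struct {
	Name string
	key  *rsa.PrivateKey
}

// NewParty generates a 2048-bit RSA key pair for the named person.
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, key: k}, nil
}

// PublicKey is what a party sends to correspondents (the "send me your public key" step above).
func (p *Party) PublicKey() *rsa.PublicKey { return &p.key.PublicKey }

// EncryptFor encrypts with the recipient's public key (RSA-OAEP). Anyone holding
// that key can do this, but only the matching private key can decrypt. With a
// 2048-bit key and SHA-256 the plaintext is limited to 190 bytes.
func EncryptFor(recipient *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
}

// Decrypt uses this party's private key; it fails for mail encrypted to someone else.
func (p *Party) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, ciphertext, nil)
}

// Sign uses this party's private key over a SHA-256 digest of the message (RSA-PSS).
func (p *Party) Sign(message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, p.key, crypto.SHA256, digest[:], nil)
}

// Verify checks a signature with the signer's public key; any change to the
// message, or a different signer's key, makes it fail.
func Verify(signer *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(signer, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	john, _ := NewParty("John")
	michelle, _ := NewParty("Michelle")
	msg := []byte("Invoice 1234 approved") // constructed sample message

	// Confidentiality: John encrypts to Michelle's public key; only she can read it.
	ct, _ := EncryptFor(michelle.PublicKey(), msg)
	pt, err := michelle.Decrypt(ct)
	fmt.Printf("Michelle decrypts: %q (err=%v)\n", pt, err)
	_, err = john.Decrypt(ct)
	fmt.Printf("John decrypting Michelle's mail: err=%v\n", err)

	// Authenticity: John signs with his private key; Michelle verifies with his public key.
	sig, _ := john.Sign(msg)
	fmt.Println("verifies with John's key:", Verify(john.PublicKey(), msg, sig))
	fmt.Println("verifies after tampering:", Verify(john.PublicKey(), []byte("Invoice 1234 rejected"), sig))
	fmt.Println("verifies with Michelle's key:", Verify(michelle.PublicKey(), msg, sig))
}
```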
More information on using MDaemon’s PGP encryption & signing features can be found in the following knowledge base article:
How to enable MDaemon PGP, configure who can use MDPGP, and create keys for specific users
On Monday, May 14th, the Electronic Frontier Foundation (EFF) reported that European researchers had discovered core problems and commonplace implementation flaws in the S/MIME and OpenPGP protocol specifications. The vulnerability, which the researchers have named EFAIL, can reportedly expose the content of encrypted emails (even messages sent in the past). The EFAIL vulnerability affects many email clients that use S/MIME and OpenPGP. A list of affected email clients, by protocol, can be found in an article posted at thehackernews.com.
It’s very important to understand that to be at risk from this vulnerability, attackers would first need access to your encrypted emails. This means that your email system has already been compromised by an attacker who obtained the encrypted messages through tactics such as eavesdropping on network traffic (a man-in-the-middle (MITM) attack), compromised email accounts, or access to email servers, backup systems or client computers, usually achieved through social engineering attacks such as phishing.
We have checked our own web-based email client (MDaemon Webmail) and our MDaemon OpenPGP-based encryption feature. Our results show that MDaemon Webmail is not vulnerable. However, the MDaemon email server OpenPGP feature is partially vulnerable to one implementation flaw. We have released a patch for affected versions of MDaemon email software, which can be found here. The current version of the MDaemon email server, v18.0.1, includes this fix.
A Reminder on the Best Email Security Practices
This latest issue should remind us all about the importance of email security practices as a whole. Implementing strong passwords, two-factor authentication, location screening, SSL/TLS, SMTP AUTH, IP Shielding, dynamic screening, freezing accounts after failed authentication attempts, all play a role in helping to keep your accounts and your email safe. You can review a list of email security features in MDaemon here.
If you’ve implemented security measures to help prevent malicious people from accessing your email accounts, then you are less likely to have an account compromised, and you will be better protected against these types of attacks and vulnerabilities.
The researchers go into some depth to expose issues deep within the S/MIME and OpenPGP specification documents, and these encryption protocols may need specification changes to address the longer-term issues mentioned in the initial report. MDaemon Technologies will continue to monitor this issue.
We have provided links to past blog posts that cover a number of email security topics to provide additional information:
Whether you work in healthcare, finance, education, or another highly regulated industry, it’s likely that you’re required to meet increasingly stringent regulations on email security and privacy, such as the General Data Protection Regulation (GDPR). But even if these strict requirements do not apply to your industry, you still want to maintain customer trust by ensuring their confidential data is safe.
To address these concerns, MDaemon offers email encryption using OpenPGP.
In the past, implementations of OpenPGP have been cumbersome, requiring users to manually exchange encryption keys or to take complex steps to send encrypted messages. With MDaemon, in addition to providing various ways to automate the encryption key exchange and server-side encryption processes, MDaemon Webmail users can easily enable per-message encryption right from within the message compose window.
Here’s a quick video to demonstrate how easy it is to encrypt messages in MDaemon Webmail.