10 Tips to Identify a Phishing Email

Don’t Risk Losing your Life Savings to Scammers. Follow these 10 Tips to Identify a Phishing Email.

Whether you run a Fortune-500 organization or a small boutique, by now you should be aware of the threats posed by cyber criminals to trick you into clicking a link, downloading an attachment, or parting ways with your money.

Modern day email scams are getting more sophisticated, leading to staggering losses for businesses of all sizes. According to the 2018 Verizon Data Breach Investigations Report, phishing was used in 93% of all reported breaches, with email being the main attack vector in 96% of reported cases.

While these figures are staggering, they continue to rise as scammers reap huge payouts from BEC (Business Email Compromise), CEO fraud and other phishing scams.

The real estate industry is a prime target for phishing because large sums of money change hands and there are various weak links in the transaction process. If any step within the transaction process becomes compromised by a successful phishing email, the attacker could gain access to a legitimate email address from which to launch other attacks. The fraudster could then lie in wait, scanning email messages for financial or transaction-related details, and then send off fraudulent wire transfer instructions to an unsuspecting buyer, seller, or agent. For example, this happened to a 31-year-old first-time home buyer in San Antonio, Texas. You can read details about this case here, but the short version of the story is that she felt that she was in a time crunch to send in her down payment and finalize other closing tasks, and felt that the title company was dragging its feet. This state of high anxiety made her a prime target for a phishing email she received stating that she had previously been given the wrong wire transfer information, and that she needed to wire her down payment to a new account. With 5 hours left to get everything done, she attempted to contact her title company to confirm the change, but no one responded, so in a panic, she hastily ran to the bank and wire transferred her $52,000 down payment. Unfortunately, she sent her life savings to scammers.

The phishing industry is so lucrative for scammers because the barriers to entry are low relative to the potential huge payouts. With botnets-for-hire and Malware as a Service (MaaS), spammers have an impressive arsenal of tools at their disposal to propagate their campaigns, so to fight this scourge, an educated user is the best defense against phishing scams. With this in mind, here are my top 10 tips on how to identify and protect yourself from phishing attacks.

  1. Watch out for messages disguised as something expected, like a shipment or payment notification. These often contain links to malware sites. Hover your mouse over any links to make sure they’re safe. Think before you click! Here’s an example using a phishing email I received claiming to come from HSBC.

    Payment notification phishing email: watch for unexpected payment or shipment notices
  2. Watch for messages asking for personal information such as account numbers, Social Security numbers, and other personal information. Legitimate companies will never ask for this over email.
  3. Beware of urgent or threatening messages claiming that your account has been suspended and prompting you to click on a link to unlock your account.
  4. Check for poor grammar or spelling errors. While legitimate companies are very strict about the emails they send out, phishing emails often contain poor spelling or grammar.
  5. Hover before you click! Phishing emails often contain links to malware sites. Don’t trust the URL you see! Always hover your mouse over the link to view its real destination. If the link claims to point to a known, reputable site, it’s always safer to manually type the URL into your browser’s address bar.
  6. Check the Greeting – Is the message addressed to a generic recipient, such as “Valued customer” or “Sir/Madam”? If so, be careful & think twice! Legitimate businesses will often use your real first and last name. In our HSBC example, notice the generic greeting.

    Watch for generic greetings in email messages
  7. Check the Signature – In addition to the greeting, phishing emails often leave out important information in the signature. Legitimate businesses will always have accurate contact details in their signature, so if a message’s signature looks incomplete or inaccurate, chances are it’s spam. In our HSBC example, the sender’s name and contact information are missing from the signature.

    Watch for generic signatures in phishing email messages.
  8. Don’t download Attachments – With the proliferation of Ransomware as a Service (RaaS), spammers have an easy mechanism for distributing malware-laden spam messages to thousands of users. And because the payout for ransomware can be quite high, even one successful ransomware infection could net the spammer large amounts of money. If there’s ANY doubt about the identity of the message sender or the contents of an attachment, play it safe and don’t download the attachment.
  9. Don’t trust the From address – Many phishing emails have a forged sender address. A sender address actually exists in two places. The Envelope From (the SMTP return path) is used by mail servers to generate NDR messages, while the Header From is used by the email client to populate the From field it displays. Both of these can be spoofed. MDaemon Webmail has built-in security features to help users identify spoofed emails. Many mail clients hide the From address and show only the From name, which is easily spoofed. In MDaemon Webmail, the From address is always displayed, giving users a clearer view of the source of the email and helping them identify spoofed senders. Using our HSBC example, I’ve highlighted the actual sender.
    Phishing email highlighting the actual sending address

    MDaemon Webmail will also display information in the Security tag to help users identify messages from verified senders, as shown here.

    MDaemon Webmail - DKIM-Verified Sender
  10. Don’t Enable Macros – And while we’re on the subject of ransomware, another common vector for ransomware infections is through macros in Microsoft Word documents. These documents often arrive in phishing emails claiming to have important content from HR, Finance, or another important department, and to trick the user, they request the user to enable macros. Never trust an email that asks you to enable macros before downloading a Word document.
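As an added example (not code from the original post), the following Python script applies three of the checks above to a raw message: it compares the Envelope From (Return-Path) domain with the Header From domain (tip 9), looks for a generic greeting (tip 6), and compares the hostname shown in a link's text with the hostname the link really points to (tips 1 and 5). The message is a constructed sample and its domains are made up for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name and link text imitate a bank, while the
# envelope sender, the From address and the real link target all differ from it.
SAMPLE = """Return-Path: <bounce@mailer-example.net>
From: "HSBC Payments" <alerts@hsbc-secure-example.com>
Subject: Payment notification

<p>Dear Valued customer,</p><p>A payment is pending. Please
<a href="http://login-example.net/verify">https://www.hsbc.com/login</a>
to confirm.</p>
"""

GENERIC_GREETINGS = ("valued customer", "dear customer", "sir/madam", "dear user")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: what the reader sees vs. where it goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def phishing_indicators(raw):
    """Return the tip-list indicators that apply to one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    found = []
    env, hdr = domain_of(msg.get("Return-Path", "")), domain_of(msg.get("From", ""))
    if env and hdr and env != hdr:                         # tip 9: envelope vs header From
        found.append(f"envelope domain {env} != From domain {hdr}")
    if any(g in body.lower() for g in GENERIC_GREETINGS):  # tip 6: generic greeting
        found.append("generic greeting")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:                     # tips 1 and 5: shown vs real URL
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            found.append(f"link shows {shown} but points to {real}")
    return found
```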

While anti-spam and anti-malware tools are quite effective at filtering out the majority of scams, there’s really no substitute for good old-fashioned user education. Know the potential costs to your business and don’t become the next victim!

If you’re the MDaemon or SecurityGateway administrator and need help with your security settings to help block as much phishing as possible before it reaches your users, give us a call or drop us an email support request.


Is spam being sent out from a local machine on your network? Follow these steps to track down a spambot.

Has this happened to you? Let’s say you’re the MDaemon administrator for your company, and you’ve noticed that somewhere, somehow, spam messages are being sent from within your network. Perhaps one of your PCs has been compromised. What do you do? Here are some tips to help you track the issue down.

First, make sure you have the option “Authentication is always required when mail is from local accounts” enabled (Security | Security Settings | SMTP Authentication). Also enable “Credentials used must match those of the return-path address” and “Credentials used must match those of the From header address.” Then, make sure “…unless message is sent to a local account” is unchecked to prevent intra-domain spam (between local domain users).

SMTP Authentication in MDaemon
Make sure the appropriate boxes are checked to require SMTP authentication

Next, find out if the spam messages are coming in from an authenticated session. To do this, locate one of the spam messages & open it up in Notepad to view its headers (or you can open it in Queue & Statistics Manager). Does the message have an X-Authenticated-Sender header? It will look something like this:

X-Authenticated-Sender: SpammerUser@example.com

If this header is present, then that is the user who authenticated to send the message. The first thing you should do in this case is change the account’s password via the Accounts menu in MDaemon. Even if the spamming is going through the user’s mail client, the authentication credentials will be rejected until you give the user the new password and they update their mail client, so the spamming will be temporarily stopped.

In newer versions of MDaemon, we’ve added Account Hijack Detection, which will automatically disable an account if it sends a specified number of outbound messages via an authenticated session in a given period of time. We recommend enabling this feature. In MDaemon, it’s located under Security | Security Settings | Screening | Hijack Detection.

Account Hijack Detection

The next step is to look at the Received headers. Find the one where the message was received by your server. Here is an example of what this header would look like:

Received: from computer1 (computer1@example.com (192.198.1.121)) by example.com (MDaemon PRO v17) with ESMTP id md50000000001.msg for <UserWhoWasSpammed@example.com>, Fri, 13 Sep 2016 21:00:00 -0800

Find the connecting IP (192.198.1.121 in the above example). This is the machine that is sending out the spam. Locate that machine to deal directly with the spambot running on it.

If the message wasn’t authenticated or wasn’t sent from your local network, locate the Message-ID header and copy that value.

Message-ID: <123.xyx.someone@example.net>

Then open the MDaemon SMTP-IN log that covers the time when that message was received by MDaemon (based on the timestamp in the Received header) and search for that Message-ID in the log. It appears in the 250 response line when the message is accepted:

Thu 2016-09-12 20:00:00: --> 250 Ok, message saved <Message-ID: <123.xyx.someone@example.net>>

Look at the rest of the transaction and see why the message was accepted rather than rejected – spam score, DNSBL results, etc.

Also, if your external domain is listed in the Trusted Hosts list (Security | Security Settings | Trusted Hosts), try removing it from this list.
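The header and log checks above, as one added Python script that is not part of the original post: it pulls X-Authenticated-Sender, the connecting IP from the Received header added by your own server, and the Message-ID out of a message, then finds the matching 250 line in an SMTP-IN log excerpt. The message and log lines are constructed samples modelled on the ones shown above.

```python
import re
from email import message_from_string

# Constructed sample message and SMTP-IN log excerpt, modelled on the header
# and log line quoted in the post above.
MESSAGE = """Received: from computer1 (computer1@example.com (192.198.1.121)) by example.com (MDaemon PRO v17) with ESMTP id md50000000001.msg for <UserWhoWasSpammed@example.com>, Fri, 13 Sep 2016 21:00:00 -0800
X-Authenticated-Sender: SpammerUser@example.com
Message-ID: <123.xyx.someone@example.net>
From: someone@example.net
Subject: constructed sample

(body omitted)
"""

SMTP_IN_LOG = """Thu 2016-09-12 20:00:00: <-- MAIL From:<someone@example.net>
Thu 2016-09-12 20:00:00: --> 250 Ok, message saved <Message-ID: <123.xyx.someone@example.net>>
Thu 2016-09-12 20:00:05: --> 250 Ok, message saved <Message-ID: <other@example.com>>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def connecting_ip(msg, our_domain):
    """IP from the Received header added when our server accepted the message.
    Each hop prepends its own Received header, so the first one that says
    'by <our domain>' is the hop into our server."""
    for received in msg.get_all("Received", []):
        if f"by {our_domain}" in received:
            match = IPV4.search(received)
            if match:
                return match.group(1)
    return None


def triage(raw, our_domain, log_text):
    """Collect the three things the post says to look for, plus the
    matching 250 line(s) from the SMTP-IN log."""
    msg = message_from_string(raw)
    mid = msg.get("Message-ID", "").strip()
    return {
        "authenticated_sender": msg.get("X-Authenticated-Sender"),
        "connecting_ip": connecting_ip(msg, our_domain),
        "message_id": mid,
        "log_lines": [line for line in log_text.splitlines()
                      if mid and mid in line and " 250 " in line],
    }
```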

Check back often for more tips & tricks!


Get Aggressive at Fighting Spam by Re-training the Bayesian Learning Process in MDaemon

Fight spam with Bayesian Learning in MDaemon

In certain situations, it may be necessary to retrain your Bayesian Learning database. This can be necessary when spam messages are inadvertently placed in the Bayes non-spam folder, or when non-spam messages are placed in the Bayes spam folder.

To reset your Bayesian Learning and start training it again from scratch, you can perform the following steps:

1. Stop the MDaemon service.
2. Verify that the MDaemon executables (MDaemon.exe, CFEngine.exe, MDSpamD.exe, WorldClient.exe) have all exited memory using Windows task manager.
3. Rename the folder “/MDaemon/SpamAssassin/Bayes/” to “/MDaemon/SpamAssassin/Bayes.old/”.
4. Re-launch MDaemon.
5. Go to Security | Spam Filter | Bayesian Classification, then click on the Learn button.

At this point, MDaemon recognizes that the Bayes folder isn’t there when the learn process is triggered, so it builds a new Bayes folder.

You will then need to feed Bayesian learning at least 200 spam and 200 non-spam messages (although the more the better) to start the Bayesian learning process again. Here is a knowledge base article on training the Bayesian learning process in MDaemon.

The Bayesian learning engine won’t process new messages until the administrator has taught it 200 spam and 200 non-spam messages. So even if an administrator were to manually press the Learn button OR have MDaemon learn automatically at midnight, the Bayesian engine wouldn’t apply itself to new messages even though the new folder is created.

Once MDaemon recognizes that Bayesian learning has learned more than 200 spam and 200 non-spam messages, it will start applying what it has learned to new messages.

You can run a script to determine how many messages the Bayesian filter has learned from. This will come in handy for administrators who need to know how many more messages to feed the Bayesian filter. This process is explained in this knowledge base article.


Training the Bayesian Spam Learning Engine in WorldClient

MDaemon’s built-in spam filter includes a feature known as Bayesian Learning. Bayesian Learning allows MDaemon to “learn” what types of messages are spam and what types are not spam. This allows the spam filter to become more accurate over time.

It is important for users to properly train the Bayes system so that messages are correctly flagged as spam or non-spam. We do not recommend blacklisting the sender of spam messages, because this does not help the Bayes engine learn from the message and thus has no effect on reducing spam. The easiest way to train the Bayes engine is for users to use the thumbs-up and thumbs-down icons in WorldClient (MDaemon’s webmail client) to feed the Bayes engine samples of spam and non-spam. The more spam and non-spam samples you feed to the Bayes engine, the more accurate the spam filter will become over time. It is therefore very important for users to use the thumbs-down icon on every spam message – whether it arrives in your Inbox or in your Junk Email folder. Likewise, for every false positive (a legitimate, non-spam message that is flagged as spam), you can use the thumbs-up icon to flag the message as non-spam.

This knowledge base article provides a more thorough explanation of Bayesian Learning and how to train the Bayesian Learning engine.

This video explains further.

If you are an end user and you do not see the thumbs-up and thumbs-down icons in WorldClient, the MDaemon administrator can take steps outlined in this video and blog post to make those icons appear.


Are You Receiving Replies to Messages you Never Sent?

Image "Return to Sender"

Have you ever logged into your email to find tons of bounce-back messages (out-of-office replies, NDR messages, invalid recipient messages) in response to messages you never sent? For many users, their first thought is that they need to change their email password. However, changing your email password will not prevent this. Why? Because what you are receiving is known as backscatter, and has nothing to do with your email account being hacked.

Spammers often forge the return-path in their outbound messages to cover up their true identity. If the forged address in these spam messages was your address, then you are likely to receive the bounce-back messages and auto-responders in response to these messages.

So how do you prevent this? MDaemon includes Backscatter Protection. Backscatter Protection works by adding a special key to the return-path of all outbound mail. When MDaemon receives an out-of-office reply or non-delivery message, it looks for that special key. If the key is missing, then we know the bounce-back message is not legitimate and can be discarded.

When Backscatter Protection is disabled, the return-path of a message looks like this:
X-Return-Path: frank.thomas@example.com

When Backscatter Protection is enabled, an extra series of characters beginning with prvs= is added to the return path – like this:
X-Return-Path: prvs=163898ff65=frank.thomas@example.com

It is this extra series of characters that the Backscatter Protection feature looks for in bounce-back messages.
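To show what such a key can look like, here is an added Python illustration (not MDaemon's own implementation) that signs a return path in the prvs= layout with a short HMAC tag carrying a key id and a rolling day number, then verifies a bounce recipient against it and rejects untagged, expired or edited addresses. The secret, the exact tag layout and the seven-day lifetime are assumptions made for the example.

```python
import datetime
import hashlib
import hmac

# Constructed secret for this illustration; a real server keeps its own key private.
SECRET = b"constructed-demo-key"


def _tag(key_id, day, address):
    """Key id + 3-digit day + 6 hex digits of an HMAC over day and address."""
    mac = hmac.new(SECRET, f"{key_id}{day:03d}{address}".encode(), hashlib.sha256)
    return f"{key_id}{day:03d}{mac.hexdigest()[:6]}"


def sign_return_path(address, key_id=1, today=None):
    """Turn user@example.com into prvs=<tag>=user@example.com."""
    today = today or datetime.date.today()
    day = today.toordinal() % 1000      # rolling day counter so tags expire
    return f"prvs={_tag(key_id, day, address)}={address}"


def verify_return_path(address, today=None, max_age_days=7):
    """Return the original address if the tag is genuine and unexpired, else None."""
    if not address.startswith("prvs=") or address.count("=") < 2:
        return None                     # no tag at all: not something we sent
    _, tag, original = address.split("=", 2)
    if len(tag) != 10 or not tag[1:4].isdigit():
        return None
    key_id, day = tag[0], int(tag[1:4])
    today = today or datetime.date.today()
    if (today.toordinal() % 1000 - day) % 1000 > max_age_days:
        return None                     # stale tag replayed from an old message
    if not hmac.compare_digest(_tag(key_id, day, original), tag):
        return None                     # wrong secret or edited address
    return original


def demo():
    """Sign a return path, then verify it fresh, aged, expired, untagged and tampered."""
    day0 = datetime.date(2016, 9, 13)
    signed = sign_return_path("frank.thomas@example.com", today=day0)

    def later(days):
        return day0 + datetime.timedelta(days=days)

    return {
        "signed": signed,
        "fresh": verify_return_path(signed, today=day0),
        "aged": verify_return_path(signed, today=later(3)),
        "expired": verify_return_path(signed, today=later(30)),
        "untagged": verify_return_path("frank.thomas@example.com", today=day0),
        "tampered": verify_return_path(signed.replace("frank.thomas@", "frank.tomas@"), today=day0),
    }
```

A bounce whose recipient fails verify_return_path is backscatter: it answers a message the server never sent.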

Check out the following video to learn more about Backscatter Protection and how to enable it in MDaemon. If you have questions, please feel free to leave us a comment & let us know!


Ransomware and Banking Trojans are Big Business

Spam is big business. With the proliferation of botnets for hire, it takes very little effort for a spammer to send out thousands of messages at a time. These messages may contain links to websites peddling counterfeit products, or they may be laced with viruses, trojans, and various other forms of malware. The barriers to entry and the costs incurred by spammers are very low.

There seems to be no end to the global threat of malware spreading via spam and phishing emails and propagated by botnets around the world. Over the past few months, two threats have emerged. One is a banking trojan targeting users in Brazil, and the other is the now-infamous CryptoWall ransomware.

The banking trojans are spread via phishing emails containing CPL (Control Panel) files, a type of Windows library file that executes code when it is clicked on. Social engineering tactics are used to convince the message recipients that the attachment contains valuable information, such as an invoice or banking details.

Click here to learn more about these banking trojans.

The other big player in the malware arena is ransomware. A recent study has shown the proliferation of phishing emails with SVG files attached. These files, when downloaded and executed, open websites with what appears to be the CryptoWall ransomware.

Click here to learn more about CryptoWall ransomware.

The common theme for both of these threats is that the user was not exercising the proper amount of caution before opening email attachments. Both of these threats were spread via phishing emails, which use social engineering tactics to trick end users into opening the messages and clicking on links or downloading attachments.

Spammers know that end users are often the weakest link in fighting spam, so it’s in the best interest of companies of all sizes to educate their users on email safety. While most mail servers and spam gateways, such as MDaemon and SecurityGateway, have numerous tools for blocking spam & malware, no anti-spam solution is 100% fool-proof. Spammers are always seeking out new methods to trick users into opening their messages, so users must learn how to stay safe and recognize potential threats.

For a review of best practices for end users, review my post “Email Safety Tips for End Users.”
