Beware of New Amazon.com Phishing Scam

Scam AlertThe holidays are upon us, and with all of the giving and sharing come scams aimed at exploiting human nature and stealing our personal information, such as names, addresses and credit card numbers. This year, the scammers are at it again, with a phishing scam designed to look like an email from Amazon.com claiming that there is a problem processing your order. The scam asks you to click on a link to verify your personal information. A good example of this scam email is described on the AARP blog.

As a reminder, here are a few tips to avoid falling victim to phishing scams.

  • Never click on unfamiliar or suspicious links. If a link claims to refer to a familiar website, then manually enter the web address in the address bar.
  • Hover your mouse over images & links to review the URL they refer to.
  • Beware of “Unsubscribe” links in phishing emails. When clicked, these links can let the spammer know that your address is valid, which often leads to more spam.
  • Never reply to spam or unsolicited messages.

For more tips on how to avoid these & other scams, click here to review our post on protecting your email privacy, and stay safe this holiday season!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Using DKIM, SPF & DMARC to Protect your Brand and Customers from Spear Phishing

Introduction

Scammers use a variety of tactics to get users to give out personal information. One very common tactic is known as phishing. Phishing is a scam where tech-savvy con artists use spam and malicious websites to deliver malware, or to trick people into giving them personal information such as social security numbers, bank account numbers, and credit card information. A more targeted (and often more dangerous) type of phishing is known as spear phishing.

What is Spear Phishing?

Spear phishing is a targeted attack that’s usually addressed to a specific individual. With spear phishing, the perpetrator knows something personal about you. He may know your name, email address, or the name of a friend, or he may have information about a recent online purchase you made. While most phishing emails will have a generic greeting such as “Dear Sir or Madam,” a spear phishing email may address you by name, such as “Hello John.” It may also appear to come from someone you know.

According to Allen Paller, director of research at the SANS Institute, 95% of all attacks on enterprise networks are the result of spear phishing attacks. Earlier this year, Symantec issued a warning about an ongoing spear phishing attack targeting small and midsize businesses in the United States, India, and the UK that infects users with a remote access Trojan (RAT). A RAT gives an attacker remote access to a machine & can lead to disclosure of sensitive information and financial losses. Based on campaigns run by Symantec’s Phishing Readiness technology, on average, employees are susceptible to email-based attacks 18 percent of the time.

How can You Protect Yourself & Your Business?

Protecting your company from spear phishing attacks is the responsibility of employees as well as the mail server administrator. For employees, user education is key. This post contains helpful email safety tips for end users. For the administrator, implementing DKIM, SPF and DMARC can help reduce data breaches, financial losses, and other threats to your business. These three methods are described in greater detail below.

How DKIM Works

DKIM (DomainKeys Identified Mail) is a cryptographic email verification system that can be used to prevent spoofing. It can also be used to ensure message integrity, or to ensure that the message has not been altered between the time it left the sending mail server and the time it arrived at yours. Here’s how DKIM works:

  • An encrypted public key is published to the sending server’s DNS records.
  • Each outgoing message is signed by the server using the corresponding encrypted private key.
  • For incoming messages, when the receiving server sees that a message has been signed by DKIM, it will retrieve the public key from the sending server’s DNS records and then compare that key with the message’s cryptographic signature to determine its validity.
  • If the incoming message cannot be verified then the receiving server knows it contains a spoofed address or has been tampered with or changed. A failed message can then be rejected, or it can be accepted but have its spam score adjusted.

You can refer to the following knowledge base article for DKIM setup instructions in MDaemon:

How to enable DKIM signing and configure records

You can refer to this knowledge base article for DKIM setup instructions in SecurityGateway:

http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=496

How SPF Works

Another technique to help prevent spoofing is known as SPF. SPF (Sender Policy Framework) allows domain owners to publish DNS records (SPF records) to identify those locations authorized to send messages for their domain. By performing an SPF lookup on incoming messages, you can attempt to determine whether or not the sending server is permitted to deliver mail for the purported sending domain, and consequently determine whether or not the sender’s address may have been forged or spoofed.

MDaemon’s SPF settings are located under Security | Security Settings | Sender Authentication | SPF Verification. This screenshot displays the recommended settings.

SPF Settings in MDaemon
Recommended Sender Policy Framework Settings

Recommended SPF settings for SecurityGateway are outlined in this knowledge base article:

http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=497

These are the recommended settings for verifying SPF records of other domains. To help protect against spear phishing attacks that spoof your own domain, you should set up an SPF record in DNS. You can find helpful information on SPF record syntax and deployment at www.openspf.org.

DMARC (Domain-Based Message Authentication, Reporting & Conformance)

When a message fails DKIM or SPF, it is up to the receiving mail server’s administrator as to how to handle the message. The problem with this is that if DKIM or SPF is not set up properly, it can lead to problems. DMARC (Domain-based Message Authentication, Reporting and Conformance) takes out the guesswork on how to handle messages from a domain that are not properly aligned with DKIM or SPF.

DMARC defines a scalable mechanism by which a mail sender can express, using DNS records (DMARC records), domain level policies governing how messages claiming to come from his or her domain should be handled when they do not fully align with DKIM and SPF lookup results. In other words, if you perform SPF, DKIM and DMARC record lookups on a message claiming to come from my domain (example.com), and it does not align with SPF, DKIM, or both, my DMARC record can tell you how I want you to handle messages that are unaligned with SPF & DKIM. My DMARC record can specify whether I want you to accept, quarantine, or reject unaligned messages, and I can even go a step further and specify what percentage of unaligned messages I want you to reject or quarantine based on my policy preferences. This is useful when first deploying DMARC, as it allows you to be more lenient with rejection of unaligned messages until you’re sure DKIM & SPF are configured properly.

You can view the following recorded webinar for a more in-depth overview of DMARC, including examples and syntax of DMARC records and deployment strategy.

https://youtu.be/vrMMKmxCmqs?list=PLt-aAHf-ocsYYmpXFABce39b_CgJXXubp

This knowledge base article will also be useful:

How to Enable DMARC and Configure Records

Conclusion

While we must be vigilant against spoofing and phishing attacks, we must also acknowledge that cautious, informed users and properly implemented SPF, DKIM and DMARC policies are the best defense against cybercriminals who are intent on stealing your data and damaging your brand.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Ransomware and Banking Trojans are Big Business

Spam is big business. With the proliferation of botnets for hire, it takes very little effort for a spammer to send out thousands of messages at a time. These messages may contain links to websites peddling counterfeit products, or they may be laced with viruses, trojans, and various other forms of malware. The barriers to entry and costs incurred by spammers are very low

There seems to be no end to the global threat of malware spreading via spam and phishing emails and propagated by botnets around the world. Over the past few months, two threats have emerged. One is a banking trojan targeting users in Brazil, and the other is the now-infamous Cryptowall ransomware.

The banking trojans are spread via phishing emails containing CPL files, which are a type of library file that executes code once it is clicked on. Social engineering tactics are used to try to convince the message recipients that the attachment contains valuable information, such as an invoice or banking information.

Click here to learn more about these banking trojans.

The other big player in the malware arena is ransomware. A recent study has shown the proliferation of phishing emails with SVG files attached. These files, when downloaded and executed, open websites with what appears to be the CryptoWall ransomware.

Click here to learn more about CryptoWall ransomware.

The common theme for both of these threats is that the user was not exercising the proper amount of caution before opening email attachments. Both of these threats where spread via phishing emails, which use social engineering tactics to trick end users into opening these messages and clicking on links or downloading attachments.

Spammers know that end users are often the weakest link in fighting spam, so it’s in the best interest of companies of all sizes to educate their users on email safety. While most mail servers and spam gateways, such as MDaemon and SecurityGateway, have numerous tools for blocking spam & malware, no anti-spam solution is 100% fool-proof. Spammers are always seeking out new methods to trick users into opening their messages, so users must learn how to stay safe and recognize potential threats.

For a review of best practices for end users, review my post “Email Safety Tips for End Users.”

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

SecurityPlus Webinar Added to YouTube

SecurityPlus provides antivirus and anti-spam services for MDaemon. It scans all inbound and outbound mail traffic for spam, viruses, malware, phishing attempts, and other types of malicious activity to catch potential threats before they have had a chance to infiltrate your network. To learn more about SecurityPlus, including how to configure it & how to identify SecurityPlus activity in your MDaemon log files, check out the following recorded webinar.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •