Email & Web Spam

Our news section dedicated to email & web spam highlights many scenarios in which organizations – and individuals within organizations – act on fraudulent communications sent via email or presented to them on a hacked website. The news items report not only cyberattacks launched via email and the web, but also on the damage that is caused and the consequences of the attack.

Trends in email & web spam attacks are also identified within our news items, plus information on how many of the attacks can be avoided – typically with an email spam filter and/or a web content filter. If yours is an organization at risk from email & web spam, we recommended that you speak with one of our technical sales team today.

Retail Industry Data Breaches Most Common with U.S. Companies Heavily Targeted

The healthcare industry has been heavily targeted by cybercriminals, but retail industry data breaches are now the most common according to a recent study by Trustwave. Retail industry data breaches account for 22% of all reported breaches, closely followed by the food and beverage industry on 20%.

In 2016, corporate and internal networks were the most commonly breached systems although there was a marked increase in POS system breaches, which are now the second most targeted systems accounting for 31% of all reported breaches. Last year, POS data breaches only accounted for 22% of the total. POS data breaches were most common in the United States. In 2015, E-commerce platforms were heavily targeted accounting for 38% of all breaches, although in 2016 the percentage fell to 26%.

Healthcare data is in high demand, although it is still credit card numbers that are most commonly stolen. 63% of data breaches involved card data, split between card track data (33% of incidents) – mostly from hospitality and retail industry data breaches – and card-not-present data (30% of incidents) which came from breaches of e-commerce platforms.

The United States was also the most targeted country, accounting for 49% of all breaches – more than double the percentage of Asia-Pacific in second place with 21% of reported breaches. Europe was in third place with 20%.

Zero-day exploits are in high demand, commanding an initial price of $95,000 on the black market, although there were only 9 zero-day vulnerabilities exploited in the wild in 2016 – 5 for Adobe Flash, 3 for Internet Explorer and one for Microsoft Silverlight.

The top two methods of compromise were remote access – 29.7% of attacks – and phishing and social engineering, which accounted for 18.8% of attacks.

Exploit kit activity has fallen since the fall of the Angler, Magnitude and Nuclear exploit kits, although others such as Rig are increasing in popularity. Exploit kits activity could increase further due to the low cost of conducting malvertising campaigns – malicious adverts on third party ad networks that direct individuals to sites hosting exploit kits. Trustwave reports it now costs cybercriminals $5 to target 1,000 vulnerable computers with malicious adverts. Trustwave warns that while exploit kit activity has fallen, it would be wrong to assume it is gone for good. If it is profitable to use exploit kits, more will be developed.

Spam email is still the primary attack vector. In 2016, there was an increase in spam email messages rising from 54% of message volume in 2015 to 60% of total email volume in 2016. 35% of those messages contained malicious attachments, which Trustwave reports is up from 3% in 2015.

The most common malware variants discovered in 2016 data breach investigations attacked POS systems and were PoSeidon (18%) and Alina (13.5%) with Carbanak/Anunak in third place on 10%.

A recent Ponemon Institute study suggest data breaches take more than six months to detect, while Trustwave’s figures suggest the median number of days between intrusion and detection for external incidents was 65 days in 2016, although some companies took up to 2,000 days to discover a breach. Detection rates have improved from 2015, when it took an average of 80.5 days to detect a breach.

Fear of WannaCry Being Exploited to Push Fake Antivirus Apps

Following the massive WannaCry ransomware attacks there has been heightened interest in cybersecurity products. Marketers have capitalized on the fear of an imminent attack to increase downloads of fake antivirus apps.

The apps are sold to worried users promising to protect them from WannaCry and other ransomware threats. In some cases, a free scan is offered that reveals the user’s device is already infected with any number of malicious programs. Installing the app will allow users to rid their device of the malicious software.

In many cases, the fake antivirus apps misreport infections to scare users into buying and installing an unnecessary app. Some of those apps will offer no protection whatsoever, but others are more sinister. Many of the new fake antivirus apps that are sneaking their way into the Google Play store are far from benign. PUPs, Trojans and adware are packaged with the apps. Users download the fake antivirus apps to protect themselves against malware, when the reality is downloading the app results in infection.

A study of antivirus apps has recently been conducted by RiskIQ. The firm discovered almost 6,300 antivirus apps that were either an antivirus solution, reviews of antivirus software or were otherwise associated with an antivirus program. More than 700 of those apps triggered blacklist detections on VirusTotal, with many of the apps coming packaged with malware.

131 of the 655 antivirus apps on the Google Play Store triggered blacklist detections. Many of the apps are no longer active, although 55 out of 508 active AV apps on the Google Play Store were blacklisted. In total, 20% of blacklisted antivirus apps were in the Google Play store with 10.8% still active.

RiskIQ reports that some of the blacklisted apps are false positives and not all of those apps are bundled with malware. However, many of the apps were rated as malicious by multiple AV vendors and were not all they claimed to be.

While it is important to have antivirus software on mobile devices, users should exercise caution when downloading any app. Just because an app claims to protect you and your device, it does not mean that it will do as it says. Downloading the app could even result in infection.

Users can reduce the risk of downloading a fake antivirus app by only using official app stores such as Google Play, but additional checks should be performed. An app should not be installed if the developer is using a free email address such as Gmail or Outlook. RiskIQ recommends checking the descriptions of the apps, specifically looking for spelling mistakes or grammatical errors. The app should ideally be checked against VirusTotal to see if it raises any red flags and users should carefully check the permissions requested.

Fireball Malware: 250 Million+ Infections and Rising

Over the past few days, a new threat called Fireball malware has been spreading rapidly and has allegedly been installed on more than 250 million computer systems. An estimated 20% of corporate networks have been infected with the malware. 10% of infections are in India, 9.6% in Brazil, 6.4% in Mexico, 5.2% in Indonesia and 2.2% in the United States.

The new malware variant was discovered by security researchers at Check Point, who claim the malware campaign is “possibly the largest infection operation in history.”

Fireball malware targets web browsers and is used to manipulate traffic. Once infected, the end user is redirected to fake search engines, which redirect search queries to Google and Yahoo. Fireball malware is being used to generate fake clicks and boost traffic, installing plugins and new configurations to boost the threat actor’s advertisements.

The malware is also capable of stealing user information using tracking pixels and can easily be turned into a malware downloader. Once installed, Fireball malware can run any code on the victims’ computer, making the infection especially dangerous. While Fireball malware is not believed to be dropping additional malware at this stage, it remains a very real possibility. The malware has a valid certificate, hides the infection and cannot be easily uninstalled.

The malware is being distributed bundled with other software such as the Mustang browser and Deal WiFi, both of which are provided by a large Chinese digital marketing agency called Rafotech. It is Rafotech that is understood to be behind Fireball malware.

Rafotech is not using the malware for distributing other malware, nor for any malicious purposes other than generating traffic to websites and serving end users adverts, but Fireball may not always remain as adware. At any point, Fireball could simultaneously drop malware on all infected systems.

The recent WannaCry ransomware attacks serve as a good comparison. Once the network worm had spread, it was used to deploy WannaCry. More than 300,000 computers were infected the worm, which then dropped the ransomware. If a more advanced form of malware had been used that did not have a kill switch, the WannaCry attacks would have been far more severe. Now imagine a scenario where the same happened on 250 million computers… or even more as Fireball malware spreads further.

Fireball could also drop botnet malware onto those computers. A botnet involving 250 million or more computers would result in absolutely devastating DDoS attacks on a scale never before seen. As a comparison, Mirai is understood to include around 120,000 devices and has wreaked havoc. A botnet comprising 250 million or more devices could be used to take down huge sections of the internet or target critical infrastructure. It would be a virtual nuclear bomb.

HTTPS Phishing Websites Increase as Cybercriminals Exploit Trust in Encrypted Connections

Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.

The risks of disclosing sensitive information such as credit card numbers on HTTP sites has been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website starts with HTTPS does not mean that website is safe.

HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.

A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.

Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.

The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.

Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with a SSL certificate it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and start with HTTPS.

HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.

The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.

Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.

WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.

Purple Protects Customers with TitanHQ’s WebTitan WiFi Content Filtering Solution

TitanHQ is proud to announce a new partnership with the intelligent spaces company Purple.  Purple has chosen TitanHQ’s WiFi content filtering solution – WebTitan – to keep its WiFi networks secure and to carefully control the content that can be accessed by its clients and their customers.

The importance of securing WiFi networks has been highlighted by recent cyberattacks, including the WannaCry ransomware attacks on May 12. Consumers can be provided with WiFi access, but need to be protected from web-borne threats such as drive-by ransomware downloads and phishing attacks.

WebTitan offers protection against a wide range of web-borne threats including exploit kits, phishing websites, malicious web adverts and drive-by downloads of malware and ransomware. Every day, WebTitan detects more than 60,000 web threats and protects customers by blocking access to harmful webpages. WebTitan also allows businesses to carefully control the content that can be accessed via WiFi networks, filtering out obscene, harmful, and illegal website content.

As a leading provider of WiFi analytics and marketing services, Purple is well aware of the potential risks that come from unsecured WiFi hotspots. The company is committed to securing its WiFi networks and ensuring its customers are protected in the right way. Purple required exceptional protection for its customers, yet not all WiFi filtering solutions matched the company’s unique requirements.

Purple explained those requirements to TitanHQ, which was able respond with a solution that matched the company’s exacting needs. James Wood, Head of Integration at Purple said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”

WebTitan allows companies to manage WiFi content controls in multiple locations from a single administration console, making it an ideal solution for global WiFi businesses. For companies such as Purple, whose clients need to have control over their own filtering controls, WebTitan was ideal. Wood explained that WebTitan “allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”

TitanHQ was able to respond rapidly roll out WebTitan in a matter of days. Purple customers are now protected by the leading WiFi content filtering solution and can access the Internet safely and securely. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”

TitanHQ CEO Ronan Kavanagh is delighted that Purple has chosen TitanHQ has its WiFi filtering partner. Kavanagh said, “Purple is now a valued member of the TitanHQ family and we are delighted to welcome the firm onboard. This is a partnership that illustrates just how well suited WebTitan is to Wi-Fi environments.”

WannaCry Ransomware Attacks Halted… Temporarily

The WannaCry ransomware attacks that crippled hospitals in the United Kingdom on Friday have temporarily halted, although not before infections spread to 150 countries around the globe.  The massive ransomware campaign saw 61 NHS Trusts in the UK affected.

As the NHS was cancelling appointments and scrambling to halt the spread of the infection and restore its systems, the WannaCry ransomware attacks were going global. Organizations around the world were waking up to total chaos, with systems taken out of action and data access blocked. Other victims include FedEx, Telefonica, Deutsche Bahn and the Russian Interior Ministry and around 200,000 others.

The victim count rose considerably throughout Friday and Saturday morning, before a security researcher in the UK accidentally flicked the ransomware’s kill switch, preventing further WannaCry ransomware attacks. Had it not been for that researcher’s actions, the victim count would have been considerably higher.

The researcher in question prefers to remain anonymous, although he tweets under the Twitter account @MalwareTechBlog. While analyzing the ransomware, he discovered a reference to a nonsense web domain. He checked to see who owned the domain and discovered it had not been registered. He bought it and realized that his actions had stopped the ransomware in its tracks. If the domain could be contacted, encryption would not take place. If contact was not possible, the ransomware would proceed and encrypt files on the infected device.

This kill switch could have been put in place by the authors as a way to stop infections getting out of control. However, far more likely is the domain check was performed to determine if the ransomware was running in a test environment.

For now at least, the WannaCry ransomware attacks have stopped, although that does not mean they will not continue. New versions of the ransomware – without the kill switch – will almost certainly be released. In the meantime, IT security professionals have some time to plug the vulnerability that was exploited.

The exploit takes advantage of a vulnerability in Windows Server Message Block (SMB) that allows the attackers to download files onto a vulnerable machine. Microsoft issued a patch to plug the vulnerability on March 13 (MS17-010). Even though this was a high priority patch for which an exploit had been developed (ETERNALBLUE) and released online, many companies failed to update Windows leaving them vulnerable to attack.

Of course, any organization using an unsupported version of Windows – Windows XP for example – would not be able to apply the patch. Many NHS Trusts in the UK still use the unsupported version of Windows even though it is vulnerable to this and other exploits.

The attackers have reportedly made around $50,000 so far from the WannaCry ransomware attacks. That figure will rise, as victims are given 7 days to pay before the decryption keys held by the attackers will be permanently deleted. If payment is not made within 3 days, the $300 ransom doubles.

There are no clues as to who was behind the attack, although it was made possible by the actions of the hacking group Shadow Brokers, who published the exploit used in the WannaCry ransomware attacks in April. The exploit was not developed by Shadow Brokers however. That appears to have been developed by the National Security Agency in the USA. Shadow Brokers allegedly stole the exploit.

Microsoft has responded to the WannaCry ransomware attacks saying they should serve as a “wake-up call.” That’s not just the need to apply patches promptly to prevent cyberattacks, but also a wake up call for governments not to secretly stockpile exploits.

Mac Malware Warning Issued: Handbrake for Mac App Infected with RAT

A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.

A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.

A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 change of infection if they downloaded the app between the above dates.

Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.

Apple has now updated its OSX’s XProtect to detect and remove the infection although individuals at risk should check to see if their device has been infected. Infection can be detected by looking for the Activity_agent process in the OSX Activity Monitor. If the process is running, the device has been infected with the Trojan.

Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.

The Trojan can be easily removed by opening the Terminal and entering the following commands before removing all instances of the Handbrake app:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.

Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.

The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.

‘Crazy Bad’ Microsoft Malware Protection Engine Bug Patched

A patch has been rushed and released to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.

If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.

The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.

The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.

The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.

While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk.  Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment.  The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.

The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.

New Locky Ransomware Attacks Use Techniques Similar to Dridex Malware Campaigns

Locky is back. The latest Locky ransomware attacks leverage an infection technique used in Dridex malware campaigns.

It has been all quiet on the western front, with Locky ransomware attacks dropping off to a tiny fraction of the number seen in 2016. In the first quarter of 2017, Locky ransomware campaigns all but stopped, with Cerber becoming the biggest ransomware threat.

That could be about to change. Locky has returned, its delivery mechanism has changed, and the crypto ransomware is now even harder to detect.

The latest campaign was detected by Cisco Talos and PhishMe. The Talos team identified a campaign involving around 35,000 spam emails spread over just a few hours. The researchers suggest the emails are being delivered using the Necurs botnet, which has until recently been used to send out stock-related email spam.

New Infection Method Used in Latest Locky Ransomware Attacks

The latest Locky campaign uses a different method of infection. Previous Locky campaigns have used malicious Word macros attached to spam emails. If the email attachment is opened, end users are requested to enable macros to view the content of the document. Enabling macros will allow a script to run that downloads the payload. For the latest campaign, spam emails are used to deliver PDF files.

The change in infection method can be easily explained. Over the past few months, Word macros have been extensively used to infect end users with ransomware. Awareness of the danger of Word macros has been widely reported and companies have been warning their staff about malicious Word documents containing macros.

If an end user is fooled into opening an email attachment that asks them to enable macros, they are now more likely to close the document and raise the alarm. To increase the probability of the end user taking the desired action, the authors have made a change. Macros are still involved, but later in the infection process.

The emails contain little in the way of text, but inform the recipient that the PDF file contains a scanned image or document, a purchase order, or a receipt. PDF files are more trusted and are more likely to be opened. Opening the PDF file will see the user prompted to allow the PDF reader to download an additional file. The second file is a Word document containing a macro that the end user will be prompted to enable.

The rest of the infection process proceeds in a similar fashion to previous Locky ransomware attacks. Enabling the macros will see a Dridex payload downloaded which will then download Locky. Locky will proceed to encrypt a similarly wide range of file types on the infected computer, connected storage devices and mapped network drives.

The ransom payment demanded is 1 Bitcoin – currently around $1,200. This is considerably more that the ransom payments demanded when Locky first arrived on the scene just over a year ago.

One slight change for this campaign is the user is required to install the Tor browser in order to visit the payment site. This change is believed to be due to Tor proxy services being blocked.

Adding the extra step in the infection process is expected to result in more infections. Many users who would not open a Word attachment may be fooled into opening the PDF.

Businesses should raise the alarm and send out warning emails to staff alerting them to the new campaign and advising them to be wary of PDF files in emails.

Mac Malware Infections Increased by 700% in 2016

Windows-based systems are far more likely to be infected by viruses and malware; however, Mac users are far from immune to malware infections. A new report from McAfee suggests Mac malware infections increased substantially in 2016. Malware instances rose by a staggering 700% in the space of just one year.

The Threats Report by McAfee Labs shows that its anti-virus solutions detected and prevented 460,000 Mac malware infections in the final quarter of 2016 alone. That is a significant jump from the previous quarter when 150,000 Mac malware infections were detected and blocked – a rise of 247% from Q3 to Q4.

Compared to the number of infections of Windows based systems, the number of mac malware infections is still very low. McAfee detected more than 600 malware samples on Windows devices and 15 million attempted virus attacks on Android devices. At its highest, Mac malware infections were at 1.3% of the level seen on Windows-based devices.

However, the rise in Mac malware attacks should not be ignored. While Mac users are far better protected against malware attacks than Windows users, they should not be complacent. Cybercriminals are now developing more malware to target Mac users and they are no longer content with attacking Windows devices.

McAfee reports that malware developers are increasingly tailoring their malicious software to be capable of attacking multiple platforms. As more consumers and businesses use Macs and other Apple devices, attacks become more profitable. When there is potential for profit, malware developers are quick to take advantage.

The Threats Report indicates much of the new Mac malware is adware, with OSX/Bundlore one of the main malware variants discovered in Q4, 2016. Adware usually comes bundled with legitimate apps, especially apps on non-official stores. Downloading apps from the Mac app store is unlikely to result in infection.

Other forms of Mac malware have also increased in prevalence. As with Windows-based malware, the malware has been developed to steal login credentials and banking details. Remote access Trojans have also increased in number as has Mac ransomware – OSX/Keydnap being a notable example. OSX/Keydnap was bundled with the torrent client BitTorrent and even found its way onto the official download site.

To prevent Mac malware infections, businesses and consumers should be security aware and not take unnecessary risks. Apps should only be downloaded from official stores, security software should be installed, updates to software and apps should be applied promptly and strong, secure passwords should be used.

Philadelphia Ransomware Used in Target Attacks on U.S Healthcare Organizations

A new variant of Stampedo ransomware – called Philadelphia ransomware – is being used in targeted attacks on the healthcare sector in the United States. The ransomware variant is being spread using spear phishing emails.

Spear phishing emails have been detected that incorporate the healthcare organization’s logo along with the name of a physician at the organization. The use of a logo and a name adds credibility to the email, increasing the likelihood of the targeted individual clicking the link and downloading the malicious file. Information about organization’s and details of potential targets can easily be found on social media websites such as LinkedIn.

Cyber security firm Forcepoint analyzed Philadelphia ransomware and detected a string called “hospitalspam” in the encrypted JavaScript. A similarly named directory was also found on the ransomware C2, suggesting a campaign is being conducted that specifically targets the healthcare sector. Forcepoint reports that two hospitals – one in Oregon and one in Washington – have already been infected with the ransomware.

In recent months, cybercriminals have favored email attachments for spreading ransomware and malware, with Word documents containing malicious Word macros one of the most popular methods of ransomware and malware infection. The latest campaign, which was identified by Forcepoint, also uses malicious Word documents. However, rather than sending a malicious Word document as an attachment, the emails contain a link to a website where the Word document is automatically downloaded.

As with email attachments, the document must be opened and macros enabled in order for the ransomware to be downloaded.

Philadelphia Ransomware Attacks Likely to Increase

Philadelphia ransomware attacks are likely to increase thanks to a professional affiliate campaign. Would-be attackers are being recruited using a video that highlights the many features of the ransomware. The video calls Philadelphia ransomware “the most advanced and customizable ransomware ever,” and shows just how easy it is for someone with little technical skill to start their own ransomware campaign.

Would-be cybercriminals are able to rent out the ransomware and use it for their own spamming campaigns, provided they pay the author an initial fee of around $400. The one-off payment, so the authors claim, gives a user lifetime use of the ransomware. Affiliates will then be given a cut of any ransom payments they are able to generate.

Affiliate campaigns such as this – known as ransomware-as-a-service – are becoming increasingly popular. They allow non-technical spammers to jump on the ransomware bandwagon and start generating ransom payments. There is likely to be no shortage of takers.

Fortunately, the ransomware is not as advanced as the promotional video makes out. Furthermore, a decryptor for Philadelphia ransomware has been developed and can be downloaded for free via Softpedia. No ransom needs to be paid, although infection with Philadelphia ransomware can still result in considerable disruption. Healthcare organizations should therefore be on their guard.

Sundown Exploit Kit Now a Significant Threat

Researchers have identified changes to the Sundown exploit kit. Sundown is now in transition and is being actively developed. It now poses a significant threat.

Exploit kit activity has fallen over the past year as cybercriminals have turned to other methods of infecting end users. Spam email is now favored by many cybercriminals and exploit kit activity has dropped to next to nothing. However, over the past few weeks there has been an increase in exploit kit activity, with the Sundown exploit kit fast becoming a major threat.

Researchers at Cisco Talos report that the Sundown exploit kit has been upgraded and has now matured. While it was once a relatively unsophisticated exploit kit, that is no longer the case. The researchers point out that Sundown is likely to become one of the most widely used exploit kits, taking the place of the larger exploit kits that were used extensively in early 2016.

A number of upgrades have been made to the Sundown exploit kit in recent weeks. The individuals behind the Sundown exploit kit have removed many of the identifiers previously associated with the exploit kit. The exploit kit is now much harder to identify.

The Sundown exploit kit is one of a very small number that have had new exploits added in recent months. Some of the old exploits have also been removed. The actors behind Sundown have also increased the likelihood of infection. In a recent alert, Cisco Talos researchers explain that the exploit kit does not attempt to gain access to a system via a single exploit, instead the Sundown EK uses an extensive arsenal of malware tools to maximize the chance of compromising a system.

While the payload used to be downloaded via the browser, now the exploit kit uses the command line and wscript. A change has also been made to how the malicious payload is downloaded. The payload is now located on a different server to the landing page and exploit kit. The same root domain is used for both, although the subdomains are different.

The actors behind the kit are also purchasing large numbers of established domains, typically domains that are more than 6 months old. Those domains are used for a short time and are then resold. Using older domains allows the attacker to bypass screening controls that blacklist recently registered domains.

The discovery of major updates made to the Sundown EK could indicate there will soon be a major increase in exploit kit attacks. Angler, Neutrino, and Nuclear may have virtually disappeared, but exploit kits still pose a significant threat.

Businesses can protect their endpoints from malware and ransomware infections via exploit kits by using a web filtering solution. A web filtering solution can be configured to carefully control the websites that can be accessed by end users to reduce the risk of infection, and domains known to host exploit kits can be blocked.

For further information on web filtering and protecting end points from malware and ransomware, contact the TitanHQ team today.

Safari Scareware Used to Extort Money from Porn Viewers

A flaw in the mobile Safari browser has been exploited by cybercriminals and used to extort money from individuals who have previously used their mobile device to view pornography or other illegal content. The Safari scareware prevents the user from accessing the Internet on their device by loading a series of pop-up messages.

A popup is displayed advising the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popup messages that cannot be closed.

A message is displayed in the background claiming the device has been locked because the user has been discovered to have viewed illegal web content. Some users have reported messages containing Interpol banners, which are intended to make the user think the lock has been put on their phone by law enforcement. The only way of unlocking the device, according to the messages, is to pay a fine.

One of the domains used by the attackers is police-pay.com; however, few users would likely be fooled into thinking the browser lock was implemented by a police department as the fine had to be paid in the form of an iTunes gift card.

Other messages threaten the user with police action if payment is not made. The attackers claim they will send the user’s browsing history and downloaded files to the Metropolitan Police if the ransom is not paid.

This type of Safari scareware is nothing new, although the zero-day flaw that was exploited to display the messages was. The attackers loaded code onto a number of websites which exploited a flaw in the way the Safari browser handles JavaScript pop-up windows. The code targeted iOS versions 10.2 and earlier.

The Safari scareware campaign was recently uncovered by Lookout, which passed details of the exploit onto Apple last month. Apple has now released an update to its browser which prevents the attack from taking place. Users can protect their devices against attack by updating their device to iOS version 10.3.

Scareware is different from ransomware, although both are used to extort money. In the case of ransomware, access to a device is gained by the attacker and malicious file-encrypting malware is downloaded. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not owned, the user faces loss of data if they do not pay the attackers for the key to decrypt their locked files.

Scareware may involve malware, although more commonly – as was the case with this Safari scareware campaign – it involves malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The idea behind scareware is to scare the end user into paying the ransom demand to unlock their device. In contrast to ransomware, which cannot be unlocked without a decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowhow. In this case, control of the phone could be regained by clearing the Safari cache of all data.

MajikPOS Malware Used in Targeted Attacks on PoS Systems of U.S. Businesses

A new form of PoS malware – called MajikPOS malware – has recently been discovered by security researchers at Trend Micro. The new malware has been used in targeted attacks on businesses in the United States, Canada, and Australia.

The researchers first identified MajikPOS malware in late January, by which time the malware had been used in numerous attacks on retailers. Further investigation revealed attacks had been conducted as early as August 2016.

MajikPOS malware has a modular design and has been written in .NET, a common software framework used for PoS malware. The design of MajikPOS malware supports a number of features that can be used to gather information on networks and identify PoS systems and other computers that handle financial data.

The attackers are infecting computers by exploiting weak credentials. Brute force attacks are conducted on open Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) ports. A variety of techniques are used to install the MajikPOS malware and evade detection, in some causes leveraging RATs that have previously been installed on retailers’ systems. The malware includes a RAM scraping component to identify credit card data and uses an encrypted channel to communicate with its C&C and exfiltrate data undetected.

MajikPOS malware is being used by a well-organized cybercriminal organization and credit card details are being stolen on a grand scale. The stolen information is then sold on darknet ‘dump shops’. The stolen credit card numbers, which the researchers estimate to number at least 23,400, are being sold individually for between $9 and $39. The gang also sells the credit card numbers in batches of 25, 50, or 100. The majority of credit cards belong to individuals in the United States or Canada.

POS Malware Infections Can be Devastating

A number of different attack vectors can be used to install PoS malware. Malware can be installed as a result of employees falling for spear phishing emails. Cybercriminals commonly gain a foothold in retailers’ networks as a result of employees divulging login credentials when they respond to phishing emails.

While exploit kit activity has fallen in recent months, the threat has not disappeared and malvertising campaigns and malicious links sent via emails are still used in targeted attacks on U.S retailers.

Brute force attacks are also common, highlighting how important it is to change default credentials and set strong passwords.

POS malware infections can prove incredibly costly for retailers. Just ask Home Depot. A PoS malware infection has cost the retailer more than $179 million to resolve, with the cost of the security breach continuing to rise. That figure does not include the loss of business as a result of the breach. Consumers have opted to shop elsewhere in their droves following the 2014 PoS malware attack.

This latest threat should serve as a warning for all retailers. Security vulnerabilities can – and are – exploited by cybercriminals. If inadequate protections are put in place to keep consumers’ data secure, it will only be a matter of time before systems are attacked.

PetrWrap Ransomware: An Old Threat Has Been Hijacked by a Rival Gang

There is a new ransomware threat that businesses should be aware of, but PetrWrap ransomware is not exactly anything new. It is actually a form of ransomware that was first discovered in May last year. PetrWarp ransomware is, to all intents and purposes, almost exactly the same as the third incarnation of Petya ransomware. There is one key difference though. PetrWrap ransomware has been hijacked by a criminal gang and its decryption keys have been changed.

The criminal organization behind PetrWrap ransomware have taken Petya ransomware, for which there is no free decryptor, and have exploited a vulnerability that has allowed them to steal it and use it for their own gain. The attackers have simply added an additional module to the ransomware that modifies it on the fly. After all, why bother going to all the trouble of developing your own ransomware variant when a perfectly good one already exists!

Petya ransomware is being offered to spammers and scammers under an affiliate model. The ransomware authors are loaning the ransomware to others and take a percentage of the profits gained from ransoms that are paid. This is a common tactic to increase overall profits, just as retailers pay affiliate marketers to sell their products for a commission. In the case of ransomware-as-a-service, this allows the authors to infect more computers by letting others do the hard work of infecting computers.

Yet the gang behind PetrWrap has chosen not to give up a percentage of the profits. They are keeping all of the ransom payments for themselves. The module modifies and repurposes the malware code meaning even the Petya ransomware authors are unable to decrypt PetrWrap ransomware infections.

Kaspersky Lab research Anton Ivenov says “We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs.” He pointed out the significance of this, saying “the more time criminal actors spend on fighting and fooling each other, the less organized they will be, and the less effective their malicious campaigns will be.”

Petya – and PetrWrap ransomware – is not a typical ransomware variant in that no files are encrypted. While Locky, CryptXXX, and Samsa search for a wide range of file types and encrypt them to prevent users from accessing their data, Petya uses a different approach. Petya modifies the master boot record that launches the operating system. The ransomware then encrypts the master file table. This prevents an infected computer from being able to locate files stored on the hard drive and stops the operating system from running. Essentially, the entire computer is taken out of action. The effect however is the same. Users are prevented from accessing their data unless a ransom is paid. Petya and PetrWrap ransomware can spread laterally and infect all endpoint computers and servers on the network. Rapid detection of an infection is therefore critical to limit the harm caused.

Phishing Attacks on Law Firms Are Soaring

The past few months have seen an increase in phishing attacks on law firms. Cybercriminals are attacking law firms to gain access to the highly confidential data held by attorneys and solicitors. Healthcare industry attacks are often conducted to obtain sensitive patient data that can be used for identity theft and tax fraud. Phishing attacks on law firms on the other hand are conducted to steal data for insider trading. Data are also stolen to allow cybercriminals to blackmail law firms.

Law firms are threatened with reputation-killing publication of highly sensitive client data if sizeable payments are not made. Since law firms hold secret documents, including potentially damaging information on their clients, it is not only the law firm that can be blackmailed. Clients are also contacted and threatened. The profits that can be made from insider trading are enormous. The data held by law firms is incredibly valuable. It is therefore no surprise that phishing attacks on law firms are increasing. Cybercriminals see law firms as perfect targets.

Last year, more than 50 law firms were targeted by Russian hackers using a spear phishing campaign. The aim of that attack was to gather information that could be used for insider trading. The group, called Oleras, attacked some of the best-known law firms operating in the United States, including Cravath Swaine & Moor LLP and Gotshal and Manges LLP.

However, while those attacks were damaging, they arguably caused less harm than the Panama Papers Breach – The largest law firm data breach of the year. That attack resulted in an astonishing 2.6 Terabytes of data being stolen by the attackers – Documents that revealed highly sensitive banking activities of criminals, politicians, athletes and businessmen and women. More than 214,000 companies had data revealed as a result of that law firm data breach.

While law firms must ensure that firewalls are in place along with a host of other cybersecurity protections to prevent their systems from being hacked, all too often data breaches start with phishing attacks on law firms. A simple email containing a link to a website is sent to attorneys’ and solicitors’ inboxes. The links are clicked and users are fooled into revealing login credentials to networks and email accounts. The credentials are captured and used to gain access to sensitive data.

Website filtering for law firms is now as essential a protection as the use of antivirus software. Antivirus software may be able to detect attempted malware installations – although it is becoming less effective in that regard – although it will do little to prevent phishing attacks.

A web filter protects law firms by preventing users from visiting malicious links in emails. A website filtering solution also prevents end users from downloading malware, or accessing websites known to carry a high risk of infection with ransomware or malware. A web filter also prevents law firm staff from accidentally visiting phishing websites when browsing the Internet. Along with a robust spam filtering solution to prevent phishing emails from being delivered, law firms can make their networks and email accounts much more secure.

Further information on recent phishing attacks on law firms, along with steps that can be taken to prevent security breaches, can be found by clicking the image below. Clicking the image will direct you to a useful phishing infographic on this website.

 

Phishing Attacks on Law Firms

US Ransomware Attacks Quadrupled in 2016

According to a new report from data breach insurance provider Beazley, US ransomware attacks on enterprises quadrupled in 2016. There is no sign that these attacks will slow, in fact they are likely to continue to increase in 2017. Beazley predicts that US ransomware attacks will double in 2017.

Half of US Ransomware Attacks Affected Healthcare Organizations

The sophisticated nature of the latest ransomware variants, the broad range of vectors used to install malicious code, and poor user awareness of the ransomware threat are making it harder for organizations to prevent the attacks.

For its latest report, Beazley analyzed almost 2,000 data breaches experienced by its clients. That analysis revealed not only that US ransomware attacks had increased, but also malware infections and accidental disclosures of data. While ransomware is clearly a major threat to enterprises, Beazley warned that unintended disclosures of data by employees is actually a far more dangerous threat. Accidental data breaches increased by a third in 2016.

US ransomware attacks and malware incidents increased in the education sector, which registered a 10% rise year on year. 45% of data breaches experienced by educational institutions were the result of hacking or malware and 40% of data breaches suffered by companies in the financial services. However, it was the healthcare industry that experienced the most ransomware attacks. Nearly half of 2016 US ransomware attacks affected healthcare organizations.

The report provides some insight into when organizations are most at risk. US ransomware attacks spiked at the end of financial quarters and also during busy online shopping periods. It is at these times of year when employees most commonly let their guard down. Attackers also step up their efforts at these times. Beazley also points out that ransomware attacks are more likely to occur during IT system freezes.

Ransomware Attacks on Police Departments Have Increased

Even Police departments are not immune to ransomware attacks. Over the past two years there have been numerous ransomware attacks on police departments in the United States. In January, last year, the Midlothian Police Department in Chicago was attacked with ransomware and paid a $500 ransom to regain access to its files.

The Dickson County Sheriff’s Office in Tennessee paid $572 to unlock a ransomware infection last year, and the Tewksbury police department in Massachusetts similarly paid for a key to decrypt its files. In 2015, five police departments in Maine (Lincoln, Wiscasset, Boothbay Harbor, Waldboro and Damariscotta) were attacked with ransomware and in December 2016, the Cockrell Hill Police Department in Texas experienced a ransomware infection. The attack resulted in video evidence dating back to 2009 being encrypted. However, since much of that information was stored in backup files, the Cockrell Hill Police Department avoided paying the ransom.

Defending Against Ransomware

Unfortunately, there is no silver bullet to protect organizations from ransomware attacks. Ransomware defenses should consist of a host of technologies to prevent ransomware from being downloaded or installed, but also to ensure that infections are rapidly detected when they do occur.

Ransomware prevention requires technologies to be employed to block the main attack vectors. Email remains one of the most common mediums used by cybercriminals and hackers. An advanced spam filtering solution should therefore be used to prevent malicious emails from being delivered to end users. However, not all malicious attachments can be blocked. It is therefore essential to not only provide employees with security awareness training, but also to conduct dummy ransomware and phishing exercises to ensure training has been effective.

Many US ransomware attacks in 2016 occurred as a result of employees visiting – or being redirected to – malicious websites containing exploit kits. Drive-by ransomware downloads are possible if browsers and plugins are left unpatched. Organizations should ensure that patch management policies are put in place to ensure that all systems and software are patched promptly when updates are released.

Given the broad range of web-based threats, it is now becoming increasingly important for enterprises to implement a web filtering solution. A web filter can be configured to prevent employees from visiting malicious websites and to block malvertising-related web redirects. Web filters can also be configured to prevent employees from downloading malicious files and engaging in risky online behavior.

The outlook for 2017 may be bleak, but it is possible to prevent ransomware and malware attacks. However, the failure to take adequate preventative steps to mitigate risk is likely to prove costly.

Why a Restaurant WiFi Filtering Service is Now Essential

A restaurant WiFi filtering service can help to keep customers safe when they use the Internet by blocking access to websites known to contain malware. A restaurant WiFi filtering service will also ensure that patrons can only view website content that is suitable for families.

WiFi networks are often abused and used by some individuals to view pornography or other material that has no place in a restaurant. If one diner chooses to view such material on a personal device while in a restaurant, other diners may catch glimpses of the screen – That hardly makes for a pleasant dining experience.

However, there is another important reason why a restaurant WiFi filtering service should be used. Diners can be protected from a range of web-borne threats while using free wi-Fi networks, but also the computer systems of the restaurant.

Each year, many restaurants discover that their computers and networks have been infected with malware. Malware infections are often random; however, restaurants are now being targeted by cybercriminals.  If a hacker can gain access to a restaurant’s computer network and succeeds in loading malware onto its POS system, every customer who pays for a meal with their debit or credit card could have their credentials sent to the hacker.

Restaurants, especially restaurant chains, are targeted for this very reason. One infected POS system will give a cybercriminal a steady source of credit card numbers. Each year, there are many examples of restaurants that have been attacked in this manner. One of the latest restaurant chains to be attacked was Popeye’s Louisiana Kitchen – A multinational chain of fried chicken and fast food restaurants.

Popeyes recently discovered a cyberattack that resulted in malware being installed on its systems. The attack started on or around May 5, 2016 and continued undiscovered until August 18, 2016. During that time, certain customers who paid for their meals on their credit and debit cards had their card numbers stolen by the malware and passed on to the attackers.

Popeyes only discovered the cyberattack when it received notification from its credit card processor of suspicious activity on customers’ accounts. CCC Restaurant Enterprises, which operates Popeyes, retained a forensic expert to analyze its systems for signs of its systems having been compromised. That analysis revealed a malware infection. The information stealing malware was passing credentials to the attacker and those details were being used to defraud customers. Ten restaurants in the chain were known to have been affected. Those restaurants were located in Georgia, North Carolina, and Texas. The malware infection has now been removed and customers are no longer at risk, although the cyberattack undoubtedly caused reputation damage for the chain.

Malware can be installed via a number of different vectors. Vulnerabilities can be exploited in servers and software. It is therefore essential to ensure that all software is patched and kept up to date. Attacks can occur via email, with malicious links and attachments sent to employees. A spam filter can block those emails and prevent infection. Attacks can also take place over the Internet. The number of malicious websites now produced every day has reached record levels and the threat level is critical.

A restaurant WiFi filtering service will not protect against every possible type of attack but it does offer excellent protection against web-borne threats. A web filtering service can also prevent users from visiting malicious links sent in spam and phishing emails, blocking users’ attempts to click the links. A restaurant WiFi filtering service will also ensure family-friendly Internet access is provided to customers. Something that is increasingly important for parents when choosing a restaurant.

To find out more about how a restaurant WiFi filtering service can be implemented, the wide range of benefits that such a service offers, and for details of how you can trial the WebTitan restaurant WiFI filtering service for 30 days without charge, contact the TitanHQ team today.

Are You Prepared for a Ransomware Attack?

Are You Prepared for a Ransomware Attack?

It doesn’t matter which security report you read; one thing is clear. The ransomware problem is becoming worse and the threat greater than ever.

While ransomware attacks in 2015 were few and far between, 2016 has seen an explosion of ransomware variants and record numbers of attacks across all industry sectors. For every ransomware variant that is cracked and decryption software developed, there are plenty more to take its place.

200 Ransomware Families Now Discovered

As if there were not enough ransomware milestones reached this year, there is news of another. The total number of detected ransomware families has now surpassed 200. That’s families, not ransomware variants.

The ransomware families have been catalogued by the ID Ransomware Service; part of the Malware Hunter Team. The current count, which may well be out of date by the time this article is finished, stands at 210.

Not only are new ransomware being developed at an unprecedented rate, the latest variants are even sneakier and have new capabilities to avoid detection. They are also more virulent and capable of encrypting a far wider array of data, and can delete backup files and quickly spread across networks and storage devices.

More people are getting in on the act. Ransomware is being rented out as a service to affiliates who receive a cut of the ransoms they collect. Campaigns can now be run with little to no skill. Unsurprisingly there are plenty of takers.

Massive Campaign Spreading New Locky Ransomware Variant

One of the biggest threats is Locky, a particularly nasty ransomware variant that first appeared in February 2016. Even though Locky has not been cracked, new variants continue to be released at an alarming rate. This week yet another variant has been discovered. The developers and distributers are also using a variant of techniques to evade detection.

Three separate campaigns have been detected this week after a two-week period of relative quiet. The ransomware is now back with a vengeance, with one of the campaigns reportedly involving an incredible 14 million emails on October 24 alone; 6 million of which were sent in a single hour.

There have been some successes in the fight against ransomware. Earlier this year the No More Ransom project was launched. The No More Ransom Project is a joint initiative Europol and the Dutch National Police force, although a number of security firms have now collaborated and have supplied decryptors to unlock files encrypted by several ransomware strains. So far, decryptors have been uploaded to the site that can unlock several ransomware variants: Chimera, Coinvault, Rannoh, Rakhni, Shade, Teslacrypt, and Wildfire.

Ransomware Problem Unlikely to Be Solved Soon

Despite the sterling efforts of security researchers, many of the most widely used ransomware strains have so far proved impossible to crack. The authors are also constantly developing new strains and using new methods to avoid detection. The ransomware problem is not going to be resolved any time soon. In fact, the problem is likely to get a lot worse before it gets better.

Last year, an incredible 113 million healthcare records were exposed or stolen. This year looks like it will be a record-breaking year for breaches if incidents continue at the current rate. The sheer number of healthcare records now available to cybercriminals has had a knock-on effect on the selling price. Whereas it was possible to buy a complete set of health data for $75 to $100 last year, the average price for healthcare records has now fallen to between $20 and $50.

Cybercriminals are unlikely to simply accept a lower price for data. That means more attacks are likely to take place or profits will have to be made up by other means. The glut of stolen data is seeing an increasing number of cybercriminals turn to ransomware.

Are you Prepared for a Ransomware Attack?

With the threat from ransomware increasing, organizations need to prepare for an attack and improve defenses against ransomware. Policies should be developed for a ransomware attack so rapid action can be taken if devices are infected. A fast response to an attack can limit the spread of the infection and reduce the cost of mitigation; which can be considerable.

Defending against ransomware attacks is a challenge. Organizations must defend against malicious websites, malvertising, drive-by downloads, malicious spam emails, and network intrusions. Hackers are not only stealing data. Once a foothold has been gained in a network and data are stolen, ransomware is then deployed.

An appropriate defense strategy includes next generation firewalls, intrusion detection systems, web filtering solutions, spam filters, anti-malware tools, and traditional AV products. It is also essential to provide regular security awareness training to staff to ensure all employees are alert to the threat.

Even with these defenses attacks may still prove successful. Unless a viable backup of data exists, organizations will be left with two options: Accept data loss or pay the ransom. Unfortunately, even the latter does not guarantee data can be recovered. It may not be possible for attackers to supply valid keys to unlock the encryption and there is no guarantee that even if the keys are available that they will be sent through.

Since Windows Shadow copies can be deleted and many ransomware variants will also encrypt backup files on connected storage devices, backup devices should be air-gapped and multiple backups should be performed.

With attacks increasing, there is no time to wait. Now is the time to get prepared.

Top Websites Fail to Prevent Email Spoofing

Many top companies have not done enough to prevent email spoofing using their domains. A new study conducted by security firm Detectify has revealed that many top website domains are wide open to abuse because email servers have been misconfigured or do not use authentication.

Website Owners are Not Doing Enough to Prevent Email Spoofing

Detectify conducted the study to determine how widespread the problem really is. The top 500 Alexa ranked websites were scanned to determine whether vulnerabilities existed that would allow spammers to send spoofed emails from the domains. The Swedish security firm found that fewer than half of the websites tested had configured their email servers correctly. The majority had either misconfigured their email servers or had failed to use authentication, which could prevent email spoofing. 276 of the domains were discovered to be vulnerable. More than half of the most visited websites could therefore be used by spammers to send spoofed emails.

Email spoofing is the sending of emails using a forged email address. This can either be the sending of an email that appears to come from a particular domain – Using a very similar domain name for example – or sending fake emails from the domain itself. In the case of the former, there is little companies can do to prevent this and it is largely down to email recipients to carefully check the sender’s address.

However, organizations can take steps to prevent spammers from sending emails from their own domains. If fake emails are sent from their domains customers may be fooled into thinking the messages are genuine. Criminals use email spoofing for phishing, spearphishing, and malware/ransomware campaigns. It is easier for them to achieve their objective if the message recipients trust the domain from which the email is sent.

How to Prevent Email Spoofing

There are three main ways that companies can address vulnerabilities and prevent domain spoofing. The most common method is to use the Sender Policy Framework, or SPF.  By using this setting the website owner can specify which servers are permitted to send emails using the domain. There are three possible settings – hardfail, softfail, and neutral. To prevent email spoofing, hardfail should be selected. This will reject suspected spam emails and will ensure they are not delivered. If the softfail setting is used, emails will still be delivered although they should be marked as suspected spam. If neutral is used there is no control and all emails will be sent and delivered.

The 276 domains that Detectify discovered were vulnerable had used the softfail or neutral settings. Softfail is often used instead of hardfail to prevent the loss of emails that are incorrectly flagged. However, many free email providers such as Gmail fail to mark messages as spam if the softfail setting has been used.

Detectify recommended that websites use the hardfail setting and also use DMARC – Domain Based Message Authentication Reporting and Conformance. DMARC is a much more reliable way to prevent spoofed emails from a domain.  DMARC creates a link between the email and the domain name. This makes it easier to determine whether an email is genuine or if it just looks real. DMARC also sends reports to advise the domain owner who is sending emails from their domain.

However, only 42% of the websites tested used DMARC, and in many cases, the settings had been configured incorrectly. While SPF and DMARC are not infallible, they can make it much harder for spammers to send spoofed emails.