ESP attacks, again. Be wary.

There seems to be an uptick in phishing attacks that have an impact on ESPs recently.
Your CEO
The most critical one is targeted spear-phishing attacks that claim to be internal documents sent by senior staff within the company, e.g. from the company CEO.
It’s likely that the attached documents will compromise and backdoor your machine, and from their most of your internal network, using an infected document to load a remote administration tool (RAT) such as Netwire.
Be very, very wary of document attachments, especially in generic looking emails that you weren’t expecting, from senior people. Making sure your antivirus signatures are up to date is a great idea, but nothing will protect you as effectively as not opening the infected documents.
Your domain registrar
The other campaign I’m aware of is emails that claim to be abuse reports from registrars (e.g. opensrs, tucows, etc) aimed at domain registration contacts, claiming that a domain has been suspended and that the recipient should click on a link to “download a copy of complaints received”.
e.g.

Dear Steve Atkins,
The Domain Name ABUSEMONKEY.COM have been suspended for violation of the TUCOWS, INC. Abuse Policy.

or

Dear Sir/Madam,
The following domain names have been suspended for violation of the TUCOWS, INC. Abuse Policy:
Domain Name: KNOWYOURDELIVERY.COM
Registrar: TUCOWS, INC.
Registrant Name: Steve Atkins

Related Posts

Return Path partners with Symantec

Today Return Path announced a partnership with Symantec to improve their anti-phishing product. Return Path is incorporating the Symantec Trusted Domain List into their authentication and filtering product to help customers protect their brands. Press Release
Phishing scams affect everyone, and having a brand that is used in phishing can reduce consumer trust in that brand. Protecting brands in email has been one of the more difficult challenges facing the email community. With the adoption of DKIM and DMARC by major brands and ISPs it has become easier to track and address phishing.

Read More

We're all targets

Last week, another email provider announced their systems had a security incident. Mandrill’s internal security team detected unusual activity and took the servers offline to investigate. While there’s no sign any data was compromised or servers infiltrated, Mandrill sent an email to their customers explaining the incident was due to a firewall rule change.
Email service providers are a high value target for hackers, even if all they have is email addresses. Selling the email addresses is extremely profitable for hackers who can either sell the list outright or sell access to the list. In addition to gaining access to the email addresses, hackers often use the ESP to send these messages essentially stealing the ESP’s reputation to deliver the spam.
It was just over four years ago when a number of major ESPs were targets of a large attack and multiple ESPs were compromised. Earlier this month, three people were arrested for their roles in the attack. While the attacks four years ago were primarily spear phishing attacks, the security incident at Mandrill shows that hackers and botnets are actively probing the ESP’s network looking for access or known vulnerabilities. Spear phishing is an attempt to gain unauthorized access to a system by specifically targeting an individual, group, or organization. The scam attempts to have the user to click a link to infect their computer and network or capture their user id and password via a fake website. The scam email may appear to be sent from the company’s security or human resources department, but the email is either forged or another user’s account has been compromised.
Just because recent arrests have been made does not mean the threat is over. Systems often change, are upgraded, and are integrated with many additional services and systems can become vulnerable.  Security will never be a set and forget policy. In the last 12 months there has been two significant vulnerabilities discovered, first Heartbleed and second was POODLE. Security professionals from all industries had to react quickly to secure their systems and hackers immediately began probing for systems that were unpatched. GFI reports there were over 7,000 vulnerabilities discovered in 2014 with 24% of them being rated as high severity. Security must not only cover servers, but the transmission of the data internally and with third-party vendors, and the workstations of employees.
IT and security professionals must be ever vigilant in protecting their network and their customers data. SANS Institute provides a number of security control best practices including a document on Data Protection. The control recommendations range from quick wins to advanced considerations such as monitoring all traffic leaving the organization and being able to detect any unauthorized or unusual transfer of data, blocking access to file transfer protocols and file sharing websites, performing annual reviews of all keys, certifications, and security procedures.
One of the best ways to help the entire industry to be secure is to be transparent and open when incidents happen. Mandrill has published a blog post with the results of their investigation.

Read More

Aetna, phishing and security

We’ve just gotten home from M3AAWG and I’m catching up with a lot of the administrative stuff that’s gotten ignored while we were soaking up the tons of information from some of the smartest Internet security folks around. One of the tasks I’m working on is checking on our recent bills from our health insurance provider. Their website seems to be down, so I called them up and asked them if it was down or if something was broken on my end.
They did confirm there was a problem with the site “earlier today” but then started asking me for my account information. They’ve promised to email me a new password because of reasons.
One of the things about M3AAWG is that concentrated discussions about spam and online criminals and security can make everything feel so fragile and security so inadequate to protect us against criminals. I start thinking that everything is compromised. It doesn’t help that websites fail just at the time when I start trying to figure out if my personal information leaked out.
In the course of trying to figure out if there is something wrong at Aetna and if my personal information is safe, I find an article about how poor security is for health companies. “Health companies flunked an email security survey—except Aetna.” Apparently, out of all the health companies out there, Aetna are the only ones fully implementing DMARC on all their mail streams.
The problem is that for the mail I received from Aetna, the visible From: address is AetnaeBilling@aetnagroupbilling.com. This is one of the major vulnerabilities of DMARC. How can I, as a recipient, tell that this is officially mail from Aetna? Any phisher could register “aetnabilling.com” or “aetnagoupbilling.com” or “aetnaebilling.com” and publish DMARC records and use those records to phish customers. Even worse, aetnagroupbilling.com isn’t a SSL registered website.
This is exactly the type of setup a phisher would use to gain access to people’s health insurance accounts. And Aetna offers the ability to draft payments directly from a business checking account, so breaking into the billing account also offers some level of access to the business money.
Do I think this is a phish? No.
Do I think the average person would be able to tell that? No.
There’s got to be a better way to secure folks online.

Read More