SaaS systems are spammer targets

There are probably hundreds of thousands of really awesome SaaS products out there. They provide a framework to do all sorts of stuff that used to be really hard to do. Almost all of them include some email component. They dutifully build the email piece into their platform and, because they’re smart, they outsource the actual sending to one of SMTP providers. They’re happy, their customers are happy, and spammers are happy.

SaaS providers focus on their core competencies, which is their platform. Their focus is building a product that meets the needs of their customers. They’re not an email service provider, so they think, and they don’t really pay much attention to email. They send mail by handing it off to their provider and assume all will be well with delivery because their customers are small businesses and are not sending lots of mail and aren’t spammers.

The problem is, spammers have recognized these SaaS companies are a way to access high powered sending infrastructure that have banned them from sending directly. Many of these bad guys take advantage of freemium models and simply send low volumes of email through multiple accounts. Because they’re hiding in the middle of real customers, they can often go undetected for months or years.

Eventually, though, someone notices and the SaaS provider experiences a blocklisting or other delivery problem. At that point, there’s a scramble to figure out why delivery is horrible or they’re listed on Spamhaus or their provider is sending them compliance notices. Often responding to these problems can take months and require some business processes to be rethought from the ground up.

There’s no easy fix for this problem. But just as SaaS providers need to think about application and data security, they also need to think about email security. How can they detect and prevent spammers from abusing their system and hurting them and their customers.

 

Related Posts

Gmail reports spear phishing attack

No one, it seems, is immune from account compromise attempts. Today Google reported they had identified a systemic campaign to compromise Gmail accounts belonging to “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
Google offers a number of solutions for users, including the ability to add 2 factor authentication to your Gmail account. I strongly recommend anyone who uses Gmail to do this.
This isn’t a security blog, but email is one of the major vectors used to infect machines. We’ve seen numerous break ins targeting email senders and ESPs, resulting in customer and recipient data being stolen and then used for spam. Everyone who uses email needs to be aware of the risks and maintain their email account integrity. Be careful clicking links in emails. Be careful opening webpages. Keep your antivirus software up to date.
Everyone is a target.
 

Read More

We're all targets

Last week, another email provider announced their systems had a security incident. Mandrill’s internal security team detected unusual activity and took the servers offline to investigate. While there’s no sign any data was compromised or servers infiltrated, Mandrill sent an email to their customers explaining the incident was due to a firewall rule change.
Email service providers are a high value target for hackers, even if all they have is email addresses. Selling the email addresses is extremely profitable for hackers who can either sell the list outright or sell access to the list. In addition to gaining access to the email addresses, hackers often use the ESP to send these messages essentially stealing the ESP’s reputation to deliver the spam.
It was just over four years ago when a number of major ESPs were targets of a large attack and multiple ESPs were compromised. Earlier this month, three people were arrested for their roles in the attack. While the attacks four years ago were primarily spear phishing attacks, the security incident at Mandrill shows that hackers and botnets are actively probing the ESP’s network looking for access or known vulnerabilities. Spear phishing is an attempt to gain unauthorized access to a system by specifically targeting an individual, group, or organization. The scam attempts to have the user to click a link to infect their computer and network or capture their user id and password via a fake website. The scam email may appear to be sent from the company’s security or human resources department, but the email is either forged or another user’s account has been compromised.
Just because recent arrests have been made does not mean the threat is over. Systems often change, are upgraded, and are integrated with many additional services and systems can become vulnerable.  Security will never be a set and forget policy. In the last 12 months there has been two significant vulnerabilities discovered, first Heartbleed and second was POODLE. Security professionals from all industries had to react quickly to secure their systems and hackers immediately began probing for systems that were unpatched. GFI reports there were over 7,000 vulnerabilities discovered in 2014 with 24% of them being rated as high severity. Security must not only cover servers, but the transmission of the data internally and with third-party vendors, and the workstations of employees.
IT and security professionals must be ever vigilant in protecting their network and their customers data. SANS Institute provides a number of security control best practices including a document on Data Protection. The control recommendations range from quick wins to advanced considerations such as monitoring all traffic leaving the organization and being able to detect any unauthorized or unusual transfer of data, blocking access to file transfer protocols and file sharing websites, performing annual reviews of all keys, certifications, and security procedures.
One of the best ways to help the entire industry to be secure is to be transparent and open when incidents happen. Mandrill has published a blog post with the results of their investigation.

Read More

Social media connections are not opt-ins

It seems silly to have to say this, but connecting on social media is not permission to add an address to your newsletter or mailing list or prospecting list or spam list. Back in 2016, I wrote:

Read More