Zoho, phishing and who’s next?

ZDnet reports that Zoho’s problems with phishing aren’t over. Their report states that Zoho is being used as a pipeline to exfiltrate data from phished accounts.

The software platform’s email address service, on both zoho.com and zoho.eu domains, is being exploited in 40 percent of phishing campaigns in which email “is the primary exfiltration vehicle.”

That’s some serious problems.

Look, managing abuse and security is hard. Every online service is at risk and companies need to think not only about how they might be attacked but also how they may be a vector for attacks against others. Email is even more vulnerable than most services. Not only is email the key to online identity it’s also the vector for the majority of online attacks.

Companies running email services for customers must have two things.

  1. A security team that monitors infrastructure for attacks from bad actors. These attacks include “customers” attempting to identify vulnerabilities in your system so they can spam or phish through the system.
  2. A compliance team that monitors customers and acts on those “customers:” that managed to sneak through the automated defences.

Every company that provides an email module in their platform is vulnerable. Every one. The big ESPs, the ISPs and the cable companies have pretty good defences these days. They’ve made spamming and phishing through their services hard enough that the bad guys are looking at much smaller companies.

No service is too small for them to look at. In fact, the smaller companies are ideal. Often the smaller companies outsource their infrastructure to a larger company, like SendGrid, Mandrill or Sparkpost. The spammers have been kicked directly off their platforms, but they can still spam through them, by abusing their customers.

The bad guys are getting smarter. They work hard to make themselves look like somewhat confused customers to extend any time on a platform. In every case they know they’re going to get cut off, at some point, they’re just trying to abuse the platform a little longer.

Compliance and security are hard. Being small is no excuse to ignore either.

Schroedinger’s email
DNS Flag Day

Related Posts

Let's talk CAN SPAM

CheckboxEarlier this week I posted about the increased amount of B2B spam I’m receiving. One message is not a huge deal and I just delete and move on. But many folks are using marketing automation to send a series of emails. These emails often violate CAN SPAM in one way or another.
This has been the law for 13 years now, I find it difficult to believe marketers are still unaware of what it says. But, for the sake of argument, let’s talk about CAN SPAM.

Read More

Permission trumps good metrics

Most companies and senders will tell you they follow all the best practices. My experience says they follow the easy best practices. They’ll comply with technical best practices, they’ll tick all the boxes for content and formatting, they’ll make a nod to permission. Then they’re surprised that their mail delivery isn’t great.

Read More

Shibboleet

Using unique addresses for signups gives me the ability to track how well companies are protecting customer data. If only one company ever had an address, and it’s now getting spam or phishing mail, then that company has had a data breach. The challenge then becomes getting the evidence and details to the right people inside the company.
In one case it was easy. I knew a number of people inside the company and knew they would take it seriously and pass it on to the folks in the best place to deal with it. I did. They did. They got their systems secured and notified customers and it was all taken care of.
Other cases aren’t as easy.
Many years ago I got mail from my credit card company to a unique address. This was long before SPF or DKIM and the mail contained links different from the company’s main domain. I called them up to see if this was real or not. They told me it wasn’t, because tier 1 support are trained to tell users everything is suspicious. Eventually, though, it became clear this wasn’t a phish, it was just bad marketing by the company.
A few years ago I reported a possible breach to representatives of a company while at a meeting. Coincidentally, the address only their company had started getting phishing and spam during the conference. I brought it up to them and followed their directions for reporting. They asserted the leak wasn’t on their end, but to this day I get multiple spams a day to that address. They claimed that the spammer was someone I was friends with on their website, but they could never quite demonstrate that to my satisfaction. I treat that site as only marginally secure and take care with the information I share.
After Target was breached they emailed me, out of the blue, to the address I use at Amazon. There was some level of partnership between Amazon and Target and it appears Amazon shared at least part of their database with Target. I talked with security folks at Amazon but they told me they had no comment.
Of course, on the flip side, I know how challenging it is to sort through reports and identify the ones that are valid and ones that aren’t. When I handled abuse@ we had a customer that provided a music sharing program. If a connection was interrupted the software would attempt to reconnect. Sometimes the connection was interrupted because the modem dropped and a new person would get the IP address while the software was trying to reconnect. This would cause a flood of requests to the new person’s computer. These requests would set off personal firewalls and they’d contact abuse to tell us of hacking. There wasn’t any hacking, of course, but they’d still argue with us. One of my co-workers had a nickname for these folks that was somewhat impolite.
We had to implement some barriers to complaints to sort out the home users with personal firewalls from the real security experts with real firewalls that were reporting actual security issues. So I get that you don’t always want or need to listen to J. Random Reporter about a security issue.
Sometimes, though, J. Random Reporter knows what they’re talking about.

Yeah, I spent the morning trying to get support at a company to connect me to security or pass a message along. Too bad there isn’t a security shibboleet.

Read More