<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; phishing</title>
	<atom:link href="http://www.theemailadmin.com/tag/phishing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 14:00:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Addressing Three Major Email Threats</title>
		<link>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/</link>
		<comments>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 15:00:02 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Advance-fee fraud]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[Email client]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[PayPal]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Rustock botnet]]></category>
		<category><![CDATA[spam email]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5325</guid>
		<description><![CDATA[According to most reports, the amount of email spam is diminishing. Experts credit the takedown of massive botnets like Rustock, a more educated user base and advancements in spam fighting technologies for this trend. However, even though one of the most annoying, and troublesome, threats to email accounts is on a downswing it doesn’t mean [...]<p><a href="http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/">Addressing Three Major Email Threats</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/Email_Security_Image_XSmall_400x300.jpg"><img class="alignright size-full wp-image-5326" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/Email_Security_Image_XSmall_400x300.jpg" alt="" width="280" height="210" /></a>According to most reports, the amount of email spam is diminishing.</p>
<p>Experts credit the takedown of massive botnets like Rustock, a more educated user base and advancements in spam-fighting technologies for this trend. However, even though one of the most annoying, and troublesome, threats to email accounts is on a downswing, it doesn’t mean for one second that email is no longer a part of the IT infrastructure that is vulnerable to threats.</p>
<p>Understanding the different ways cyber criminals and script kiddies can use vulnerabilities in email clients and servers to attack a system will help any email administrator keep email services running smoothly, and the entire infrastructure safe from a great number of exploits that can do some serious damage.<span id="more-5325"></span></p>
<p>Listed below are three of the most serious threats that, if ignored, can cause major security problems for your email systems.</p>
<p><strong>1. Malware being spread via email</strong></p>
<p>To say that spam levels are dropping dramatically is almost a half truth. While users are seeing less spam advertising pharmaceuticals, financial services, pornography and work-at-home schemes, it doesn’t necessarily mean that spam itself is being beaten back.</p>
<p>Actually, while the use of spam for advertising and marketing may be down, the numbers are increasing for spam messages that carry something far worse than the Nigerian prince scam. These messages actually contain malware or links to malicious sites.</p>
<p>Knowing full well that many users have been taught not to download attachments they don’t trust, cyber criminals have turned to simply inserting a link to a web site in their emails. When the victim clicks the link, they are taken to a site that runs scripts to infect their computers with Trojan horses, keystroke loggers and other types of malicious software.</p>
<p><strong>2. Information leaks</strong></p>
<p>Not all threats come from outside. Anyone who has worked to secure confidential data knows all too well that one of the biggest areas of concern is information being leaked from an inside threat.</p>
<p>Inside threats happen through a variety of means. You could have a disgruntled employee who is looking to hurt the company or you could have an employee who is looking to make a little extra money moonlighting as a corporate spy. There have even been instances where someone lands a job with a company for the sole reason of stealing confidential or proprietary information.</p>
<p>While these scenarios seem like they came from a Hollywood studio, they do happen &#8211; just not that often.</p>
<p>Most likely, you will find that information is leaked by accident. An employee includes something in an email message that is considered sensitive. That email, once it leaves the protection of your company, can now be forwarded on or even intercepted in transit. The contents can then be easily exposed revealing trade secrets, private information or even embarrassing content.</p>
<p><strong>3. Go phish</strong></p>
<p>Phishing is a threat that has been on the radar of most IT administrators for some time. And with data breaches like the recent attack against Epsilon, millions of corporate email addresses have been compromised and are ready to be used in phishing attacks.</p>
<p>The scary part of phishing attacks nowadays is that it is becoming harder to tell them apart from legitimate emails. Take a look at recent PayPal and banking emails that have been sent out requesting people to reset their account passwords or log in to address some issues with their account.</p>
<p>It is becoming tough for people to tell the difference between a real request from their financial institution and one aimed at compromising their login details.</p>
<p>Of course, financial data isn’t the only thing that phishers chum the waters for. They know full well that a majority of people use the same username and password for a majority of web sites. If they can capture a password, they can usually recreate the username for your business’s network resources, giving them free rein over anything the victim has access to.</p>
<p>Safeguarding against email-based attacks is something that every IT admin needs to take seriously if they want to protect their network. Employing a solution that addresses the mail servers, mail client, users and other network resources is one of the key steps to protect against as many points of attack as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lessons Learned from the Loggly Outage</title>
		<link>http://www.theemailadmin.com/2011/12/lessons-learned-from-the-loggly-outage/</link>
		<comments>http://www.theemailadmin.com/2011/12/lessons-learned-from-the-loggly-outage/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 14:00:03 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5123</guid>
		<description><![CDATA[For those of you who haven’t heard of Loggly, Loggly is cloud based service for complete application intelligence for app developers.  Loggly uses log data to collect, analyze, troubleshoot and monitor your applications. They are a heavy user of Amazon’s Web Service hosting, and recently experienced a truly stellar outage of massive proportions. You can [...]<p><a href="http://www.theemailadmin.com/2011/12/lessons-learned-from-the-loggly-outage/">Lessons Learned from the Loggly Outage</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2011/12/doh.jpg"><img class="alignright size-full wp-image-5124" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/doh.jpg" alt="" width="226" height="223" /></a>For those of you who haven’t heard of Loggly, Loggly is a cloud-based service for complete application intelligence for app developers. Loggly uses log data to collect, analyze, troubleshoot and monitor your applications. They are a heavy user of Amazon’s Web Service hosting, and recently experienced a truly stellar outage of massive proportions. You can read about that on a Loggly blog post <a href="http://loggly.com/blog/2011/12/logglys-outage-for-december-19th/" onclick="pageTracker._trackPageview('/outgoing/loggly.com/blog/2011/12/logglys-outage-for-december-19th/?referer=');">here</a>, which I encourage you to do. However, I am not here to talk about lessons learned about hosting and availability, and putting eggs in consolidated baskets. Nor am I planning to talk about on premise versus hosted, and the perceived dangers of <em>the cloud.</em> It’s what happened to Loggly and how they went unaware of the impending freight train heading their way that I want to discuss, because there are some great lessons to learn from that little subset of their blog post.<span id="more-5123"></span></p>
<p>Here’s the bit that prompted this post:</p>
<blockquote><p>Originally we stated we had not received reboot notices from Amazon, but the truth is that (4) of the staff here, myself included, received two separate vague notices, one from about 10 days ago, and another from 3 days ago, which stated &#8216;some or all&#8217; of our instances were scheduled to be rebooted.  These notices were found in our spam folders on Gmail, placed there with a very large red notice reading: &#8220;Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.&#8221;</p></blockquote>
<p>In summary, AWS did send notice in advance, but those notices went unread. One of my favourite John Wayne movies is “<a target="_blank" href="http://www.imdb.com/title/tt0066831/" onclick="pageTracker._trackPageview('/outgoing/www.imdb.com/title/tt0066831/?referer=');">Big Jake</a>” and one of my favourite quotes comes from that movie. It is quite appropriate here, if somewhat shortened for context.</p>
<blockquote><p>Anything goes wrong, anything at all…your fault, my fault, nobody’s fault…it won’t matter</p></blockquote>
<p>And the fact is that it won’t matter at all that AWS notifications to Loggly got flagged as spam and therefore filed in the next best thing to the bit bucket. It doesn’t matter that Loggly is using Gmail, which strikes me as somewhat strange for a business, though perhaps they meant Gmail for Domains. It also doesn’t matter at all that whatever AWS sent in those email notifications, it caused some spam filter somewhere to flag the messages as spam, and even worse, as a potential phishing message. What matters is that notices of reboots were sent, they weren’t read, and a full outage resulted. Oops.</p>
<p>So here’s where I think the fix lies. With Amazon. NOT THE BLAME, just the fix, and this is the lesson I want us all to take away from what happened to Loggly and with the perspective that as a service provider, we should do better for our customers.</p>
<ol>
<li>Establish a single email address to send out service notifications from.</li>
<li>Ensure it is monitored and checked regularly for replies, NDRs, etc.</li>
<li>Encourage customers to use a D/L for our notifications that helps ensure key personnel within our customers’ orgs receive all notifications.</li>
<li>Monitor the popular DNSBL services to make sure we’re not listed by mistake.</li>
<li>Follow up on any NDRs to make sure customers are able to receive notifications.</li>
<li>Test that by making new customers receive and acknowledge they have received a test notification email.</li>
<li>Make sure that the email address is properly formatted and from your domain.</li>
<li>Use valid SPF and DKIM and ensure that alert emails are sent from a compliant system.</li>
<li>PGP or GPG sign all messages sent from this account to provide further authenticity.</li>
<li>Keep links and additional content that could be misinterpreted as spam to a minimum.<br />
Okay, the above make a lot of sense, and are probably already being done by most of you, but here’s where we as service providers should take things to the next level.</li>
<li>Maintain an email account on the popular services (Hotmail, Gmail, Yahoo, AOL, etc.) and send notifications to those accounts regularly to test for deliverability.</li>
</ol>
<p>That last step is where I think Amazon should take a closer look, and any of us who are service providers should too. I like Gmail, and I trust Gmail, and if they find something in an email that makes them flag it as a phishing message (indicated by the Loggly blog post when they copied the &#8220;Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information&#8221;) then there is something in that email that set off all the alarms, failed the sniff tests, and was probably just a bad idea not really adding any value to the notification. Maybe the source address was different from the reply-to (and in a different domain) or maybe the notification had links to a number of obfuscated URLs. Whatever the reason is, if I had seen a message in my spam folder that was flagged like that, I would have ignored it too.</p>
<p>When we, as service providers, need to notify our users of important things, like maintenance windows, changes to our terms of service, our outages, we need to make darn sure that users get them.</p>
<p>What about you? Have you ever missed a key notification because it fell victim to a false positive, or do you have any better ways to keep communications open with your customers?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/lessons-learned-from-the-loggly-outage/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Email Authentication More Important Than Ever</title>
		<link>http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/</link>
		<comments>http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/#comments</comments>
		<pubDate>Thu, 06 Oct 2011 14:00:44 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[David Vladeck]]></category>
		<category><![CDATA[DKIM]]></category>
		<category><![CDATA[Domain name]]></category>
		<category><![CDATA[Domain Name System]]></category>
		<category><![CDATA[DomainKeys Identified Mail]]></category>
		<category><![CDATA[email spoofing]]></category>
		<category><![CDATA[IP address]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Sender ID]]></category>
		<category><![CDATA[sender policy framework]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4709</guid>
		<description><![CDATA[Every year, the Online Trust Alliance publishes its Online Safety Honor Roll and Scorecard to measure the adoption of security measures across the Internet. Basically, it is a report card of measuring the steps public and private companies, as well as government agencies, are taking towards cyber security. This year email made some promising gains [...]<p><a href="http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/">Email Authentication More Important Than Ever</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/email-authentication.jpg"><img class="alignright size-full wp-image-4710" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/email-authentication.jpg" alt="" width="276" height="183" /></a>Every year, the Online Trust Alliance publishes its Online Safety Honor Roll and Scorecard to measure the adoption of security measures across the Internet.</p>
<p>Basically, it is a report card of measuring the steps public and private companies, as well as government agencies, are taking towards cyber security.</p>
<p>This year email made some promising gains when it comes to authentication.<span id="more-4709"></span></p>
<blockquote><p>“Domain level email authentication is a potent weapon in the fight against spam and phishing attacks.  But, for it to work, legitimate emailers must authenticate the messages they send and receiving domains must refuse delivery of unauthenticated messages,” according to David Vladeck, Director of the FTC’s Bureau of Consumer Protection.</p></blockquote>
<p>According to this year’s scorecard, more than 56 percent of all those surveyed are using either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM). For the first time, email authentication has gone beyond 50 percent showing a marked improvement when it comes to email security.</p>
<p>The report, which breaks down results by segment, shows that:</p>
<ul>
<li>Social media sites lead with 92 percent adopting email authentication</li>
<li>Internet retail coming in second with 84 percent adopting standards</li>
<li>FDIC banks just making the grade at 59 percent</li>
<li>Government agencies falling behind at 38 percent</li>
</ul>
<p>However, while government still lags behind the average, they did make an 18.8 percent increase from last year’s numbers &#8211; so they are getting better.</p>
<p>So if your organization is one of those lagging behind there are a few things you can do when it comes to email authentication.</p>
<h2>Sender Policy Framework</h2>
<p>Sender Policy Framework is an IP-based solution to prevent spammers and attackers from spoofing your email addresses. By creating an SPF record in your email domain’s Domain Name System (DNS) zone, you let recipients verify that email claiming to be from your domain actually comes from your organization.</p>
<p>To set this up the email administrator needs to follow these steps:</p>
<ol>
<li>Inventory the IP addresses that send emails from your company. This needs to include remote workers, email service providers and third parties.</li>
<li>Once you have collected all the necessary IP addresses, create the authentication records (DNS TXT records) for your organization using the Microsoft Sender ID Framework Wizard (<a target="_blank" href="http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard" onclick="pageTracker._trackPageview('/outgoing/www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard?referer=');">http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard</a>) or the SPF Record Wizard (<a target="_blank" href="http://www.openspf.org/" onclick="pageTracker._trackPageview('/outgoing/www.openspf.org/?referer=');">http://www.openspf.org</a>). Your team then publishes these records.</li>
<li>Now, using the tool from OpenSPF (<a target="_blank" href="http://www.openspf.org/why.html" onclick="pageTracker._trackPageview('/outgoing/www.openspf.org/why.html?referer=');">http://www.openspf.org/why.html</a>), your team needs to validate that the published records are error free.</li>
</ol>
<p>Once the records are published your email administrative team will need to maintain these records and make changes as necessary.</p>
<h2>DomainKeys Identified Mail</h2>
<p>DKIM, used in conjunction with SPF, is considered to be the best way to authenticate your email messages.</p>
<p>Essentially, when using DKIM, a certificate is created and added to a TXT record on a specific DNS server.</p>
<p>When the recipient receives the email, the signature in the DKIM header is verified against the certificate on the DNS server of the signer’s domain, which prevents the message from being spoofed.</p>
<p>Unfortunately, setting up DKIM is not as simple as SPF because it varies based on your infrastructure. Working with your email provider and IT department, you will be able to set up this complementary piece to the Sender Policy Framework. More information can be found at <a target="_blank" href="http://www.dkim.org/" onclick="pageTracker._trackPageview('/outgoing/www.dkim.org/?referer=');">http://www.dkim.org</a>.</p>
<p>Even though using DKIM and SPF together is considered one of the most effective ways to prevent spoofing and phishing attacks using your email addresses, it is not foolproof.</p>
<p>Whenever there is money to be made through illicit means, there will be people out there one step ahead of the game. This is certainly true when it comes to email.</p>
<p>In addition to employing solutions like those mentioned here, it is more important than ever for organizations to monitor their brand to make sure that nothing is being done to compromise the level of trust that customers, and constituents, have for them.</p>
<p>As email security measures grow increasingly complex, so do the attacks against these systems. Using trusted methods and professionals is the only way that security can stay out in front.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Secure Your Desktop &#8211; Protect Your Email</title>
		<link>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/</link>
		<comments>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 14:00:58 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email servers]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4410</guid>
		<description><![CDATA[So you have been tasked with securing your organization’s email services. There are quite a few guides available on the Internet and in different computer bookstores that can take you through the basics &#8211; and if you are ahead of the game you may have already done your homework. So you have looked at your [...]<p><a href="http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/">Secure Your Desktop &#8211; Protect Your Email</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/08/Desktop_security_splash.jpg"><img class="alignright size-full wp-image-4413" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/08/Desktop_security_splash.jpg" alt="Securing the desktop is a major part of email security" width="300" height="259" /></a>So you have been tasked with securing your organization’s email services.</p>
<p>There are quite a few guides available on the Internet and in different computer bookstores that can take you through the basics &#8211; and if you are ahead of the game you may have already done your homework.<span id="more-4410"></span></p>
<p>So you have looked at your email server, or servers, and taken the recommended steps of:</p>
<ul>
<li>Installing a commercial email security solution,</li>
<li>Updating the server’s operating system,</li>
<li>Patching all required software,</li>
<li>Turning off all unnecessary services,</li>
<li>Configuring your email server to sit behind the external firewall,</li>
<li>Encrypting your email storage,</li>
<li>Setting a backup schedule,</li>
<li>Testing the recovery portion of your backup,</li>
<li>Training your users on your company email policies.</li>
</ul>
<p>Confident that your email services are now secure, you can roll up your sleeves and attack the next item in the pile of projects that is sitting on your desk, right?</p>
<p>Not so fast. Unfortunately, there is still quite a bit of work to do.</p>
<h2>What am I missing?</h2>
<p>Like any other computer service, email requires many different users to share information with the email server or cluster of servers. Each user connects via a desktop computer, a laptop, tablet, or smart phone; as a result, there is a two-way communication going on between them where data is exchanged. Can you see where we are going with this?</p>
<p>That’s right. Even if the servers that drive your company’s email are secured, there still remains that one variable that is often the root of so many security problems &#8211; the user.</p>
<p>If just one of those many users connects to the company’s email servers with an unsecured or infected device, it could mean disaster for your organization’s email. Consider the fact that email is still the preferred method of business communication, and you could have some serious problems on your hands.</p>
<h2>Securing the endpoint</h2>
<p>Your company can buy the top of the line security tools, train users until they can recite policies in their sleep and keep everything under a watchful eye, but all it takes is one zero-day vulnerability to be exploited on a device that a user connects to your network with and you can consider yourself compromised.</p>
<p>You see, attackers know that the weakest point in any organization is the user and his or her computer. Servers are often guarded with firewalls, intrusion detection and prevention devices, and diligent operators. The low hanging fruit is the user so that is where the attackers concentrate.</p>
<p>Training is always considered the best way to enforce security in an organization. The thought is that if people are aware of what the threats are and what they can do to stop them, then most attacks can be mitigated. We know that’s not the case. Training and education work, but only so much. Instead of being looked at as the solution, they should be considered a part of a larger plan to stop threats against your email. Other elements of the overall strategy should include:</p>
<p><strong>Check your computers for malware</strong></p>
<p>No solution is going to stop 100 percent of all malicious software from infecting computers on your network. However, having a solution in place that constantly scans your network devices for malicious software is a crucial part of your overall security because, believe me, something is better than nothing. This means running anti-malware software that will be automatically updated. Even better, make sure you can configure the solution so that users can’t opt to postpone the updates.</p>
<p><strong>Update the OS and all software</strong></p>
<p>After you have tested the updates and patches published for your computers’ operating systems and software, make sure that they are installed. Most patches are released to fix problems and plug up exploits found in the software code. Not updating your machines leaves them open to attack.</p>
<p><strong>Update the browser</strong></p>
<p>As email moves to the cloud, it is essential that the browser used in your organization is updated as regularly as any other software. This includes any plug-ins or extensions used by the browser. Even if you are still hosting mail services yourself, websites continue to grow as a method of delivering malware to computers, so using a secured browser is essential to protect users from being infected by seemingly harmless sites that they visit.</p>
<p>Email security is not easy. As with any other portion of your infrastructure&#8217;s security, it takes diligence, knowledge and skill. However, email security cannot be avoided simply because it is too hard a task to complete. You can certainly look into solutions that help ease the workload and make up for any deficiencies when it comes to this job.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Tips for Better Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/#comments</comments>
		<pubDate>Mon, 27 Jun 2011 16:34:23 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[email servers]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4216</guid>
		<description><![CDATA[Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many. Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_4217" class="wp-caption alignright" style="width: 235px"><img class="size-medium wp-image-4217 " style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/advanced-persistent-threat-225x300.jpg" alt="Advanced persistent threats make email security a necessity" width="225" height="300" /><p class="wp-caption-text">Advanced persistent threats make email security a necessity</p></div>
<p>Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many.</p>
<p>Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening the email servers against attack. To fully protect your organization’s email and its contents, the mailbox also needs to be defended, especially when you consider how popular Advanced Persistent Threats are becoming with large cyber crime syndicates, who use email not only as a way to harvest sensitive information, but also as a method of attack through phishing and social engineering.<span id="more-4216"></span></p>
<p>By building the following tips into your security plan, you can help protect against these and the many other threats that your organization may face:</p>
<p><strong>Create email policies to regulate the communication of confidential information</strong></p>
<p>Email communication has become second nature in the workplace. It is quick, easy and it gives us a record of our conversation so we can refer back to any information at a later date. However, if the conversation contains sensitive information like login credentials, financials, personal information, and the like, then it can be extremely valuable to anyone who may harvest those emails.</p>
<p>By simply setting up, and enforcing, policies that restrict certain information from being sent via email you can mitigate the damage done if emails are exposed. At the very least, your policy should state that user logins and passwords (and/or PINs) not be communicated via email.</p>
<p><strong>Teach users to encrypt their messages</strong></p>
<p>One of the best analogies I have seen to describe the need for encrypting emails is one that compares email to a postcard. Basically, anyone who comes across it can read the contents if they want. This can be stopped by encrypting emails to prevent eavesdropping.</p>
<p>Encryption is a hard thing for many people. It requires additional steps, training and, in some cases, third-party software (such as PGP) yet it is really the only way to keep your messages private in transit.</p>
<p>Encryption shouldn’t be limited to sending and receiving messages alone. Any email that is stored on a hard drive (think personal folders), a network drive, backup servers or archive systems should also be protected from any prying eyes.</p>
<p><strong>Get rid of old email</strong></p>
<p>A long time ago, storage space was a precious resource. Nowadays inboxes can be easily scaled to hold enormous amounts of data. Unfortunately that provides a greater possibility that an attacker will find something valuable.</p>
<p>Emails should be moved, or deleted, when their life cycle is up. Make sure to check any regulations regarding discovery and archiving before getting rid of the old stuff, but if you combine this with encryption you will be taking great strides to protect older emails.</p>
<p><strong>Practice good network security habits</strong></p>
<p>Make sure that desktops are continually scanned for malware that could possibly expose email login credentials, filter Internet content to protect against malicious websites, understand how to properly use a firewall and update server and client software as needed.</p>
<p>In addition to employing technology to help secure your email systems, you should also consider human factors. One of the ways that people first discover that their systems have been compromised is by noticing an anomaly. Be on the lookout for log-ins that just don’t seem right, whether it be the IP address, the time of day or even the length of time.</p>
<p>This can be one of the most tedious tasks to undertake when it comes to security but it is by far the most important.</p>
<p><strong>Put the right solutions in place</strong></p>
<p>In many small and medium-sized enterprises, the email administrator alone cannot be as vigilant as he or she would like. Even organizations that have a team of professionals dedicated to security use the necessary security tools to help them do their jobs. Smaller companies need to understand this as well.</p>
<p>By employing technologies that help manage email, backup and recovery, archiving and security, you are plugging the little holes that provide that chink in the armor most attackers are looking for.</p>
<p>No one said that email security is going to be an easy task, but it is one that cannot be ignored just because it&#8217;s too hard or it costs too much.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>5 Repercussions of a Hacked Exchange Server Account</title>
		<link>http://www.theemailadmin.com/2011/05/5-repercussions-of-a-hacked-exchange-server-account/</link>
		<comments>http://www.theemailadmin.com/2011/05/5-repercussions-of-a-hacked-exchange-server-account/#comments</comments>
		<pubDate>Fri, 06 May 2011 10:50:36 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4004</guid>
		<description><![CDATA[It is never good news to have servers compromised by hackers or corporate espionage.  Given the finite resources of any company however, the open secret is that not every computing node on the network can be equally well-protected.  As it is, priorities are often heavily skewed towards protecting servers running crucial Enterprise Resource Planning (ERP) [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-4005" style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/05/BrokenServer.jpg" alt="BrokenServer" width="200" height="240" />It is never good news to have servers compromised by hackers or corporate espionage.  Given the finite resources of any company however, the open secret is that not every computing node on the network can be equally well-protected.  As it is, priorities are often heavily skewed towards protecting servers running crucial Enterprise Resource Planning (ERP) or Customer Relationship Management (CRM) services, or publicly accessible Web servers.</p>
<p>What many businesses do not realize is how the humble email server is often overlooked and left under-protected.  Yet it remains a front-facing server due to its location on the Internet, or in the DMZ that demarcates the Internet from the relatively safe harbor of the company intranet.</p>
<p>I want to highlight five repercussions of a hacked Exchange Server account today so as to illustrate the importance of ensuring that your Exchange Server is patched in a timely manner, as well as the need to ensure that adequate best practices and security defenses are put in place.</p>
<p><span id="more-4004"></span></p>
<p><strong>1. Stolen email messages</strong></p>
<p>The most obvious repercussion of a hacked Exchange Server account would of course be the theft of email messages that have yet to be archived.  Organizations that do not practise off-line archiving of emails could conceivably see years of email messages quietly siphoned away by the hackers to be examined and dissected at leisure.  This can lead to the exposure of trade secrets and other highly confidential data, with the very real danger of careless, private remarks being aired as public knowledge &#8211; which could have embarrassing or career-ending ramifications.  It must be pointed out also that email notifications containing passwords and other personally identifiable information can often be found in old emails.  Access to this information opens the door for the bad guys to break into other accounts, as well as exposes an employee to the possibility of identity fraud.</p>
<p><strong>2. Spear phishing attacks</strong></p>
<p>Armed with the latest email communications of colleagues, business partners and senior executives, it is now trivial for a hacker to create sophisticated phishing attacks with a high chance of success.  The likelihood of pulling it off is far higher as the perpetrators can leverage existing information and craft their spear phishing attempt as a continuation of earlier correspondences.  It is worth noting that the same threat exists should the email accounts of business partners and other parties be broken into.  With the popularity of redirecting users to malware-laden websites these days, staffers should be warned against clicking on shortened URLs or unfamiliar Web addresses.</p>
<p><strong>3. Resetting of other account passwords</strong></p>
<p>Signing up for a new social networking account or an email account for your private use?  You will in all likelihood be asked to furnish an additional email address as a precaution against forgotten passwords; being in control of such an email address is often construed as final proof of ownership of an account.  In the same vein, unauthorized access of an email account can lead to the ability to reset the account passwords for other online accounts.  A worst case scenario that I&#8217;ve encountered would probably be the illicit transfer of valuable domain names being initiated from the right email address.</p>
<p><strong>4. Compromised account password</strong></p>
<p>Depending on the configuration of your company&#8217;s servers, the compromised account password is likely to be the same password used on Active Directory.  This is also the reason why Microsoft does not recommend that administrators use user names as the email alias.</p>
<p><strong>5. Covert monitoring</strong></p>
<p>After successfully breaking into an Exchange Server account and copying out older emails for study, some hackers may opt to lie low and quietly monitor for new correspondences.  Depending on business verticals, the most damage by far could result from this posture.  While server logs will retain evidence of the monitoring efforts, these logs are not something that is routinely examined.</p>
<p>My objective today is to convince system administrators or IT managers (or help them convince their CIOs) of the importance of properly securing their Exchange Servers.  The security-conscious email administrator may also want to take a look at <a href="http://www.theemailadmin.com/2011/03/securing-your-microsoft-exchange-2010-server/">Securing Your Microsoft Exchange 2010 Server</a>, where I&#8217;ve highlighted various resources to help you tighten the screws on your Exchange installation.</p>
<p>Next week, I want to talk about some defensive measures and practices that companies can employ to lower or mitigate the risks should their Exchange Server account ever be broken into.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/05/5-repercussions-of-a-hacked-exchange-server-account/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>What we can Learn from the Oak Ridge Attack</title>
		<link>http://www.theemailadmin.com/2011/04/what-we-can-learn-from-the-oak-ridge-attack/</link>
		<comments>http://www.theemailadmin.com/2011/04/what-we-can-learn-from-the-oak-ridge-attack/#comments</comments>
		<pubDate>Mon, 25 Apr 2011 09:49:47 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[Department of Energy]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Oak Ridge National Laboratory]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[United States]]></category>
		<category><![CDATA[United States Department of Energy]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3931</guid>
		<description><![CDATA[While the Oak Ridge National Laboratory may be famous for its role in the Manhattan Project, recent cyber attacks have brought the Department of Energy’s research center back into the news again. According to Barbara Penland, a spokesperson for the lab, Internet service and access to external email was brought down by the lab as [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-3933 alignright" style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/04/ornl.jpg" alt="ornl" width="166" height="141" /></p>
<p>While the Oak Ridge National Laboratory may be famous for its role in the Manhattan Project, recent cyber attacks have brought the Department of Energy’s research center back into the news again. According to Barbara Penland, a spokesperson for the lab, Internet service and access to external email were brought down by the lab as part of preventative measures to secure the network’s sensitive data against a spear phishing attack launched against the lab on April 7<sup>th</sup>.</p>
<p>The attack targeted lab employees with an email disguised as a message sent by the Human Resources Department that contained a link exploiting a vulnerability in Internet Explorer. Microsoft has claimed that this vulnerability was fixed on April 12<sup>th</sup>, one day after Oak Ridge noticed the attack against them.</p>
<blockquote><p><span id="more-3931"></span>&#8220;We ended up with an excess of 570 of those emails coming in to different people and we had some folks who clicked on the email,&#8221; Penland stated. &#8220;One or two of them managed to get through into the system.&#8221;</p></blockquote>
<p>After tracking the attack for a week, the IT department at Oak Ridge decided that the best thing to do was shut down access. Luckily, the attack was not able to infiltrate any of the Lab’s classified networks that are not connected to the public Internet.</p>
<p>Penland stated that service to the Internet should be restored early this week and email access is once again up; however, attachments have been blocked for the time being.</p>
<p><strong>What this means for Email Administrators</strong></p>
<p>The Oak Ridge lab is obviously a huge target housing some of the United States’ most secretive research projects in nuclear energy, biological systems as well as a great deal of research for the military and Department of Homeland Security. Aside from being such a lucrative target, it is also thought to be one of the most secured facilities there is.</p>
<p>What this recent attack, actually the second major attack against the lab in the last five years, shows us is that security of our email systems cannot be taken for granted. Oftentimes, those responsible for email at small to medium sized organizations have a set-it-and-forget-it attitude towards security. Due to limited budgets, limited staff and requirements that are more critical to the business plan, smaller companies simply don’t have the staff, time or money to fight the threat of cybercrime. The thought that a solid anti-virus solution and a firewall will adequately protect an organization is far too common.</p>
<p>When it comes to email, administrators are faced with a growing number of threats that come from:</p>
<ul>
<li>Botnets delivering SPAM</li>
<li>Phishing attacks against employees</li>
<li>Blended threats using malicious links</li>
<li>Social engineering like the one at Oak Ridge</li>
<li>Outbound spam being sent from your network</li>
</ul>
<p>The problem with these attacks is that a traditional firewall does little to address many of these threats, and unless the attack utilizes malware with a known signature file, anti-virus protection won’t identify the attack until it is too late.</p>
<p>To offer the best defenses against email borne threats, a comprehensive solution needs to be put in place to fight SPAM and malware attacks and to prevent false positives. Email administrators also need to look to solutions that help educate users against phishing and spear phishing attacks that co-workers commonly fall victim to.</p>
<p><strong>Continued threat</strong></p>
<p>Over the past year and a half, private businesses have seen an increase in attacks similar to the one launched against the Oak Ridge lab. Google and RSA both claimed to be victims of Advanced Persistent Threat attacks to steal sensitive data from their networks as well. As this attack trend has proven to be successful when launched via email against some of the most highly secured targets, we can expect that it will be used against organizations with fewer security measures in place.</p>
<p>SMEs offer not only the benefit of being low-hanging fruit to such attackers, but many of them do business with larger companies or even government agencies. Being able to compromise a smaller organization that does business with a larger target can offer attackers another inroad to relay an attack against the more lucrative objective.</p>
<p>Because email continues to be one of the most effective methods for delivering malicious code, it is up to the email administrator to work towards securing this compromise vector.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/04/what-we-can-learn-from-the-oak-ridge-attack/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>4 Ways Email Administrators can Protect their Users from Phishing</title>
		<link>http://www.theemailadmin.com/2011/02/4-ways-email-administrators-can-protect-their-users-from-phishing/</link>
		<comments>http://www.theemailadmin.com/2011/02/4-ways-email-administrators-can-protect-their-users-from-phishing/#comments</comments>
		<pubDate>Wed, 16 Feb 2011 14:22:58 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[digital certificates]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3574</guid>
		<description><![CDATA[Recently a couple of phishing emails arrived at my inbox at the education institution where I teach.  Both messages were deleted without a second thought, though I realized later that one of the phishing mails could have fooled me &#8211; had it been relevant.  Purporting to be from the institution&#8217;s IT department, the offending email [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-3575" style="margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/02/phishing.png" alt="phishing" width="300" height="150" />Recently a couple of phishing emails arrived at my inbox at the education institution where I teach.  Both messages were deleted without a second thought, though I realized later that one of the phishing mails could have fooled me &#8211; had it been relevant.  Purporting to be from the institution&#8217;s IT department, the offending email was exceedingly well-written and talked about how a shared storage resource had been scheduled to be taken down for routine maintenance soon.  Users were asked to visit a shortened URL link (helpfully provided, of course) to let the technical team know if they want a data backup of their folders done.</p>
<p>I have no idea where the proffered link leads to; though I assumed that it would have tried to obtain users&#8217; usernames and passwords at a minimum.  As you can imagine, even having a fraction of users fall for such a ploy would be nightmarish, more so for an Exchange server that is administratively joined to a domain &#8211; a successful phishing attempt is all it takes to compromise an account across the entire domain.</p>
<p>So while not typically tagged as the duty of an email administrator, are there any strategies that administrators can employ to better defend against phishing attempts?  I thought about it, and came up with a number of suggestions.</p>
<p><span id="more-3574"></span><strong>1. Design a proper template for emails from the IT department</strong></p>
<p>The first recommendation that I have would be to design a proper template for official emails from the IT department.  Not only will it serve to enhance the professionalism of the IT team as a whole, it is also good protection against generic phishing emails &#8211; which form the bulk of phishing attempts.  Assuming administrators are disciplined in using this template for all their correspondence and announcements, users will naturally become alerted when confronted with an email that does not use the correct template.</p>
<p>In fact, a proper template will also go a long way in protecting against directed attacks, a scenario where hackers work to break into a specific organization.  They will first need to learn of the presence of the email template, which forms another barrier against a successful phishing attempt.</p>
<p><strong>2. Establish authenticity using a digital certificate and an official email address</strong></p>
<p>Of course, the creation of a standard email template is somewhat akin to achieving security via obscurity.  Lost and stolen laptops will quickly reveal the official email template that these hackers can then use to masquerade as an administrator.  As email administrators are well aware, the real problem has to do with how easy it is to spoof the &#8220;From&#8221; address data in an email&#8217;s header.</p>
<p>The way to conclusively defend against phishing mails that exploit this weakness would be to tap on the use of digital certificates to establish authenticity.  While it will cost to purchase valid digital certificates, I consider it to be money worth spending.  Moreover, organizations can opt to implement digital signing only for key email accounts, which is a cheap yet effective way of stopping phishing in its tracks.  If there is interest, I will detail the steps to sign emails with a digital certificate in my next blog.  As a reference, Google has published a list of Certificate Authorities (CA) that it recognizes <a target="_blank" href="http://checkout.google.com/support/sell/bin/answer.py?hl=en&amp;answer=57856" onclick="pageTracker._trackPageview('/outgoing/checkout.google.com/support/sell/bin/answer.py?hl=en_amp_answer=57856&amp;referer=');">here</a>.</p>
<p><strong>3. Training users to detect phishing</strong></p>
<p>Of course, all the security tools and measures in the world will not protect your users if they respond to every scam email or click on any proffered URL with impunity.  I feel strongly that businesses should invest in some rudimentary training to equip their employees against the evolving techniques that scammers are adopting to break through the corporate inbox.  Rather than wait for things to happen, email administrators should take the initiative and train users to forward messages whose origins are suspicious or dubious to them for further examination.</p>
<p><strong>4. Send follow-up messages</strong></p>
<p>To their credit, the email administrator in my above-mentioned anecdote reacted within the hour and sent a warning email about the scam.  While some might argue that an official follow-up encumbers the inbox with yet another message, I feel that it serves as a useful reminder of the ongoing phishing threat.  In addition, it opens up a channel for communication between the email administrator and staffers who might have fallen prey, and allows compromised user accounts to be reset before they are exploited.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/02/4-ways-email-administrators-can-protect-their-users-from-phishing/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Phishers Not Getting Rich</title>
		<link>http://www.theemailadmin.com/2009/03/phishers-not-getting-rich/</link>
		<comments>http://www.theemailadmin.com/2009/03/phishers-not-getting-rich/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 12:41:40 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=606</guid>
		<description><![CDATA[Most of us have received emails asking us to click on a link and confirm our account information by typing in our personal financial information such as a credit card account number. Later we find out that we’ve been scammed and that our information was used so that someone else could rack up hundreds of [...]
]]></description>
			<content:encoded><![CDATA[
<p>Most of us have received emails asking us to click on a link and confirm our account information by typing in our personal financial information such as a credit card account number. Later we find out that we’ve been scammed and that our information was used so that someone else could rack up hundreds of dollars in purchases, maybe even thousands of dollars.</p>
<p>Our immediate thoughts are that we hope they catch the criminals who have now enjoyed a spending spree at our expense. We picture the police breaking down the doors of these criminals&#8217; homes, catching them while they enjoy their falsely purchased electronic gear or perhaps while they are out enjoying some fine dining at an upscale restaurant that we would never spend money on for ourselves.</p>
<p>The truth of the matter is that most phishers are not living lifestyles of the rich and famous: they are not dining on lobster tails, nor are they watching March Madness from arena box seats and spending hundreds of dollars on pricey meals each day.</p>
<p><span id="more-606"></span>Microsoft Research released a study that concluded that phishers make very little money: ‘&#8230;low-skill jobs pay like low-skill jobs, whether the activity is legal or not.&#8217; The study also concluded that the Gartner numbers that everyone quotes ($3.2B/year etc.) are inaccurate and off by a factor of 50. Although phishing seemingly earns huge sums of money for the phishers, the result is that their total net is equal to their total expenses. If the participants were to work at legitimate jobs they would find that they would make just as much as they do through their phishing efforts. They would probably be better off once they factor in health benefits through their employer. Based on the study, it sounds like the benefits of phishing have reached a plateau and have themselves fallen victim to the Law of Diminishing Returns: phishers have increased their total phishing efforts while their total phishing revenue has declined. The whole amount of the individual phishers&#8217; efforts is no longer greater than the sum of all of their individual efforts. So try as they might, they are no longer able to increase their successes. That’s good news for us.</p>
<p>While many of you have fallen or will fall victim to email phishing scams and are or will get rightfully upset, you can at least take some satisfaction in knowing that the phishers are not getting ahead financially and most are probably losing traction. At the very least, they will eventually be caught and spend some time in jail somewhere, somehow.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/phishers-not-getting-rich/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ViddyHo Phishing Scam</title>
		<link>http://www.theemailadmin.com/2009/03/viddyho-phishing-scam/</link>
		<comments>http://www.theemailadmin.com/2009/03/viddyho-phishing-scam/#comments</comments>
		<pubDate>Mon, 23 Mar 2009 15:25:11 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[scams]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=592</guid>
		<description><![CDATA[Last month, many users of  Google&#8217;s GoogleChat service found themselves preyed upon as potential victims to the ViddyHo worm phishing scam. The phishing scam was using a come-on approach and sent messages to some users of the online chat service from someone appearing to be one of their contacts. Although the latest phishing scam was [...]
]]></description>
			<content:encoded><![CDATA[
<p>Last month, many users of Google&#8217;s GoogleChat service found themselves preyed upon as potential victims of the ViddyHo worm phishing scam. The phishing scam used a come-on approach and sent messages to some users of the online chat service from someone appearing to be one of their contacts. Although this latest phishing scam used a chat service, there is always the potential for such phishing scams to resurface through email.</p>
<p>In this case the scammers used the traditional bait of prompting a user to click on a link from tinyurl.com, a service that shrinks URLs for easy sharing on sites like Twitter. Victims were then directed to the ViddyHo Web site where they were asked for their Google login information. Once the user had “logged in” they unwittingly opened up their contact list for the worm to spread.</p>
<p>This is old advice but is worth repeating: verify and confirm links sent to you from people you know before you click on the links. The names listed in the “To” field, although familiar to you, may not have really sent the email messages. I’ve discussed in previous posts the importance of authenticating the users who have sent you email and the use of certificates of authenticity – are they really who they say they are?</p>
<p><span id="more-592"></span>In 2008, many people received emails from foreigners overseas who claimed to know someone who recently had died but had left a large sum of money. The foreigner would offer to split some of the proceeds with the email recipient in exchange for cooperation and some help with wiring the money to the states. Most variations of these email phishing scams were offshoots of the Nigerian money wires. Now that people are fully aware of these scams the scammers have to invent new methods and new false scenarios to suck in the innocent email recipients. As a result, tricking people into viewing video links is becoming more and more prevalent as the perpetrators are able to infect the computer by uploading malware in the background while the videos run.</p>
<p>So to protect your company’s user community, it would be wise to post an internal message warning your users not to click on links sent to them, or to log on to any sites related to the ViddyHo.com site, from emails received from friends or acquaintances.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/viddyho-phishing-scam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Up to 8000 Comcast E-Mail Accounts Compromised</title>
		<link>http://www.theemailadmin.com/2009/03/up-to-8000-comcast-e-mail-accounts-compromised/</link>
		<comments>http://www.theemailadmin.com/2009/03/up-to-8000-comcast-e-mail-accounts-compromised/#comments</comments>
		<pubDate>Wed, 18 Mar 2009 15:39:35 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=576</guid>
		<description><![CDATA[ Neoseeker is reporting that as many as 8000 Comcast email accounts have been compromised. The breach was discovered by a professor at Wilkes University. While doing a search on his email address he found a document hosted on Scribd that contained the usernames and passwords of thousands of Comcast customers. What&#8217;s more, the list had [...]
]]></description>
			<content:encoded><![CDATA[
<p> Neoseeker is reporting that as many as 8000 Comcast email accounts have been <a target="_blank" href="http://www.neoseeker.com/news/10153-as-many-as-8-000-comcast-passwords-exposed/" onclick="pageTracker._trackPageview('/outgoing/www.neoseeker.com/news/10153-as-many-as-8-000-comcast-passwords-exposed/?referer=');">compromised</a><img class="alignright size-medium wp-image-577" title="Up to 8000 Comcast E-Mail Accounts Compromised" src="http://www.theemailadmin.com/wp-content/uploads/2009/03/comcast-300x77.jpg" alt="comcast" width="300" height="77" />. The breach was discovered by a professor at Wilkes University. While doing a search on his email address he found a document hosted on Scribd that contained the usernames and passwords of thousands of Comcast customers. What&#8217;s more, the list had been there for at least 2 months and had been accessed thousands of times. Comcast is denying responsibility:</p>
<blockquote><p>Jennifer Khoury, a Comcast spokeswoman, responded stating that they did not believe this information was provided by anyone inside the company citing lack of structure on account numbers and duplicity on some of the information. Instead, the information appeared to have been gathered through a phishing type scheme.</p></blockquote>
<p>Comcast says they are freezing the accounts that were compromised and will notify their owners. If you have a Comcast account you&#8217;d be doing yourself a favor if you changed your password. Can&#8217;t be too careful! It&#8217;s not yet known who owns the document or how the data was obtained, but experts believe it could be the result of a phishing scheme.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/up-to-8000-comcast-e-mail-accounts-compromised/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Telltale Signs of a Phishing Email</title>
		<link>http://www.theemailadmin.com/2009/03/telltale-signs-of-a-phishing-email/</link>
		<comments>http://www.theemailadmin.com/2009/03/telltale-signs-of-a-phishing-email/#comments</comments>
		<pubDate>Wed, 11 Mar 2009 15:44:16 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[scams]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=501</guid>
		<description><![CDATA[Phishing is an email technique used by people who try to obtain your personal and financial information so that they can then purchase products or open up credit lines in your name. The emails they send are designed to deceive you and often look as if they came from a credible source. Over the years, [...]
]]></description>
			<content:encoded><![CDATA[
<p>Phishing is an email technique used by people who try to obtain your personal and financial information so that they can then purchase products or open up credit lines in your name. The emails they send are designed to deceive you and often look as if they came from a credible source.</p>
<p>Over the years, I have received dozens of emails that look like they came from departments in real companies such as eBay, Paypal, Amazon, etc. Sometimes the emails look like they came from the security department and sometimes they look like they came from the “Account Team”.</p>
<p>There are obvious components of fraudulent email that all phishers will use to obtain your trust and personal information.</p>
<p>1. The From line. Oftentimes the “From” line will include an official-looking email address that differs by one or two characters from that of a real department in a legitimate company that you may or may not be doing business with.</p>
<p>2. The Email Greeting. If your email starts off with a “Dear Sir” or “Dear User” then you know that the sender of the email does not know you by name. A legitimate source will contact you with the proper salutation which includes at the very least your last name.<span id="more-501"></span></p>
<p>3. A Warning Message. Phishing emailers will try to create fear or panic by stating that the message is urgent and that if you don’t act soon you will lose account privileges or you will soon be unable to access your account altogether. To keep your account open and accessible you are requested to please login and verify your account by providing private information.</p>
<p>4. Fraudulent Links. You may be asked to click on a reasonable looking link that takes you to a website that also looks legitimate. Clicking on the link will take you to a site that asks for your personal information or, worse, launches a virus. Never click on links if you suspect a false email source.</p>
<p>5. Attachments. Never click on an attachment if you do not trust the source. As with fraudulent links, attachments can also be used to download spyware or viruses.</p>
<p>If you suspect you have received a phishing email send or forward the email to <a target="_blank" href="mailto:spam@uce.gov">spam@uce.gov</a> – and to the company or organization impersonated in the phishing email. You can also report phishing email to <a target="_blank" href="mailto:reportphishing@antiphishing.org">reportphishing@antiphishing.org</a>. The Anti-Phishing Working Group is a consortium of ISPs, security vendors, financial institutions and law enforcement agencies that use these reports to fight phishing.</p>
<p>If you think someone has used your information to steal your identity then please go to the Federal Trade Commission&#8217;s Identity Theft website, ftc.gov/idtheft, to learn more about how to respond to and recover from identity theft.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/telltale-signs-of-a-phishing-email/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IRS Stimulus Package Phishing Scam</title>
		<link>http://www.theemailadmin.com/2009/02/irs-stimulus-package-phishing-scam/</link>
		<comments>http://www.theemailadmin.com/2009/02/irs-stimulus-package-phishing-scam/#comments</comments>
		<pubDate>Mon, 09 Feb 2009 09:55:01 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=316</guid>
		<description><![CDATA[The United States Computer Emergency Readiness Team (US-CERT) Current Activity web page (http://www.us-cert.gov/index.html) includes a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT. As of February 6, the US-CERT Current Activity web page is warning that they are aware of public reports indicating that phishing [...]
]]></description>
			<content:encoded><![CDATA[
<p>The United States Computer Emergency Readiness Team (US-CERT) Current Activity web page (<a target="_blank" href="http://www.us-cert.gov/index.html" onclick="pageTracker._trackPageview('/outgoing/www.us-cert.gov/index.html?referer=');">http://www.us-cert.gov/index.html</a>) includes a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.</p>
<p>As of February 6, the US-CERT Current Activity web page is warning that they are aware of public reports indicating that phishing scams are circulating which involve fraudulent United States Internal Revenue Service emails. The fraudulent emails offer recipients stimulus package payments and ask for personal information by including text that attempts to convince users to follow a link to a website or to complete an attached document.</p>
<p>One such recipient reported that he had received a similar email last year that included information about the stimulus check sent out at that time. The user went on to say that the senders of this phishing email scam had approximated how much money the recipient received in his stimulus check and were off by $23. Because the amount was so close to what the recipient had received, the recipient almost fell for the scam. Luckily the recipient noticed that the sender’s email address was suspicious. The user followed up by sending warnings about that scam to about seven different agencies, including the IRS.</p>
<p><span id="more-316"></span></p>
<p>US-CERT encourages users who receive fraudulent email messages to send the email messages and the website URLs to the IRS at <a target="_blank" href="mailto:phishing@irs.gov">phishing@irs.gov</a>.</p>
<p>US-CERT encourages users to do the following to reduce their risk of giving out personal information:</p>
<p>• Do not follow unsolicited web links received in email messages.</p>
<p>• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams. (<a target="_blank" href="http://www.us-cert.gov/reading_room/emailscams_0905.pdf" onclick="pageTracker._trackPageview('/outgoing/www.us-cert.gov/reading_room/emailscams_0905.pdf?referer=');">http://www.us-cert.gov/reading_room/emailscams_0905.pdf</a>)</p>
<p>• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks. (<a target="_blank" href="http://www.us-cert.gov/cas/tips/ST04-014.html" onclick="pageTracker._trackPageview('/outgoing/www.us-cert.gov/cas/tips/ST04-014.html?referer=');">http://www.us-cert.gov/cas/tips/ST04-014.html</a>)</p>
<p>• Review the How to Report and Identify Phishing, E-mail Scams and Bogus IRS Web Sites document on the IRS website. (<a target="_blank" href="http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=5" onclick="pageTracker._trackPageview('/outgoing/www.irs.gov/privacy/article/0_id=179820_00.html?portlet=5&amp;referer=');">http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=5</a>)</p>
<p>Established in 2003, the US-CERT is a partnership between the Department of Homeland Security and the public and private sectors whose goal is to protect the nation&#8217;s Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the United States of America.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/02/irs-stimulus-package-phishing-scam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Popular Video Game Falls Prey to Email Phishing Scam</title>
		<link>http://www.theemailadmin.com/2009/01/popular-video-game-falls-prey-to-email-phishing-scam/</link>
		<comments>http://www.theemailadmin.com/2009/01/popular-video-game-falls-prey-to-email-phishing-scam/#comments</comments>
		<pubDate>Thu, 15 Jan 2009 12:51:35 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=271</guid>
		<description><![CDATA[The Escapist is reporting that the popular video game Call of Duty is being used in a new email phishing scam. The emails claim to be offering keys to a new beta of the game called Call of Duty: Modern Warfare 2. It also directs the recipient to click on a link to download the [...]
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2009/01/call-of-duty-4logo.jpg"><img class="alignright size-medium wp-image-272" style="float: right;" title="Popular Video Game Falls Prey to Email Phishing Scam" src="http://www.theemailadmin.com/wp-content/uploads/2009/01/call-of-duty-4logo-300x223.jpg" alt="Popular Video Game Falls Prey to Email Phishing Scam" width="133" height="108" /></a>The <a href="http://www.escapistmagazine.com/news/view/88612-Beware-the-Call-of-Duty-5-Phishing-Scam" onclick="pageTracker._trackPageview('/outgoing/www.escapistmagazine.com/news/view/88612-Beware-the-Call-of-Duty-5-Phishing-Scam?referer=');">Escapist</a> is reporting that the popular video game Call of Duty is being used in a new email phishing scam. The emails claim to be offering keys to a new beta of the game called Call of Duty: Modern Warfare 2. It also directs the recipient to click on a link to download the alleged beta, which Call of Duty&#8217;s creator, Infinity Ward, was quick to announce does not actually exist:</p>
<blockquote><p>Robert Bowling, better known as Infinity Ward&#8217;s community manager &#8220;fourzerotwo&#8221;, would like you to know that there is no such thing as a Call of Duty: Modern Warfare 2 multiplayer beta. In fact, there may not even be Modern Warfare 2 and that Infinity Ward, creator of the war-time series, has yet to even announce what their next project is, despite reports to the contrary. Secrets, these be. Of course, that never stops the internet as a widespread email scam has been sent around the tubes, inviting one and all to a multiplayer beta for Call of Duty: Modern Combat 2. The reason as to why this particular scam is so believable is that the content of the email is exactly the same as the one Infinity Ward sent out themselves in 2007 for the Call of Duty 4 beta. It also doesn&#8217;t hurt that the creator of the phishing scam has gone the extra mile and hoaxed its origin, as the emails appear to come from COD5BETA@infinityward.com.</p></blockquote>
<p>Bowling advises anyone who receives the fake announcement to delete it immediately. He said it simply copies an email sent out last year announcing the current Call of Duty version, but with certain parts updated to make it look like it&#8217;s announcing a brand new beta.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/01/popular-video-game-falls-prey-to-email-phishing-scam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A solution to email-based bank phishing attacks</title>
		<link>http://www.theemailadmin.com/2008/11/a-solution-to-email-based-bank-phishing-attacks/</link>
		<comments>http://www.theemailadmin.com/2008/11/a-solution-to-email-based-bank-phishing-attacks/#comments</comments>
		<pubDate>Mon, 10 Nov 2008 15:40:44 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[online security]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=140</guid>
		<description><![CDATA[A research note from TowerGroup, sponsored by IBM, addresses the issue of security in online banking, and the techniques that cybercriminals are using to gain access to online bank accounts. Although the report, published in 2005, is a bit outdated, its message still hits home. Generally speaking, so long as you follow standard security protocols (complex [...]<p><a href="http://www.theemailadmin.com/2008/11/a-solution-to-email-based-bank-phishing-attacks/">A solution to email-based bank phishing attacks</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p>A research note from TowerGroup, sponsored by IBM, addresses the issue of security in online banking, and the techniques that cybercriminals are using to gain access to online bank accounts. Although the report, published in 2005, is a bit outdated, its message still hits home.</p>
<p>Generally speaking, so long as you follow standard security protocols (use complex passwords, change passwords regularly, don&#8217;t share passwords, and beware of emails claiming to be from your bank asking for login details), online banking is just as safe as driving to your local bank branch. In fact, locally there has been a rash of bank robberies, so online banking may be even safer!</p>
<p>One of the threats highlighted by the report is email phishing, which has become a very common way for attackers to try to steal account information, and sometimes, it works. The report recommends stronger authentication methods to combat this type of fraud.<span id="more-140"></span></p>
<p>The problem with the standard username and password type of authentication most commonly used by banks is that it puts the burden on the account holder to keep the information secret, and the account information becomes vulnerable to fraud and various types of social engineering tricks. But in light of the major losses that continue to occur, the report recommends that financial institutions take on more responsibility by instituting stronger authentication techniques. In the past, banks have been reluctant to do this out of fear that customers would not accept them and that they would be too expensive for the bank to implement.</p>
<p>The FDIC does recommend two-factor authentication (although most banks in the US don&#8217;t offer it). Fortunately, these solutions are getting less expensive, and one option is to avoid the use of a hard token in favor of a soft token. The results are the same, and it is a lot less costly. Either way, two-factor works like this: The account holder enters a memorized PIN number into the token, which then generates a one-time passcode, which is then entered by the user to gain access to their information. Because the passcode expires after a single use, theft becomes irrelevant. If banks would implement this type of technology, it would go a long way towards eliminating the threat of email-based bank phishing attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/11/a-solution-to-email-based-bank-phishing-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spear phishing attacks can target social networking sites</title>
		<link>http://www.theemailadmin.com/2008/10/spear-phishing-attacks-can-target-social-networking-sites/</link>
		<comments>http://www.theemailadmin.com/2008/10/spear-phishing-attacks-can-target-social-networking-sites/#comments</comments>
		<pubDate>Fri, 17 Oct 2008 09:59:03 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=93</guid>
		<description><![CDATA[Social networking sites have changed the game of the Internet, ushering in a new layer of functionality and connectivity. People have new ways to connect, both for fun and business. Unfortunately, attackers also have new ways to connect as a result. A recent report showed that ten thousand users of LinkedIn, a networking site for [...]<p><a href="http://www.theemailadmin.com/2008/10/spear-phishing-attacks-can-target-social-networking-sites/">Spear phishing attacks can target social networking sites</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p>Social networking sites have changed the game of the Internet, ushering in a new layer of functionality and connectivity. People have new ways to connect, both for fun and business. Unfortunately, attackers also have new ways to connect as a result.</p>
<p>A recent report showed that ten thousand users of LinkedIn, a networking site for business professionals, were targeted in a spear phishing attack which attempted to trick users into downloading a malicious attachment. Spear phishing is particularly dangerous because of the level of trickery involved. By now most of us know to raise the red flag when we receive an email from a web site we use addressed to &#8220;Dear Member,&#8221; or some other generic greeting, which then proceeds to ask us for personal information. But spear phishing addresses us by name&#8211;thereby lulling us into a false sense of security and trust. In this attack, the email appeared to be from LinkedIn and addressed the recipient by name, and asked them to download a file, implying that the member had requested it.</p>
<p><span id="more-93"></span></p>
<p>Certainly, a spear phishing attack is more difficult to carry out, since the attacker must first obtain personal information&#8211;but with the increasing popularity of social networking sites, obtaining email addresses and names could be done with a little bit of time and planning. These types of directed attacks have a much higher success rate, and so it is necessary to take education to the next level.</p>
<p>In addition to educating users about not clicking on emailed links, and educating them about emails that appear to be from trusted sources but addressed generically, we must also provide education specific to these targeted attacks. Specifically, users should be suspicious if they receive an email that is addressed to them specifically and appears to be from a trusted source, but it nonetheless asks them to download a file or take an action that they did not request. And at all times, it&#8217;s a good idea to enter the legitimate web site&#8217;s URL directly into the browser as opposed to clicking on an emailed link, which can be disguised. The attack could be easily avoided if, when receiving the email that appeared to be from LinkedIn, the recipient went directly to the LinkedIn account through their browser instead of clicking on the provided link.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/10/spear-phishing-attacks-can-target-social-networking-sites/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phishing Email Trends Reported by the APWG</title>
		<link>http://www.theemailadmin.com/2008/09/phishing-email-trends-reported-by-the-apwg/</link>
		<comments>http://www.theemailadmin.com/2008/09/phishing-email-trends-reported-by-the-apwg/#comments</comments>
		<pubDate>Mon, 29 Sep 2008 14:44:21 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=71</guid>
		<description><![CDATA[The Anti-Phishing Working Group (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types. In the first quarter of 2008 the APWG published an excellent &#8220;Phishing Activity Trends Report&#8221;.  It provides detailed statistics that cover various aspects [...]<p><a href="http://www.theemailadmin.com/2008/09/phishing-email-trends-reported-by-the-apwg/">Phishing Email Trends Reported by the APWG</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p>The <strong><a target="_blank" href="http://www.antiphishing.org" onclick="pageTracker._trackPageview('/outgoing/www.antiphishing.org?referer=');">Anti-Phishing Working Group</a></strong> (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.</p>
<p>In the first quarter of 2008 the APWG published an excellent &#8220;<strong><a target="_blank" href="http://www.antiphishing.org/reports/apwg_report_Q1_2008.pdf" onclick="pageTracker._trackPageview('/outgoing/www.antiphishing.org/reports/apwg_report_Q1_2008.pdf?referer=');">Phishing Activity Trends Report</a></strong>&#8221;. It provides detailed statistics that cover various aspects of how phishing activities are exponentially on the upswing. The report starts out by giving a very concrete definition of phishing as a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. Social-engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as user names and passwords.</p>
<p>Some overview topics covered in the APWG report include:</p>
<p><strong>Countries Hosting Phishing Sites</strong><br />
The United States remains the top country hosting phishing sites due to a large majority of attacks being targeted toward United States-based companies. Russia remained in the top four of all countries throughout the period. There was an interesting drop for China in the last month, when it accounted for only 3% among the top countries hosting phishing sites.</p>
<p><strong>Most Targeted Industry Sectors</strong><br />
Financial Services continued to be the most targeted industry sector during the first quarter of 2008. This is consistent with results since the APWG began tracking targeted industry sectors. The uptick of Government as a target in March reflects a rise in IRS-related phishing attacks or similar scams – by phishing and other media – related to the IRS-administered 2008 Economic Stimulus Refund program.<span id="more-71"></span></p>
<p><strong>Phishing-based Trojans – Redirectors</strong><br />
Definition: Crimeware code which is designed with the intent of redirecting end-users’ network traffic to a location where it was not intended to go to. This includes crimeware that changes hosts files and other DNS-specific information, crimeware browser-helper objects that redirect users to fraudulent sites, and crimeware that may install a network level driver or filter to redirect users to fraudulent locations. All of these must be installed with the intention of compromising information which could lead to identity theft or other credentials being taken with criminal intent.</p>
<p><strong>Phishing Email Reports</strong><br />
The number of unique phishing reports submitted to APWG in the first quarter of 2008 remained within a range of slightly over 5,000 unique reports. Over the quarter, reports received decreased by 12.5 percent ending at 25,630 in March, after a spike of attacks in February when the number rose to 30,716. The number at the close of the quarter is off from the high of September 2007 by 33 percent. This represents a count of unique phishing email reports received by the APWG from the general public, APWG members, and its research partners.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/09/phishing-email-trends-reported-by-the-apwg/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phishing is Whaling with Executives</title>
		<link>http://www.theemailadmin.com/2008/09/phishing-is-whaling-with-executives/</link>
		<comments>http://www.theemailadmin.com/2008/09/phishing-is-whaling-with-executives/#comments</comments>
		<pubDate>Thu, 04 Sep 2008 13:09:34 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=41</guid>
		<description><![CDATA[John Markoff&#8217;s article in the New York Times &#8220;Larger Prey Are Targets of Phishing&#8221; emphasizes that people must always be vigilant in not opening emails from unknown entities.  It’s important for email administrators to continue educating their email community.   Quite a few email administrators were definitely in the hot seat with this high profile phishing [...]<p><a href="http://www.theemailadmin.com/2008/09/phishing-is-whaling-with-executives/">Phishing is Whaling with Executives</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p><strong><a target="_blank" href="http://topics.nytimes.com/top/reference/timestopics/people/m/john_markoff/index.html?inline=nyt-per" onclick="pageTracker._trackPageview('/outgoing/topics.nytimes.com/top/reference/timestopics/people/m/john_markoff/index.html?inline=nyt-per&amp;referer=');">John Markoff&#8217;s</a></strong> article in the New York Times &#8220;<strong><a target="_blank" href="http://www.nytimes.com/2008/04/16/technology/16whale.html?_r=2&amp;ref=business&amp;oref=slogin&amp;oref=slogin" onclick="pageTracker._trackPageview('/outgoing/www.nytimes.com/2008/04/16/technology/16whale.html?_r=2_amp_ref=business_amp_oref=slogin_amp_oref=slogin&amp;referer=');">Larger Prey Are Targets of Phishing</a></strong>&#8221; emphasizes that people must always be vigilant in not opening emails from unknown entities. It’s important for email administrators to continue educating their email community. Quite a few email administrators were definitely in the hot seat with this high-profile phishing attack.<span id="more-41"></span></p>
<p>Over 2,000 executives received phony, but very official looking, subpoenas to appear in court. From the email they were fooled into thinking they could download a copy of the subpoena. Instead different variants of key logger programs were installed on each computer. Key logger programs intercept personal or sensitive corporate information typed on the computer keyboard.</p>
<p>John goes on to explain &#8220;The tactic of aiming at the rich and powerful with an online scam is referred to by computer security experts as whaling. The term is a play on phishing, an approach that usually involves tricking e-mail users — in this case the big fish — into divulging personal information like credit card numbers. Phishing attacks that are directed at a particular person, rather than blasted out to millions, are also known as spear phishing.&#8221;</p>
<p>Recipients of the e-mail messages were directed to a spoofed web site. It had a realistic copy of the graphics from the real federal court site. Email readers were asked to download and install what was supposed to be a document reader program from Adobe, which allows viewing of electronic documents.</p>
<p>Several security consultants indicated the real danger of the attack lay in a second level of deception, after the hidden software provided the attackers with digital credentials like passwords and electronic certificates.</p>
<p>“There are very subtle nuances to their attacks that are well known in the financial industry but are not well publicized,” said Matt Richard, director of the Rapid Response Team at iDefense.</p>
<p>Apparently criminals are focusing on a particular area of the financial industry. Law enforcement officials were investigating the fraudulent documents.</p>
<p>Although the software package used to deliver this stealth program is well known by security professionals, it was hidden on the computer in such a manner that it could not be detected.</p>
<p>The FBI would not comment on this particular phishing attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/09/phishing-is-whaling-with-executives/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bank security and policies</title>
		<link>http://www.theemailadmin.com/2008/07/bank-security-and-policies/</link>
		<comments>http://www.theemailadmin.com/2008/07/bank-security-and-policies/#comments</comments>
		<pubDate>Thu, 31 Jul 2008 07:21:44 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5</guid>
		<description><![CDATA[I just received an email that appeared to be from my bank, telling me to log into a web site and verify my account number. Fortunately, my spam filter caught it and filed it away with all the other emails telling me that I won a foreign lottery, or that the wife of some dead dictator [...]<p><a href="http://www.theemailadmin.com/2008/07/bank-security-and-policies/">Bank security and policies</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p>I just received an email that appeared to be from my bank, telling me to log into a web site and verify my account number. Fortunately, my spam filter caught it and filed it away with all the other emails telling me that I won a foreign lottery, or that the wife of some dead dictator wants me to help her distribute a hundred million dollars for “Christian charity.”</p>
<p>We like to assume that our banks are safe, and the banks themselves create the impression of safety with grand physical structures with imposing Roman columns, armed rent-a-cops at the door, and a huge safe with a steel door. Online, banks create the impression of safety with password-enabled logins and verification questions. Generally, online banking is safe, and very convenient—it’s great for me, since I spend two or three months a year traveling around the world, and I can pay my bills from a hotel room in China if I need to.</p>
<p><span id="more-5"></span></p>
<p>But have financial institutions gone far enough to create online security? Or is it even possible? Everyone in the IT game knows that when they get an email that appears to be from their bank asking them to click on a link and give their password, it’s a phishing scam. Yet, the phishing scams continue, and people continue to fall victim. And because the scam doesn’t originate from the bank, there’s not a lot the bank can do from a technological viewpoint; it’s purely an educational solution.</p>
<p>It is certainly possible for a bank to create a highly secure web site for its online banking customers, and online banking can be just as safe as when you hand your deposit over to the teller in person. But although it’s possible, is it always happening? A study by University of Michigan researchers (<a target="_blank" href="http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf" onclick="pageTracker._trackPageview('/outgoing/cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf?referer=');">http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf</a>) took a look at the web sites of major banks, to see just how secure they really are.</p>
<p>The policies themselves were shown to be weak in a lot of cases. The two-factor approach my bank uses (enter the password, and then enter additional qualifying information) is a good one, and some banks, especially in Europe, make that second factor the use of a portable hardware token that generates a one-time-only passcode, making the online bank ultra-secure. But not all banks use that extra step, and some even have lax password policies that let customers use easily guessed passwords, such as email addresses or social security numbers. The study found five common design flaws in banking web sites, which could easily be remedied. These flaws are:</p>
<ol>
<li>Break in the chain of trust</li>
<li>Presenting secure login options on insecure pages</li>
<li>Contact information/security advice on insecure pages</li>
<li>Inadequate policies for user IDs and passwords</li>
<li>Emailing security-sensitive information insecurely</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/07/bank-security-and-policies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

