By: Aaron Cohoon

We’re getting reports from users on both AppRiver’s Hosted Exchange and Microsoft Office 365 platforms that calendar events are displaying two time zones on iPhones and iPads running iOS 8. Calendar events that were created on an iPhone or iPad running iOS 8 or higher, or created in Microsoft Outlook in some cases, display the server time below the device’s local time when opened on an iPad or iPhone running iOS 8.0.0 through 8.1.1.

In this example the user’s mailbox server is hosted with Office 365 in GMT:

[Image: calendar item showing two time zones]

While this issue seems to be cosmetic since the device’s correct local time is still displayed in the calendar, it can potentially cause major confusion for users when they edit an event from an iPhone or iPad, as the Start time will default to the server time. One user has created a video detailing the issue and challenge it causes with editing events and posted it on YouTube here.

Tech Tip:

To edit an event displaying two time zones, tap the Start time field and make sure the time zone is correct before saving the changes to the calendar event on the device. This won’t prevent the server time zone from being displayed, but it will keep your calendar appointments set to the correct time when editing events on the go.

Why is this happening?

Several users have reported this issue to Apple, and in one case the following response has been forwarded from Apple Support:

“The customer is contacting us because both the local time, and either the time of the originator or the server is showing in the Calendar app. This is expected behavior with iOS 8. The customer can submit feedback on this feature at http://www.apple.com/feedback.”

This is not behavior observed with other email and calendar clients supporting Exchange, such as Outlook, Android, Windows Phone, or BlackBerry mobile devices. Calendar events should display the time zone the event was created in, as determined by the client software (Outlook or the settings on your mobile device), not the time zone in which the server is housed. Time zones are controlled at the individual mailbox client level because each Exchange server can, and does, house mailboxes of users who live, work, and travel throughout different time zones.

Time Zone Override is the only feature in iOS 8 that is known to display two time zones in a calendar event. Since Time Zone Override replaced the Time Zone Support feature in iOS, we can assume its expected behavior is to display events in an iOS device’s local time as well as the time zone in which the event was created.

For example, suppose you live in New York, your time zone is EST, and you are traveling to London, in GMT. When you get to London your time zone is 5 hours ahead of New York time, but you have to call a client back home at 4 PM EST. The Time Zone Override feature should display your calendar events that were created in New York in both EST and GMT.

Unfortunately, users are seeing their server times displayed while they’re home and all of their client settings are set correctly to New York (for this example). I have reported this as a feature bug to Apple, as this happens even when Time Zone Override is turned off. To further confuse the perception of “expected behavior”, Apple has not included Time Zone Override in the official iOS 8 (now 8.1) manual as of today:

http://manuals.info.apple.com/MANUALS/1000/MA1565/en_US/iphone_user_guide.pdf

Resolution:

After extensive troubleshooting and providing several examples to Apple Support, my ticket on the issue was escalated to Apple’s Engineering team. Unfortunately there is still no fix, but I have been assured there is something in the works. Apple’s Enterprise team sent me an acknowledgement after their Engineering team reviewed my case and that of several other users.

“Thank you for calling in so we may add to the impact on the issue with Exchange accounts and calendars on iOS 8. Apple is aware of this and it is currently being worked on.”

From what they’ve told me, they now have enough examples to know the issue with dual time zones displayed in events is specific to an iOS 8 feature. However, I was also informed that the reported impact has been minimal. In order to increase awareness, so that a fix can be applied in an update soon, I encourage any user encountering this issue to submit feedback at the following web address: http://www.apple.com/feedback/iphone.html


Fake Best Buy purchase confirmations attempting to spread malware have been circulating for the past week. These messages are simple: they appear with “Best Buy” in the From field and inform the recipient that an order has been placed with Best Buy which needs to be confirmed for pick-up. The recipient is then directed toward the attachment, which contains a Trojan downloader commonly referred to as Kulzuoz or Zortob. This file is merely a means to infect the user so that more malicious software can be downloaded, hence its classification as a downloader. At the time of our analysis this program was pulling down what appears to be software geared toward data theft, although this malware has been used extensively to infect users with FakeAV malware.

[Image: sample fake Best Buy order confirmation]

The email campaign started on Thanksgiving Day in the U.S., a time when millions of consumers began flocking to the web to take advantage of online holiday deals. These messages are meant to catch any and all unsuspecting users off guard but might be especially effective with those who have actually made purchases at Best Buy recently.

The volume of messages has been quite high; we have already quarantined nearly 1.5 million of these malware-laden emails. Here is a look at the traffic (number of emails seen inbound) from this campaign over the past 7 days:

[Chart: inbound message volume from this campaign over the past 7 days]

The good news for our users is that we had predictive rules in from the onset of this campaign and therefore none of these messages have leaked through to our SecureTide users.

Over the past several days we have been seeing several malicious email campaigns posing as legitimate communication from Amazon. The first campaign poses as messages from amazon.co.uk with the subject line reading: Your Amazon Order Has Dispatched (#3digits-7digits-7digits). These messages purport to be order shipment notifications. They began hitting our filters on 10/31/14 and have been coming in consistently ever since. Thus far we have quarantined just over 600,000 of these messages. Each message contains a Word document (MD5: a75e196e6c0cabc145f4cdc3177e66ec) that contains a malicious macro. In most instances users should be at a slightly lower risk with this infection vector, since macros are not enabled by default in more recent versions of Word. The macro (if allowed to execute) leads to the install of a Trojan dropper. The malware currently creates a process named SUVCKSGZTGK.exe on the victim’s machine. Eventually this leads to the install of key-logging malware designed to harvest banking login credentials, email credentials and social media credentials. As we commonly see with these types of campaigns, the payload can be changed out by the malware distributors, so this dropper could pull down some other form of malware in the future.

Here is a look at the message:

[Image: sample amazon.co.uk dispatch notification]

In a separate email blast, another group is distributing malicious emails posing as Amazon order confirmation emails. These emails are coming in at a slightly slower clip than the former campaign, but we have quarantined nearly 160,000 of these messages over the past few days. They appear to be from amazon.com with the subject reading: Your order on Amazon.com. These emails have a bit more of a legitimate look as they utilize actual graphics taken from Amazon. Instead of a malicious attachment, these messages utilize links to compromised WordPress sites. Clicking these links will launch the download of a .scr file named invoice1104.pdf[dot]scr, which should be a huge red flag to most users as the .scr file extension is used almost exclusively for malware infection these days. The .scr file (MD5: 09cb12d7cd0228360cd097baeaaa6552) is in fact a Trojan dropper that will lead to the install of more malware once it has infected the host. Once again, from here the sky is the limit for the malware distributors, since they can now download and install remote files of their choosing.

Here is a look at the message and the download prompt:

[Image: sample amazon.com order confirmation]

[Image: .scr download prompt]

This is a very popular time of the year for these types of scams, with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations much more frequently, the likelihood that people will fall for this scam increases. Be extra cautious this holiday shopping season, and if you are suspicious of unauthorized activity on your Amazon account, never follow the link in an email such as this; go directly to the website and check your account from there.

Ah, Halloween. A time when people dress up in creepy costumes and enjoy a marathon of classic horror flicks. And while some people may be spooked more easily than others, here are five things that will alarm even the most fearless IT security pro.

  • Protecting a network without sufficient funds.  Whether it’s locating qualified staff or convincing upper management that system updates are necessary expenditures, the lack of funds can seriously impede the health of an organization’s security posture.
  • A future of unknowns. IT security pros spend a lot of time researching the world of cybercrime so that they can stay out of harm’s way. Happily, White Hats are good at disseminating information to their peers when a breach occurs. Vulnerabilities were recently found in OpenSSL (Heartbleed) and Bash (Shellshock), for example, and the community responded by sharing information and patching networks before an incident. But what about those unknown exploits? It’s enough to keep IT pros up at night.
  • The next Zero Day attack. These large-scale attacks often leverage the aforementioned secret vulnerabilities and use them to spread online malaise quickly. Examples include Storm Worm, which targeted the general internet-using public, and Stuxnet and Duqu, which were customized espionage attacks. Oftentimes, these attacks are able to operate for quite a long time without anyone ever being the wiser.
  • Insider threats.  Threats can come from careless, lazy or even well-intentioned employees who have intimate knowledge of the company’s network and accounts.  In the case of a disgruntled former employee, access can be revoked immediately but with the employee who accidentally falls for a social engineering scam, your network may never be the same.
  • Falling victim to data breach. We seem to hear about data breaches on a daily basis as of late. Not only must IT pros take care of internal damage to systems, but they must also worry about stolen customer data. This is an expensive problem that can cost millions of dollars due to direct loss and preventative assurances, like paying for victims’ credit monitoring. Then there’s the loss of consumer confidence and the negative publicity that likely affect the bottom line.

No one wants to be the next victim of data theft or deal with unknown attacks, and because of that, sometimes it’s good to be a little afraid as an IT Security Pro.  A small dose of fear can be healthy and motivate us to go the extra mile in preventative care.  After all, those who remain complacent in their security practice often find themselves to be the next target we’ll read about in tomorrow’s newspaper.

Using current news events in spam and malware campaigns is nothing new; in fact, we see it with most major tragedies or events. This time around the topic is the Ebola virus. We’ve been seeing both spam and virus campaigns using Ebola as a topic to get the reader’s attention, with one malware campaign even claiming to be from the World Health Organization and to have information on how to stay safe from diseases “that you know nothing about”.

[Image: Ebola-themed malware email sample]

Most of the spam coming in seems to be using Ebola as click bait in the message rather than focusing the spam specifically on Ebola. Messages arrive with subjects claiming to have breaking news on Ebola, others claim to have cures, and some even try to sell Ebola survival guides. Using a popular news topic in spam is a common tactic since people are more likely to have heard about the message’s alleged content. Usually the message is formatted so that it appears to provide information you may not know yet, sometimes even looking like a legitimate news agency email. From there it is easier to deliver a payload or to get a user to click on a link in the message that takes them elsewhere. In the recent campaigns, most of the spam with links takes you to websites that don’t even mention Ebola. They are just using its popularity in the email message to get users to click on links and to get their attention for products they are trying to sell.

[Image: Ebola-themed spam samples]

Due to Ebola’s popularity at the moment, it can make it harder for a user to determine if a message is actually spam or if maybe it is something they are interested in like legitimate news. This is when it’s best to remember some good practices of safe email use.

  • Check who the message is coming from – This can sometimes show that a message is coming from an account you don’t recognize. This may not always be a reliable tactic since a From address can be spoofed, but it can make it easier to weed out the obvious fake emails.
  • Look where a link may take you – In almost every mail program, you can hover your mouse over a link and see where it’s taking you. Often you can see right away if a link looks legitimate or not. If you get an email from an American news agency about a miracle Ebola cure but it’s leading you to a foreign website or a website you’ve never heard of, it’s probably safe to not click the link.
  • Always be wary of attachments – This goes for pretty much any attachment. Some of the file types commonly abused for malware are .exe, .scr, .com, and .pif, though there are many other attack vectors in programs for malware to use as well. So if you get attachments from unknown senders at all, it’s best to take as much caution as you can, such as scanning the file with web tools or your local antivirus. A side note: also be aware of double extensions. By default in Windows, a known file extension is not shown. Sometimes malware authors will create and zip a virus such as “Invoice.pdf.exe”. When saved and extracted to a computer, most users will just see “Invoice.pdf”, making it look legitimate.
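Two of the checks above (where a link really goes, and whether an attachment name hides an executable behind a document extension) can be applied mechanically to a raw message. The Python below is an added example, not code from the original post: it parses the message with the standard library, flags attachments ending in the extensions the post names or carrying a doubled extension like “Invoice.pdf.exe”, and flags links whose visible text names a domain other than the one the href points to; the sample message and the domains in it are constructed.

```python
# Added example, not from the original post; SAMPLE and its domains are constructed.
import email
import re
from email import policy
from urllib.parse import urlparse

RISKY_EXTS = {"exe", "scr", "com", "pif"}  # file types named in the post
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "jpg", "png", "txt"}

def attachment_flags(filename):
    """Reasons a filename looks like an executable dressed up as a document."""
    parts = filename.lower().strip().split(".")
    flags = []
    if len(parts) >= 2 and parts[-1] in RISKY_EXTS:
        flags.append(f"{filename}: executable extension .{parts[-1]}")
    # "Invoice.pdf.exe": Windows hides the final, known extension by default
    if len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] not in DOC_EXTS:
        flags.append(f"{filename}: double extension .{parts[-2]}.{parts[-1]}")
    return flags

def link_flags(html):
    """Flag links whose visible text names one domain while the href goes elsewhere."""
    flags = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        real = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.sub(r"<[^>]+>", "", text).lower())
        if shown and real != shown.group(0) and not real.endswith("." + shown.group(0)):
            flags.append(f"link text says {shown.group(0)} but goes to {real}")
    return flags

def triage(raw_message):
    """Parse a raw RFC 5322 message and collect red flags from every MIME part."""
    flags = []
    for part in email.message_from_bytes(raw_message, policy=policy.default).walk():
        if part.get_filename():
            flags += attachment_flags(part.get_filename())
        elif part.get_content_type() == "text/html":
            flags += link_flags(part.get_content())
    return flags

SAMPLE = b"""Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<a href="http://blog.example/wp-content/inv.php">www.amazon.com/orders</a>
--b1
Content-Disposition: attachment; filename="invoice1104.pdf.scr"

--b1--
"""
```

`triage(SAMPLE)` returns three flags: the link text claims amazon.com but resolves to blog.example, and the attachment is caught both for its .scr extension and for the .pdf.scr double extension.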


Keeping a close eye on the email content you look at can save you from falling into a phishing scam or installing a virus. But using email filtering and keeping antivirus up to date is equally important in protecting users, and should shield most users from these types of spam and attacks.