Kudos to Google for alerting Gmail users when they are about to send or receive mail that is not protected by Transport Layer Security (TLS). It’s certainly a step in the right direction, but it promotes the idea that TLS equals encryption.

ZV0YSZWGO6

If you’ve ever ordered a product or service online and had to give your credit card number or other sensitive information, odds are you did so through a secure server. In the past, this connection likely relied on secure socket layer (SSL) protocols to encrypt your information from the time it left your server until the time it reached the company’s. A hacker who intercepted that message somewhere in between, would find it nearly impossible to decode.

Transport Layer Security (TLS) is a application security protocol that has replaced SSL and become the standard for insurance companies, lawyers, accountants, doctors and others who send and receive sensitive data from their clients. However, there are some weaknesses within TLS that users — especially industry groups — should be aware of before blindly adopting it for compliance reasons.

The issue with TLS isn’t so much the level of security it offers, but more so where that security ends. TLS is a server-to-server protocol that encrypts messages in transit. As an analogy, think of it as having a valuable package delivered in an armored car. However, that car stops at the end of your driveway, leaves the package and drives away. Likewise, with TLS, you have secure email right up until it reaches the receiving server. At that point, anyone can access it.

In other words, someone who hacks your mailbox would be able to see and read the unencrypted message, even though one who intercepts it between servers cannot.

With TLS, your email is only as secure as your server. For some companies, that might not be a huge problem, but for small companies — think doctors’ offices, insurance agencies, individual lawyers and accountants — it could be a huge issue. This is especially true now that TLS has become the standard and these companies are sometimes led to believe that’s all they need to have a secure email system.

Make no mistake, TLS is a step in the right direction. In fact, AppRiver will always use a TLS connection if it’s available. However, if your company deals with sensitive information, CipherPost Pro™ from AppRiver might be another, even more reliable way to protect your customers. CipherPost Pro protects data from user to user rather than server to server.

Based on the analogy above, CipherPost Pro offers the same kind of “armored car” protection in transit. But with CipherPost Pro, it’s like having an armed guard come knock on your door, check your ID and place the package in your hands.

The practical effect is that someone who hacks your server will find the information as useless as the one who steals your data en route.

Do you need this level of protection? That all depends on how valuable your clients’ information is to someone who fraudulently receives it — or, more to the point, how valuable your customers are to you.

 

Over the past six months we have seen an increase in the number of emails with malicious Word (.doc) attachments. These messages utilize the available functionality in a file type that is very familiar to basically every computer user. By using this technique the attacker can increase the chances that one of these messages will be opened.

An interesting variant of the macro malware that we have been seeing hit our filters over the past few days is posing as an invoice from the also highly recognizable Adobe. The messages are quite simple in nature, thanking the recipient for their “purchase” of Adobe Creative Cloud Service. The messages all contain an attachment Invoice[dot]doc (MD5: 6767089af607eb6464374bb89ead8e3e).

adobe virus

Once the document is opened all the user has to do is click enable editing/content and the macro will infect the machine.

macroThis particular instance installs a fairly generic Trojan Downloader commonly referred to as some variation of “Downloader.VBA.Agent”.

Of course our customers are protected from all variants of this threat. However, if admins want to take it a step further they should consider disabling macros entirely using group policy if possible–that way they can combat documents with malicious macros that might make their way onto the network from any vector.

It’s been another rough year for netizens. AppRiver’s security analyst team has journaled many of the Web’s perils of the past year, including the spam and malware that has plagued it, the cybersecurity measures that are supposed to make it safer, as well as data breaches that shook consumers and employees.

In total, AppRiver quarantined 944 million messages containing malware from January to November, and an additional 705 million in December alone, doubling the number of malware messages from 2014. AppRiver also quarantined 26 billion spam messages in its filters.

0Y03HPQ7US (1)

Malware Campaigns:

Many malware campaigns came directly to individuals’ inboxes through spear phishing and spoofing attempts, pointing to the power of social engineering and trust.

Some of the major malware campaigns included:

  • Macros
  • Ransomware
  • Wire transfer fraud
  • JavaScript obfuscation

The report also devotes special video segments focused on macros malware attacks, wire transfer fraud, and ransomware.

Data Breaches:

Anthem, Premera, LastPass, Ashley Madison, Experian, and the Office of Personnel Management were some of the biggest breaches of 2015. The OPM data breach resulted in more than 18 million current and former federal employees’ records being breached, while the insurance company breaches resulted in more than 90 million patients’ health records being compromised.

Report co-author, Jon French, adds, “This year featured personal attacks on consumers, as cybercriminals favored personal data, such as health insurance records, online dating profiles, and HR files over financial information, such as credit card accounts and routing numbers. Cybercriminals are likely using this information to form detailed consumer profiles on the Dark Web for future attacks, like spear phishing and blackmail.”

Legislation:

Three major pieces of legislation were passed in the United States and the European Union this year, including:

“The Protecting Cyber Networks and National Cybersecurity Protection Advancement Acts will incentivize companies to share cyber threat information with U.S. government agencies,” says co-author and manager of security research, Troy Gill. “The goal is to prevent future attacks by sharing threat intelligence through joint efforts of government agencies and companies.”

To learn more about the spam and malware trends of 2015, data breaches, and legislation related to them, please read the Global Security Report.

 

Another day, another slew of custom crafted MS Word documents with macro functionality hits our filters. Macros used to be a tool of convenience for Microsoft documents such as Word and Excel, but now they’re primarily used for internet evil, so much so that Microsoft has had them disabled by default for years now. The only reason they haven’t gone away completely is because some companies are still using them despite their very inherit dangers, likely in legacy documents that have continued to be reused over and over within an organization.

Today’s attack began early around 4am cst and continued for the next four hours targeting the inboxes of those just heading into work in the US, though the attacks did not appear to be limited to mailboxes in the United States. By the time this campaign finished up, we had blocked over a half a million pieces associated with this attack.

This attack spoofed a winery just outside of London and thanked the recipient for their recent payment, but stated that an invoice had been overlooked. The email was spoofed to look like it was sent by someone from the winery’s domain. Even the winery itself placed a warning on their site about the attack saying that these emails originated from the address in question, however, in actuality the address was simply spoofed and originated from a botnet sent out from all over the world. The rest of the email was also well crafted, looking as close to a real correspondence as one can likely get, additionally including footer graphics promoting an actual upcoming event by the winery being spoofed.


wine6
wine3wine4

The supposed invoice was an attachment by the name of CWIH8974.doc. This was a real MS Word document, although if it were opened, it appeared to have no content. Underneath the surface, though, a macro runs that calls out to the domain powerstarthosting.com where it downloads and executes the file b4387kfd.exe. The newly downloaded executable then reaches out to 92.48.69.11 to get further instructions and payloads.

This campaign is very similar to a campaign we saw a couple of weeks ago where the exact same template was being used to push an attachment by the same name. In this campaign though, the malicious payload was hosted elsewhere – secure.novatronica.com and had a different name – 87t5fv.exe, its intent was the same though, to steal personal information from its victims.

This attack has also used a second theme in order to push its agenda, spoofing another European firm that handles accounting for restaurants in the UK. This time the attachment was entitled “British Gas.doc” and was a supposed bill from the utility company. In this version the malware reaches out to webdesignoshawa.ca and the IP 184.168.192.41 for its payload.

The best way to avoid these attacks is to avoid using macros and leave them disabled. If your company has to use them, I recommend specific user awareness training on how to spot these bad documents and establish procedures for handling possible infections and when you’re done with that, go ahead and stop using them.

wine1 wine5

First Apptix, then McAfee, now MailFoundry. Thanks to shake ups in IT security, it seems like it’s harder to hold onto a spam and virus filtering solution than it is to herd cats. Fortunately, AppRiver is privately held, meaning we control our services’ destinies, not the board room. And as for our services, SecureTide™ spam and virus filtering blocks 99 percent of spam and viruses, contributing to its 93 percent customer retention rate. Not too shabby, huh?

RPMT6Y4X8U

SecureTide™ customers also benefit from:

  • Real-time protection from today’s IT threats
  • Simple implementation
  • No hardware or software installation
  • Inbound and outbound email protection
  • Daily Held Spam Reports
  • User level filter permissions
  • Disaster email recovery included*
  • Office 365 compatible
  • Phenomenal Care from our US-based team, 24 hours a day, every day

Ready to make the switch, or curious to find out more? Call 866-223-4645 or complete our online interest form to start your FREE TRIAL today.