shutterstock_93443800Email-borne attacks come in various shapes and sizes- phishing, spear phishing, Trojans, malicious attachments, hidden scripts and more. While most have evil intentions… some are more sinister than others.

In 2014 a steel plant in Germany was attacked by a group of unknown hackers. The attackers were targeting Industrial Control Systems (ICS), with what appears to be the objective of damaging the company’s productivity. The attackers were able to cause “massive damage to the system” according to one report. Though the hackers appear to have relied on some very specialized malware designed with ICS targeting built in, they gained their initial access via a fairly basic spear phishing attack.

The volume of malicious email has exploded over the past few years, all the while the growing number of malware variants designed to specifically target Industrial Control Systems has grown along with it.  Meanwhile, phishing/spear phishing has remained a popular attack vector for malicious actors trying to gain that initial access to an organization. Once inside an organization and a back door has been established, the attackers can further infect the target with these sorts of specialized malware that can take control of things like ICS.

For example the Dragonfly group compromising several multiple companies in the Energy sector often using a remote access trojan dubbed Havex in the summer of 2013. These infections originated with targeted emails to one or more people at a given organization. Once inside, they were able to implant their trojan inside software that was available for download on these companies websites, potentially compromising ICS that were currently in use. These malicious assets could have later been used for much more sinister purposes.

So why is hacking against ICS so concerning? ICS include things like Energy Management Systems, Distributed Control Systems, Instrument Control, Building Automation, Programmable Logic Controllers, etc… These are the systems that control utilities like power grids to drinking water, safety systems to manufacturing plants… just to name a few. In other words there is a great deal of damage that can be done by attacking ICS.

These types of attacks will prove to be more complex and more frequent going forward as more automation continues to expand across the globe. ICS will be targeted by for profit hacking groups as well as attacks initiated by nation states. We can expect to see these attacks against business and government entities and utilities alike.

While there is no cure-all that will put an end to these attacks, security professionals can focus on shrinking the attack surface.  We know that attackers often use spear phishing as an initial infection vector to ultimately gain access to internal networks. So, organizations can mitigate their odds of attack by using an intelligent email security solution, and educating its users on best practices for IT security.  After all, most employees don’t realize that it only takes one entry point for an entire network to become compromised.

Other tips to shore up your defenses include:

  •   Hackers often leverage vulnerabilities in outdated software.  That’s why Web browsers and third-party software must be kept up to date.
  •   Keep a healthy level of skepticism when reading  unsolicited email.  Never click on its links or attachments.
  •   Foster a work environment that rewards honesty.  Once a company’s perimeter has been breached, reaction time plays a critical role in mitigating the damage.  Employees should not be afraid of facing   repercussions if they’ve fallen victim to an attack.  Instead, they should be encouraged to inform their IT Department straight away.

This morning we had a decent sized malware campaign start across our servers. There wasn’t much to the actual body of the message with it just being some small plain text. The subject just mentions a time sheet and the body says this time it has an attachment. Just enough information to get a user possibly curious to open the file.


 The attached zip has a small executable inside. As of writing this, 11 of 57 AV companies have it classified as malware. Most have it classified as Upatre. Upatre is a piece of malware aimed at downloading other malware on to the machine.

In this case, the downloader executable says it was compiled on March 24, 2006, which is very likely fake. The creation time is often faked just to try and throw people off on it. It was probably created with the last day or two given the low detection rate with AV scanners. This is also like many other tricky malware we have seen in which an icon resource is used in the exe to make it look like something familiar. With this virus, it looks like a pdf. This is a very common tactic used since an average user can relate to a pdf file just being something to read. I generally always recommend to set Windows to show all file extensions just for reasons like this. Teaching users to not open exe’s doesn’t help too much if the file extensions are hidden.

Screenshot from 2015-02-24 09:35:54

If file extensions were shown, you could see the .exe at the end

Once the malware is run, it reaches out to download a few files that appear to be encrypted. A few of the first attempts for the png file failed on file retrieval and it hopped around until it found a server that had the file. And on one particular file that had a .tar extension, it downloaded it 8 times.

Screenshot from 2015-02-24 09:47:31

Not actually a png

This was downloaded 8 times

This was downloaded 8 times. Not actually a tar file.


After the files are all downloaded, the malware made a connection out to a direct IP address using SSL, had about a 2kb conversation, and no more action was seen. Likely this malware is sitting idle and possibly waiting to steal credentials. There were a lot of modifications and queries to Outlook related registry keys and it opens a pst file if one is on the machine. So it may also bring the machine online to a botnet to send spam and malware to a users contacts.

This was a campaign that came in pretty heavy and pretty quick. Between 6AM and 7AM this morning, we stopped a little over 1.5 million. Since then, we have seen about 5 thousand an hour. The good news about this campaign is that the campaign in its entirety was stopped by a virus rule we had written a few days ago. Sometimes with the always evolving malware out there, we have to react within the first few minutes of a new campaign to stop it. But this is one of the cases where prior research had helped us predict future variations of malware, and stop the malware campaign from the very first message. When a new unseen piece of malware comes in, we can have it blocked system wide within minutes (compared to hours for some AV vendors). But from there we take the time to see why the file wasn’t blocked and see what rules we can write to try and block future variations. This allows us to have many cases like this where no leakage is seen for an initial blast of malware and all messages are caught.

Email. Single-handedly one of the most important tools for daily productivity.

5 Steps to Gain your Outlook Inbox Back

5 Steps to Gain your Outlook Inbox Back

Research shows the average employee spends about 23% of their time on email with an estimate that people check email about 36 times an hour. It’s easy to understand how important it is to manage the sheer volume of email and how poor email management strategies also play a role in increasing the time spent on email.

Email overload is making us less productive and less responsive. Since the amount of incoming email doesn’t ever seem to decrease, you need to find a way to handle your Outlook inbox in a way that allows you to focus more on the important information and filter out the stuff that just wastes your time. These tips will not help you to accomplish inbox zero (as nice as that would be), but will hopefully help you move annoying email out of the way so you can focus your time on what’s truly important.

So in this post, we have listed five steps to help regain control of your Outlook inbox:

1. Automatically Trigger Actions to Incoming Email
Manage your inbox by using rules as a way to automatically trigger actions on incoming messages, helping you stay on top of the messages that are more important. A rule can be set with many different parameters. For example, you could specify that email were you are not the main recipient to be moved to a different folder or set a rule that moves all incoming email from your manager into a High Importance folder.

Create Rules in Microsoft  Outlook

Create Rules in Microsoft Outlook

For more information on how to set an Outlook rule, go 

2. Mute a Group Conversation

Outlook: Mute a Group Conversation

Outlook: Mute a Group Conversation

You have been CCed on an email thread on a topic that has nothing to do with you or that you have no interest in following. We all have been there, but many people do not know that they can just mute the thread and automatically ignore all email messages in the conversation. All you have to do is right-click the conversation and choose Ignore. The existing thread and all future messages in it will be deleted.


3. Treat Email Responses like SMSs
Sometimes, it takes too long to respond to emails and you just can’t keep up. One approach to cope with inbox overflow is to just treat all email responses like SMS text messages and optionally paste an explanation into your e-mail signature.
Here is one site that explains the concept.


4. Use Outlook templates for standard responses
If you find yourself writing the same sort of emails over and over again, streamline your day by creating a boilerplate email message using Outlook’s template feature. That way, you can just send a canned response as needed. You can even assign the template to a rule for fully automated email messaging. Find out more about templates here.

Outlook: Save as Template

Outlook: Save as Template


5. Get Ahead of Spam
Outlook comes with a Junk E-Mail filter by default that blocks the most obvious spam from your inbox. While the junk folder is nice to have, often the default filter in Outlook will either just block the most obvious spam or will stop legitimate messages. Spam is not the only problem that can enter your inbox: there’s malware and viruses, too. A good Email Security solution can provide options to whitelist and blacklist senders, tag incoming bulk email and offer advanced security options.

Here, we would recommend using AppRiver’s SecureTide. The bulk tagging option is an all-time favorite feature.  That feature drops promotional email in a set folder within your inbox for review later which I rarely do.
We admit some bias, as we love our AntiSpam solution and we are proud of how it takes care of business when it comes to spam and malware. But don’t take our word for it – check out what companies that are using it on a daily basis have to say about it.

The five steps listed above can help you be more productive and save you a lot of time. To find more tips, learn about securing your corporate Email or AppRiver news try also following us @AppRiver or in Linkedin.

Do you remember passing out Valentine’s Day cards to your elementary schoolmates?  It was a fun, innocent activity that everyone seemed to enjoy each February.  The tradition carried on into the teenage years, with cards that professed sweet sentiments and underlying love for one another.  But, unfortunately, love can be fleeting.

It is not unusual for us security analysts to see love-themed malware campaigns traverse the Internet this time of year.  It’s like cupid’s evil twin decided to shoot arrows through hard drives instead of hearts.  The underlying ruse is to attract the misty-eyed and lovelorn folk to cleverly-written subject lines.  One of the more famous and most destructive malware campaigns that took advantage of ‘love’ is known as “ILOVEYOU”, “love letter” or simply “The Love Bug”.

The Love Bug originated in May 2000 and was a self-propagating worm that attached itself to emails with the subject line, “ILOVEYOU” and an attachment labeled “LOVE-LETTER-FOR-YOU”. The attachment was made to look as if it were a simple .txt file though it actuality was a .vbs (Visual Basic Scripting) file that ran when the file was opened. The fact that the file had a hidden double extension was due to how Windows operating systems interpreted the filenames at the time of reading them (from left to right and stopping after the first period it came across), thereby hiding the rest of the filename and its true file type. Once executed, The Love Bug would replace the majority of files on its new host computer with copies of itself and would then go as far as to place itself in the Windows Registry to make sure it ran at every startup. The worm would also propagate by sending its malicious payload to every contact in the infected machine’s contact list, which allowed it to travel quickly and spread across borders in a matter of hours. In the end, it was said that ‘ILOVEYOU’ spread to at least 20 countries and caused more than $15 billion dollars in damages.

The Internet worm has evolved since its early inception as a self-propagating concept. In the past, worms like The Love Bug relied on email to get from machine to machine, but nowadays, that’s just one of the arrows in their quiver of tricks. Now an Internet worm can seek out attached media devices or traverse network shares. Or in the case of Stuxnet, even jump onto an air-gapped network and make its way through very specific industrial control systems.

It’s amazing to think of the leap in technology in just the last 15 years and the dangers that have evolved alongside it. Back in 2000, Anti-virus and Firewalls were a foreign concept to many computer users.  Now they’re both considered baseline security measures and come pre-installed and run alongside the most common operating system.

We still see these types of cyber tricks that attempt to manipulate users’ heart strings and encourage rash decisions. Such attacks can –and do- propagate quickly over social media as well as other, more traditional methods such as email and infected websites. When The Love Bug made its initial rounds in 2000, there were an estimated 361 million people using the internet. Today, there are about 1.23 billion active monthly users on Facebook alone and an estimated 3.1 billion Internet users. That is a huge target demographic primed and ready to click on the first love letter that appears in their inbox.

Malware authors are always looking for a chance to leverage a newly-discovered vulnerability. That’s why it is so important for users to remain vigilant.  If it looks too good to be true, it is. If you don’t recognize the sender or you weren’t expecting a piece of mail that shows up in the inbox, it’s best to air on the side of caution and just delete it. Stay informed and in touch with potential pitfalls. If we all use a little more caution we can make a great impact in IT security so that everyone can enjoy this holiday with loved ones rather than formatting hard drives and monitoring bank accounts for illicit activity.


Intuit, the company that owns the very popular tax software/service Turbo Tax, announced today that it is shutting down ALL state tax filing capabilities due to a recent rash of “suspicious” filings. This news comes at a time when millions of US citizens are filing federal and state tax returns. This comes on the heels of the news that Minnesota stopped accepting filings from Turbo Tax in light of some potentially fraudulent activity.

It seems there has been a large number of false returns being filed and there are reports of users logging into the software only to find that their state returns have already been submitted (although we can ‘t substantiate those claims). Turbo Tax is reporting that its internal investigation revealed that these accounts were not breached via a compromise of their own systems but rather from criminal activity outside of their network. Regardless, this is quite concerning as these user profiles contain loads of personal information, likely including Social Security numbers (of filers and all dependents), bank account numbers, routing numbers – a veritable cornucopia of personal and financial data.

The main question is where the data used to access these accounts came from? If the Turbo Tax data trove were breached, it could spell lots of trouble for a large number of their customers. Fortunately, this does not appear to be the case. We wouldn’t be surprised if it turns out these accounts were breached through some other means, perhaps a group of individuals that had fallen victim to a phishing campaign or the like.

We see such attacks almost continuously here at AppRiver. In fact, we are currently tracking many different tax related phishing campaigns, although at the moment we are not seeing any specific to Turbo Tax (though we have seen those many times before). Here is an example of just one of the many attacks we block daily that is aimed at harvesting your personal data:


However, phishing is just one of the ways these criminal might have harvested the data that allowed them access to the Turbo Tax user accounts. They might have also harvested the data through malware designed to record your every keystroke. It is also possible that this was the result of some earlier and technically unrelated data breach where consumers were using the exact same login credentials that they use to access some other accounts. This is why it is very important to make sure you use different passwords for different accounts. Otherwise data stolen from a retailer (for example) can be used to access your most sensitive accounts.