Over the past six months we have seen an increase in the number of emails with malicious Word (.doc) attachments. These messages utilize the available functionality in a file type that is very familiar to basically every computer user. By using this technique the attacker can increase the chances that one of these messages will be opened.

An interesting variant of the macro malware that we have been seeing hit our filters over the past few days is posing as an invoice from the also highly recognizable Adobe. The messages are quite simple in nature, thanking the recipient for their “purchase” of Adobe Creative Cloud Service. The messages all contain an attachment Invoice[dot]doc (MD5: 6767089af607eb6464374bb89ead8e3e).

adobe virus

Once the document is opened all the user has to do is click enable editing/content and the macro will infect the machine.

macroThis particular instance installs a fairly generic Trojan Downloader commonly referred to as some variation of “Downloader.VBA.Agent”.

Of course our customers are protected from all variants of this threat. However, if admins want to take it a step further they should consider disabling macros entirely using group policy if possible–that way they can combat documents with malicious macros that might make their way onto the network from any vector.

It’s been another rough year for netizens. AppRiver’s security analyst team has journaled many of the Web’s perils of the past year, including the spam and malware that has plagued it, the cybersecurity measures that are supposed to make it safer, as well as data breaches that shook consumers and employees.

In total, AppRiver quarantined 944 million messages containing malware from January to November, and an additional 705 million in December alone, doubling the number of malware messages from 2014. AppRiver also quarantined 26 billion spam messages in its filters.

0Y03HPQ7US (1)

Malware Campaigns:

Many malware campaigns came directly to individuals’ inboxes through spear phishing and spoofing attempts, pointing to the power of social engineering and trust.

Some of the major malware campaigns included:

  • Macros
  • Ransomware
  • Wire transfer fraud
  • JavaScript obfuscation

The report also devotes special video segments focused on macros malware attacks, wire transfer fraud, and ransomware.

Data Breaches:

Anthem, Premera, LastPass, Ashley Madison, Experian, and the Office of Personnel Management were some of the biggest breaches of 2015. The OPM data breach resulted in more than 18 million current and former federal employees’ records being breached, while the insurance company breaches resulted in more than 90 million patients’ health records being compromised.

Report co-author, Jon French, adds, “This year featured personal attacks on consumers, as cybercriminals favored personal data, such as health insurance records, online dating profiles, and HR files over financial information, such as credit card accounts and routing numbers. Cybercriminals are likely using this information to form detailed consumer profiles on the Dark Web for future attacks, like spear phishing and blackmail.”

Legislation:

Three major pieces of legislation were passed in the United States and the European Union this year, including:

“The Protecting Cyber Networks and National Cybersecurity Protection Advancement Acts will incentivize companies to share cyber threat information with U.S. government agencies,” says co-author and manager of security research, Troy Gill. “The goal is to prevent future attacks by sharing threat intelligence through joint efforts of government agencies and companies.”

To learn more about the spam and malware trends of 2015, data breaches, and legislation related to them, please read the Global Security Report.

 

Another day, another slew of custom crafted MS Word documents with macro functionality hits our filters. Macros used to be a tool of convenience for Microsoft documents such as Word and Excel, but now they’re primarily used for internet evil, so much so that Microsoft has had them disabled by default for years now. The only reason they haven’t gone away completely is because some companies are still using them despite their very inherit dangers, likely in legacy documents that have continued to be reused over and over within an organization.

Today’s attack began early around 4am cst and continued for the next four hours targeting the inboxes of those just heading into work in the US, though the attacks did not appear to be limited to mailboxes in the United States. By the time this campaign finished up, we had blocked over a half a million pieces associated with this attack.

This attack spoofed a winery just outside of London and thanked the recipient for their recent payment, but stated that an invoice had been overlooked. The email was spoofed to look like it was sent by someone from the winery’s domain. Even the winery itself placed a warning on their site about the attack saying that these emails originated from the address in question, however, in actuality the address was simply spoofed and originated from a botnet sent out from all over the world. The rest of the email was also well crafted, looking as close to a real correspondence as one can likely get, additionally including footer graphics promoting an actual upcoming event by the winery being spoofed.


wine6
wine3wine4

The supposed invoice was an attachment by the name of CWIH8974.doc. This was a real MS Word document, although if it were opened, it appeared to have no content. Underneath the surface, though, a macro runs that calls out to the domain powerstarthosting.com where it downloads and executes the file b4387kfd.exe. The newly downloaded executable then reaches out to 92.48.69.11 to get further instructions and payloads.

This campaign is very similar to a campaign we saw a couple of weeks ago where the exact same template was being used to push an attachment by the same name. In this campaign though, the malicious payload was hosted elsewhere – secure.novatronica.com and had a different name – 87t5fv.exe, its intent was the same though, to steal personal information from its victims.

This attack has also used a second theme in order to push its agenda, spoofing another European firm that handles accounting for restaurants in the UK. This time the attachment was entitled “British Gas.doc” and was a supposed bill from the utility company. In this version the malware reaches out to webdesignoshawa.ca and the IP 184.168.192.41 for its payload.

The best way to avoid these attacks is to avoid using macros and leave them disabled. If your company has to use them, I recommend specific user awareness training on how to spot these bad documents and establish procedures for handling possible infections and when you’re done with that, go ahead and stop using them.

wine1 wine5

First Apptix, then McAfee, now MailFoundry. Thanks to shake ups in IT security, it seems like it’s harder to hold onto a spam and virus filtering solution than it is to herd cats. Fortunately, AppRiver is privately held, meaning we control our services’ destinies, not the board room. And as for our services, SecureTide™ spam and virus filtering blocks 99 percent of spam and viruses, contributing to its 93 percent customer retention rate. Not too shabby, huh?

RPMT6Y4X8U

SecureTide™ customers also benefit from:

  • Real-time protection from today’s IT threats
  • Simple implementation
  • No hardware or software installation
  • Inbound and outbound email protection
  • Daily Held Spam Reports
  • User level filter permissions
  • Disaster email recovery included*
  • Office 365 compatible
  • Phenomenal Care from our US-based team, 24 hours a day, every day

Ready to make the switch, or curious to find out more? Call 866-223-4645 or complete our online interest form to start your FREE TRIAL today.

Recently, we sat down with our security analyst team and asked them about their top security concerns.  While they see many threats throughout the year, below are their top ten threat predictions for 2016.

DZ1EFM9PIK

Cloud storage will make documents easier to access for consumers—and black hats.

The use of Dropbox, OneDrive, Box, Google Drive and other cloud storage services by individuals and organizations to access documents in multiple locations means that cybercriminals need to only infect one device to get access to a whole trove data.

Chip card technology will make POS credit card fraud more difficult for criminals, which will inspire them to develop malware that can compromise chip card technology.

With the new technology, it should hopefully become more difficult for cyber thieves to simply steal and utilize magnetic stripe account information. We instead anticipate it forcing them to begin creating and opening new accounts in their victims’ names and identities (Identity Theft). However, while they are forced to revert to their old ways, you can be assured that the cyber criminals are racing to create malware that can compromise chip technology.

The increasing use of wearable technology will begin to be examined a little deeper as people begin to wonder about where all of the data that they’re processing is ending up.

With the ever-expanding marketplace of health and fitness apps coupled with wearable devices that are monitoring our every move, heartbeat, and location, compromised security or even just poor privacy settings can contribute to this personal data being leaked. We can expect to see a lot of this data being used in target marketing, which although not illegal, puts this information in more datacenters, and consequently, gives cybercriminals more opportunities to steal it.

Acts of cyber aggression will continue between many nation states including the U.S. and China, as well as remain a tool of warring nations.

We may not be privy to the majority of these attacks against infrastructure or corporate espionage between our collective countries, but evidence suggests that the Internet has become an important tool in every aspect of our lives including war and politics. With the alleged North Korea hacks on Sony, we can expect this “boots at home” tactic to remain in the playbook, whether it be reconnaissance or even the disabling of infrastructures and communications.

Mobile Payment Systems work aggressively to make digital payments through services such as ApplePay, Google Wallet and CurrentC much more secure.

Vendors have been trying hard to change the way we make transactions with virtual wallets in our mobile devices. Its early adoption has left a bit to be desired thanks to security issues and concerns. However, these early flaws and the attack on the CurrentC payment system have also contributed to stricter security standards by mobile payment systems, with some having the option for a touch ID (aka thumbprint). We can expect vendors to continue to bolster their mobile payment security, while cybercriminals work hard to hack it.

Tried and true malware techniques will continue to evolve.

As organizations and individuals begin to exercise proper backup procedures and implement IT security plans, there will be fewer vulnerable targets for the criminals. However, this will force the cybercriminals to develop savvier malware and social engineering ploys, such as those utilized in ransomware, to terrorize businesses.

The bevy of breaches that occurred during 2015 and the abundance of credit card and other personal information obtained from them will lead to an increase in spear-phishing and other more targeted attacks.

Coupled with information gleaned from social media, so much private personal information exists on the cyber underground thanks to all of the data breaches now that criminals can assemble very specific personal profiles of their targets. We expect this information will be used for highly targeted attacks, like spear phishing, or in an effort to defeat new card technologies.

The TOR network and P2P networks will see a rise in use by botnets and benign services as well.

More sophisticated malware will continue to defeat detection by hiding in common services and using non-traditional forms of communication such as TOR or Peer to Peer. Adversely, Facebook’s new experimental move into the TOR network may inspire other reputable services to want to provide anonymous access thereby enticing new users who may have been unwilling to try them beforehand.

Unexposed vulnerabilities in widely used platforms and protocols will continue to be a goal for attackers.

The past few years showed us some major issues with secure communication like that in SSL as leveraged by Heartbleed and a long time bug in Bash with Shellshock. The discovery of vulnerabilities such as these will continue to be a major goal for attackers and defenders alike.

The ever-growing increase in mobility could spell trouble for BYOD policies.

Businesses that have adopted BYOD policies, but have very loose or even no IT security policies regarding them, may be in trouble as personal devices and work comingle. This could create a sharp increase in lost or compromised data collected from these devices if employees are not naturally scrupulous when it comes to their personal data protection.

DOT1T5II2J

 

While there is no one “silver bullet” that can protect you from a cyberattack, our security analyst team has offered some quick tips to keep you secure.

  • Always back up your files. Whether it’s malware like ransomware, or even just a simple hard drive failure by your dinosaur of a computer, your life will be much easier if you opt to back up your files. In the event of a ransomware infection, your options would be A) pay the ransom and support criminal activities, B) don’t pay the ransom and lose your files forever, C) do neither, because you have a copy of your files. It’s easy-peasy.
  • Schedule regular software and hardware updates. Hardware and software updates often contain patches to security holes that can let in malware onto your network. Unless you want your network to turn into a zombie army of botnet computers, force the computers on your organization’s network to update frequently, and limit how many times an employee can select “update later.”
  • On that note, when available, opt for cloud-based security solutions that update automatically, without any downtime. With cloud-based security with no downtime and automatic updates, you don’t have to worry about your employees skipping important security patches.
  • Adopt layered, redundant IT security solutions to protect your organization’s network. If the bad guys’ malware-laced .zip attachment labeled “funny cat gif” never makes it into your intern’s inbox, he can’t open it and inadvertently infect your network. Likewise, if you have Web protection, you won’t have to worry about him downloading malware when he’s surfing the Web.