Bad weather can create a perfect storm for business. With Invest 99-L—predicted to become Tropical Storm Hermine—threatening the Southeastern United States, AppRiver has once again activated its free Digital Disaster Preparedness Service (DDPS). First made available in 2005, DDPS is a service designed to prevent businesses from losing email in the event of a mail server outage. We’re offering it at no charge to our friends who may be in the path of Tropical Storm Hermine.

Hurricane Image

So what exactly is the DDPS? DDPS is a special offering to businesses that lie within the cone of uncertainty in advance of a hurricane or other natural disaster. The cloud-based service averts email loss and bounced messages by redirecting an organization’s email to one of AppRiver’s secure data centers, while also blocking any spam and virus messages. Once the danger passes and connectivity is restored, AppRiver will forward all outage-period email back to the company’s servers, free of charge.

Registration is simple and typically takes less than 10 minutes to complete. Businesses need only contact AppRiver to receive step-by-step instructions for redirecting their email to AppRiver. Almost immediately, AppRiver will begin monitoring the company`s server activity. When AppRiver detects a loss in connectivity with the email server, its service will begin queuing the business’ incoming messages in one of its safely located, hardened data centers until the business’s servers are able to receive email again.

And while hurricanes can be forecast days before landfall, fires and power outages are harder to predict. Businesses who are not located in the cone of a hurricane, but would like to protect themselves from other disasters might also consider trying AppRiver’s Email Continuity Service risk-free for 30 days.

For more information on AppRiver’s DDPS, please visit:

For more information on AppRiver’s Email Continuity Service, please visit

Ransomware is very popular these days with many different variants constantly popping up. One of the more recent high impact versions is known as Zepto. We see many different file types abused in these malware campaigns – things like macro enabled word documents, .js script files, .wsf windows script files and so on. This morning though we had a campaign coming in using the lesser known .hta file format. This format is essentially an HTML file that uses some sort of browser supported scripting in it. While we have seen this filetype used before in malware campaigns in the past, it’s not one we frequently see used.

The emails in question were pretty boring, lacking anything really other than an attached zip file. Doing something like this may offer attackers a few benefits in a broad campaign, such as having no body content to try and filter as well as not having to come up with some story about why the victim should open it. Curiosity of what’s in the file may drive many people to opening and running the malicious attachment without the attacker even having to ask.

blankemailmalwarezeptohtaThe .hta file contents are written in an obfuscated javascript fashion that we’re so used to seeing these days with the .js and .wsf malware. This obfuscation makes the code very confusing and pretty much unreadable to a human, however the code is still valid and will execute without a problem on the target system.


So once you run the malware, it does what you expect and starts encrypting files. It has a remote command server it uses to download the actual payload once the hta script runs, as well as a server it POSTs data to. In testing this, one of the first files it encrypted was the Outlook PST file. Since it used email as the attack vector, this may be a way to try and lock users out of the source of the malware for any investigating someone may do, as well as the broader picture of how important email can be for day to day operations of a business.


After all is said and done and the malware has done its damage, you get an image file popup as well as an HTML page breaking the bad news and going in to detail on how to pay the ransom.



So far this morning, the count we’ve seen for the campaign is about 11.5 million. Ransomware in general is a very big an obvious reason to take backups and security seriously due to the widespread occurrences these days. This email also serves as a great example of why you should never open unknown attachments, and that not all bad emails are going to be poorly worded or obvious in what they’re trying to get you to do.

The United Services Automobile Association, or USAA, is one of the largest financial institutions in the U.S. offering services to U.S. military personnel and their families. Like any financial institution, they are also exploited by cybercriminals in phishing campaigns. It’s so common, in fact, that our AppRiver security research team see these campaigns frequently. Our team has noticed a steady rise in spam blasts involving USAA in an attempt to defraud their customers. One such campaign is shown in the below screenshot.


This particular USAA phishing blast informs the recipient that a pending transaction requires an additional verification process. The email presents a link for the recipient to complete the transaction. Visually, the spoofed email looks just like a typical USAA message. During our investigation, however, we found several red flags that proved otherwise. The URL provided goes to an exploited website which at the time of this writing has been taken down. The email also contains the usual discrepancies found in many phishing campaigns like a rogue sending IP, spoofed sender address, etc. The email in question has also failed some of our SecureTide automated malware tests.

This campaign most likely seeks to obtain personal information from USAA customers for financial theft purposes. Multiple rules have been coded to block this variant and have currently caught around 3600 emails.

Just last week alone, we’ve seen over a handful of other USAA phishing blasts with various payloads. Below is a screenshot of another campaign that we began tracking last week.


This email also visually appears to be legitimate, but the grammatical errors within this message are suspicious. That, coupled with the usual phishing discrepancies and rogue URL, confirmed this also was a spam email. At the time of this article being written, SecureTide has quarantined 2700 emails. As always, AppRiver’s SecureTide customers are protected.


shutterstock_163066760It’s no secret that ransomware has been circulating at a fever pitch on the web as of late. Locky remains the most prolific despite the fact that new variants of ransomware being discovered with greater regularity. This morning we have been monitoring a campaign attempting to distribute Locky to millions of unsuspecting users. We have already quarantined over 3 million emails this morning associated with several different variations attempting to spread Locky. Lately, they seem to have taken a “less is more” approach to their attacks. Most messages have very little aside from some generic phrases along with an attachment, in this case a macro-enabled document. These are also being spoofed to appear to have come from a user at the same domain as the recipient and are posing as a scanned document.

The following is an example of this morning’s traffic:


Once infected, all of the users files are encrypted. This is followed shortly after by a prompt to pay the ransom. Though some current ransomware variants have corresponding tools online to help the victims decrypt their files, none seem to be a viable solution to this threat. A good backup strategy can save you from having to pay the ransom in these attacks. However, we have seen some recent ransomware variants such as CryptXXX that are also stealing the sensitive data in addition to encrypting and this is a trend that we expect to see continue in the future.

Here are a few steps you can take to limit the potential impact of ransomware

  • Maintain several robust layers of prevention
  • Consider banning macro-enabled files throughout your organization
  • No matter how innocuous a message may seem, never open an attachment in an unsolicited email –regular user training to improve
  • Keep regular hot and cold backups

This week’s Threat Thursday focuses on a phishing email blast that our AppRiver security research team is monitoring. The campaign attempts to impersonate a job notification email from, a job listing website.


The email informs the recipient that there is an exciting job opportunity listed on and provides a link to view additional information. The URL redirects to a non-Monster website with the job listing. The listing is for a Mystery Shopper, someone who gets paid to shop at and provide reviews on local stores. The job states that a mystery shopper can receive compensation of $500 per assignment plus reimbursement for any items purchased during an assignment. The website has a form provided for the recipient to fill out in order to apply. This form is used to phish information, like social security numbers, from victims.


There’s not much to this phishing campaign. Both the email and website have a no-frills appearance to them and there wasn’t much variation between the sample messages we came across. We did note several inconsistencies during our brief investigation of this campaign including the sending SMTP server, URL, email formatting etc. Our SecureTide spam filter has quarantined around 4,000 of these messages and will continue to monitor for new variants.