Users everywhere should beware of what appears to be a very widespread phishing attack that was launched just today. Anyone who received an invite to a shared Google Docs file today should handle it with kid gloves. Of course, we see phishing attacks constantly, and ones targeting Google credentials are quite common. However, this attack is unique. Unlike most Google phishing attacks, which lead to a site unrelated to Google or one cleverly disguised with a few misspellings, this one leads the target to an actual Google page. From there it appears the attackers have registered third-party web apps with misleading names like “Google Docs.” Once you accept the permission prompt, you have granted that third-party app access to your account, and therefore the attackers have gained access too. From there they can launch more of these attacks from your account if they want. If you think you have fallen victim to this attack, check the connected apps on Google’s Sign-in and Security page and revoke any you don’t recognize.

Here is a look at the current version of this attack:

Before you open that next email from a well-known company – news site, bank, vendor – give yourself an extra second or two to examine it closely. Here at AppRiver, we’ve seen a dramatic increase in phishing attempts lately and you don’t want to be next on the hook.

Spammers are disguising themselves as familiar companies such as ADP, eFax, and DHL to trick you into giving up valuable company or personal information. The best way to avoid becoming a victim is to notice irregularities in the message. These are warning signs of a possible phishing attempt.

Below is an example:

The first element to consider is that the “From” line says it’s being sent from ADP’s billing department, but we can see it’s actually from the domain littlebaja.com. (Probably not ADP’s billing department.) As you might expect, legitimate companies typically send from their own domains.

Another example is shown below with the eFax message. Although the domain looks very similar to efax.com, it’s really “exfaxo.” Close, but no cigar. And no click, if you’re wise.

Next, consider what the email is asking you to do. In many cases, scammers will try to get you to click a link. If so, hover over it and check whether the address that appears matches the one shown in the text. On a phone or tablet, where you can’t hover, you may only notice after tapping that the destination page isn’t the site the link claimed to be, so check the address bar before doing anything else.

If you get to the page (and let’s hope you won’t), you’re greeted with a request for login information. They try to make it look professional by automatically grabbing your email address and prefilling it in the username box. In this case, they are phishing for your login credentials. (The actual user’s email address was omitted for privacy.)
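The three checks above (display name versus sending domain, the Reply-To address, and link text versus the link's real target) can be automated over a raw message. The following is an added example written for this page, not code from the original post or from AppRiver; the brand-to-domain map, the `.example` domains and the sample message are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand-to-domain map; extend it with the brands your users actually deal with.
BRAND_DOMAINS = {"adp": "adp.com", "efax": "efax.com", "dhl": "dhl.com"}

# Constructed sample modelled on the ADP and eFax lures above: the display name
# claims ADP, the sender and reply-to domains do not, and the visible link text
# shows a different host than the href it actually points to.
SAMPLE_EML = b"""From: "ADP Billing Department" <billing@littlebaja.example>
Reply-To: adp.invoices@freemail.example
To: victim@company.example
Subject: Your ADP invoice is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your invoice is available on your account. Please review it.</p>
<p><a href="http://login.exfaxo.example/adp/">https://www.adp.com/invoices/12345</a></p>
<p><a href="https://www.adp.com/">ADP Home</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name. Naive on purpose: production code should use
    a public-suffix list so that names like example.co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_text):
    """Host name from a URL, or from URL-looking text such as 'www.adp.com/x'."""
    if "://" not in url_text:
        url_text = "http://" + url_text
    return urlparse(url_text).hostname or ""


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def analyze_message(raw, brands=BRAND_DOMAINS):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. "From" display name claims a brand, but the sending domain is not that brand's.
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = registered_domain(addr.rpartition("@")[2])
    for brand, domain in brands.items():
        if brand in name.lower() and from_domain != domain:
            findings.append(f"display name '{name}' claims {brand} but sender domain is {from_domain}")

    # 2. Reply-To goes somewhere other than the sender's domain (typical of freemail replies).
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(str(msg["Reply-To"]))
        reply_domain = registered_domain(reply_addr.rpartition("@")[2])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 3. The text of a link shows one host while the href (the "hover" target) points to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if looks_like_url(text) and registered_domain(host_of(text)) != registered_domain(host_of(href)):
                findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for flag in analyze_message(SAMPLE_EML):
        print("RED FLAG:", flag)
```

Run against the sample it reports all three flags; a plain message from the real brand domain with no links produces none. The domain comparison is deliberately on the registered domain rather than the full host, so `mail.adp.com` and `www.adp.com` are not reported as a mismatch.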

Also think about whether this is an email you were expecting or have gotten before. Phishing messages tend to be very generic in nature and unprompted. With more shopping being done online, it is easy to look at these emails and assume that the invoice, fax, or tracking information is valid. That’s human nature, and it’s exactly what scammers are counting on to lure you in.

Phishing usually works because we’ve developed predictable behaviors, like trusting a familiar logo, clicking a hyperlink, and entering a password below our email address. To avoid being a victim, however, we need to develop new habits that include viewing each email with a skeptical eye, looking for tell-tale signs of a scam, and never entering credentials on a questionable site.

We posted earlier in the year about the uptick in email attacks relating to the impending US tax deadline. Throughout tax season, we have continued to monitor tax-themed attacks in the form of bulk phishing, spearphishing, and malicious payloads. As the filing deadline quickly approaches, we are seeing a large volume of tax-related messages attempting to dupe users into divulging personal information. Several of the current email campaigns use PDF attachments claiming to contain pertinent tax information. These attachments contain links to an active phishing page where the attackers lie in wait to collect consumers’ personal data.

The first comes with a very vague message and claims to contain W2 information.

The second email campaign takes a more aggressive approach and tries to startle the user into opening the attachment with the threat of a tax penalty.

Both campaigns are currently being quarantined for our SecureTide™ customers. If you are not a customer and did receive one of these, there are a few obvious red flags that should keep you from falling victim. First, in the second message, the “IRS” is sending us an unsolicited message about important tax documents. This is not how the IRS operates. Second, the IRS will never send an attachment in an unsolicited email. Third, the message says the document was shared with the consumer via Dropbox, even though the file is directly attached; it is safe to assume that is not IRS standard operating procedure either. And lastly, although the attackers put “IRS” in the friendly “From” name, the actual sending domain is not irs.gov.
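For the PDF-attachment campaigns above, the practical triage step is pulling the embedded links out of the PDF without opening it in a viewer. The following is an added example, not code from the original post or from AppRiver: it scans a PDF for /URI actions, including ones inside FlateDecode streams where modern PDF writers put annotation dictionaries, and flags hosts that are not under the domain the lure claims to come from. The sample PDF it builds and the `.example` hosts in it are constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlparse

# A /URI entry in a PDF action dictionary: /URI (http://...). PDF literal strings may
# contain backslash-escaped parentheses, which the character class allows for.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Raw stream bodies between the 'stream' and 'endstream' keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _pdf_string(raw):
    """Undo the PDF literal-string escapes that matter here and decode as Latin-1."""
    return raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\").decode("latin-1")


def extract_pdf_uris(pdf_bytes):
    """Return every /URI target in the PDF, in clear text or inside a Flate stream."""
    uris = set()
    for m in URI_RE.finditer(pdf_bytes):
        uris.add(_pdf_string(m.group(1)))
    for sm in STREAM_RE.finditer(pdf_bytes):
        # decompressobj tolerates the newline captured before 'endstream': it stops
        # at the end of the zlib stream and leaves the rest in unused_data.
        d = zlib.decompressobj()
        try:
            data = d.decompress(sm.group(1))
        except zlib.error:
            continue  # not a Flate stream (image data, fonts, or another filter)
        for m in URI_RE.finditer(data):
            uris.add(_pdf_string(m.group(1)))
    return sorted(uris)


def registered_domain(host):
    """Last two labels of a host name (naive; use a public-suffix list in production)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def offsite_hosts(uris, expected_domain):
    """Hosts whose registered domain is not the one the lure claims (irs.gov here).
    A host such as irs.gov.penalty-notice.example registers as penalty-notice.example."""
    hosts = {urlparse(u).hostname for u in uris if urlparse(u).hostname}
    return sorted(h for h in hosts if registered_domain(h) != expected_domain)


def build_sample_pdf():
    """Constructed fixture, not a real sample: one link annotation in clear text and
    one inside a FlateDecode stream, which is how a real PDF writer would emit it."""
    hidden = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
              b"/A << /S /URI /URI (http://tax-refund.example/w2.php) >> >>")
    compressed = zlib.compress(hidden)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"3 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            b"/A << /S /URI /URI (https://irs.gov.penalty-notice.example/login) >> >> endobj\n"
            b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(compressed)).encode() + b" >>\nstream\n" + compressed
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    found = extract_pdf_uris(build_sample_pdf())
    for uri in found:
        print("URI:", uri)
    print("hosts not under irs.gov:", offsite_hosts(found, "irs.gov"))
```

A grep for `http` over the raw file would miss the second link entirely because it lives in a compressed stream; that is exactly why a viewer-free triage needs to inflate streams before looking. Launch actions (/Launch), JavaScript and other filters are out of scope for this example.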

What else can you do?

There’s no silver bullet when it comes to blocking phishing in general. Attackers are constantly testing new methods and finding what works and what gets to the user’s inbox. But there are some steps an organization can take to try to combat them.

  • Use encrypted email – Make it company policy that certain categories of sensitive data are always encrypted when sent via email. Ideally that information would never be sent externally at all, but if it is, encryption keeps it secured and unusable by any third party who gets hold of it.
  • Look at the recipient address when replying – A quick glance at the “To:” address when replying could stop many spearphishing attacks. Attackers like to put a freemail account (Outlook, Gmail, Yahoo, etc.) in the “Reply-To:” field of a phishing message, and most users only see that address once they go to reply. If they are willing to spend a few dollars, they will even register a domain name that looks very similar to the victim’s own domain.
  • Have 2-factor verification – A company policy under which it’s acceptable to transfer $50k on a single email request is a bit loose with the coffers. It’s best for everyone if a second verification is in place, such as a quick office visit or a phone call to a number you already know rather than one given in the email. The same goes for sending around something like all employees’ W-2 files.
  • Hover over links in messages – Sometimes a spearphishing attempt is aimed at getting just that single email through to a user and doesn’t need any back and forth: a phishing link asking for their email login, a link to an external site that collects all the details needed for a wire transfer, or a link for the employee to upload sensitive company data to. Knowing where you are going online by hovering over links, and glancing at the URL once you arrive, is a basic security habit that some people need to follow more closely.
  • Don’t be afraid of your boss – Yeah, this can be a tough one. But some of these spearphishing emails rely on the CEO’s name as a strong-arm to get an employee to do something. By writing the text in a way that sounds urgent or demanding, the attacker gets some employees to forgo set policy and bypass the procedures in place to please their boss; after all, they think the CEO is ordering them to. Obviously questioning every order that comes down isn’t feasible or advisable, but again, certain things like sending W-2s and wire transfers should have set policies that everyone follows no matter what. It’s better to question all wire transfers than to miss that one and send $20k to some foreign account.
  • Use an email filter – This may be the obvious one. But many email filters have advanced features and tests that can catch these sorts of attacks, which people may not be aware of. At AppRiver, we have an advanced spearphishing test that looks for these low-key phishing tactics and stops them. If your filter service doesn’t have spearphishing features, you can still do something like block external email that uses your own domain name in the sender address, so that any message claiming to be from your domain but arriving from somewhere other than your own servers gets blocked.
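The last bullet describes a rule a filter can enforce without any spearphishing-specific features: reject messages whose From address uses your own domain but which did not arrive from your own servers. The following is an added example of that rule, not code from the original post or from AppRiver; the protected domain `company.example`, the server network `203.0.113.0/24` and the three sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumptions for the example: the domain we protect and the networks our own
# outbound mail servers send from (203.0.113.0/24 is a documentation range).
OUR_DOMAIN = "company.example"
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# IPv4 literal in brackets as MTAs write it in "Received: from host ([a.b.c.d])".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP of the peer that handed the message to our edge MTA.
    Only the topmost Received header was written by us and can be trusted;
    everything below it was supplied by the sender and may be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP_RE.search(str(received[0]))
    return ipaddress.ip_address(m.group(1)) if m else None


def sender_domain(msg):
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def should_block_spoof(raw, our_domain=OUR_DOMAIN, our_networks=OUR_NETWORKS):
    """The rule from the last bullet: a message claiming to be From our own domain
    is blocked unless it arrived from one of our own servers. Mail from any other
    domain is left to the rest of the filter."""
    msg = message_from_bytes(raw, policy=policy.default)
    if sender_domain(msg) != our_domain:
        return False
    ip = connecting_ip(msg)
    if ip is None:
        return True  # our domain with no attributable origin: fail closed
    return not any(ip in net for net in our_networks)


# Constructed samples. The topmost Received line is what our edge MTA records.
SPOOFED_CEO = b"""Received: from mail.attacker.example ([198.51.100.7]) by mx.company.example; Mon, 3 Apr 2017 09:12:44 -0500
From: "CEO Name" <ceo@company.example>
Reply-To: ceo.name@freemail.example
To: finance@company.example
Subject: Urgent wire transfer

Please process the attached wire today.
"""

LEGIT_INTERNAL = b"""Received: from smtp1.company.example ([203.0.113.5]) by mx.company.example; Mon, 3 Apr 2017 09:15:02 -0500
From: "CEO Name" <ceo@company.example>
To: finance@company.example
Subject: Re: budget

Approved, thanks.
"""

EXTERNAL_VENDOR = b"""Received: from mail.vendor.example ([198.51.100.9]) by mx.company.example; Mon, 3 Apr 2017 09:20:00 -0500
From: invoices@vendor.example
To: finance@company.example
Subject: Invoice 4471

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_CEO), ("internal", LEGIT_INTERNAL), ("vendor", EXTERNAL_VENDOR)):
        print(label, "->", "BLOCK" if should_block_spoof(raw) else "pass")
```

This rule is what SPF and DMARC formalize through DNS, so publish those as well. It also shares their main caveat: any legitimate third party that sends mail as your domain (a payroll or marketing service, for instance) must be added to the allowed networks, or its mail will be rejected too.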

Today we announced that we’re launching the first class of our new Veteran to Entrepreneur (V2E) program! V2E is a new start-up package that includes a comprehensive assistance program, including training, business counsel, marketing support, and a specialized, limited-time refund program providing additional capital to invest in veterans’ businesses. Since its inception, AppRiver has supported and hired veterans, including some senior managers who envisioned this new program.

“Many IT administrators have ambitions to open their own consulting practices, leveraging their years of experience and business contacts. Veterans trained in the information technology specialties have those same skills – and many others – that can help them transition into successful business owners,” said AppRiver channel manager Justin Gilbert, a former Navy air crewman. “Our entrepreneur start-up program provides veterans with the head-start they’ll need to go into business and succeed in the competitive technology marketplace.”

The AppRiver veteran program is designed as an “easy button” for interested and qualified veterans. Rather than simply earn a commission on their sales, veterans in the V2E program will for a limited time be refunded all the AppRiver revenue they earn. Coupled with multiple levels of training and support, the program is aimed at helping veteran-entrepreneurs through the most challenging phase of a business – the critical first year.

After the first six months, or when the veteran-owned companies have earned $5,000 in revenue from AppRiver, they will have the option to remain as referral agents and receive commissions on future sales, or, if qualified, to become resellers who get discounted pricing and handle first-tier support calls for their clients.

“For a company just getting started, AppRiver’s cybersecurity services are a good way to develop a source of recurring revenue and to establish a trusted advisor relationship with their customers,” said Niels Andersen, a Navy veteran, serial entrepreneur and CEO of VetCV, a new online platform that encourages veteran entrepreneurship and helps veterans find jobs, gain easier access to VA health services, use artificial intelligence for Veteran suicide intervention, and learn about other resources that are available to them. “Every business needs online security and we’re pleased to offer AppRiver’s services to our vendor partners and affiliated companies who serve the veteran community.”

AppRiver is opening the program to veterans who own more than a 50-percent interest in a qualifying ISV, VAR, or MSP business that is less than one year old. It is aimed at, though not limited to, veterans whose military specialties include information technology.

“The partnering opportunity, which AppRiver presents to military veterans, is an excellent path for transitioning skills perfected on active duty into a viable business,” said AppRiver partner and Navy veteran Bob David, President of Technical Software Services, Inc. (TECHSOFT), now in its 27th year of business.  “One of the biggest challenges we faced as a start-up was in making the transition into the business community and acquiring the initial customer base that would allow us to survive.  The veteran partnership program that AppRiver is offering will provide the initial stream of recurring revenue that is essential to success during the early stages of a start-up company.”

For additional information and qualifications, please visit https://www.appriver.com/partners/v2e-program/

Complex Spamming Operation

Spam and virus filtering is a complicated operation. The other week, a friend of mine contacted me about an article he was writing that would expose the complexity of an international spamming operation he and another researcher had uncovered. As I read through the layers of data and reviewed the spammer’s tactics, it became abundantly clear that spam is big business, carried out by sophisticated organizations using extreme tactics. The articles were written by Steve Ragan of CSO Online. The first, “Spammers expose their entire operation through bad backups,” was posted on March 6th, 2017. In it, Steve details the sordid business that was uncovered as a result of data discovered by Chris Vickery, a security researcher with MacKeeper. Vickery’s own post on the data he collected is found here.

Forms of Spam

An aside here: spam comes in two main forms (each with many subtle variations). The form that has been around the longest is what I call “scam spam.” Think stock tips that are too good to be true, Nigerian prince emails, male enhancement drugs, and various articles of worthless merchandise. The other form is “malicious spam.” This is the stuff sent with the intent to do harm to the recipient, usually through malicious links or infected attachments.

The Offender

River City Media was involved in sending messages of the scam-spam type, although its tactics could be, and likely are, employed by others with more nefarious intent. The amazing part of these disclosures is the lengths to which River City Media went to make its unsolicited junk look legitimate and get it delivered. First, this group contracted with legitimate brands while at the same time engaging in mass spam campaigns hawking junk.

Key Tactics

Here are some of their key tactics:

  1. Used more than 1.34 billion email addresses to send their junk
  2. Changed corporate aliases and office locations regularly
  3. Used multiple less-than-reputable domain registrars
  4. Hosted resources with unscrupulous hosters
  5. Developed zero-day exploits targeting major email providers including Yahoo, AOL, Hotmail (Outlook.com), Juno, Gmail, Apple and others
  6. Infiltrated and read user email data without permission
  7. Tested campaigns with “warm up” accounts
  8. Worked with many other unscrupulous marketing companies to cover up their activities

You can read about some of the lessons learned in a subsequent article by Steve Ragan. The rest of the fallout from this discovery is being shared with the email providers most impacted with more reporting to follow.

Are You A Victim?

With more than 1.34 billion email addresses used, it’s likely that one or more of your email addresses was targeted by this organization. The good news is you can find out by visiting Have I Been Pwned and searching for your email account(s). Once you sign up with the site by providing only your email address, it will proactively notify you if your accounts turn up in any future breach. Here is an email they sent me regarding one of my addresses. The subject of the message: “You’re one of 393,430,309 people pwned in the River City Media Spam List data breach.”

Example of the River City Media Spam List Notification Email

So what does this have to do with spam and virus filtering services like AppRiver’s SecureTide™? Plenty!

Spam and Virus Filtering Benefits

As you can see, spammers employ sophisticated tactics. Defending against their campaigns requires a great deal of time, resources and expertise, and most businesses don’t have the time, resources or expertise needed to implement an effective defense. SecureTide Spam and Virus Filtering does all of that for you and offers the following advantages:

  1. Mail volume to your users is significantly reduced saving them time and increasing productivity
  2. Malicious content is effectively removed significantly reducing the likelihood of network compromise
  3. Emails that are filtered never reach your business network improving network performance and lowering compliance costs
  4. Statistics and logs are easily tracked through the control panel
  5. Delivery rules can be managed by administrators
  6. Only messages addressed to actual users in your organization are processed and delivered
  7. You can limit inbound connectivity to only AppRiver servers, thus increasing the security of your network

And you can have all this for a few dollars per user per month. Most people spend more than that on an overpriced cup of coffee! So the next time you’re thinking about the need for spam filtering, you have some information to help you make an informed decision.