For many IT channel partners, the billing, support, sales, marketing, and executive departments all sit in the same office—sometimes even the same chair. Between all their other tasks, it is often hard to make time for marketing. That’s why this morning, we revealed a new email marketing tool for our partners. appMailer allows AppRiver’s partners to send pre-templated and co-branded email campaigns to their customers, quickly, easily, and best of all, at no additional cost.

appMailer is easily accessible from within AppRiver’s Partner Portal. While no automated mail service is required to send an email campaign through appMailer, it can be integrated with MailChimp, Campaign Monitor, Constant Contact, or HubSpot. Users can also create an HTML file that can be sent using Outlook.

Co-branding is as simple as uploading a company’s logo and contact information into the email template (once), and all templates are completely editable. Additionally, the email campaign will generate a URL that will remain active for as long as the campaign is not deleted. This URL can be used as a landing page for customers so that the partner does not have to host one.

To learn more about appMailer, please visit https://www.appriver.com/about-us/news-releases/appriver-unveils-marketing-tool-for-partners/

Here are the security risks to watch.

1. Botnets for DDoS and ransomware distribution will become easier to hire

With Necurs and Mirai blasting malware and DDoS attacks to the corners of the earth, there has never been a more profitable time for malware authors and botnet creators. Established botnets with large numbers of bots can be found for hire online these days to carry out a variety of tasks, allowing a buyer, for some of their cash, to point the hired botnet’s ill intentions towards a target they specify. Having botnet infrastructure offered as a service makes it easier for buyers to carry out their plans, since they won’t be building a botnet from scratch. With ransomware being one of the most prolific money makers for cyber criminals as of late, and DDoS attacks large enough to disrupt global internet traffic, we expect these services to get more attention in the media as well as more use for nefarious purposes. The success of these types of operations will likely further their growth.

2. Rise in IoT botnets

There was an extraordinary surge in malware traffic in 2016 due to the widespread availability of botnets. As more connected devices—like iPhones, Alexa, and other smart home devices—join the party (formally referred to as the Internet of Things), we can expect these devices to also be corrupted by malware and turned into a zombie army, just like today’s PCs and Macs. Not only are new devices constantly entering the market, consumers don’t think of them as the tiny computers they are, which can be infected like any other. These botnets will be able to wreak more havoc and maybe even cause some real physical harm in the world.

3. Mobile malware will finally start to gain traction

The rise of malware designed to target mobile operating systems has been building over the years, but 2017 may be the year the issue becomes more widespread, perhaps driven by an explosion in mobile ransomware. As people now do so many things from their smartphones, like shopping, banking and paying bills, this provides fertile ground for attackers looking to take advantage. The explosion of IoT devices, and the way they interact with other connected devices, could also prove to be a major contributing factor to the proliferation of mobile malware.

4. Ransomware will continue to be the most popular form of malware

It’s simple: of all the malware on the Internet, ransomware is the fastest and easiest way to make a buck. You don’t have to find a clever way to break into Target’s datacenter, or create a zero-day exploit to penetrate a bank’s firewall. All you have to do is trick a poor, gullible soul into opening an email attachment that downloads a ransomware payload onto his computer, and then hold all of the photos of his grandkids hostage until he pays $300. Is that dark? Yes. But it’s also true. Fortunately, preventing ransomware is often as simple as having a basic antivirus solution installed on your computer and updating your software. Don’t forget to back up your files while you’re at it!

5. People will become numbed to the lack of privacy as they include more and more of their private life online

For those of us in the vast majority who accept that our digital footprint is here to stay, we’ll continue to grow more resigned to the idea that our family, employer, and government are scrutinizing everything we say and do. This could lead to more people policing their own voices, or becoming even more accepting of the fact that Big Brother is always watching.

I came across a blog post that once again showcases the importance of properly managing DNS through its entire life cycle. The article, entitled “Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target” (sic), was written by Matthew Bryant (@IAmMandatory) and can be found here. It’s a bit of a long read, but serves as a great reminder about the importance of understanding and managing important DNS data from inception through final decommission.

The basic concept deals with expired domain names that at one time had one or more authoritative name servers bound to them, where those servers also acted as authoritative name servers for other zones. Over time, domains fall out of use and their registration lapses. Many times, the owners of those domains fail to remove the authoritative name server registrations from the top-level domain servers, leaving the no longer functioning name servers in the expired domain listed as authoritative for one or more other zones. Incomplete or ineffective garbage collection over long periods of time can lead to big security holes.

Keep in mind that technically, any name server that is acting as either a primary master or primary slave authoritative name server and providing data to name servers outside the local zone needs to be registered with the parent domain. For example, any name server that is listed as authoritative and listed with the registrar for APPRIVER.COM must be registered as a name server with the .COM domain. This is typically done through an approved registrar with access to the appropriate TLD. Unfortunately, this requirement does not prevent unregistered name servers from being listed in NS records for publicly accessible authoritative DNS. Also, there is no mechanism in the normal DNS lookup process that validates whether or not a name server is registered with the parent zone, and nothing that checks the registration status of the domains used by the listed name servers.

Name servers that are listed in NS records for a given zone but not listed as name servers for the zone with the zone’s registrar are referred to as stealth name servers. Stealth name servers may or may not be registered as authoritative name servers within the parent zone. You can read more on the technical requirements for authoritative name servers on the IANA web site. The case described in the blog post is essentially the inverse of the stealth name server scenario: the name servers are listed with the registrar, but one or more of the domains the name servers belong to have a lapsed registration.

The security concern described in Bryant’s post deals with the following case:

  1. One or more NS records listed with a zone are part of a different zone.
  2. One or more of the zones containing the NS hosts has an expired registration.

The example used in Bryant’s post is iom.int. He found that two of the four listed name servers were functional and two were not. The name servers in the org.ph zone failed to respond. Further investigation revealed that the org.ph domain was unregistered. All a malicious actor need do at this point is:

  1. Register the available domain through a supporting registrar (org.ph)
  2. Configure DNS on the zone (in this case the sub zone iom.org.ph)
  3. Set up the appropriate A records for the listed name servers (ns1.iom.org.ph & ns2.iom.org.ph)
  4. Set up a DNS service that listens on the IPs pointed to by the above A records
  5. Configure desired DNS responses for original zone with the previously broken NS records

In the example in Bryant’s post, there were four name servers. He was able to successfully hijack two of the four using the above process. This means that his name servers would respond to approximately 50 percent of all authoritative requests. This would continue until such time as the owner of iom.int removed the rogue name servers from the name server settings list at the registrar. If the owners of iom.int did nothing, Bryant could in theory hijack 50 percent of all traffic destined for iom.int, since most DNS lookups utilize round robin requests. By altering the TTL data for records served up by the rogue name servers and omitting the valid NS records from his bogus DNS zone, it is likely that over time the amount of DNS traffic influenced by the bogus name servers could approach 100 percent. Additionally, he could also theoretically request SSL certificates, redirect email, spoof SRV records and ultimately permanently hijack the target domain. His post explains the methods involved in more detail.

Starting to see how inattention to detail can come back to bite you if you mismanage your DNS?

So if you don’t own any domains, this stuff doesn’t impact you, right? Wrong! As a normal user of the Internet, almost everything you do is dependent upon DNS and the accuracy and trustworthiness of that DNS data.

Bryant’s post also references a tool he developed called Judas DNS. Judas DNS is a DNS proxy server that can take the place of a hijacked name server and be used to perform targeted exploitation. It can be configured to target specific source IP ranges, particular zones, or a combination of both, and TTLs are adjustable. This tool could also be deployed in a MITM attack to target a specific IP on the target network.

So how can you protect yourself from these kinds of deceptive attacks?

Firstly, know your network! Only connect using trusted devices connected to trusted networks. If you must use unfamiliar networks, invest in a quality VPN provider and only send data over VPN connections. This will ensure that your data is safe from prying eyes while in transit between your device and the VPN provider. What happens after your data leaves the VPN end point is difficult to control.

Secondly, use only trusted DNS providers. On static networks, configure your firewalls to allow DNS response traffic only from trusted DNS sources. Make sure trusted DNS resolvers forward unknown queries to the root zones for resolution. It is not possible to verify the legitimacy of DNS answers unless DNSSEC is enforced on a particular zone. If you are concerned about a particular domain, use available tools to verify its DNS configuration. Compare the zone data on all listed name servers; they should all match! DNS integrity has never been a priority. This will need to change.

If you are responsible for managing domain name registrations for your company, be sure to do regular audits of your DNS name server settings at the domain registrar, making sure that all the listed name servers are correct, legitimate, and actually point to registered domains that are functioning. Also check that all DNS records in your forward and reverse zones are valid, removing any that have expired or are no longer valid.
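The registrar-side audit described above, together with the earlier advice to compare zone data across all listed name servers, as an added example (not code from the original post, and not Bryant’s tooling). For each NS host listed for a zone it checks that the host’s registrable domain is still registered, that the host resolves, and that every server reports the same SOA serial. The three lookups are passed in as callables so the script runs offline here against constructed sample data (documentation IP ranges, a stand-in public suffix list, and a registered set that deliberately omits iom.org.ph.); in a real audit you would back them with dnspython queries and your registrar or RDAP client.

```python
# Added example: offline DNS delegation audit. Not code from the original post.
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the public suffix list; only what the sample needs.
PUBLIC_SUFFIXES = {"int.", "org.ph.", "com."}


def registrable_domain(host: str) -> Optional[str]:
    """Return the domain directly under the public suffix, e.g. ns1.iom.org.ph. -> iom.org.ph."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) + "." in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:]) + "."
    return None


def audit_delegation(
    zone: str,
    ns_hosts: List[str],
    resolve_a: Callable[[str], Optional[str]],
    is_registered: Callable[[str], bool],
    soa_serial: Callable[[str, str], Optional[int]],
) -> List[str]:
    """Run the three checks over every listed NS host and return human-readable findings."""
    findings: List[str] = []
    serials: Dict[str, int] = {}
    for host in ns_hosts:
        domain = registrable_domain(host)
        # Check 1: the NS host's own domain must still be registered, otherwise
        # whoever registers it controls this name server (the case in the post).
        if domain is None or not is_registered(domain):
            findings.append(f"{host}: parent domain {domain or 'unknown'} is unregistered; "
                            "anyone who registers it controls this name server")
            continue
        # Check 2: the host must resolve to an address, or the delegation is lame.
        ip = resolve_a(host)
        if ip is None:
            findings.append(f"{host}: no A record, delegation is lame")
            continue
        # Check 3: the server must answer for the zone; collect its SOA serial.
        serial = soa_serial(ip, zone)
        if serial is None:
            findings.append(f"{host} ({ip}): did not answer authoritatively for {zone}")
            continue
        serials[host] = serial
    # All working servers should carry identical zone data; serials are the cheap proxy.
    if len(set(serials.values())) > 1:
        findings.append("SOA serial mismatch, zone data differs across servers: " + str(serials))
    return findings


# Constructed sample loosely modelled on the iom.int case in the post. Addresses are
# from the RFC 5737 documentation range; iom.org.ph. is deliberately not registered.
SAMPLE_NS = ["ns1.iom.int.", "ns2.iom.int.", "ns1.iom.org.ph.", "ns2.iom.org.ph."]
SAMPLE_A = {"ns1.iom.int.": "192.0.2.10", "ns2.iom.int.": "192.0.2.11"}
SAMPLE_REGISTERED = {"iom.int."}
SAMPLE_SOA = {("192.0.2.10", "iom.int."): 2017010101, ("192.0.2.11", "iom.int."): 2017010101}


def run_sample_audit() -> List[str]:
    """Audit the constructed sample; returns two findings for the org.ph hosts."""
    return audit_delegation(
        "iom.int.",
        SAMPLE_NS,
        resolve_a=SAMPLE_A.get,
        is_registered=SAMPLE_REGISTERED.__contains__,
        soa_serial=lambda ip, zone: SAMPLE_SOA.get((ip, zone)),
    )


if __name__ == "__main__":
    for line in run_sample_audit():
        print("FINDING:", line)
```

The registration check runs first on purpose: an NS host in an unregistered domain is the worst outcome, since it is not merely broken but available for anyone to take over, so it should surface even when the host happens to still resolve from stale cache.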

Take care of your DNS and be safe out there!

PDF phishing emails seem to be popular these days. While the PDF format isn’t immune to its own vulnerabilities being used for malware, the biggest abuse we see is a phishing link embedded in the PDF leading to an external site. With the popularity of PDF files in general and the fact that you can embed links in them, it makes sense attackers would try to use this to their advantage. This use of PDFs for phishing usually comes in two flavors as well: it’s either phishing for bank details, or for generic email login credentials.

The phishing email below came in claiming to be from Navy Federal, the world’s largest credit union. It contained just a quick note about unusual activity and a PDF attachment.

[Image: navyfederalphishingemail]

Opening up the attached PDF file, you get a small description of why you should click the link. An astute observer may notice it actually links to a compromised WordPress site hosting the fake login page.

[Image: navyfederalphishpdffile]

Assuming the user did not see the link before clicking and disregards the address bar, the phishing page is actually a rather convincing one. Sometimes these pages are low effort and just thrown together: misspelled items, pictures not aligning, etc. But this one is pretty spot on to the real Navy Federal page. As phishing campaigns utilize more convincing pages, it’s likely that fewer victims will take the proper steps of looking closer and verifying they are indeed at the right website.
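A mail gateway can catch this class of attachment before a user ever sees the page, by pulling the link targets out of the PDF and checking them against the brand the email claims to be from. The following is an added example, not code from the original post or from AppRiver: it scans raw PDF bytes for `/URI` link actions and flags any host that is not the expected domain or a subdomain of it. The sample PDF is constructed inline (the expected brand domain navyfederal.org is the one named on this page; the `example.net` hosts are placeholders standing in for the compromised WordPress site and for a look-alike subdomain trick). It deliberately handles only uncompressed objects; PDFs that pack annotations into FlateDecode object streams need a real parser such as pypdf in front of the same check.

```python
# Added example: extract link targets from a PDF attachment and flag off-brand hosts.
# Not code from the original post. Parses only uncompressed /URI actions.
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Matches "/URI (literal string)", allowing backslash-escaped parentheses inside.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)


def extract_pdf_uris(pdf_bytes: bytes) -> List[str]:
    """Return every /URI link target found in the raw (uncompressed) PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        uris.append(raw.decode("latin-1"))
    return uris


def host_matches(host: str, expected: str) -> bool:
    """True if host is expected or a subdomain of it (not merely a string containing it)."""
    return host == expected or host.endswith("." + expected)


def flag_offbrand_links(uris: List[str], expected_domains: List[str]) -> List[Tuple[str, str]]:
    """Return (uri, host) pairs whose host does not belong to any expected brand domain."""
    flagged = []
    for uri in uris:
        host = (urlsplit(uri).hostname or "").lower()
        if not any(host_matches(host, d.lower()) for d in expected_domains):
            flagged.append((uri, host))
    return flagged


# Constructed sample PDF with three link annotations: the genuine site, a placeholder
# for the compromised WordPress host, and a look-alike that only contains the brand name.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://www.navyfederal.org/) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
   /A << /S /URI /URI (http://compromised-blog.example.net/wp-content/login/) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [72 500 300 520]
   /A << /S /URI /URI (http://navyfederal.org.example.net/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def scan_sample() -> List[Tuple[str, str]]:
    """Scan the constructed PDF against the brand it claims to be from."""
    return flag_offbrand_links(extract_pdf_uris(SAMPLE_PDF), ["navyfederal.org"])


if __name__ == "__main__":
    for uri, host in scan_sample():
        print(f"OFF-BRAND LINK: {host} <- {uri}")
```

The suffix check in `host_matches` is what separates `login.navyfederal.org` (legitimate) from `navyfederal.org.example.net` (look-alike); a naive substring test would pass the latter, which is exactly the trick phishing kits rely on.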

Click the images below and see if at a quick glance you can spot the fake phishing site.

[Images: navyfederalphish_realwebsite, navyfederalphish]

The phishing website is the image on the right. Apart from a few alternate images and details that no user has likely memorized (the real site also rotates its slides on a regular basis), catching any minor detail that would raise a red flag is nigh impossible. Stealing the HTML formatting and files used on a website is a rather trivial task as well. The attacker may need to put in slightly more effort to get formatting and images all looking correct on the copied version, but nothing too demanding.

Once credentials are typed in, the server already has the login details. But from there, it brings up more pages asking for more details. This would hopefully throw some red flags as well, since it is likely very far from the normal login process. If someone were to complete all of the questions and details asked of them, though, the attackers running the phishing site would hit a jackpot of data about the user, opening opportunities for identity theft or further spear-phishing campaigns. If they have things like bank account numbers and even your SSN, that can make any further phishing emails using that data much more believable.

[Image: navyfederalphish2]

The personal questions, often used as security questions, were in two groups on the page. I assume the first question group above was different from the rest as it may be the ones they are more likely to use.

[Images: navyfederalphishq1, navyfederalphishq2]

From there it goes to the hard hitting questions.

[Image: navyfederalphish3]

Clicking finish will reroute you to the actual NavyFederal.org website, and you’ll be presented with a normal login page. More red flags here, as going through a login process only to be rerouted to another login process is a pretty classic example of what many phishing sites do. Though it’s very possible a user may just chalk it up to some generic web issue during the login.

Getting legitimate alerts or notices from banks or credit unions is of course a thing, so you can’t really tell users to always ignore such notifications. But it’s wise to advise using extra care when dealing with any banking details. Always check the URL you are at and make sure it’s what you expect. Seeing an email from someone like Bank of America with a link to a .ru website is a pretty good indicator of phishing. But sometimes things aren’t that easy. So taking the extra caution and time can go a long way in stopping yourself from becoming a victim.
As the new year gets underway we always take a look back at the patterns and trends we saw throughout the previous year. 2016 was certainly one thing: the most dangerous year on record, from an email perspective of course. In total we quarantined just over 15.5 billion emails containing malware. Any one of these messages could have spelled disaster for an unsuspecting user. Here is a look at the malicious email traffic as we saw it throughout 2016:

[Image: malware_2016]

This new ‘normal’ with sheer volume of malicious emails coupled with growing complexity and customization is a trend that we expect to continue in 2017. But rest assured, we will be working around the clock to keep you safe from these threats. You can read more about what happened in 2016 in our upcoming Global Security Report.