Sep 14 2023

Next-Gen Email Firewalls: Beyond Spam Filters to Secure Inboxes Checklist

Category: Email Security, next generation firewall | disc7 @ 9:56 am

Email communication is still widely used as an attack vector despite the ever-changing nature of cyber threats.

The vast number of people who use it for communication daily, both professionally and personally, makes it a tempting target.

Cybercriminals are becoming more skilled at using malicious email campaigns in line with the growth of advanced technologies and increased security measures taken by businesses.

VIPRE Security found that 85.01% of phishing emails had harmful links inside the message body, and the volume of spam emails increased by 30.0% from the first to the second quarter of 2023.

In addition, phishing attacks against IT companies are now more common (14%) than against financial institutions (9%).

The Limitations of Traditional Spam Filters

Conventional spam filters rely on static rule-based systems with predetermined criteria or known dangerous signatures to identify emails as spam.

Their strict compliance with predetermined policies leaves companies vulnerable to ever-evolving cyberattacks. These filters rely too much on signature-based detection, making them vulnerable to zero-day threats and unable to protect against recent or modified malware. 

They can’t detect hidden risks like spear phishing, since they lack advanced behavioral analysis. In addition, without sandboxing capabilities they cannot examine potentially harmful content in isolation.

As a result, the ever-evolving and complicated nature of cyber threats makes these traditional approaches ineffective.

You can understand and diagnose email issues using Trustifi’s Email Header Analyzer Tool.

What are Next-Gen Email Firewalls?

Next-Generation Email Firewalls are the latest technologies for protecting against malicious emails. To quickly prevent new threats, such as zero-day vulnerabilities, these systems interact with real-time threat intelligence feeds, unlike traditional spam filters, which depend primarily on static rules. 

They scan things in-depth, including emails, embedded URLs, and attachments. Sandboxing is essential since it allows testing of potentially harmful information in a secure environment. 

Advanced systems use machine learning and behavioral analytics to identify complex phishing attacks of this kind. These firewalls use authentication protocols like DMARC, DKIM, and SPF to prevent spoofing and verify email senders. 

In addition, they have measures to prevent sensitive information from being accidentally leaked. These solutions, which are frequently cloud-native, provide a robust and complex approach to email security while scaling efficiently and integrating smoothly with existing security infrastructure.

How do Next-Gen Email Firewalls Protect Your Inbox?

Advanced Threat Intelligence – The use of real-time threat intelligence helps to identify and prevent emerging attacks, such as those that exploit zero-day flaws, as soon as they appear.

Deep Content Inspection – Rather than simply scanning the email’s metadata, these firewalls read the message in full, including any embedded URLs or attached files, to discover hidden risks.

Sandboxing – To prevent viruses and malware from reaching their intended recipients, suspicious attachments and URLs are opened in a safe, isolated environment where their behavior can be observed.

Behavioral Analytics – These firewalls can identify spear-phishing campaigns by learning a sender’s typical activity patterns and flagging suspicious emails that appear to be from the same sender but behave differently.

Identity Verification – Using authentication methods like DMARC, DKIM, and SPF, these tools verify that incoming email is genuine and comes from an authorized source, protecting users from spoofing and phishing attempts.

Data Loss Prevention (DLP) – Besides inbound threats, they monitor outgoing emails to prevent sensitive material from being transmitted without authorization or in violation of regulations.

Machine Learning – Many modern firewalls use machine learning to “learn” from the attacks they block and detect a wider range of threats over time.

Next-Gen Email Firewalls vs. Traditional Email Security

The two approaches compared, feature by feature:

  • Adapting to new threats. Next-Gen: adapts quickly by using real-time threat intelligence. Traditional: uses a static collection of threats and patterns to make decisions.
  • Content inspection. Next-Gen: emails, URLs, and attachments all go through extensive content analysis. Traditional: metadata and simple patterns are the primary areas of inspection.
  • Sandboxing. Next-Gen: uses content isolation technologies (sandboxes) to investigate potentially harmful data. Traditional: has no sandboxing environment.
  • Threat assessment. Next-Gen: utilizes machine learning and behavioral analytics for real-time threat assessment. Traditional: depends on predetermined rules rather than monitoring user activity.
  • Deployment. Next-Gen: designed for the cloud, which safeguards today’s remote workforces. Traditional: less flexible with cloud integrations; works best in local installations.
  • False positives. Next-Gen: sophisticated analysis and learning capabilities result in fewer false positives. Traditional: more false positives because of the inflexibility of rule-based systems.

Countering Sophisticated Email Threats with Next-Gen Email Firewalls

The importance of Next-Generation Email Firewalls in preventing modern email threats cannot be overstated.

These modern firewalls utilize real-time threat intelligence to detect and neutralize recent security risks instead of the static rules used by older systems.

They investigate thoroughly, looking at every aspect of the email, from the subject line to the attachments. Sandboxing is a technique to test malicious code in a safe, restricted setting.

Unusual behaviors, such as those used in spear phishing or impersonation, can be detected via machine learning.

In addition, email spoofing may be prevented using sender authentication methods such as DMARC, DKIM, and SPF.

By authenticating the sender’s identity and confirming the accuracy of the received messages, these procedures act as the first line of protection against email-based threats.

SPF aims to improve email security by limiting the possibility that an unauthorized sender may use a specific domain in the “From” address.

In DKIM, the sending server gives each email a unique DKIM signature generated with a private key. The receiving server queries the sender’s DNS records to retrieve the matching public key, which is then used to validate the email’s signature.

With DMARC, domain administrators can specify how receiving mail servers should handle messages from their domain that fail authentication. The record carries a policy with three options: reject, quarantine, or none (do nothing). 

You can analyze and detect SPF issues using Trustifi’s SPF Record Checker Tool.

Why Trustifi? – AI-Powered Protection for Business Email Security

Next-generation email firewalls will benefit from quantum-resistant algorithms, IoT integration, and adaptive AI for threat prediction in the long run. 

Trustifi’s advanced protection uses machine learning and AI to quickly find and stop the most sophisticated email-based attacks, such as ransomware, malware, phishing (malicious links), CEO impersonation, BEC, and account compromise, keeping hackers out of inboxes with the following email threat protection solutions.

These firewalls will prioritize cross-platform connectivity, robust data protection measures, and real-time threat sharing in response to the constantly evolving nature of cyber threats.

Trustifi Advanced Email Protection with Trustifi Inbound Shield offers powerful multi-layered scanning technology.

It thoroughly examines, identifies, and categorizes even the most sophisticated forms of Phishing, Malicious, SPAM, and Gray Emails. 

Modern machine learning and artificial intelligence give it comprehensive, precise threat hunting.

The Inbound Shield inspects incoming mail, removes harmful content and checks for various irregularities, including the following.

  • Scammers who send emails from fake domains.
  • Requests for money transfers and other private information.
  • Hyperlinks that lead to malicious sites.
  • Files with potentially malicious content, such as SQL injection strings or other code snippets designed to execute upon download.

These filtering procedures only take milliseconds to complete and can detect previously unidentified zero-day attacks.

The Trustifi Inbound Shield is a cloud-based solution that requires no alterations to your current infrastructure to implement.

Emails can be sent and received safely without any complicated setup or concerns, and it takes minutes, not days, to set up.

The Internet and the Unregulated Space of the Scammers and Hackers: Surf the Internet Safely!

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Next-Gen Email Firewalls


Aug 30 2023

Email Authentication Protocols: SPF, DKIM, and DMARC – A Detailed Guide

Category: Email Security | disc7 @ 9:12 am


Email communication is essential for personal and professional contact in the modern digital environment.

Email is widely used, making it a perfect target for cybercriminals, leading to increased phishing attempts, spam, and email spoofing.

Strong email security measures are becoming essential as these threats become more sophisticated. Email authentication techniques like SPF, DKIM, and DMARC are crucial in situations like this.

By authenticating the sender’s identity and confirming the accuracy of the received messages, these procedures act as the first line of protection against email-based threats.

This article will thoroughly review these three important email authentication methods, including their roles, how they cooperate, and why they are crucial for upholding a reliable and secure email communication infrastructure.

What are Email Authentication Protocols?

Email authentication protocols are standards and technologies that validate the sender’s identity and protect the message’s integrity, making email communication more secure.

These standards aim to protect users from spam, phishing, and other malicious email-based assaults.

As a bonus, they make it less likely that a good email will be incorrectly deleted as spam or malware.

Here are the primary email authentication protocols commonly in use:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Sender Policy Framework (SPF)

The Sender Policy Framework (SPF) is an email authentication technology developed to prevent spam and sender spoofing.

By letting domain owners choose which mail servers can send emails on their behalf, SPF assists receiving servers in authenticating the sender of incoming messages.

For this purpose, the sending domain’s DNS records are consulted to confirm that the email comes from a server authorized for the domain it claims to represent.

The Sender Policy Framework (SPF) aims to improve email security by limiting the possibility that an unauthorized sender may use a specific domain in the “From” address.

This helps keep the sender’s and the recipient’s inboxes free of unwanted messages and strengthens the confidence each party has in email.

How It Works

  • Domain owners create SPF records showing trusted IP addresses and domains from which emails can be sent.
  • Email servers do a Sender Policy Framework (SPF) record check whenever they receive an email.
  • When a message is received, the server checks the IP address to see if it is one of the approved senders mentioned in the SPF record.
  • The SPF check succeeds if the sending IP address is listed and accepted; otherwise, the email may be flagged as suspicious or rejected.

How Do Attackers Abuse SPF:

Sender Policy Framework (SPF) is an email authentication system that checks whether the sending server is authorized for the sender’s domain in order to stop email spoofing and phishing. But, like any other system, SPF isn’t completely immune to attack. Here are some possible ways to attack SPF:

Manipulating SPF Records: Attackers could try to change or create SPF records by changing the DNS records of a domain. This would let them list unauthorized IP addresses or servers as valid senders. This can make it possible for tactics like spoofing or phishing to work.

Domain Hijacking: If an attacker takes control of a legal domain, they can change the SPF records to include their own malicious servers. This can cause bad emails that look like they came from a trusted source to be sent.

Subdomain Attacks: SPF records are often set up for an organization’s primary domain, but they might forget to set up SPF records for subdomains. Attackers who send emails from subdomains without the proper SPF records can use this against you.

Inadequate SPF Policies: Organizations may have weak SPF policies that let many IP addresses send emails on their behalf. This can give attackers a bigger pool of possible IP addresses to trick people.

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication technology that uses public-key cryptography (digital signatures) to confirm an email’s authenticity.

The sending server adds a distinctive DKIM signature using a private key to each email. The receiving server verifies the signature of the incoming email using a public key obtained from the sender’s DNS records.

If the signature verifies, the email can be trusted as genuine and free from tampering. DKIM is designed to prevent email spoofing and phishing attacks and to guarantee the integrity of email communications by verifying the sender’s domain and the message’s cryptographic signature.

How It Works

  • Using a private key, the sending mail server creates a digital signature over selected headers and the message body.
  • This signature is added to the email as a DKIM-Signature header.
  • The receiving mail server fetches the sender’s public key from the DNS records.
  • The digital signature is then verified using the public key.
  • If the signature is valid, the email is genuine and has not been altered.

How Do Attackers Abuse DKIM

  1. Private Key Compromise: DKIM relies on a private key stored on the sending server to sign outgoing emails. If an attacker gains access to the private key, they can sign malicious emails that recipients might consider legitimate, as the DKIM signature would appear valid.
  2. DNS Record Manipulation: DKIM public keys are stored in DNS records as text (TXT) records. If an attacker gains control over a domain’s DNS records, they could modify or replace the DKIM public key, allowing them to sign fraudulent emails that appear authentic.
  3. Subdomain Spoofing: Organizations might configure DKIM for their main domain but overlook implementing it for subdomains. Attackers could then send emails from subdomains that lack proper DKIM signing, making it harder for recipients to verify the email’s authenticity.
  4. Key Length and Algorithms: If an organization uses weak signature algorithms or short key lengths for DKIM signing, it becomes easier for attackers to recover the key and forge DKIM signatures.

Solution: Organizations should adopt efficient incident response plans, regularly monitor email traffic for anomalies, and stay updated on emerging threats to stay ahead of the evolving email threat landscape with AI-powered solutions like Trustifi.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

To improve upon SPF and DKIM, a new email authentication protocol called Domain-based Message Authentication, Reporting, and Conformance (DMARC) was developed.

Domain administrators can instruct receiving mail servers on what to do with messages that do not pass authentication.

Domain owners can direct receiving mail servers to reject or quarantine messages that fail authentication by adding a DMARC policy record to their DNS settings. Email traffic and any security risks can be better understood using DMARC’s reporting features.

DMARC is designed to strengthen email security by adding an extra layer of verification, decreasing phishing and spoofing, and increasing the credibility and delivery of legitimate communications.

How it Works

  • The receiving server references the DMARC policy if SPF or DKIM authentication fails.
  • The DMARC policy can direct the server to take various actions, such as classifying the message as spam, placing it in quarantine, or rejecting it outright.
  • To improve their email protection measures, domain administrators can use forensic and aggregate data on authentication activity.

DMARC Attack Vector

Aggressive Enforcement: Some organizations may choose to use DMARC with a policy of “quarantine” or “reject” right from the start. This can work, but if the policy isn’t carefully set, it can also cause valid emails to be blocked.

Reporting Address Spoofing: Attackers could try to change the DMARC reporting address to send reports of failed DMARC checks to sites they control. This could give them a chance to learn more about how the organization’s email system works.

Targeted Spoofing: Attackers could try to pose as people or parts of an organization that haven’t fully set up DMARC. This specific method makes it more likely that their emails will be read.

As with other email-related attacks, attackers could use social engineering to get receivers to ignore DMARC warnings or think a DMARC-failed email is real.

Where are SPF, DKIM, and DMARC Records Stored?

SPF Records:

SPF records are TXT (text) records in the DNS. Emails from this domain must be sent from the IP addresses or hosts specified in these records.

The recipient’s email server looks up the SPF record for the sender’s domain in the Domain Name System (DNS) to ensure the email is legitimate.

Example SPF record:

v=spf1 ip4:192.0.2.1 ip6:2001:db8::1 include:example.com -all

DKIM Records: 

DKIM records are likewise stored in DNS as TXT entries. These entries hold the public key used to verify the domain’s digital signatures on outgoing emails.

The DKIM record is retrieved from the DNS by the receiving email server, which then uses the public key to verify the signature and ensure the email’s authenticity.

Example DKIM record:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnWLKu6qIH66AjqkMYyq3A5bkDsY+T4rQzSXFJWzh7DQoKmmrkRDbCIPRrkRHF/EpTExGDD2P8WOEqdGTfVbRy145k3soVGMItcL1QvWskhNKLQYGJME6XE1WUCmAw29FcYKavqnGQFWFpDBIMVFOFw7/TZS0Lj1QIDAQAB

DMARC Records:

DNS also stores DMARC records in the TXT record format. These records define the domain’s DMARC policy: what a receiver should do when an email fails the SPF and DKIM checks.

To keep the domain owner aware of authentication actions, DMARC additionally provides reporting tools.

Example DMARC record:

v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com

Checking an Email for SPF, DKIM, and DMARC Compliance

Checking that an email complies with SPF, DKIM, and DMARC takes several steps and the ability to query DNS records.

Here are the measures taken to ensure that an email adheres to these standards:

Check SPF Compliance:

  • Extract the IP address of the email server that sent the email from the email headers.
  • Retrieve the SPF record from the domain’s DNS that the email claims to be sent from. This is usually found in a TXT record in the domain’s DNS.
  • Check if the sending server’s IP address is listed in the SPF record. If it is, the email passes the SPF check; otherwise, it fails.

Check DKIM Compliance:

  • Check the email headers for a DKIM signature. This will usually be found in a header field called ‘DKIM-Signature’.
  • Extract the ‘d=’ parameter from the DKIM signature to find the signing domain and the ‘s=’ parameter to find the selector.
  • Retrieve the DKIM public key from the DNS of the signing domain. This will be found in a TXT record at ‘<selector>._domainkey.<signing domain>’.
  • Use the public key to verify the DKIM signature in the email header. If the signature is valid, the email passes the DKIM check; otherwise, it fails.
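To make the DKIM steps above concrete, here is an added Python example (not code from the original post) that parses a DKIM-Signature header, builds the selector._domainkey.domain lookup name, and checks the bh= body hash after “simple” canonicalization. The header and message are constructed sample data; verifying the b= RSA signature needs the public key from DNS and an RSA library, which this snippet deliberately leaves out.

```python
"""DKIM-Signature parsing and body-hash (bh=) check (added example, not code
from the post).

Carries out the DKIM steps above: find the tags, read d= and s=, build the
DNS name of the public key, and confirm that bh= equals the hash of the
canonicalized body. The b= RSA signature over the headers is NOT verified
here (that needs the DNS public key and an RSA library); the header and
message below are constructed sample data.
"""
import base64
import hashlib
import re


def parse_dkim_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; d=example.com; ...' into a {tag: value} dict.

    DKIM lets long values (b=, h=) fold across lines, so all whitespace is
    stripped from values.
    """
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags):
    """Where the public key lives: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, all
    trailing empty lines removed, and exactly one CRLF at the end (an empty
    body becomes a single CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines) or "\r\n"


def body_hash(body, algorithm="sha256"):
    """Base64 digest of the canonicalized body, as it appears in bh=."""
    data = canonicalize_body_simple(body).encode("utf-8")
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def check_body_hash(tags, body):
    """True when the bh= tag matches the body that actually arrived.

    A mismatch means the body was altered in transit (or the signer lied), so
    the signature must be treated as failed before any RSA work is done.
    """
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]  # 'sha256' or 'sha1'
    return tags.get("bh") == body_hash(body, algorithm)


def make_signature_header(domain, selector, body):
    """Tag list a signer would emit for this body; b= is left empty because
    the RSA signature over the canonicalized headers is not computed here."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


# Constructed sample message: a signer at example.com signed this body.
SAMPLE_BODY = "Quarterly invoice attached.\r\nPlease pay by Friday.\r\n"
SAMPLE_HEADER = make_signature_header("example.com", "sel2023", SAMPLE_BODY)


def verify_sample(body=SAMPLE_BODY):
    """Parse the sample header and report the lookup name and body-hash result."""
    tags = parse_dkim_tags(SAMPLE_HEADER)
    return dkim_dns_name(tags), check_body_hash(tags, body)
```

Calling verify_sample() with the original body returns True, while any edit to the body (for example changing the payment date) makes the bh= comparison fail.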

Check DMARC Compliance:

  • Look at the results of the SPF and DKIM checks. At least one of them must pass for the DMARC check to pass.
  • Retrieve the DMARC record from the DNS of the domain the email claims to be sent from. This is usually found in a TXT record at ‘_dmarc.<domain>’.
  • Check if the ‘From’ address domain matches (aligns with) the SPF domain or the DKIM signing domain of the check that passed. If it does, the email passes the DMARC alignment check.
  • Follow the policy specified in the DMARC record for handling emails that fail the DMARC check.
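The SPF and DMARC steps above, worked through in an added Python example (not code from the original post): it evaluates a connecting IP against an SPF record (ip4, ip6, include and all, with qualifiers), then applies DMARC alignment and policy. DNS lookups are replaced by a constructed in-memory table named FAKE_DNS; every domain, address and record in it is a sample value.

```python
"""Offline SPF and DMARC evaluation (added example, not code from the post).

Follows the checklist above: look up the sender domain's SPF TXT record, test
the connecting IP against its mechanisms, then read the DMARC record and apply
alignment and policy. FAKE_DNS stands in for real DNS queries; every domain,
address and record in it is a constructed sample value.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: name -> record text.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::1 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com",
}

# SPF qualifiers: '+' pass (the default), '-' fail, '~' softfail, '?' neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """SPF result for `ip` sending on behalf of `domain`.

    Returns pass/fail/softfail/neutral, 'none' when there is no SPF record, or
    'permerror' for runaway include chains. Handles ip4, ip6, include and all,
    the mechanisms used in the records on this page.
    """
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying terms; this stops include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # An IPv6 client never matches ip4: (and vice versa); that is False here.
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif mechanism == "include":
            sub = check_spf(ip, value, dns, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        elif mechanism == "all":
            matched = True
        else:
            matched = False  # a, mx, exists, ... are not needed for these records
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record had no 'all' term


def parse_dmarc(record):
    """Split 'v=DMARC1; p=quarantine; ...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Organizational domain for relaxed alignment, simplified to the last two
    # labels; real receivers use the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().split(".")[-2:])


def check_dmarc(from_domain, spf_result, spf_domain, dkim_result=None,
                dkim_domain=None, dns=FAKE_DNS):
    """DMARC: at least one of SPF or DKIM must pass AND align with the From domain.

    Returns (result, disposition); disposition is the p= policy on failure and
    'none' otherwise. dkim_* are None when the message carried no signature.
    """
    record = dns.get("_dmarc." + from_domain)
    if record is None:
        return "none", "none"
    tags = parse_dmarc(record)

    def aligned(auth_domain, mode):
        if auth_domain is None:
            return False
        if mode == "s":  # strict alignment requires an exact domain match
            return auth_domain.lower() == from_domain.lower()
        return org_domain(auth_domain) == org_domain(from_domain)

    spf_ok = spf_result == "pass" and aligned(spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # pct= (25 in the sample record) asks receivers to apply the policy to only
    # that share of failing mail; it is reported here rather than sampled.
    return "fail", tags.get("p", "none")


def evaluate_message(client_ip, mail_from_domain, from_domain, dkim=(None, None)):
    """Run both checks for one message and summarize the outcome."""
    spf = check_spf(client_ip, mail_from_domain)
    result, disposition = check_dmarc(from_domain, spf, mail_from_domain, *dkim)
    return {"spf": spf, "dmarc": result, "disposition": disposition}
```

A message from 203.0.113.7 claiming example.com fails SPF because of the -all term and, with no aligned DKIM pass, is handed the record’s quarantine policy; a pass from an unrelated domain’s SPF record does not rescue it, since alignment with the From domain is required.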

How to configure SPF, DKIM, and DMARC for a domain

Configure SPF:

  • Identify Authorized IP addresses or servers: Determine the IP addresses or servers authorized to send email on behalf of your domain.
  • Create an SPF Record: Add a TXT record in your domain’s DNS settings. The value of this TXT record will start with ‘v=spf1’ followed by the authorized IP addresses or servers.
Example SPF Record: 'v=spf1 ip4:192.168.0.1 -all'

This example authorizes the IP address ‘192.168.0.1’ to send emails on behalf of your domain and denies all others.

  • Update DNS Settings: Add the SPF record to your domain’s DNS settings.

Configure DKIM:

  • Generate a DKIM Key Pair: Generate a public-private key pair for DKIM. Your email server will use the private key to sign outgoing emails, and your domain’s DNS settings will make the public key available.
  • Configure Email Server: Configure your email server to sign outgoing emails using the private DKIM key.
  • Create a DKIM Record: Add a TXT record in your domain’s DNS settings. The name of this TXT record will be in the format ‘<selector>._domainkey.<yourdomain>’, and the value will contain your DKIM public key.
Example DKIM Record: 'v=DKIM1; k=rsa; p=MIGfMA0...'

This example specifies that the key type is RSA and includes the public key.

  • Update DNS Settings: Add the DKIM record to your domain’s DNS settings.

Configure DMARC:

  • Create a DMARC Record: Add a TXT record in your domain’s DNS settings. The name of this TXT record will be ‘_dmarc.<yourdomain>’, and the value will contain your DMARC policy.
Example DMARC Record: 'v=DMARC1; p=reject; rua=mailto:report@example.com'

This example specifies that emails that fail the DMARC check should be rejected and that aggregate reports should be sent to ‘report@example.com’.

  • Update DNS Settings: Add the DMARC record to your domain’s DNS settings.

Conclusion

The SPF, DKIM, and DMARC standards are essential components of a reliable email security architecture in an age when email is vulnerable to a wide range of attacks.

Though each has advantages and disadvantages, they provide an enormous defense against a significant fraction of email-based attacks.

By implementing these authentication processes, your email systems’ security will improve, and your emails’ deliverability will also be enhanced, reducing the possibility that your legitimate messages will be miscategorized as spam.

Applying these standards to your digital communication infrastructure can significantly improve the safety and dependability of your communications.

The Art of Email Security | Email security: attack and defence


Tags: DKIM, DMARC, SPF


Aug 20 2023

Product showcase: Free email security test by ImmuniWeb Community Edition

Category: Email Security | disc7 @ 4:50 pm

In 2022, global losses from business email compromise (BEC) and email account compromise (EAC) attacks reached a record-breaking $43 billion, as reported by the FBI. Major cybersecurity companies like Microsoft and Trend Micro noted a surge in advanced phishing attacks earlier in the year, resulting in significant financial damages to organizations of all sizes. Concerns have risen among security experts about the potential for a surge in email credential attacks due to the widespread availability of generative AI technologies like ChatGPT. These attacks could range from simple social engineering tactics to complex schemes involving domain-squatting and spear-phishing, taking advantage of previously stolen personal information. Despite increasing spending on corporate cybersecurity, the risk of such attacks continues to rise.

To aid organizations in evaluating their vulnerability to email-related security, privacy, and compliance risks, ImmuniWeb has introduced a free email security test as part of its Community Edition. This online tool performs over 200,000 security scans daily, helping small and medium-sized enterprises, educational institutions, non-profits, municipal governments, and individual developers identify a wide range of cybersecurity and compliance issues. The aim is to bolster foundational cyber resilience and information security for these entities.

For more details on the free email security test:

Product showcase: Free email security test by ImmuniWeb Community Edition

The Art of Email Security: Putting Cybersecurity In Simple Terms


Tags: ImmuniWeb Community Edition


Aug 04 2023

What is Business Email Compromise (BEC) Attacks? – Prevention Guide

Category: Email Security | disc7 @ 9:13 am
https://gbhackers.com/bec-attacks/

BEC, an acronym for Business Email Compromise, is a sophisticated form of cybercrime. Cyber threats have become a pressing concern in a world where almost every aspect of our lives is digitized. One of these threats that have been growing exponentially in recent years is the BEC attacks.

What Are BEC Attacks? 

These attacks are carefully orchestrated scams perpetrated by cybercriminals to trick businesses into transferring money or sensitive information. The attackers usually impersonate a high-ranking official in the company, such as the CEO or CFO, and send an email request for a wire transfer or confidential data to another employee.

They’re not just any random email scams; BEC attacks are highly targeted and involve a great deal of planning and research. The cybercriminals behind them often know a lot about their targets and use this information to make their fraudulent requests seem legitimate. So, it’s no surprise that these attacks pose a significant threat to businesses of all sizes and industries worldwide.

Understanding BEC Attacks 

Process and Mechanics of a BEC Attack

Understanding how BEC attacks work is the first step in preventing them. The process often starts with extensive research. The attackers gather information about the target company and its employees. They look for information such as who is in charge of finances, who they report to, and when these officials will likely be out of the office.

Once they’ve gathered enough information, they craft a convincing email. This email is usually disguised as originating from a high-ranking official and sent to an employee with the authority to transfer funds or access sensitive information. The email will request a wire transfer, often with a sense of urgency to pressure the employee into acting quickly without questioning the request’s legitimacy.

The mechanics of these attacks are what makes them so effective. The attackers exploit the trust and authority of high-ranking officials to bypass traditional security measures. And because the emails are so well-crafted, they can be tough to detect.

Common Forms of BEC Attacks

There are several common forms of BEC attacks. The most common is ‘CEO Fraud,’ where the attacker impersonates the CEO or another top executive. They send an email to an employee in finance, requesting an urgent wire transfer.

Another form is ‘Invoice Scams.’ In these cases, attackers impersonate a vendor or supplier and send a fake invoice to the company. The invoice will typically request payment to a new account controlled by the attacker.

There’s also ‘Account Compromise.’ Here, an attacker hacks into an employee’s email account and sends fraudulent emails to vendors listed in their email contacts. The email will request that future payments are sent to a new account.

The Targets and Motives Behind BEC Attacks

The targets of BEC attacks are typically businesses that work with foreign suppliers or regularly perform wire transfer payments. However, any business can be a target. The motive behind these attacks is simple: money. Cybercriminals are looking for the easiest way to get their hands on your cash.

Prevention of BEC Attacks 

The best way to deal with BEC attacks is to prevent them from happening in the first place. Prevention requires a multi-faceted approach that includes technical, administrative, and human elements.

Email Security Measures

The first line of defense against BEC attacks is implementing robust email security measures. It is essential to use email filtering solutions that can detect and block phishing emails. These solutions can flag emails from outside your organization that are crafted to look like they’re from within.

Furthermore, you should also implement Domain-based Message Authentication, Reporting & Conformance (DMARC), an email authentication protocol. DMARC can prevent attackers from spoofing your organization’s domain in their phishing attempts, significantly reducing the chances of a successful BEC attack.

Multi-Factor Authentication (MFA)

Multi-factor authentication is another crucial element in preventing BEC attacks. MFA requires users to provide two or more forms of identification before they can access their email accounts or other sensitive systems. This could be something they know (like a password), something they have (like a physical token or a smartphone), or something they are (like a fingerprint or other biometric data).

By implementing MFA, even if a criminal manages to steal an employee’s login credentials through a phishing attack, they would still need the additional factor(s) to access the account. This significantly increases the difficulty for attackers, often deterring them from attempting to compromise your business.

Employee Training

The human element is often the weakest link in cybersecurity. Therefore, regular employee training is essential in preventing BEC attacks. Employees should be taught to identify phishing emails and be aware of the tactics used by cybercriminals in these attacks.

Moreover, it should be emphasized that everyone, regardless of their position in the company, could be a target. Regularly updated training programs can help employees stay abreast of the latest threats and the best practices to mitigate them.

Verify Requests

Given the nature of BEC attacks, it is crucial to establish a process to verify requests for funds or sensitive information, especially if they are unexpected or come from high-ranking individuals. This could be as simple as making a phone call to the person making the request.

The more significant the request, the more critical it is to verify it through multiple channels. This practice can significantly reduce the chances of an employee inadvertently complying with a fraudulent request.

Incident Response Plan

Even with the best preventative measures in place, it’s essential to be prepared for the worst-case scenario—a successful BEC attack. This is where an incident response plan comes into play.

An effective incident response plan should outline the steps immediately after detecting a BEC attack. This includes identifying and isolating affected systems, investigating the breach, notifying affected parties, and reporting the incident to the relevant authorities.

Use of Secure Email Gateways

Secure email gateways can be a valuable tool in the fight against BEC attacks. These solutions provide an additional layer of security, filtering incoming and outgoing emails to identify potential threats.

They use techniques such as link protection and attachment sandboxing to protect against malicious content. Moreover, they can also detect and block emails that attempt to spoof your organization’s domain, reducing the risk of BEC attacks.

Regular Monitoring

Finally, regular monitoring of your email systems and network activity can help detect unusual behavior that may indicate a BEC attack. This could include abnormal login patterns, unexpected email forwarding rules, or sudden changes in email volume.

Monitoring tools can automate this process, alerting your IT team to potential threats so they can take swift action. Regular auditing of your systems can also help identify any security gaps that must be addressed.
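As an added example (not code from the original post), the following PowerShell audit lists Exchange Online inbox rules that forward or redirect mail outside the organization or quietly hide it, which is the "unexpected email forwarding rules" indicator named above. It assumes the ExchangeOnlineManagement module, a role that can read mailbox rules, and placeholder values for the accepted domains and the report path.

```powershell
# Added example, not code from the original post: audit every Exchange Online mailbox
# for inbox rules that forward/redirect mail to an external domain or that hide mail
# (delete it or move it to a rarely watched folder), a common BEC persistence trace.
# Assumes the ExchangeOnlineManagement module and a role that can read inbox rules.
Connect-ExchangeOnline -ShowBanner:$false

$ownDomains = @('example.com', 'example.net')   # placeholder: your accepted domains

# Pull the SMTP address out of a recipient string such as 'Bob [SMTP:bob@external.example]'
function Get-SmtpAddress([string] $recipient) {
    if ($recipient -match 'SMTP:([^\]]+)') { return $Matches[1] }
    return $recipient
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        # Collect every forwarding/redirect target of the rule as a plain SMTP address
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ } | ForEach-Object { Get-SmtpAddress ([string]$_) }
        # Anything whose domain is not one of ours (or cannot be parsed) is reported
        $external  = $targets | Where-Object { ($_ -split '@')[-1] -notin $ownDomains }
        # Rules that delete mail or tuck it into folders nobody reads hide the attacker's replies
        $hidesMail = $rule.DeleteMessage -or ($rule.MoveToFolder -match 'RSS|Archive|Conversation History')
        if ($external -or $hidesMail) {
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                Rule        = $rule.Name
                Enabled     = $rule.Enabled
                ForwardsTo  = ($external -join '; ')
                DeletesMail = [bool]$rule.DeleteMessage
                MovesTo     = $rule.MoveToFolder
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path 'C:\Reports\inbox-rule-audit.csv' -NoTypeInformation   # placeholder path
Disconnect-ExchangeOnline -Confirm:$false
```

Each finding still needs triage against the mailbox owner's expectations, since legitimate forwarding to a partner domain looks identical to a BEC rule.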

Conclusion

To summarize, understanding and preventing BEC attacks is critical in today’s digital world. It requires a combination of robust technical measures, comprehensive employee training, and vigilant monitoring. Remember, the cost of preventing these attacks is far less than the potential financial and reputational damage they can cause. So, stay informed, stay prepared, and stay safe.

DON’T FALL FOR THE SCAM: How Business Email Compromise Scams Work And How To Avoid Them (The Digital Guardian Series: Navigating Online Dating, Scams, and Cybersecurity for a Safer Digital World)

InfoSec tools | InfoSec services | InfoSec books

Tags: Business Email Compromise, Email scams


Jul 19 2023

Understanding Reverse Email Lookup: A Tool to Strengthen Cybersecurity

Category: Email Security | disc7 @ 9:02 am

Reverse email lookup can be a handy tool for various tasks, ranging from verifying the sender’s identity, and investigating suspicious emails, to blocking unwanted communication. In this discussion, let’s dive into the ins and outs of this valuable tool.

Reverse email lookup is a fundamental tool in the realm of cybersecurity, empowering individuals and organizations to bolster their digital defences. It enables users to investigate the true identities of unknown email senders, a critical step in identifying potential threats.

Using specialized databases and search algorithms, reverse email lookup unveils valuable information about the sender’s identity, verifying their legitimacy and intent. Preventing cyberattacks, data breaches and other online threats requires understanding this tool. 

Reverse email lookup may be used to protect sensitive data, strengthen your digital presence and secure online environments. To ensure optimal protection, it is crucial to compare the best email lookup tools available in the market and select the most effective and reliable solution for enhanced online safety.

How does reverse email lookup enhance cyber threat detection?

Identifying potential threats in the ever-changing world of cyber threats is essential to preserving online security. Reverse email lookup is valuable here because it sheds light on the trustworthiness of email correspondence.

Users may assess the legitimacy and purpose of incoming emails by examining the sender information obtained via a reverse email search. This proactive strategy makes early identification of dubious activity, such as phishing attempts or fake emails, possible.

Reverse email lookup may improve cyber threat detection so that people and organizations can act quickly and intelligently to defend themselves against criminal actors and assaults.

Unveiling the sender’s identity: The Role of reverse email lookup in verifying unknown senders

Discovering an anonymous sender’s true identity is one of the primary benefits of doing a reverse email search. Users can distinguish between acceptable communication and potentially hazardous situations with the assistance of this vital feature. 

Users can gain essential information about the sender by using a tool for doing a reverse email search. This information includes the sender’s name, location and online presence. Because of this verification process, determining whether or not the sender’s identity is genuine and up to date is much less complicated. 

After a reverse email search reveals a sender’s identity, consumers may better protect themselves online. They can also handle unknown correspondents wisely.

Preventing phishing attacks: Leveraging reverse email lookup to detect and thwart phishing attempts

Phishing attacks continue to be a substantial menace to cybersecurity because cybercriminals employ deceptive tactics to trick users into divulging sensitive information to further their illicit goals. 

A robust defence mechanism against these attacks, reverse email lookup equips users with the knowledge and tools to identify and foil phishing scams. By comparing email addresses to various databases and public records, reverse email lookup can establish whether or not the sender has a history of being involved in fraudulent activity. 

With this information, users should be able to recognize suspicious emails and refrain from clicking on potentially hazardous links or disclosing sensitive information. To strengthen cybersecurity measures and secure private and sensitive data, reverse email lookup should be used as part of phishing attack prevention.

Safeguarding sensitive information: Using reverse email lookup to protect personal and professional data

Protecting sensitive information is of the highest importance in this day and age due to the potential consequences that may result from data breaches caused by cyberattacks. The protection of this kind of information is significantly aided by the use of reverse email lookup, which allows users to verify the credibility of email senders. 

Verifying the validity of unexpected correspondents is one way for individuals and organizations to avoid inadvertently sharing sensitive information with potentially dangerous actors. 

A proactive approach to securing sensitive data, reverse email search helps maintain the privacy of personal and professional information while shielding it from unauthorized access and potential misuse.

Strengthening defence mechanisms: How reverse email lookup supports cybersecurity measures

As a component of cybersecurity strategies, a reverse email search may help strengthen overall defences against online threats. Individuals and organizations may increase their ability to spot and stop cyberattacks by incorporating this technology into their cybersecurity practices.

Reverse email search enables users to find potential risks, validate senders’ integrity and lessen phishing attempts. By taking such a preventative stance toward cybersecurity, the digital perimeter can be bolstered and the organization’s propensity to fall victim to cyberattacks may be reduced. 

People and organizations may benefit from reverse email lookup since it may strengthen their defensive systems, enabling them to maintain a robust and resilient cybersecurity posture.

Empowering individuals and organizations: Promoting personal and professional safety with reverse email lookup

A key objective of reverse email lookup is empowering individuals and organizations to take charge of their online safety. This tool fosters a sense of control and confidence in navigating the digital landscape by providing valuable insights into unknown senders’ identities and detecting potential threats. 

Empowered with the knowledge and capabilities of reverse email lookup, users can make informed decisions about their digital interactions. They can also safeguard sensitive information and prevent cyberattacks. 

Promoting personal and professional safety with reverse email lookup enables individuals and organizations to proactively protect themselves from online risks. This in turn promotes a secure and trustworthy digital environment.

https://www.hackread.com/reverse-email-lookup-tool-strengthen-cybersecurity/

5 Best Reverse Email Lookup Tools & Free Reverse Email Lookup Methods


Tags: Reverse Email Lookup


Mar 02 2023

ProtonVPN launches extensions for Chrome and Firefox browsers

Category: Email Security | DISC @ 10:54 am

You can now connect to ProtonVPN with just one tap of a button.

Proton VPN has launched its new browser extension for Chrome and Firefox, fulfilling one of the most sought-after features requested by its user community. This new extension provides users with a more flexible way to protect their online privacy and bypass censorship.

The Proton VPN browser extension is a standalone platform that encrypts the browser’s internet traffic without needing to install the Windows or Mac applications. This distribution method allows users in countries with blocked app stores to access Proton VPN.


With this new extension, users can easily protect their browser traffic without affecting the speeds or IP addresses of other applications on their devices. The extension can be used across multiple browsers, and each browser can be connected to a different server, allowing for up to ten simultaneous VPN connections.

In a statement, Proton VPN explained that they understand the importance of online privacy and freedom of access, and this new extension is designed to provide more options for users to protect their online activity. They also emphasized that they take user feedback seriously and strive to implement new features that cater to their needs.

The Proton VPN browser extension is available for Chromium-based browsers (such as Google Chrome, Brave, Microsoft Edge, Chromium, Opera, and Vivaldi) and Firefox-based browsers (including Firefox itself, LibreWolf, and Waterfox).


Proton VPN is a well-known and reputable VPN provider based in Switzerland that has been praised for its strong security measures and privacy protections. The company’s commitment to expanding its offerings and providing users with more control over their online privacy is a significant step forward in the fight for digital rights.

Secure email that protects your privacy


Tags: Email Security, ProtonEmail, ProtonMail, ProtonVPN


Feb 17 2023

Hackers Exploit ProxyShell Flaws to Deploy ProxyShellMiner on Exchange Server

Category: Email Security, Proxy | DISC @ 10:27 am

ProxyShellMiner is being distributed to Windows endpoints by a very elusive malware operation, according to Morphisec.

To generate income for the attackers, “ProxyShellMiner” deploys cryptocurrency miners throughout a Windows domain using the Microsoft Exchange ProxyShell vulnerabilities.

ProxyShellMiner exploits a company’s Windows Exchange servers using the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 to get initial access and distribute crypto miners.

“After successfully breaching an Exchange server and obtaining control, the attackers use the domain controller’s NETLOGON folder to ensure the miner executes throughout the domain, similar to how software is delivered through GPO”, Morphisec reports.

Researchers noticed that the attackers were utilizing four C2 servers, and that the files the malware depends on are all hosted on legitimate mail servers that had been compromised.

“Mining cryptocurrency on an organization’s network can lead to system performance degradation, increased power consumption, equipment overheating, and can stop services”, according to Morphisec.

Technical Analysis of the ProxyShellMiner Malware

The malware needs a command line parameter that acts as a password for the XMRig miner component in order to activate.

“This parameter is later used as a key for the XMRig miner configuration, and as an anti-runtime analysis tactic”, Morphisec reports.

The parameter serves as an anti-analysis technique and as a password for the XMRig miner

The XOR decryption algorithm, an XOR key, and an embedded dictionary are all used by ProxyShellMiner. The subsequent embedded code modules are then executed using the C# compiler CSC.exe with “InMemory” compile parameters.

The malware then downloads a file with the name “DC DLL” and uses .NET reflection to get the task scheduler, XML, and XMRig key arguments. The decryption of additional files is done using the DLL file.

By setting up a scheduled activity to start when the user logs in, a second downloader achieves persistence on the compromised system. The report says four other files and the second loader are downloaded from a remote resource.

The deobfuscated scheduled task

Using a technique called “process hollowing,” that file determines which of the installed browsers on the hacked system would be used to inject the miner into its memory space. The mining process then starts after selecting a random mining pool from a hardcoded list.

Picking a mining pool

Setting a firewall rule that blocks all outgoing traffic and is applicable to all Windows Firewall profiles is the last stage in the attack chain. This is done to reduce the likelihood that defenders may find infection signs or get notifications about a possible compromise from the compromised system.

“The malware waits at least 30 seconds while the target machine blocks any outbound connection. It does this to tamper with the process runtime behavior analysis of common security solutions”, the researchers note.

Adding a firewall rule to block all outgoing traffic
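The following PowerShell hunt, added here and not taken from Morphisec's report, checks a suspected endpoint for the three host-level traces described above: a block-all outbound firewall rule, a logon-triggered scheduled task, and payload files in the NETLOGON share. It assumes an elevated session on a domain-joined host; the NETLOGON path is derived from the machine's domain and is an assumption about your environment.

```powershell
# Added example, not code from Morphisec's report or from the malware: a defender-side
# hunt for the traces the analysis describes. Run in an elevated PowerShell session on a
# suspected endpoint. The NETLOGON share path is derived from the host's domain.

# 1. Firewall rules that block all outbound traffic on every profile (the final stage).
$blockAllOutbound = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Where-Object { $_.Profile -eq 'Any' } |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        # No protocol, port or program restriction means the rule blocks everything
        $port.Protocol -eq 'Any' -and $port.RemotePort -eq 'Any' -and $app.Program -eq 'Any'
    } |
    Select-Object DisplayName, Profile, Enabled

# 2. Logon-triggered scheduled tasks that run a compiler or script host, or a binary
#    outside the Windows and Program Files directories (the persistence stage).
$suspiciousTasks = foreach ($task in Get-ScheduledTask) {
    $atLogon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $atLogon) { continue }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $knownDir  = $exe -match '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
        $livingOff = $exe -match 'csc\.exe|powershell|cmd\.exe|wscript|cscript|mshta'
        if ($livingOff -or -not $knownDir) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $exe
                Arguments = $action.Arguments
            }
        }
    }
}

# 3. Executables and scripts in the domain NETLOGON share, newest first (the
#    domain-wide delivery path).
$domain   = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$netlogon = "\\$domain\NETLOGON"
$netlogonFiles = if (Test-Path -Path $netlogon) {
    Get-ChildItem -Path $netlogon -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.xml' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime
}

'== Block-all outbound firewall rules ==';  $blockAllOutbound | Format-Table -AutoSize
'== Suspicious logon-triggered tasks ==';   $suspiciousTasks  | Format-Table -AutoSize
"== Recently written files in $netlogon =="; $netlogonFiles   | Format-Table -AutoSize
```

Legitimate logon scripts also live in NETLOGON and some management agents create logon tasks, so treat each hit as a lead to compare against change records rather than a verdict.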

Final Thoughts

ProxyShellMiner doesn’t just disrupt business networks, drive up power bills, overheat equipment, and stop services from operating; it also gives threat actors a foothold for further malicious activity.

“Once attackers have a foothold in a network, they have deployed web shells, backdoors, and used tunneling utilities to further compromise victim organizations”, Morphisec adds.

Hence, Morphisec encourages all administrators to install all available security updates and employ thorough and all-encompassing threat detection and defense measures to reduce the danger of ProxyShellMiner attacks.

Everything you need to know about ProxyShell vulnerabilities


Tags: Exchange server, ProxyShell Flaws


Feb 02 2023

HACKERS GAINED ACCESS TO O365 EMAIL ACCOUNTS BY USING OAUTH APPLICATIONS “CERTIFIED” BY MICROSOFT

Category: Email Security, Hacking | DISC @ 10:57 am

Becoming verified on well-known platforms such as Instagram, Twitter, or the Apple AppStore has become the standard for determining one’s standing in the current online social scene. As users, we trust verified accounts more than those that aren’t. In the business sector, the situation is exactly the same with third-party OAuth app publishers who have been validated by Microsoft. Unfortunately, threat actors have noticed the significance of the verified status in the Microsoft environment as well.

Researchers from Proofpoint found a new malicious third-party OAuth app campaign that used the Microsoft “certified publisher” status in order to meet certain of Microsoft’s criteria pertaining to the distribution of OAuth apps. This raised the likelihood that users would be duped into giving authorization when a malicious third-party OAuth app (from this point forward, referred to as an “OAuth app” or a “malicious app”) asks for access to data that is available through a user’s account. Researchers found that the malicious applications had extensive delegated rights, such as the ability to read emails, change mailbox settings, and obtain access to files and other data that were associated with the user’s account.

According to Microsoft, a Microsoft account can achieve the status of “publisher verified” or “verified publisher” when the “publisher of the app has verified their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration.” The two terms are used interchangeably. (Just so there isn’t any misunderstanding, a “certified publisher” has absolutely nothing to do with the desktop program known as Microsoft Publisher, which is available in some levels of Microsoft 365.)

The material provided by Microsoft goes on to provide more clarification, stating that “after the publisher of an app has been confirmed, a blue verified badge displays in the Azure Active Directory (Azure AD) authorization prompt for the app and on other websites.” Note that when Microsoft discusses third-party OAuth applications, it is referring to apps that have been developed by companies that fall into this category. These businesses are referred to as “publishers” in the Microsoft environment.

Researchers were able to identify three malicious applications that were developed by three distinct malicious publishers. The same firms were singled out for attack by these applications, and they are connected to the same malicious infrastructure. Multiple people were seen giving permission to the malicious applications, which put the environment of their firm at risk.

According to the findings of their investigation, the majority of the participants in this campaign seemed to originate from the United Kingdom (UK). Individuals from the finance and marketing departments, as well as high-profile users such as managers and executives, were among those whose accounts were compromised. Beginning on December 6th, 2022, we made our first observation of this particular avatar of malicious third-party OAuth applications. In every instance, the specialized backend infrastructure that supports the applications was only put in place a few days or weeks before December 6th.

When users give their permission, malicious applications’ default delegated permissions allow threat actors to access and manipulate mailbox resources, calendar events, and meeting invitations that are linked to accounts that have been compromised. This access and manipulation is only possible when users give their consent. After receiving approval, gaining access does not need further action on the part of the user since the permissions also allow ā€œoffline access.ā€ The given token, also known as the refresh token, often has a lengthy expiration time that is more than one year. This provided threat actors with access to the data associated with the hacked account as well as the potential to utilize the compromised Microsoft account in later BEC attempts or other types of attacks.

In addition to the possibility of user accounts being hijacked, firms that have been impersonated run the risk of having their brand abused. It is quite difficult for firms in this situation to determine whether or not their reputation is being sullied by one of these assaults. There is no necessary contact that must take place between the entity that is being impersonated and the malicious verified publisher.

Even though an OAuth third-party app has been validated by Microsoft, it is imperative to proceed with extreme care when allowing access to the app. OAuth applications are not reliable and should not be trusted only on the basis of their verified publisher status. End users are likely to become victims of sophisticated social engineering approaches because of the complexity of the assaults that are being carried out.
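As an added example (not code from Proofpoint's research), the following Microsoft Graph PowerShell script enumerates delegated OAuth consent grants that cover mail, files or offline access and records whether each app's publisher is verified, so that verified-but-unapproved apps can be reviewed rather than trusted on the badge alone. It assumes the Microsoft.Graph PowerShell SDK, a directory reader role, and placeholder lists for sensitive scopes and approved app IDs.

```powershell
# Added example, not code from Proofpoint's research: list delegated OAuth consent
# grants in the tenant for mailbox, file, calendar or offline access, with the
# publisher's verified status, so grants can be checked against an approved list.
# Assumes the Microsoft.Graph SDK; the scope and approved-app lists are placeholders.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$sensitiveScopes = @('Mail.Read', 'Mail.ReadWrite', 'MailboxSettings.ReadWrite',
                     'Files.Read.All', 'Calendars.ReadWrite', 'offline_access')
$approvedAppIds  = @('00000000-0000-0000-0000-000000000000')   # placeholder: vetted app IDs

$spCache = @{}   # each service principal is looked up once per ClientId
function Get-CachedServicePrincipal([string] $id) {
    if (-not $spCache.ContainsKey($id)) {
        $spCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id
    }
    return $spCache[$id]
}

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    # Scope is a space-separated list of delegated permissions the user/admin consented to
    $granted = ($grant.Scope -split '\s+') | Where-Object { $_ -in $sensitiveScopes }
    if (-not $granted) { continue }
    $app = Get-CachedServicePrincipal $grant.ClientId
    [pscustomobject]@{
        App         = $app.DisplayName
        AppId       = $app.AppId
        Publisher   = $app.PublisherName
        Verified    = [bool]$app.VerifiedPublisher.VerifiedPublisherId   # the blue badge
        Approved    = $app.AppId -in $approvedAppIds
        ConsentType = $grant.ConsentType    # 'AllPrincipals' = admin consent, 'Principal' = one user
        UserId      = $grant.PrincipalId    # empty for tenant-wide grants
        Scopes      = $granted -join ' '
    }
}

# Verified publishers that are not on the approved list are exactly the case described above
$report | Where-Object { -not $_.Approved } | Sort-Object Verified, App |
    Format-Table App, Publisher, Verified, ConsentType, Scopes -AutoSize
```

Revoking an unwanted grant removes future access, but tokens already issued with offline_access remain usable until they expire, so the affected users' refresh tokens should be invalidated as well.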


Jan 25 2023

Everyone Wants Your Email Address. Think Twice Before Sharing It

Category: Email Security, Information Security | DISC @ 10:12 am

Your email address has become a digital bread crumb for companies to link your activity across sites. Here’s how you can limit this.

When you browse the web, an increasing number of sites and apps are asking for a piece of basic information that you probably hand over without hesitation: your email address.

It may seem harmless, but when you enter your email, you’re sharing a lot more than just that. I’m hoping this column, which includes some workarounds, persuades you to think twice before handing over your email address.

First, it helps to know why companies want email addresses. To advertisers, web publishers and app makers, your email is important not just for contacting you. It acts as a digital bread crumb for companies to link your activity across sites and apps to serve you relevant ads.

If this all sounds familiar, that’s because it is.

For decades, the digital advertising industry relied on invisible trackers planted inside websites and apps to follow our activities and then serve us targeted ads. There have been sweeping changes to this system in the past few years, including Apple’s release of a software feature in 2021 allowing iPhone users to block apps from tracking them and Google’s decision to prevent websites from using cookies, which follow people’s activities across sites, in its Chrome browser by 2024.

Advertisers, web publishers and app makers now try to track people through other means — and one simple method is by asking for an email address.

Imagine if an employee of a brick-and-mortar store asked for your name before you entered. An email address can be even more revealing, though, because it can be linked to other data, including where you went to school, the make and model of the car you drive, and your ethnicity.


“I can take your email address and find data you may not have even realized you’ve given to a brand,” said Michael Priem, the chief executive of Modern Impact, an advertising firm in Minneapolis. “The amount of data that is out there on us as consumers is literally shocking.”

Advertising tech is continuing to evolve, so it helps to understand what exactly you’re sharing when you enter in an email address. From there, you can decide what to do.

For many years, the digital ad industry has compiled a profile on you based on the sites you visit on the web. Information about you used to be collected in covert ways, including the aforementioned cookies and invisible trackers planted inside apps. Now that more companies are blocking the use of those methods, new ad targeting techniques have emerged.

One technology that is gaining traction is an advertising framework called Unified ID 2.0, or UID 2.0, which was developed by the Trade Desk, an ad-technology company in Ventura, Calif.

Say, for example, you are shopping on a sneaker website using UID 2.0 when a prompt pops up and asks you to share your email address and agree to receive relevant advertising. Once you enter your email, UID 2.0 transforms it into a token composed of a string of digits and characters. That token travels with your email address when you use it to log in to a sports streaming app on your TV that uses UID 2.0. Advertisers can link the two accounts together based on the token, and they can target you with sneaker ads on the sports streaming app because they know you visited the sneaker website.

Since your email address is not revealed to the advertiser, UID 2.0 may be seen as a step up for consumers from traditional cookie-based tracking, which gives advertisers access to your detailed browsing history and personal information.

“Websites and apps are increasingly asking for email authentication in part because there needs to be a better way for publishers to monetize their content that’s more privacy-centric than cookies,” Ian Colley, the chief marketing officer of the Trade Desk, said in an email. “The internet is not free, after all.”

However, in an analysis, Mozilla, the nonprofit that makes the Firefox web browser, called UID 2.0 a “regression in privacy” because it enabled the type of tracking behavior that modern web browsers were designed to prevent.

There are simpler ways for websites and apps to track your web activity through your email address. An email could contain your first and last name, and assuming you’ve used it for some time, data brokers have already compiled a comprehensive profile on your interests based on your browsing activity. A website or an app can upload your email address into an ad broker’s database to match your identity with a profile containing enough insights to serve you targeted ads.

The bottom line is that if you’re wondering why you are continuing to see relevant ads despite the rise of privacy tools that combat digital tracking, it’s largely because you are still sharing your email address.

There are various options for limiting the ability of advertising companies to target you based on your email address:

  • Create a bunch of email addresses. Each time a site or an app asks for your email, you could create a unique address to log in to it, such as, for example, netflixbrianchen@gmail.com for movie-related apps and services. That would make it hard for ad tech companies to compile a profile based on your email handle. And if you receive spam mail to a specific account, that will tell you which company is sharing your data with marketers. This is an extreme approach, because it’s time-consuming to manage so many email addresses and their passwords.
  • Use email-masking tools. Apple and Mozilla offer tools that automatically create email aliases for logging in to an app or a site; emails sent to the aliases are forwarded to your real email address. Apple’s Hide My Email tool, which is part of its iCloud+ subscription service that costs 99 cents a month, will create aliases, but using it will make it more difficult to log in to the accounts from a non-Apple device. Mozilla’s Firefox Relay will generate five email aliases at no cost; beyond that, the program charges 99 cents a month for additional aliases.
  • When possible, opt out. For sites using the UID 2.0 framework for ad targeting, you can opt out by entering your email address at https://transparentadvertising.org. (Not all sites that collect your email address are using UID 2.0, however.)

You could also do nothing. If you enjoy receiving relevant advertising and have no privacy concerns, you can accept that sharing some information about yourself is part of the transaction for receiving content on the internet.

I try to take a cautious but moderate approach. I juggle four email accounts devoted to my main interests — food, travel, fitness and movies. I’ll use the movie-related email address, for example, when I’m logging in to a site to buy movie tickets or stream videos. That way, those sites and apps will know about my movie preferences, but they won’t know everything about me.

Source:

https://www.nytimes.com/2023/01/25/technology/personaltech/email-address-digital-tracking.html

Check out our previous posts on “Email Security”

The Art of Email Security: Putting Cybersecurity In Simple Terms


Tags: Email Address


Jan 16 2023

Why encrypting emails isn’t as simple as it sounds

Category: Email Security | DISC @ 1:39 pm

Why organizations need encryption

Encrypting an email message ensures that unauthorized parties cannot read it. For any party without proper authorization, the message will appear indecipherable.

For organizations, message confidentiality is crucial to stop potentially sensitive information from reaching prying eyes. Also, they should be able to confirm the integrity of the message and the sender’s identity – without this, spoofed messages can be sent.

The basis of confidential communication over email is that both sender and recipient have secured their respective local systems, by hardening the host OS, employing client security, EDR, XDR and so forth.

Different options have different benefits and challenges

Best-effort opportunistic encryption methods such as Outlook Message Encryption (OME) and various third-party solutions (email encryption gateways, plugins and similar) have the benefit of being easy to use. They can also be transparently integrated into email programs (such as Outlook Message Encryption), and make it easy to contact new people, with no need for prior key exchange – if the message is sent to a user who doesn’t run the same system, a portal for opening the message is typically placed in view.

Additionally, they can often be integrated into the outgoing email server with rules to enforce encryption automatically, depending on set rules such as automated encryption for certain attachments, for example.

There is, however, the possibility of an unauthorized party decrypting the message if they gain access to it first. This poses a real threat as the email communication itself is not guaranteed to be encrypted due to the email delivery process being reliant on STARTTLS and similar opportunistic encryption schemes. This can be mitigated by adding 2FA, such as via SMS PIN code which can help improve security (of course, the recipient’s cell phone number must be known when sending). And in many situations, it is important to also identify the sender’s identity reliably: After all, if anyone can send messages, how can you differentiate a genuine sender from an imposter?

Full encryption methods such as S/MIME and PGP/GPG enable complete confidentiality, since only the recipient can decrypt the email message, and also make it possible to verify the sender’s identity. However, several issues arise when using this method. There is a need for key management where keys need to be distributed, swapped, and kept up to date. There is also limited support as the recipient often needs to use the same solution as the sender.

Only a certain subset of contacts typically use this solution, leading to the need to use multiple solutions depending on the recipient(s). This also requires extra effort to determine which solution can be used for the specific recipient and if the solution is secure enough for the material being sent. This can lead to a complicated user interface with different, confusing options like “sign only” or “sign and encrypt”. It becomes quite easy to end up choosing the wrong option, or worse, forgetting to use the encryption at all (since it usually must be selected specifically).

Recently Google started offering an option to use S/MIME with Gmail as “E2EE” or “client-side encryption”. This option is currently in beta testing and only available for limited audiences. This is, however, a significant development as it might result in wider adoption of S/MIME encryption, especially if made available for free Gmail tiers.

The threat model decides

What is the best solution? S/MIME or PGP/GPG may seem like attractive solutions, but challenges in key management and difficulty in training people to use them could lead to poor adoption. Some less secure solutions could be used for most communication, while the more secure solutions, such as S/MIME or GPG/PGP, could be used for other recipients.

The users that need to use the more secure solutions must be instructed on identifying when the more secure method is needed and how to use the solution properly (such as key management and practice sending and receiving encrypted email). Ultimately the demands of the specific organization and use cases determine the solutions that might be needed.

Check out our previous posts on Email Security…

Contact DISC InfoSec


Tags: Email Security, encrypting email, ProtonMail


Dec 20 2022

Google’s New End-To-End Encryption for Gmail on the Web

Category: Email Security | DISC @ 9:48 am

On Friday, Google released a beta version of Client-side encryption (CSE) for Gmail. This newest service is only useful to organisations that can produce their own decryption keys because CSE is designed for organisational use.

Google has now made “end-to-end encryption” available for Gmail on the web, following Meta’s 2016 offer to use it for WhatsApp. However, it only provides client-side encryption (CSE).

Notably, client-side encryption (which Google refers to as E2EE) was already available to users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta).

“We’re expanding customer access to client-side encryption in Gmail on the web. Google Workspace Enterprise plus, Education plus, and Education Standard customers are eligible to apply for the beta until January 20th, 2022”, Google announces.

End-To-End Encryption for Gmail

Sensitive information in the email body and attachments is rendered unreadable by Google servers using client-side encryption in Gmail. Customers retain control of both the encryption keys and the identity service used to access them.

“You can use your own encryption keys to encrypt your organization’s data, in addition to using the default encryption that Google Workspace provides,” explains Google.

“With Google Workspace Client-side encryption (CSE), content encryption is handled in the client’s browser before any data is transmitted or stored in Drive’s cloud-based storage.

“That way, Google servers can’t access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally.”

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption supports a wide range of data sovereignty and compliance requirements while enhancing the secrecy of your data.

For customers of Google Workspace Enterprise Plus, Education Plus, and Education Standard, Gmail E2EE beta is presently available.

By submitting their Gmail CSE Beta Test Application, which should include the email address, Project ID, and test group domain, they can apply for the beta until January 20, 2023.

Google says this feature will be OFF by default and can be enabled at the domain, OU, and Group levels (Admin console > Security > Access and data control > Client-side encryption).

To add client-side encryption to any message, click the lock icon and select Additional encryption, then compose your message and add attachments as normal.

The feature is not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, nor to legacy G Suite Basic and Business customers. The service has also not yet been rolled out for personal accounts.

Finally, end-to-end encryption is something we take for granted in an era when hacking and data leakage are becoming more frequent occurrences.

End-To-End Encryption for Gmail

Tags: Email Security, end-to-end encryption, Google gmail


Dec 11 2022

Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

Category: Email Security,PhishingDISC @ 11:55 am

A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.

The number of phishing scams reported in the first quarter of 2022 set a new record of over one million total attacks, according to a report by the Anti-Phishing Working Group.

And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.

With so many attacks underway—and growing by the day—what’s the best way to recognize these scams and prevent them? We’ll look at how to recognize and protect yourself from the most common types of phishing fraud. Meanwhile, you can also learn how to detect phishing images in an email.

Most prevalent types of phishing scams

Phishing today refers to a type of scam that steals people’s personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.

With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.

This can make it hard for the untrained eye to spot a phishing scam and even difficult to recognize if you’ve been hacked after falling for an attack. The first sign that tips off most victims is an unexpected charge, damaged credit score, or depleted bank account.

Here are the six most common types of phishing scams and how to protect yourself.

1. Email scams

Anyone can fall for an email scam; this U.S. judge did. By far the most common type of phishing attack is via email. You’re probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.

These emails often look identical to official messages and notifications, including the company’s logo and exactly the same content as a real message. For example, one of today’s most common scams is a message notification from LinkedIn that’s almost impossible to tell apart from the real thing.

How to protect yourself:

  • Never click on links in emails. Instead, visit the official site.
  • Beware of email addresses that aren’t from the business domain, especially if the address is from a free provider like Gmail.
  • Disable automatic image loading, as this can let scammers know you’ve seen the message.

2. Voice phishing (vishing)

Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or urgent, life-threatening warning.

Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though it’s from a local number even if it’s not.

How to protect yourself:

  • Never answer calls from numbers you don’t recognize, even if it has a local area code.
  • Don’t return calls from numbers you don’t recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you’ll call back).
  • Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.

3. Phishing websites

One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the company’s logos, color scheme, and fonts.

After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this attack impersonating American Express used an email message and web page almost impossible to tell apart from the real brand.

Phishing email and the phishing page (Screenshots via Armorblox)

How to protect yourself:

  • If you get a message with a link—even if it looks trustworthy—go to the official site instead.
  • Check the URL of a website to make sure it’s correct. (You’ll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
  • Don’t automatically trust an HTTPS connection. The “green padlock” icon is an important trust signal, but it doesn’t mean a site is safe. Hackers can use them on phishing sites, too.

4. SMS text message scams (smishing)

Text messages don’t have much space for the scammer’s message, but that hasn’t stopped criminals from trying new tactics to trick innocent victims. The goal of most SMS scams is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).

One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You’ll often see a message “confirming” an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.

How to protect yourself:

  • Don’t trust texts from numbers you don’t recognize. Instead, visit the official site.
  • Beware of texts that use vague terms like “your bank” or “package service.” Scammers use these (instead of actual company names) so the message can apply to anyone.
  • Don’t reply to scam messages, even unsubscribe. This only confirms you have an active number and will result in more attacks.

5. Social media phishing

Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.

One common ruse is a friend reaching out for help, usually with an authentication code. But it’s not a friend—it’s a scammer who’s taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the official company support account, asking you to provide information to verify you’re the authentic owner or to keep your page active.

Fake Support chatbot (Image: Trustwave)

How to protect yourself:

  • Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
  • Don’t respond to messages from “official” accounts. If you’ve received an alert from the social networking site, it’ll usually appear in your account settings.
  • Don’t ever share your social media password with a third-party website.

6. Man-in-the-middle attack

This type of phishing scam requires the attacker to be nearby but can be one of the most dangerous because it’s almost impossible to detect. It works when you and the attacker are on the same Wi-Fi network, like at a coffee shop or airport. The attacker intercepts everything you send and receive and can redirect your browser from legitimate sites to look-alike sites without you knowing.

Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.

How to protect yourself:

  • Never use public Wi-Fi networks. A better option is to connect to a hotspot from your cell phone, which has a secure and private connection.
  • If you have to use public Wi-Fi, turn on a VPN. This can protect you against most types of man-in-the-middle attacks and safeguard your personal details.

How to prevent phishing

Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.

  • Unfamiliar senders. Emails, texts, or calls from people you don’t recognize are automatically suspect.
  • Poor spelling or grammar. Major corporations pay careful attention to small details like this. Scammers, on the other hand, don’t usually worry about a few typos and often use poor English.
  • Urgency and threats. Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don’t recognize warning signs of a scam.
  • Unusual payment methods. Phishing scams often take the opportunity to charge a “fee” for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.
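A small script that applies several of the checks above to a raw message: a sender on a free provider rather than the business domain, a link whose visible text does not match its real target, and urgency language in the subject. This is an added example, not code from the original article; the two sample messages, the brand domain examplebank.example and the free-provider list are constructed.

```python
"""Heuristic checks for the phishing warning signs discussed above.
Added example, not code from the original article; the sample messages,
brand domain and provider list are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of free mail providers a real business would not send from.
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_RE = re.compile(r"\b(urgent|immediately|within 24 hours|suspended)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed phishing sample: free-provider sender, link text hiding the real host.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts.examplebank@gmail.com>
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Unusual activity was detected on your account.</p>
<p><a href="https://examplebank-secure-login.example.net/verify">
https://www.examplebank.example/verify</a></p>
"""

# Constructed legitimate sample sent from the bank's own domain.
LEGIT_EMAIL = """\
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p><a href="https://www.examplebank.example/statements">View statement</a></p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host name; crude (no public-suffix list) but enough here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_email(raw: str, brand_domain: str) -> list[str]:
    """Return the warning labels found in a raw message; an empty list means none."""
    msg = message_from_string(raw)
    brand = registrable_domain(brand_domain)
    findings = []

    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if registrable_domain(sender_domain) != brand:
        findings.append("sender-not-brand-domain")
    if sender_domain in FREE_PROVIDERS:
        findings.append("sender-free-provider")

    if URGENCY_RE.search(msg.get("Subject", "")):
        findings.append("urgency-language")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in ANCHOR_RE.findall(body):
        # The scheme is deliberately ignored: https:// on a phishing host proves nothing.
        target = registrable_domain(urlparse(href).hostname or "")
        if target != brand:
            findings.append("link-not-brand-domain")
        shown = text.strip()
        if "://" in shown and registrable_domain(urlparse(shown).hostname or "") != target:
            findings.append("link-text-mismatch")
    return findings


if __name__ == "__main__":
    print("phish:", check_email(PHISH_EMAIL, "examplebank.example"))
    print("legit:", check_email(LEGIT_EMAIL, "examplebank.example"))
```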

What to do if you’re a victim of phishing

You’ve learned how to protect yourself from phishing scams, but what if you’ve already fallen victim? If you know you’ve shared information with a scammer, here’s what you should do, based on what information you’ve shared.

  • Credit or debit card details. Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
  • Login details or passwords. Log into the compromised account, change the password, look for an option to close all active sessions, and add two-factor authentication if possible. Do the same for any other accounts using the same password.
  • Medical insurance information. Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
  • Social Security number. Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
  • Name, email, date of birth, or other information. Keep a close eye on your accounts for signs of identity theft.

No matter what kind of information you’ve shared, it’s always a good idea to report the fraud to the Federal Trade Commission at IdentityTheft.gov. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation.

Conclusion

Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you’ve been compromised.

Tags: Phishing scams



Jun 09 2022

Secure email that protects your privacy

Category: Email Security,Information SecurityDISC @ 8:19 am

Keep your conversations private. Proton Mail is an encrypted email service based in Switzerland.


Proton Mail protects your communication and has everything you need to easily manage your inbox; Proton Mail’s top priority is keeping your data safe.

Create a free account


Tags: Proton email, ProtonMail


Nov 22 2021

Attackers compromise Microsoft Exchange servers to hijack internal email chains

Category: Email SecurityDISC @ 11:18 am

A malware campaign aimed at Microsoft Exchange servers exploits ProxyShell and ProxyLogon issues and uses stolen internal reply-chain emails to avoid detection.

The campaign was uncovered by Trend Micro researchers, who detailed the technique used to trick victims into opening the malicious email used as the attack vector.

The attacks were orchestrated by Squirrelwaffle, a threat actor known for sending malicious spam as replies to existing email chains.

The investigation into three incidents revealed that attackers used exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell).

Once the Exchange servers are compromised, the threat actors use their access to reply to the company’s internal emails in reply-chain attacks containing links to weaponized documents. Sending the messages from inside the organization allows the attackers to bypass detection.

“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).” reads the analysis published by Trend Micro. “Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails.”
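One way a defender can look for the signal Trend Micro describes, a message whose Received chain never left the internal Exchange servers yet is a reply to an existing thread carrying a link, as an added example that is not Trend Micro’s tooling. The two sample messages, the internal host naming convention (.corp.example.local) and the internal-host rule are constructed assumptions.

```python
"""Received-chain triage for internal-only mail paths.  Added example, not
Trend Micro's tooling; messages, host names and the internal-host rule are
constructed assumptions."""
import ipaddress
import re
from email import message_from_string

INTERNAL_SUFFIX = ".corp.example.local"  # constructed naming convention for internal hosts

# Constructed: a reply injected from a compromised Exchange server; every hop is internal.
INTERNAL_ONLY = """\
Received: from EXCH03.corp.example.local (10.10.5.13) by EXCH01.corp.example.local
 (10.10.5.11) with Microsoft SMTP Server; Thu, 18 Nov 2021 09:12:03 +0000
Received: from EXCH02.corp.example.local (10.10.5.12) by EXCH03.corp.example.local
 (10.10.5.13) with Microsoft SMTP Server; Thu, 18 Nov 2021 09:12:02 +0000
From: finance@corp.example
To: all-staff@corp.example
In-Reply-To: <orig-thread@corp.example>
Subject: RE: Q3 invoice
Content-Type: text/plain

Updated document: http://203.0.113.45/invoice-update
"""

# Constructed: ordinary inbound mail that entered through the edge gateway.
EXTERNAL_ENTRY = """\
Received: from gw.corp.example.local (10.10.1.2) by EXCH01.corp.example.local
 (10.10.5.11) with Microsoft SMTP Server; Thu, 18 Nov 2021 09:15:00 +0000
Received: from mail.partner.example (198.51.100.7) by gw.corp.example.local
 (10.10.1.2) with ESMTP; Thu, 18 Nov 2021 09:14:59 +0000
From: someone@partner.example
To: finance@corp.example
Subject: Invoice
Content-Type: text/plain

Hello, invoice attached.
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)\s]+)\)", re.I)


def received_hops(raw: str) -> list[tuple[str, str]]:
    """(sending host, sending IP) for each Received: header, newest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(value).split()))  # unfold the header first
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops


def is_internal_host(host: str, ip: str) -> bool:
    """Internal means: our naming convention AND a private address."""
    try:
        private = ipaddress.ip_address(ip).is_private
    except ValueError:
        private = False
    return host.endswith(INTERNAL_SUFFIX) and private


def internal_only_path(raw: str) -> bool:
    """True when every hop our own servers recorded is internal, i.e. the message
    never crossed the edge gateway that filters inbound mail."""
    hops = received_hops(raw)
    return bool(hops) and all(is_internal_host(h, ip) for h, ip in hops)


def flag_internal_reply_chain(raw: str) -> bool:
    """Internal-only path + reply to an existing thread + a link in the body.
    A triage signal, not a verdict: genuine internal replies also match the first two."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    is_reply = msg.get("In-Reply-To") is not None
    return internal_only_path(raw) and is_reply and re.search(r"https?://", body) is not None
```

Only the Received lines stamped by your own servers are trustworthy; anything below them can be forged by the sender, which is why the check walks the whole chain rather than the oldest hop.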

Tags: Microsoft Exchange servers


Sep 10 2021

ProtonMail Now Keeps IP Logs

Category: Email SecurityDISC @ 9:51 am

ProtonMail Amends Its Policy After Giving Up an Activist’s Data

ProtonMail Forced to Log IP Address of French Activist

Tags: ProtonMail


Sep 03 2021

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Category: Email SecurityDISC @ 12:01 pm

Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him ā€œBillā€ to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials.

In about half the cases the credentials are being checked via ā€œIMAP,ā€ which is an email standard used by email software clients like Mozilla’s Thunderbird and Microsoft Outlook. With his visibility into the proxy network, Bill can see whether or not an authentication attempt succeeds based on the network response from the email provider (e.g. mail server responds ā€œOKā€ = successful access).

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.

And they seem particularly focused on stealing gift card data.

ā€œSometimes they’ll log in as much as two to three times a week for months at a time,ā€ Bill said. ā€œThese guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.ā€

Source: Gift Card Gang Extracts Cash From 100k Inboxes Daily
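The pattern Bill describes, millions of IMAP authentications spread over many accounts, leaves a trace in mail-server login logs. The added example below (not from the source article) groups attempts by source address, flags sources that try many distinct usernames, and lists the accounts those sources logged into successfully. The log lines are constructed (loosely modelled on Dovecot imap-login output) and the threshold is an assumption.

```python
"""Detection sketch for mass IMAP credential testing.  Added example, not the
source's or the gang's code; log format is constructed (loosely modelled on
Dovecot imap-login lines) and the threshold is an assumption."""
from collections import defaultdict
import re

# Constructed sample log: one proxy node spraying many accounts, one normal user with a typo.
SAMPLE_LOG = """\
Sep 01 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice@example.org>, method=PLAIN, rip=203.0.113.9
Sep 01 10:00:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob@example.org>, method=PLAIN, rip=203.0.113.9
Sep 01 10:00:03 mail dovecot: imap-login: Login: user=<carol@example.org>, method=PLAIN, rip=203.0.113.9
Sep 01 10:00:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave@example.org>, method=PLAIN, rip=203.0.113.9
Sep 01 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<erin@example.org>, method=PLAIN, rip=203.0.113.9
Sep 01 10:00:06 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<frank@example.org>, method=PLAIN, rip=198.51.100.20
Sep 01 10:00:07 mail dovecot: imap-login: Login: user=<frank@example.org>, method=PLAIN, rip=198.51.100.20
"""

LINE_RE = re.compile(
    r"imap-login: (Login|Disconnected \(auth failed)[^:]*: user=<([^>]+)>.*?rip=(\S+)"
)


def parse(log: str) -> list[tuple[str, str, bool]]:
    """(source_ip, user, success) for every login attempt in the log."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(3), m.group(2), m.group(1) == "Login"))
    return events


def find_spraying_sources(events, min_distinct_users: int = 4) -> set[str]:
    """Sources that tried at least min_distinct_users different accounts.
    Legitimate clients retry one mailbox; credential testing walks a list."""
    users_by_ip = defaultdict(set)
    for ip, user, _ in events:
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_distinct_users}


def compromised_candidates(log: str, min_distinct_users: int = 4) -> list[str]:
    """Accounts that a spraying source successfully logged into: these are the
    'working inbox credentials' and need a password reset and session review."""
    events = parse(log)
    bad_sources = find_spraying_sources(events, min_distinct_users)
    return sorted({user for ip, user, ok in events if ok and ip in bad_sources})


# Caveat: the proxy network spreads attempts over many addresses, so per-IP thresholds
# miss low-and-slow testing; pair this with per-account signals (IMAP logins from many
# networks to an account that otherwise only uses webmail).
if __name__ == "__main__":
    print("spraying sources:", find_spraying_sources(parse(SAMPLE_LOG)))
    print("accounts to reset:", compromised_candidates(SAMPLE_LOG))
```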

DISC InfoSec Shop (tools and training)

DISC Infosec Books shop

Tags: Gift Card Gang


May 05 2021

Expert released PoC exploit for Microsoft Exchange flaw

Category: Email SecurityDISC @ 4:12 pm

A security expert released technical details and proof-of-concept exploit (PoC) code for the high-severity vulnerability CVE-2021-28482 in Microsoft Exchange that could be exploited by remote attackers to execute arbitrary code on vulnerable systems.

The April 2021 Microsoft Patch Tuesday security updates addressed four critical and high severity vulnerabilities in Exchange Server (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483); some of these flaws were reported by the U.S. National Security Agency (NSA).

All the vulnerabilities are remote code execution flaws that could allow attackers to compromise vulnerable installs; for this reason, the IT giant urges its customers to install the latest updates.

The NSA confirmed that the critical vulnerabilities in the Microsoft Exchange server were recently discovered by its experts, who immediately reported them to Microsoft.

“After we disclosed these vulnerabilities to Microsoft, they promptly created a patch. NSA values partnership in the cybersecurity community. No one organization can secure their networks alone” states the NSA.

Tags: Microsoft Exchange flaw


Apr 22 2021

Giving Out Your E-mail Increases Your Chances Of Getting Hacked

Category: Email SecurityDISC @ 2:37 pm

Does it seem as if nearly every time you install an app, it wants you to register with your email or phone number? To add to that, these apps usually want loads of other sensitive information that they don’t need. This is because of desperate data collection attempts, as your personal information is like gold to the companies selling it (and those using it to manipulate you). Users’ e-mail addresses are also sold to spammers (and scammers) that will bombard you with spam and phishing e-mails.

Your online activity across many apps is tied to your email address and phone number, and it is used to build a profile on you. This is one of the reasons that you should not use your email address to sign up for multiple apps or services. However, adhering to that policy is difficult. Many of the major e-mail providers require you to enter your phone number (another detail used to link your activity across multiple online services), and they sell your data too.

Protecting Your E-mail Enhances Your Online Security

First: Your e-mail is half of your login credentials, and is used as the login across many websites. Your password is the second half, and password cracking is not a difficult feat.

If your e-mail address is leaked by a popular app or service, something that happens frequently, you are at risk of hackers using that e-mail to log into other services you use online. If hackers don’t have your password, they can hack your e-mail account and use that to request a password reset. E-mail-related hacks are among the most catastrophic because your inbox reveals all the apps and services you use online (including financial services like banking, exchanges, and PayPal).

What You Can Do

There are multiple ways to approach this problem, but the first should be restraint. Don’t give any app or company your e-mail address if you aren’t required to. If a company asks for your e-mail when it isn’t needed, you can decline or say that you don’t have an e-mail. Also, if you don’t want an app that is demanding your e-mail badly enough, just uninstall it.

If you have an iPhone or iPad, you can use the ‘Sign in with Apple’ option to register and select the option to hide your e-mail address when prompted. Apple will generate a fake e-mail address and forward messages from it to the real e-mail on your Apple account. This goes a long way towards protecting your online accounts from hackers and data miners.

Sign up for ProtonMail and Tutanota to get secure, end-to-end encrypted e-mail. Each of those providers will provide you with one e-mail address for free. I would recommend getting a paid account so that you can create multiple e-mail addresses and use one exclusively for your bank, and another exclusively for your PayPal to protect those financial accounts from hackers.

If you don’t want a paid account, then sign up for each of them with a different alias to get one free account from each of them (ensure that you abide by their terms of use). If you want a third, there is also Disroot. If you do decide to pay, you can use Bitcoin to avoid providing billing details (which contain your name and address) on ProtonMail.

Giving Out Your E-mail Increases Your Chances Of Getting Hacked

Basic Email Security: Volume 14 in John R. Hines’ Computer Security for Mere Mortals, short documents that show how to have the most email security with the least effort by [John R. Hines]


Apr 16 2021

NSA Discloses Vulnerabilities in Microsoft Exchange

Category: Email SecurityDISC @ 10:46 am

NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches

100+ fixes for the Windows world – plus holes in SAP, Adobe, FreeBSD, etc

“This month’s release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers,” Microsoft said in its blog post.

“These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers.

Clicking through Microsoft’s coy links to CVE-2021-28480 (9.8 severity), CVE-2021-28481 (9.8 severity), CVE-2021-28482 (8.8 severity), and CVE-2021-28483 (9.0 severity), you’ll find the unspecified security partner is the NSA.

Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems.

“NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks,” the signals intelligence agency said via Twitter.

NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches

InfoSec shop

Severe InfoSec shortages by 2021: Here's what you can do about it

Tags: Vulnerabilities in Microsoft Exchange

