Jul 18 2024

Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

Category: Cyber Threats, Email Security | disc7 @ 10:36 am

https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-ramp-up-use-of-encoded-urls-to-bypass-secure-email

Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.

Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.

The SEG Versus SEG Threat

The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.

“We do not have access to the internals of SEGs, so I can’t say for certain,” Gannon says. “But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the [receiving] SEG assumes the URL itself is legitimate.”

In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender’s SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.

In these situations, problems can arise if the recipient’s secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient’s SEG scans the URL, but only sees the sending email gateway’s domain and not the final destination.

“Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination,” Cofense wrote in its report this week. “As a result, when an email already has SEG-encoded URLs, the recipient’s SEG often allows the email through without properly checking the embedded URLs.”

A Substantial Increase

Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in the use of the tactic in the second quarter of this year, May in particular, Cofense said.

According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.

Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. “Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with,” he says. “For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp[:]//badplace[.]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/.”

Gannon says one reason why threat actors likely aren’t using the tactic on a much broader scale is because it involves additional work. “The biggest thing it comes down to is effort,” he says. “If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to.”

Protecting against the tactic can be relatively difficult, as most SEGs don’t have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. “A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG.”
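The recipient-side gap described above, where a scanner stops at the rewriting gateway's domain, can be narrowed by opening known wrappers before reputation checks run. The following Python is an added example, not code from Cofense or any SEG vendor; it knows only the Barracuda Link Protect form quoted above, and the sample body, the `.example` hosts and the depth limit are constructed assumptions.

```python
"""Added example: unwrap SEG-rewritten links so a scanner sees the real destination."""
import re
from urllib.parse import urlsplit, parse_qs

# Wrapper host -> query parameter that carries the original URL.
# Only the Barracuda Link Protect form quoted in the article is listed;
# the article does not describe the other vendors' formats.
KNOWN_WRAPPERS = {"linkprotect.cudasvc.com": "a"}
MAX_DEPTH = 5  # assumption: give up after this many nested wrappers

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample body: one wrapped link (defanged) and one plain link.
SAMPLE_BODY = (
    "Invoice: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//destination[.]example/login\n"
    "Help: https://intranet.example/help"
)


def refang(text: str) -> str:
    """Turn defanged indicators (hxxp, [.], [:]) back into parseable URLs."""
    text = re.sub(r"hxxp(s?)", r"http\1", text.strip(), flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("[:]", ":")


def unwrap(url: str) -> dict:
    """Follow known wrappers inward and report each layer and the final URL."""
    layers = []
    current = refang(url)
    for _ in range(MAX_DEPTH):
        parts = urlsplit(current)
        host = (parts.hostname or "").lower()
        param = KNOWN_WRAPPERS.get(host)
        if param is None:
            break  # not a wrapper we know: this is the destination
        # parse_qs percent-decodes the value. An unencoded "&" inside the
        # embedded URL would truncate it, so treat short results with care.
        inner = parse_qs(parts.query).get(param)
        if not inner:
            break  # wrapper host without an embedded URL
        layers.append(host)
        current = refang(inner[0])
    final_host = (urlsplit(current).hostname or "").lower()
    return {
        "wrapped_by": layers,
        "final_url": current,
        "final_host": final_host,
        # Still pointing at a wrapper (too deep, or no embedded URL):
        # the destination is unknown and must not inherit the wrapper's trust.
        "unresolved": final_host in KNOWN_WRAPPERS,
    }


def hosts_to_scan(body: str) -> list:
    """Return the final destination host for every link in a message body."""
    return [unwrap(u)["final_host"] for u in URL_RE.findall(refang(body))]


if __name__ == "__main__":
    for link in URL_RE.findall(refang(SAMPLE_BODY)):
        print(unwrap(link))
```

Reputation and blocklist checks should run against `final_host`, and a link marked `unresolved` should be treated as unscanned rather than as safe.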


Tags: Encoded URLs


Dec 21 2023

HOW TO SEND SPOOF EMAILS FROM DOMAINS THAT HAVE SPF AND DKIM PROTECTIONS?

Category: Email Security | disc7 @ 8:57 am

SMTP stands for Simple Mail Transfer Protocol. It’s a protocol used for sending emails across the Internet. SMTP operates on a push model, where the sending server pushes the email to a receiving server or an intermediary mail server. Here are some basic concepts associated with SMTP:

  1. Sending and Receiving Servers: SMTP involves at least two servers: the sending mail server and the receiving mail server. The sending server initiates the process.
  2. SMTP Ports: Commonly, SMTP uses port 25 for non-encrypted communication and port 587 for encrypted communication (STARTTLS). Some servers also use port 465 for SSL/TLS encrypted communication.
  3. SMTP Commands and Responses: SMTP communication is based on commands and responses. Common commands include HELO (or EHLO for Extended SMTP), MAIL FROM to specify the sender, RCPT TO for the recipient, and DATA for the body of the email. Responses from the server indicate success or failure of these commands.
  4. MIME (Multipurpose Internet Mail Extensions): Although SMTP is limited to sending text, MIME standards enable SMTP to send other types of data like images, audio, and video by encoding them into text format.
  5. SMTP Authentication: This is used to authenticate a user who wants to send an email. It helps in preventing unauthorized access to the email server.
  6. SMTP Relay: This refers to the process of transferring an email from one server to another. When an SMTP server forwards an email to another server for further delivery, it’s called relaying.
  7. SMTP in Email Clients: Email clients (like Outlook, Thunderbird) use SMTP to send emails. These clients require configuration of SMTP settings (server address, port, authentication) to send emails.
  8. Limitations and Security: SMTP itself does not encrypt email content; it relies on other protocols (like SSL/TLS) for security. Also, SMTP does not inherently include strong mechanisms to authenticate the sender, which has led to issues like spam and phishing.
  9. Interaction with Other Protocols: SMTP is typically used alongside POP3 or IMAP, which are protocols used for retrieving emails from a mail server.
  10. Use in Modern Email Systems: Despite its age, SMTP remains a fundamental part of the email infrastructure in the Internet and is used in virtually all email systems today.

SMTP SMUGGLING

SMTP Smuggling refers to a technique used in network security to bypass security measures by exploiting vulnerabilities in the Simple Mail Transfer Protocol (SMTP). SMTP is the standard protocol used for sending emails across the Internet. Smuggling in this context typically involves manipulating the SMTP conversation in a way that allows an attacker to inject malicious commands or payloads into an email message. These payloads might be overlooked by security systems that are not properly configured to handle anomalous SMTP traffic.

There are several ways SMTP smuggling can be executed:

  1. Command Injection: By inserting additional SMTP commands into message fields (like the ‘MAIL FROM’ or ‘RCPT TO’ fields), an attacker might trick a server into executing commands it shouldn’t.
  2. CRLF Injection: SMTP commands are typically separated by a carriage return and line feed (CRLF). If an attacker can inject CRLF sequences into a message, they might be able to append additional commands or modify the behavior of the email server.
  3. Content Smuggling: This involves hiding malicious content within an email in a way that evades detection by security systems, which might scan emails for known threats.

Email authentication mechanisms

Email authentication mechanisms like SPF, DKIM, and DMARC are crucial in the fight against email spoofing and phishing. They help verify the authenticity of the sender and ensure the integrity of the message. Here’s a basic overview of each:

1. SPF (SENDER POLICY FRAMEWORK)

  • Purpose: SPF is used to prevent sender address forgery. It allows the domain owner to specify which mail servers are permitted to send email on behalf of their domain.
  • How It Works: The domain owner publishes SPF records in their DNS. These records list the authorized sending IP addresses. When an email is received, the receiving server checks the SPF record to verify that the email comes from an authorized server.
  • Limitations: SPF only checks the envelope sender (return-path) and not the header (From:) address, which is often what the recipient sees.

2. DKIM (DOMAINKEYS IDENTIFIED MAIL)

  • Purpose: DKIM provides a way to validate a domain name identity that is associated with a message through cryptographic authentication.
  • How It Works: The sending server attaches a digital signature linked to the domain to the header of the email. The receiving server then uses the sender’s public key (published in their DNS) to verify the signature.
  • Advantages: DKIM verifies that parts of the email (including attachments) have not been altered in transit.

3. DMARC (DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING, AND CONFORMANCE)

  • Purpose: DMARC builds on SPF and DKIM. It allows the domain owner to specify how an email that fails SPF and DKIM checks should be handled.
  • How It Works: DMARC policies are published in DNS. These policies instruct the receiving server what to do with mail that doesn’t pass SPF or DKIM checks (e.g., reject the mail, quarantine it, or pass it with a note).
  • Benefits: DMARC also includes reporting capabilities, letting senders receive feedback on how their email is being handled.

COMBINED EFFECTIVENESS

  • Complementary Roles: SPF, DKIM, and DMARC work together to improve email security. SPF validates the sending server, DKIM validates the message integrity, and DMARC tells receivers what to do if the other checks fail.
  • Combat Spoofing and Phishing: By using these mechanisms, organizations can significantly reduce the risk of their domains being used for email spoofing and phishing attacks.
  • Adoption and Configuration: Proper configuration of these protocols is critical. Misconfiguration can lead to legitimate emails being rejected or marked as spam.

IMPLEMENTATION

  • DNS Records: All three require DNS records to be set up. SPF and DMARC are published as TXT records that carry policy, while DKIM uses a TXT record for the public key.
  • Email Servers and Services: Many email services and servers support these protocols, but they usually require manual setup and configuration by the domain administrator.

Overall, SPF, DKIM, and DMARC are essential tools in the email administrator’s toolkit for securing email communication and protecting a domain’s reputation.
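How the three mechanisms combine is easiest to see by evaluating DMARC alignment for a message whose envelope sender passes SPF but whose From: header names another domain. The following Python is an added example, not code from the original post; the records, domains and result fields are constructed, and the organizational-domain rule (last two labels) is a simplification of the Public Suffix List lookup that real receivers use.

```python
"""Added example: DMARC identifier alignment over SPF and DKIM results."""

# Constructed sample policy records and messages (all names are placeholders).
RECORD_RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"
RECORD_STRICT = "v=DMARC1; p=quarantine; aspf=s; adkim=s"

SPOOFED = {  # SPF passes for the envelope domain, From: shows another domain
    "mail_from_domain": "bulk-sender.example",
    "spf_result": "pass",
    "header_from_domain": "bank.example",
    "dkim": [],
}
LEGIT = {  # envelope uses a subdomain, message is signed by the From: domain
    "mail_from_domain": "bounce.mail.bank.example",
    "spf_result": "pass",
    "header_from_domain": "bank.example",
    "dkim": [{"d": "bank.example", "result": "pass"}],
}


def parse_dmarc(record: str) -> dict:
    """Parse the tags this example needs from a DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    # Alignment modes default to relaxed ("r") when the tag is absent.
    return {
        "p": tags.get("p", "none"),
        "aspf": tags.get("aspf", "r"),
        "adkim": tags.get("adkim", "r"),
    }


def org_domain(domain: str) -> str:
    """Simplification: treat the last two labels as the organizational domain."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(msg: dict, record: str) -> dict:
    """DMARC passes if SPF or DKIM both passes and aligns with the From: domain."""
    policy = parse_dmarc(record)
    from_domain = msg["header_from_domain"]
    spf_ok = msg["spf_result"] == "pass" and aligned(
        msg["mail_from_domain"], from_domain, policy["aspf"])
    dkim_ok = any(
        sig["result"] == "pass" and aligned(sig["d"], from_domain, policy["adkim"])
        for sig in msg["dkim"])
    passed = spf_ok or dkim_ok
    on_fail = {"quarantine": "quarantine", "reject": "reject"}.get(policy["p"], "deliver")
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "deliver" if passed else on_fail,
    }


if __name__ == "__main__":
    print(evaluate(SPOOFED, RECORD_RELAXED))
    print(evaluate(LEGIT, RECORD_STRICT))
```

The spoofed sample shows the SPF limitation noted above: the SPF check itself passes, and only the alignment step ties that result to the address the recipient sees.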

In a groundbreaking discovery, Timo Longin, in collaboration with the SEC Consult Vulnerability Lab, has unveiled a novel exploitation technique in the realm of email security. This technique, known as SMTP smuggling, poses a significant threat to global email communication by allowing malicious actors to send spoofed emails from virtually any email address.

Discovery of SMTP Smuggling: The concept of SMTP smuggling emerged from a research project led by Timo Longin, a renowned figure in the cybersecurity community known for his work on DNS protocol attacks. This new technique exploits differences in how SMTP servers interpret protocol rules, enabling attackers to bypass standard email authentication methods like SPF (Sender Policy Framework).

How SMTP Smuggling Works: SMTP smuggling operates by exploiting the interpretation differences of the SMTP protocol among various email servers. This allows attackers to ‘smuggle’ or send spoofed emails that appear to originate from legitimate sources, thereby passing SPF alignment checks. The research identified two types of SMTP smuggling: outbound and inbound, affecting millions of domains and email servers.

TECHNICAL INSIGHTS: UNDERSTANDING SMTP SMUGGLING IN DEPTH

SMTP Smuggling Exploited: SMTP smuggling takes advantage of discrepancies in how different email servers interpret the SMTP protocol. Specifically, it targets the end-of-data sequence, which signifies the end of an email message. In a standard SMTP session, this sequence is a line containing only a period (.), that is, a period with a carriage return and line feed on each side (<CR><LF>.<CR><LF>). However, variations in interpreting this sequence can lead to vulnerabilities.

Outbound and Inbound Smuggling: The research identified two types of SMTP smuggling: outbound and inbound. Outbound smuggling involves sending emails from a compromised server, while inbound smuggling pertains to receiving emails on a server that misinterprets the end-of-data sequence. Both types can be exploited to send spoofed emails that appear to come from legitimate sources.

EXPLOITING SPF ALIGNMENT CHECKS:

The concept of “Exploiting SPF Alignment Checks” in the context of SMTP smuggling revolves around manipulating the Sender Policy Framework (SPF) checks to send spoofed emails. SPF is an email authentication method designed to prevent sender address forgery. Here’s a detailed explanation of how SPF alignment checks can be exploited through SMTP smuggling:

UNDERSTANDING SPF:

  1. SPF Basics: SPF allows domain owners to specify which mail servers are permitted to send emails on behalf of their domain. This is done by publishing SPF records in DNS. When an email is received, the recipient server checks the SPF record to verify if the email comes from an authorized server.
  2. SPF Check Process: The SPF check typically involves comparing the sender’s IP address (found in the SMTP envelope) against the IP addresses listed in the domain’s SPF record. If the IP address matches one in the SPF record, the email passes the SPF check.

EXPLOITATION THROUGH SMTP SMUGGLING:

  1. Manipulating the ‘MAIL FROM’ Address: In SMTP smuggling, attackers manipulate the ‘MAIL FROM’ address in the SMTP envelope. This address is used for SPF validation. By carefully crafting this address, attackers can pass the SPF check even when sending from an unauthorized server.
  2. Discrepancy between ‘MAIL FROM’ and ‘From’ Header: There’s often a discrepancy between the ‘MAIL FROM’ address in the SMTP envelope (used for SPF checks) and the ‘From’ header in the email body (which the recipient sees). SMTP smuggling exploits this by setting the ‘MAIL FROM’ address to a domain that passes the SPF check, while the ‘From’ header is spoofed to appear as if the email is from a different, often trusted, domain.
  3. Bypassing SPF Alignment: The key to this exploitation is the difference in how various mail servers interpret and process SMTP protocol rules. By smuggling in additional commands or data, attackers can make an email appear to come from a legitimate source, thus bypassing SPF alignment checks.
  4. Consequences: This exploitation can lead to successful phishing attacks, as the email appears to be from a trusted source, despite being sent from an unauthorized server. Recipients are more likely to trust and act upon these emails, leading to potential security breaches.

TECHNICAL EXPERIMENTATION

The “Technical Experimentation” aspect of the SMTP smuggling research conducted by SEC Consult involved a series of methodical tests and analyses to understand how different email servers handle SMTP protocol, particularly focusing on the end-of-data sequence.

OBJECTIVE OF THE EXPERIMENTATION:

The primary goal was to identify discrepancies in how outbound (sending) and inbound (receiving) SMTP servers interpret the SMTP protocol, especially the end-of-data sequence. This sequence is crucial as it signifies the end of an email message.

EXPERIMENT SETUP:

  1. Selection of Email Providers: The researchers selected a range of public email providers that support mail submissions via SMTP. This included popular services like Outlook.com, Gmail, GMX, iCloud, and others.
  2. SMTP Analysis Server: A specialized SMTP analysis server was set up to receive emails from these providers. This server played a critical role in observing how different SMTP servers handle various SMTP commands and sequences.
  3. SMTP Analysis Client: An SMTP analysis client was used to send emails through the outbound SMTP servers of the selected providers. This client was configured to vary the SMTP commands and sequences used in the emails.

KEY AREAS OF FOCUS:

  1. End-of-Data Sequence Variations: The researchers experimented with different end-of-data sequences, such as <LF>.<LF> (Line Feed) instead of the standard <CR><LF>.<CR><LF> (Carriage Return, Line Feed). The goal was to see if outbound servers would process these non-standard sequences differently.
  2. Server Responses to DATA Command: Different responses from email providers to the DATA SMTP command were observed. These responses provided insights into how each server might handle end-of-data sequences.
  3. Operating System Differences: The experiment also considered how different operating systems interpret “a line by itself.” For example, Windows uses <CR><LF> to denote the end of a line, while Unix/Linux systems use <LF>. This difference could affect how email servers process the end-of-data sequence.

EXPERIMENT EXECUTION:

  1. Sending Test Emails: The SMTP analysis client sent test emails through the outbound SMTP servers of the selected providers, using various end-of-data sequences.
  2. Observing Responses: The inbound SMTP analysis server received these emails and recorded how each outbound server handled the different sequences.
  3. Identifying Anomalies: The researchers looked for anomalies where outbound servers did not correctly interpret or filter non-standard end-of-data sequences, and inbound servers accepted them as valid.

FINDINGS:

The experimentation revealed that some SMTP servers did not conform to the standard interpretation of the SMTP protocol, particularly in handling end-of-data sequences. This non-conformity opened the door for SMTP smuggling, where attackers could insert additional SMTP commands into email content.

CASE STUDY – GMX SMTP SERVER

A notable example of SMTP smuggling was demonstrated using GMX’s SMTP server. The researchers were able to send an email with a specially crafted end-of-data sequence that the GMX server did not filter out. This allowed them to insert additional SMTP commands into the email content, which were then executed by the recipient server, effectively ‘smuggling’ malicious commands or content.

EXPLOITATION TECHNIQUE:

  • Manipulating End-of-Data Sequence: The researchers experimented with different end-of-data sequences, such as <LF>.<LF> instead of the standard <CR><LF>.<CR><LF>.
  • Observing GMX Server Response: It was observed that when a specific sequence (<LF>.<CR><LF>) was sent to the GMX outbound SMTP server, it passed this sequence unfiltered to the inbound SMTP server.

SUCCESSFUL SMTP SMUGGLING:

  • Breaking Out of Message Data: By using the <LF>.<CR><LF> sequence, the researchers were able to ‘break out’ of the message data at the inbound SMTP server. This meant that anything following this sequence could be interpreted as a separate SMTP command or additional email content.
  • Demonstration of Vulnerability: This technique allowed the researchers to effectively insert additional SMTP commands into the email content, demonstrating a successful SMTP smuggling attack.

The research team’s first successful SMTP smuggling exploit was demonstrated using GMX’s SMTP server. This breakthrough confirmed the feasibility of the technique and its potential to compromise email security on a large scale.

SMTP smuggling represents a new frontier in email spoofing, challenging existing security measures and highlighting the need for continuous vigilance in the cybersecurity domain. The discovery underscores the importance of regular security audits and updates to protect against emerging threats.

The discovery of SMTP smuggling has significant implications for email security. Vulnerabilities were identified in major email services, including Microsoft and GMX, which were promptly addressed. However, SEC Consult has issued a warning to organizations using Cisco Secure Email, urging them to update their configurations to mitigate this vulnerability.

TECHNICAL AND SECURITY MITIGATIONS:

  1. Patch and Update Systems: Regularly update and patch email servers and related software. Providers should ensure their systems are up-to-date with the latest security patches that address known vulnerabilities, including those related to SMTP smuggling.
  2. Enhance Email Authentication: Implement and enforce advanced email authentication protocols like DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). These protocols provide additional layers of verification, ensuring that the email’s sender is legitimate and that the message content hasn’t been tampered with.
  3. Configure Email Servers Correctly: Ensure that email servers, especially those handling outbound and inbound emails, are configured correctly to handle SMTP protocol standards, particularly the end-of-data sequence. This involves strict adherence to protocol specifications to prevent any ambiguity in interpretation.
  4. Use Advanced Email Filtering Solutions: Employ advanced email filtering solutions that can detect and block spoofed emails. These solutions often use machine learning and other advanced techniques to identify anomalies in email messages that might indicate a spoofing attempt.
  5. Regular Security Audits: Conduct regular security audits of email infrastructure to identify and rectify potential vulnerabilities. This should include a review of server configurations, authentication mechanisms, and update protocols.
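For the server-configuration item above, the check an inbound server or filter needs is whether the DATA stream contains a dot-line that a strict and a lenient parser would end at different places. The following Python is an added example, not SEC Consult's tooling or any mail server's code; the lenient terminators are the <LF>.<LF> and <LF>.<CR><LF> sequences named in this article, and the sample streams are constructed.

```python
"""Added example: find end-of-data sequences that two SMTP parsers read differently."""
import re

STRICT = [b"\r\n.\r\n"]                        # the standard end-of-data sequence
LENIENT = [b"\r\n.\r\n", b"\n.\r\n", b"\n.\n"]  # plus the variants named in the article

DOT_LINE = re.compile(rb"(\r\n|\r|\n)\.(\r\n|\r|\n)")
BARE_LF = re.compile(rb"(?<!\r)\n")
BARE_CR = re.compile(rb"\r(?!\n)")

# Constructed DATA streams. TRAILING stands in for bytes that a lenient
# receiver would process after it believes the message has ended.
SAMPLE_AMBIGUOUS = b"Subject: report\r\n\r\nline one\n.\r\nTRAILING\r\n.\r\n"
SAMPLE_CLEAN = b"Subject: ok\r\n\r\nbody\r\n.\r\n"


def label(seq: bytes) -> str:
    """Render control characters the way the article writes them."""
    return seq.decode("ascii").replace("\r", "<CR>").replace("\n", "<LF>")


def find_ambiguous(data: bytes) -> list:
    """Return (offset, sequence) for each dot-line not delimited by CRLF on both sides."""
    hits = []
    for m in DOT_LINE.finditer(data):
        if m.group(1) == b"\r\n" and m.group(2) == b"\r\n":
            continue  # standard form
        hits.append((m.start(), label(m.group(0))))
    return hits


def split_at_eod(data: bytes, accepted: list) -> tuple:
    """Model a receiver: end the message at the earliest accepted terminator."""
    best = None
    for term in accepted:
        idx = data.find(term)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, term)
    if best is None:
        return data, b""  # no terminator yet: message is incomplete
    idx, term = best
    return data[:idx], data[idx + len(term):]


def inspect_data(data: bytes) -> dict:
    """Summarise what a strict inbound check would see in a DATA stream."""
    strict_msg, _ = split_at_eod(data, STRICT)
    lenient_msg, lenient_rest = split_at_eod(data, LENIENT)
    ambiguous = find_ambiguous(data)
    return {
        "ambiguous": ambiguous,
        "bare_lf": len(BARE_LF.findall(data)),
        "bare_cr": len(BARE_CR.findall(data)),
        # Different message boundaries mean the two servers disagree about
        # where this message ends, which is the condition smuggling needs.
        "parsers_disagree": strict_msg != lenient_msg,
        "bytes_after_early_end": len(lenient_rest) if strict_msg != lenient_msg else 0,
        "reject": bool(ambiguous),
    }


if __name__ == "__main__":
    print(inspect_data(SAMPLE_AMBIGUOUS))
    print(inspect_data(SAMPLE_CLEAN))
```

Rejecting or normalising any stream where `reject` is true closes the gap regardless of which upstream server failed to filter the sequence.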

SMTP smuggling represents a significant advancement in the understanding of email protocol vulnerabilities. It challenges the existing security paradigms and calls for a reevaluation of email security strategies. As the cybersecurity community works to address these vulnerabilities, this discovery serves as a crucial reminder of the dynamic and evolving nature of cyber threats.


Tags: SPF AND DKIM, SPOOF EMAILS


Dec 16 2023

SILENT EMAIL ATTACK CVE-2023-35628 : HOW TO HACK WITHOUT AN EMAIL CLICK IN OUTLOOK

Category: Email Security | disc7 @ 10:15 am

CVE-2023-35628 is a critical remote code execution (RCE) vulnerability affecting the Microsoft Windows MSHTML platform, with a Common Vulnerability Scoring System (CVSS) score of 8.1, indicating a high level of risk. This flaw is particularly concerning because it can be exploited without any interaction from the user. The vulnerability can be triggered when Microsoft Outlook retrieves and processes a specially crafted email, even before the email is viewed in the Outlook Preview Pane. This makes it a particularly insidious threat, as users may be unaware of the lurking danger.

The nature of CVE-2023-35628 allows a remote, unauthenticated attacker to execute arbitrary code on the victim’s system. The exploit can be initiated by sending a specially crafted email, and it has been noted that ransomware gangs and other malicious entities are likely to find this vulnerability an attractive target. Although the exploit code maturity for CVE-2023-35628 is currently unproven, which means there might not yet be a reliable method for exploiting this vulnerability in the wild, the potential for remote code execution makes it a critical issue for all Windows users.

MSHTML PLATFORM

The vulnerability in the MSHTML platform, specifically CVE-2023-35628, can be attributed to several factors that are commonly found in software vulnerabilities:

  1. Parsing and Rendering of HTML Content: MSHTML, being a component used for parsing and rendering HTML content in applications like Microsoft Outlook, processes a large amount of untrusted input. This input, which often includes complex HTML and scripting content, can contain flaws or unexpected sequences that are not properly handled by the software.
  2. Memory Management Issues: Vulnerabilities often arise due to memory management issues such as buffer overflows, use-after-free errors, or other similar problems. These issues can occur when the software does not correctly allocate, manage, or free memory when processing HTML content. Attackers can exploit these weaknesses to execute arbitrary code.
  3. Insufficient Input Validation: Software vulnerabilities can also stem from insufficient input validation. If MSHTML does not properly validate or sanitize the HTML content it processes, malicious input could be used to trigger an exploit. This could include specially crafted scripts or malformed HTML structures designed to take advantage of the parser’s weaknesses.
  4. Complexity of Web Standards: The complexity of modern web standards can also contribute to vulnerabilities. As standards evolve and become more complex, it becomes increasingly challenging to ensure that every aspect of the parsing and rendering process is secure against all potential attack vectors.
  5. Integration with Email Clients: The integration of MSHTML with email clients like Outlook adds another layer of complexity. Emails are a common vector for delivering malicious content, and the automatic processing of emails (including the rendering of HTML content) can make it easier for attackers to exploit vulnerabilities without direct interaction from the user.

THE NO-CLICK EXPLOIT

An exploit for the CVE-2023-35628 vulnerability in the Windows MSHTML platform would typically involve a few key steps, tailored to leverage the specific nature of this flaw. Here’s a generalized overview of how such an exploit could work:

  1. Crafting a Malicious Email: The attacker starts by creating a specially crafted email. This email would contain malicious code or a payload designed to exploit the vulnerability in the MSHTML platform. The precise nature of this code depends on the specifics of the vulnerability and would be tailored to trigger the flaw in MSHTML.
  2. Email Delivery and Automatic Processing: The crafted email is then sent to the target. In the case of CVE-2023-35628, the critical aspect is that the vulnerability is triggered when Microsoft Outlook retrieves and processes the email. This processing happens automatically, often before the email is even displayed in the Outlook Preview Pane.
  3. Remote Code Execution: Upon processing the malicious email, the exploit code is executed. This code execution occurs within the context of the MSHTML platform, which is a key component used by Outlook for rendering HTML content in emails.
  4. Taking Control or Damaging the System: Once the code is executed, it can perform various malicious activities. This could range from taking control of the user’s system, stealing sensitive information, installing malware, or performing other harmful actions. The extent of the damage or control depends on the nature of the payload and the permissions available to the MSHTML process.

Memory shaping is an advanced exploitation technique often used in sophisticated cyber attacks, particularly those involving complex software systems and secure environments. It’s a method used by attackers to manipulate the layout or state of memory in a target application to facilitate the exploitation of vulnerabilities. Memory shaping can be a part of exploiting vulnerabilities like buffer overflows, use-after-free errors, or other memory corruption issues.

Here’s a simplified example to illustrate how memory shaping and its exploitation might work:

  1. Identifying a Vulnerability: First, the attacker finds a vulnerability in the target application that can be exploited to corrupt memory. For instance, this could be a buffer overflow, where the application fails to check the length of input, allowing an attacker to write more data to a buffer than it can hold.
  2. Analyzing Memory Layout: The attacker then studies the application’s memory layout to understand how data is stored and managed. This involves identifying where in memory different types of data are located and how they are accessed by the application.
  3. Memory Shaping: Once the attacker has a good understanding of the memory layout, they begin the process of memory shaping. This involves crafting inputs or actions that modify the application’s memory in a controlled way. For example, they might allocate and free memory in a specific pattern to arrange chunks of memory in a desired layout.
  4. Exploiting the Vulnerability: With the memory shaped to their advantage, the attacker then exploits the identified vulnerability. Using the buffer overflow example, they might overflow a buffer with data that includes malicious code (the payload) and carefully calculated addresses or commands that redirect the application’s execution flow to the payload.
  5. Executing Arbitrary Code: If successful, the exploit allows the attacker’s code to be executed with the privileges of the target application. This could lead to various malicious outcomes, such as data theft, installation of malware, or gaining control over the system.

It’s important to note that memory shaping is a complex and technical process that requires in-depth knowledge of both the target application and general exploitation techniques. It’s typically used in scenarios where standard exploitation methods are not effective, often due to security measures like Address Space Layout Randomization (ASLR) or other protections.

Due to the complexity and potential for misuse, specific exploit code or detailed methodologies for memory shaping are not shared publicly. The goal of cybersecurity research in this area is to understand and mitigate such advanced threats, ensuring software and systems are secure against potential attacks.

The attack complexity for CVE-2023-35628 is considered high: a successful exploit relies on specific knowledge and complex memory-shaping techniques, which might limit exploitation to more skilled attackers. Despite this complexity, the high impact of the vulnerability necessitates prompt attention and action. Microsoft has addressed this flaw in its December 2023 Patch Tuesday updates and recommends that users update their systems as a preventative measure.

CVE-2023-35628 is just one of several vulnerabilities addressed in the December 2023 Patch Tuesday updates. Other notable vulnerabilities include CVE-2023-35630 and CVE-2023-35641, which are remote code execution vulnerabilities affecting Microsoft Internet Connection Sharing (ICS) with a CVSS score of 8.8, and a critical spoofing vulnerability in Microsoft Power Platform Connector (CVE-2023-36019) with a CVSS score of 9.6.

MITIGATION & SCOPE

The CVE-2023-35628 vulnerability, which is a critical remote code execution flaw in the Windows MSHTML platform, affects a range of Microsoft products, including Office 365 and on-premises versions. This vulnerability is significant due to its potential to allow exploitation as soon as Outlook retrieves and processes a specially crafted malicious email, even before the user interacts with the email. This means that exploitation could occur without any action from the user, not even requiring the Preview Pane in Outlook.

In terms of impact on Office 365 and on-premises environments, it’s important to note that the MSHTML proprietary browser engine, which is the component affected by this vulnerability, is used by Outlook among other applications to render HTML content. The fact that this engine remains installed within Windows, regardless of the status of Internet Explorer 11, means that systems where Internet Explorer 11 has been fully disabled are still vulnerable until patched.

For addressing this vulnerability, Microsoft released patches as part of their December 2023 Patch Tuesday. These patches are essential for mitigating the risk posed by this vulnerability and are available for various versions of Windows and related software components. Given the critical nature of this vulnerability and its potential impact on confidentiality, integrity, and availability, it’s strongly recommended for users and administrators of both Office 365 and on-premises environments to apply these updates promptly.

The December 2023 Patch Tuesday from Microsoft addressed a total of 34 vulnerabilities, including this critical RCE vulnerability in MSHTML. It’s noteworthy that there were no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server in this particular update cycle.

The details about the patches and the specific versions they apply to can be found in Microsoft’s security bulletins and support documentation. For users and administrators, it is crucial to review these resources and ensure that all applicable security updates are applied to protect against potential exploits of this vulnerability.

Given the severity and the ease with which this vulnerability can be exploited, it is crucial for Windows users, particularly those using Microsoft Outlook, to ensure their systems are updated with the latest security patches provided by Microsoft. Regular review of patching strategies and overall cybersecurity methods is advisable to maintain a robust security posture.


InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CrowdStrike Falcon, CVE-2023-35628, Outlook


Sep 14 2023

Next-Gen Email Firewalls: Beyond Spam Filters to Secure Inboxes Checklist

Category: Email Security,next generation firewalldisc7 @ 9:56 am

Email communication is still widely used as an attack vector despite the ever-changing nature of cyber threats.

The vast number of people who use it for communication daily, both professionally and personally, makes it a tempting target.

Cybercriminals are becoming more skilled at using malicious email campaigns in line with the growth of advanced technologies and increased security measures taken by businesses.

VIPRE Security found that 85.01% of phishing emails had harmful links inside the message body, and the volume of spam emails increased by 30.0% from the first to the second quarter of 2023.

In addition, phishing attacks against IT companies are now more common (14%) than against financial institutions (9%).

The Limitations of Traditional Spam Filters

Conventional spam filters rely on static rule-based systems with predetermined criteria or known dangerous signatures to identify emails as spam.

Their strict compliance with predetermined policies leaves companies vulnerable to ever-evolving cyberattacks. These filters rely too much on signature-based detection, making them vulnerable to zero-day threats and unable to protect against recent or modified malware. 

They can’t detect hidden risks like spear phishing since they don’t have advanced behavioral analysis. In addition, without sandboxing capabilities, they cannot examine potentially harmful content in isolation.

As a result, the ever-evolving and complicated nature of cyber threats makes their traditional approaches ineffective.

You can understand and diagnose email issues using Trustifi’s Email Header Analyzer Tool.

What are Next-Gen Email Firewalls?

Next-Generation Email Firewalls are the latest technologies for protecting against malicious emails. To quickly prevent new threats, such as zero-day vulnerabilities, these systems interact with real-time threat intelligence feeds, unlike traditional spam filters, which depend primarily on static rules. 

They scan things in-depth, including emails, embedded URLs, and attachments. Sandboxing is essential since it allows testing of potentially harmful information in a secure environment. 

Advanced systems use machine learning and behavioral analytics to identify complex phishing attacks. These firewalls use authentication protocols like DMARC, DKIM, and SPF to prevent spoofing and verify email senders.

In addition, they have measures to prevent sensitive information from being accidentally leaked. These solutions, which are frequently cloud-native, provide a robust and complex approach to email security while scaling efficiently and integrating smoothly with existing security infrastructure.

How do Next-Gen Email Firewalls Protect Your Inbox?

Advanced Threat Intelligence – The use of real-time threat intelligence helps to identify and prevent emerging attacks, such as those that exploit zero-day flaws, as soon as they appear.

Deep Content Inspection – Rather than simply scanning the email’s information, these firewalls read the message in full, including any embedded URLs or files attached, to discover any hidden risks.

Sandboxing – To prevent viruses and malware from reaching their intended recipients, suspicious attachments and URLs are opened in a safe, isolated environment.

Behavioral Analytics – These firewalls may identify spear-phishing initiatives by learning the sender’s typical activity patterns and comparing them to suspicious emails that appear to be from the same sender but act differently.

Identity Verification – Using authentication methods like DMARC, DKIM, and SPF, these tools ensure that every email is genuine and comes from a known source, protecting users from spoofing and phishing attempts.

Data Loss Prevention (DLP) – Besides inbound threats, they monitor outgoing emails to prevent sensitive material from being transmitted without authorization or violating regulations.

Machine Learning – Many modern firewalls use machine learning to “learn” from the attacks they block and better detect various threats over time.

Next-Gen Email Firewalls vs. Traditional Email Security

| Next-Gen Email Firewalls | Traditional email security |
| --- | --- |
| Quickly adapt to new threats by using real-time threat intelligence. | It uses a static collection of threats and patterns to make decisions. |
| Emails, URLs, and attachments are all placed through an extensive content analysis. | Metadata and simple patterns are the primary areas of security inspection. |
| Uses content isolation technologies (sandboxes) to investigate potentially harmful data. | Doesn’t have a sandboxing environment. |
| Utilizes machine learning and behavioral analytics for real-time threat assessment. | Depends on predetermined guidelines rather than monitoring user activity. |
| Designed specifically for use in the cloud, this safeguards the present remote workforces. | Less flexible with cloud integrations; works best in local installations. |
| The sophisticated analysis and learning capabilities have resulted in fewer false positives. | There is an increase in false positives because of the inflexibility of rule-based systems. |

Countering Sophisticated Email Threats with Next-Gen Email Firewalls

The importance of Next-Generation Email Firewalls in preventing modern email threats cannot be overstated.

These modern firewalls utilize real-time threat intelligence to detect and neutralize recent security risks instead of the static rules used by older systems.

They investigate thoroughly, looking at every aspect of the email, from the subject line to the attachments. Sandboxing is a technique to test malicious code in a safe, restricted setting.

Unusual behaviors, such as those used in spear phishing or impersonation, can be detected via machine learning.

In addition, email spoofing may be prevented using sender authentication methods such as DMARC, DKIM, and SPF.

By authenticating the sender’s identity and confirming the accuracy of the received messages, these procedures act as the first line of protection against email-based threats.

SPF aims to improve email security by limiting the possibility that an unauthorized sender

In DKIM, the transmitting server gives each email a unique DKIM signature generated using a private key. The DNS records of the sender are queried to retrieve the sender’s public key, which is then used to validate the email’s signature.

With DMARC, website administrators may specify how they want their domain’s incoming mail servers to deal with unencrypted messages that have not been authenticated. It has a policy and a statement, with three options (reject, quarantine, or do nothing). 

You can analyze and detect SPF issues using Trustifi’s SPF Record Checker Tool.

Why Trustifi? – AI-Powered Protection for Business Email Security

Next-generation email firewalls will benefit from quantum-resistant algorithms, IoT integration, and adaptive AI for threat prediction in the long run. 

Trustifi’s advanced protection uses machine learning and AI to quickly find and stop the most sophisticated email-based attacks, such as ransomware, malware, phishing attacks (malicious links), CEO impersonation protection, BEC, and account compromise, keeping hackers out of inboxes with the following email threat protection solutions.

These firewalls will prioritize cross-platform connectivity, robust data protection measures, and real-time threat sharing in response to the constantly evolving nature of cyber threats.

Trustifi Advanced Email Protection with Trustifi Inbound Shield offers powerful multi-layered scanning technology.

It thoroughly examines, identifies, and categorizes even the most sophisticated forms of Phishing, Malicious, SPAM, and Gray Emails. 

Modern machine learning and artificial intelligence provide comprehensive, precise threat hunting for it.

The Inbound Shield checks for and removes harmful data and various irregularities, including the following.

  • Scammers who send emails from fake domains.
  • Money transfer and other private information requests.
  • Hyperlinks that lead to malicious sites.
  • Files with potentially malicious content, such as SQL injection strings or other code snippets designed to execute upon download.

These filtering procedures only take milliseconds to complete and can detect previously unidentified zero-day attacks.

The Trustifi Inbound Shield is a cloud-based solution that requires no alterations to your current infrastructure to implement.

Emails can be sent and received safely without any complicated setup or concerns, and it takes minutes, not days, to set up.


Tags: Next-Gen Email Firewalls


Aug 30 2023

Email Authentication Protocols: SPF, DKIM, and DMARC – A Detailed Guide

Category: Email Securitydisc7 @ 9:12 am


Email communication is essential for personal and professional contact in the modern digital environment.

Email is widely used, making it a perfect target for cybercriminals, leading to increased phishing attempts, spam, and email spoofing.

Strong email security measures are becoming essential as these threats become more sophisticated. Email authentication techniques like SPF, DKIM, and DMARC are crucial in situations like this.

By authenticating the sender’s identity and confirming the accuracy of the received messages, these procedures act as the first line of protection against email-based threats.

This article will thoroughly review these three important email authentication methods, including their roles, how they cooperate, and why they are crucial for upholding a reliable and secure email communication infrastructure.

What are Email Authentication Protocols?

Secure email communications can be achieved through Email Authentication Protocols, standards, or technologies that validate the sender’s identity and protect the message’s integrity.

These standards aim to protect users from spam, phishing, and other malicious email-based assaults.

As a bonus, they make it less likely that a good email will be incorrectly deleted as spam or malware.

Here are the primary email authentication protocols commonly in use:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Sender Policy Framework (SPF)

The Sender Policy Framework (SPF) is an email authentication technology developed to prevent spam.

By letting domain owners choose which mail servers can send emails on their behalf, SPF assists receiving servers in authenticating the sender of incoming messages.

For this purpose, the DNS records of the domain are consulted to ensure that the emails come from the addresses they claim to represent.

The Sender Policy Framework (SPF) aims to improve email security by limiting the possibility that an unauthorized sender may use a specific domain in the “From” address.

This helps keep the sender’s and the recipient’s inboxes free of unwanted messages and strengthens the confidence each party has in email.

How It Works

  • Domain owners create SPF records showing trusted IP addresses and domains from which emails can be sent.
  • Email servers do a Sender Policy Framework (SPF) record check whenever they receive an email.
  • When a message is received, the server checks the IP address to see if it is one of the approved senders mentioned in the SPF record.
  • The SPF check is successful if the sending IP address is known and accepted; otherwise, the email may be flagged as suspicious and deleted.

How Do Attackers Abuse SPF:

Sender Policy Framework (SPF) is an email authentication system that checks the sender’s name to stop email spoofing and phishing. But, like any other system, SPF isn’t completely safe from possible attack vectors. Here are some possible ways to attack SPF:

Manipulating SPF Records: Attackers could try to change or create SPF records by changing the DNS records of a domain. This would let them list unauthorized IP addresses or servers as valid senders. This can make it possible for tactics like spoofing or phishing to work.

Domain Hijacking: If an attacker takes control of a legitimate domain, they can change the SPF records to include their own malicious servers. This can cause malicious emails that look like they came from a trusted source to be sent.

Subdomain Attacks: Organizations often set up SPF records for their primary domain but forget to set them up for subdomains. Attackers can take advantage of this by sending emails from subdomains that lack proper SPF records.

Inadequate SPF Policies: Organizations may have weak SPF policies that let many IP addresses send emails on their behalf. This gives attackers a bigger pool of possible IP addresses from which to send spoofed mail.
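The Python sketch below is an added example, not code from the original article: it evaluates a sending IP against an SPF record as a receiving server would, then audits records for the weak-policy and missing-subdomain problems described above. The zone contents, hostnames, and the 64-address threshold are constructed assumptions, and only the `ip4`, `ip6`, and `all` mechanisms are handled.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample zone (documentation domains and address ranges).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.1 ip6:2001:db8::1 -all",
    "news.example.com": "v=spf1 ip4:198.51.100.0/24 all",
}


def parse_spf(record):
    """Return [(qualifier, mechanism, value)] for an SPF TXT value, or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no qualifier defaults to '+'
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def spf_result(record, sender_ip):
    """Evaluate mechanisms left to right; the first match decides the result."""
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in terms:
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # include, a, mx and similar need further DNS lookups; skipped here.
    return "neutral"


def audit_spf(record, max_addresses=64):
    """List weaknesses; max_addresses is an arbitrary threshold (assumption)."""
    terms = parse_spf(record)
    if terms is None:
        return ["no SPF record"]
    findings, final = [], None
    for qualifier, name, value in terms:
        if name == "all":
            final = qualifier
            break  # anything after 'all' is never evaluated
        if name in ("ip4", "ip6") and qualifier == "+":
            size = ipaddress.ip_network(value, strict=False).num_addresses
            if size > max_addresses:
                findings.append(f"{name}:{value} authorizes {size} addresses")
    if final is None:
        findings.append("no 'all' term: unlisted senders are not failed")
    elif final == "+":
        findings.append("'+all' authorizes every sender")
    elif final == "?":
        findings.append("'?all' gives unlisted senders a neutral result")
    return findings


def audit_zone(txt_records, hostnames):
    """Audit every hostname that can appear in a From address, including
    subdomains that have no SPF record at all."""
    return {name: audit_spf(txt_records.get(name, "")) for name in hostnames}


if __name__ == "__main__":
    names = ["example.com", "news.example.com", "shop.example.com"]
    for host, issues in audit_zone(ZONE, names).items():
        print(host, issues or "ok")
```
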

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication technology that uses encryption to confirm an email’s authenticity.

The sending server adds a distinctive DKIM signature using a private key to each email. The receiving server verifies the signature of the incoming email using a public key obtained from the sender’s DNS records.

If it matches, the email can be trusted as genuine and safe from tampering. DKIM is designed to prevent email spoofing and phishing attacks and guarantee the safe delivery of email communications by verifying the sender’s domain and the message’s encrypted signature.

How It Works

  • Using a private key, the sending mail server creates a digital signature.
  • This signature is added to the email’s headers.
  • From the DNS records, the email server that receives the email gets the sender’s public key.
  • The digital signature is then decrypted and checked using the public key.
  • If the signature is correct, the email is genuine and has not been changed.

How Do Attackers Abuse DKIM

  1. Private Key Compromise: DKIM relies on a private key stored on the sending server to sign outgoing emails. If an attacker gains access to the private key, they can sign malicious emails that recipients might consider legitimate, as the DKIM signature would appear valid.
  2. DNS Record Manipulation: DKIM public keys are stored in DNS records as text (TXT) records. If an attacker gains control over a domain’s DNS records, they could modify or replace the DKIM public key, allowing them to sign fraudulent emails that appear authentic.
  3. Subdomain Spoofing: Organizations might configure DKIM for their main domain but overlook implementing it for subdomains. Attackers could then send emails from subdomains that lack proper DKIM signing, making it harder for recipients to verify the email’s authenticity.
  4. Key Length and Algorithms: If an organization uses weak encryption algorithms or short key lengths for DKIM signing, it becomes easier for attackers to crack the encryption and forge DKIM signatures.

Solution: Organizations should adopt efficient incident response plans, regularly monitor email traffic for anomalies, and stay updated on emerging threats to stay ahead of the evolving email threat landscape with AI-powered solutions like Trustifi.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

To improve upon SPF and DKIM, a new email authentication protocol called Domain-based Message Authentication, Reporting, and Conformance (DMARC) was developed.

Domain administrators can instruct receiving mail servers on what to do with messages that do not pass authentication.

Domain owners can direct mail servers to stop accepting spam by adding a DMARC policy record to their DNS settings. Email traffic and any security risks can be better understood using DMARC’s reporting features.

DMARC is designed to strengthen email security by adding an extra layer of verification, decreasing phishing and spoofing, and increasing the credibility and delivery of legitimate communications.

How it Works

  • The receiving server references the DMARC policy if SPF or DKIM authentication fails.
  • The DMARC policy can direct the server to take various actions on the message, such as classifying it as spam, placing it in quarantine, or outright rejecting it.
  • To improve their email protection measures, domain administrators can use forensic and aggregate data on authentication activity.

DMARC Attack Vector

Aggressive Enforcement: Some organizations may choose to use DMARC with a strategy of “quarantine” or “reject” right from the start. This can work, but if the policy isn’t carefully set, it can also cause valid emails to be blocked.

Reporting Address Spoofing: Attackers could try to change the DMARC reporting address to send reports of failed DMARC checks to sites they control. This could give them a chance to learn more about how the organization’s email system works.

Targeted Spoofing: Attackers could try to pose as people or parts of an organization that haven’t fully set up DMARC. This specific method makes it more likely that their emails will be read.

As with other email-related attacks, attackers could use social engineering to get receivers to ignore DMARC warnings or think a DMARC-failed email is real.

Where are SPF, DKIM, and DMARC Records Stored?

SPF Records:

SPF records are TXT (text) records in the DNS. Emails from this domain must be sent from the IP addresses or domains specified in these records.

The recipient’s email server will check the SPF record for the sender’s domain in the Domain Name System (DNS) to ensure the email is legitimate.

Example SPF record:

v=spf1 ip4:192.0.2.1 ip6:2001:db8::1 include:example.com -all

DKIM Records: 

DKIM records are likewise stored in DNS as TXT entries. These entries store the public key used to authenticate the domain’s digital signatures in outgoing emails.

The DKIM record is retrieved from the DNS by the receiving email server, which then uses the public key to verify the signature and ensure the email’s authenticity.

Example DKIM record:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnWLKu6qIH66AjqkMYyq3A5bkD
  sY+T4rQzSXFJWzh7DQoKmmrkRDbCIPRrkRHF/EpTExGDD2P8WOEqdGTfVbRy14
  5k3soVGMItcL1QvWskhNKLQYGJME6XE1WUCmAw29FcYKavqnGQFWFpDBIMVFOFw
  7/TZS0Lj1QIDAQAB

DMARC Records:

DNS also stores DMARC records in the TXT record format. The measures to take if an email fails SPF or DKIM checks are provided in the domain’s DMARC policy, defined by these records.

To keep the domain owner aware of authentication actions, DMARC additionally provides reporting tools.

Example DMARC record:

v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com

Checking an Email for SPF, DKIM, and DMARC Compliance

Verifying that an email complies with SPF, DKIM, and DMARC takes several steps and the ability to query DNS records.

Here are the measures taken to ensure that an email adheres to these standards:

Check SPF Compliance:

  • Extract the IP address of the email server that sent the email from the email headers.
  • Retrieve the SPF record from the domain’s DNS that the email claims to be sent from. This is usually found in a TXT record in the domain’s DNS.
  • Check if the sending server’s IP address is listed in the SPF record. If it is, the email passes the SPF check; otherwise, it fails.

Check DKIM Compliance:

  • Check the email headers for a DKIM signature. This will usually be found in a header field called ‘DKIM-Signature’.
  • Extract the ‘d=’ parameter from the DKIM signature to find the signing domain and the ‘s=’ parameter to find the selector.
  • Retrieve the DKIM public key from the DNS of the signing domain. This will be found in a TXT record at ‘<selector>._domainkey.<signing domain>’.
  • Use the public key to verify the DKIM signature in the email header. If the signature is valid, the email passes the DKIM check; otherwise, it fails.

Check DMARC Compliance:

  • Check whether the email passed the SPF and DKIM checks. At least one of them must pass for the DMARC check to pass.
  • Retrieve the DMARC record from the domain’s DNS from which the email claims to be sent. This is usually found in a TXT record at ‘_dmarc.<domain>’.
  • Check if the ‘From’ address domain matches the SPF domain or the DKIM signing domain. If it does, then the email passes the DMARC alignment check.
  • Follow the policy specified in the DMARC record for handling emails that fail the DMARC check.
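The DMARC steps above can be expressed as a small evaluator. This is an added Python example, not code from the original article: it takes the SPF and DKIM results as inputs, checks alignment against the From domain, and applies the published policy including `sp` and `pct`. The DNS table is a constructed stand-in using the article's example DMARC record, `roll` is a hypothetical parameter standing in for the receiver's percentage sampling, and the organizational-domain function is a simplification (real receivers use the Public Suffix List).

```python
# Constructed stand-in for DNS TXT lookups; the value is the article's
# example DMARC record.
DNS_TXT = {
    "_dmarc.example.com":
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com; "
        "ruf=mailto:forensics@example.com",
}

# When a failing message falls outside the pct sample, the next weaker
# policy applies.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT value into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organization)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def find_policy(from_domain, dns):
    """Look up _dmarc.<From domain>, then fall back to the organizational
    domain, where the 'sp' tag (if present) governs subdomains."""
    exact = from_domain.lower()
    for name in (exact, org_domain(exact)):
        tags = parse_tags(dns.get("_dmarc." + name, ""))
        if tags.get("v") == "DMARC1":
            policy = tags.get("p", "none")
            if name != exact:
                policy = tags.get("sp", policy)
            return tags, policy
    return None, None


def dmarc_verdict(from_domain, spf, dkim, roll=0, dns=DNS_TXT):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).
    roll (0..99) stands in for the receiver's random pct sampling.
    Returns (dmarc_result, action)."""
    tags, policy = find_policy(from_domain, dns)
    if tags is None:
        return ("none", "deliver")
    spf_ok = spf[0] == "pass" and is_aligned(
        from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and is_aligned(
        from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    if roll >= int(tags.get("pct", "100")):
        policy = DOWNGRADE.get(policy, "none")
    return ("fail", policy)


if __name__ == "__main__":
    # SPF passes, but for an unrelated envelope domain: not aligned.
    print(dmarc_verdict("example.com",
                        ("pass", "mailer.example.net"), ("none", ""), roll=10))
```

The second case in the test is the one alignment exists for: SPF passes for the envelope domain of whoever sent the message, so a pass alone says nothing about the visible From address.
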

How to configure SPF, DKIM, and DMARC for a domain

Configure SPF:

  • Identify Authorized IP addresses or servers: Determine the IP addresses or servers authorized to send email on behalf of your domain.
  • Create an SPF Record: Create an SPF record by creating a TXT record in your domain’s DNS settings. The value of this TXT record will start with ‘v=spf1’ followed by the authorized IP addresses or servers.
Example SPF Record: 'v=spf1 ip4:192.168.0.1 -all'

This example authorizes the IP address ‘192.168.0.1’ to send emails on behalf of your domain and denies all others.

  • Update DNS Settings: Add the SPF record to your domain’s DNS settings.

Configure DKIM:

  • Generate a DKIM Key Pair: Generate a public-private key pair for DKIM. Your email server will use the private key to sign outgoing emails, and your domain’s DNS settings will make the public key available.
  • Configure Email Server: Configure your email server to sign outgoing emails using the private DKIM key.
  • Create a DKIM Record: Create a DKIM record by creating a TXT record in your domain’s DNS settings.
  • The name of this TXT record will be in the format ‘<selector>._domainkey.<yourdomain>’, and the value will contain your DKIM public key.
Example DKIM Record: 'v=DKIM1; k=rsa; p=MIGfMA0...'

This example specifies that the key type is RSA and includes the public key.

  • Update DNS Settings: Add the DKIM record to your domain’s DNS settings.

Configure DMARC:

  • Create a DMARC Record: Create a DMARC record by creating a TXT record in your domain’s DNS settings. The name of this TXT record will be ‘_dmarc.<your domain>’, and the value will contain your DMARC policy.
Example DMARC Record: 'v=DMARC1; p=reject; rua=mailto:report@example.com'

This example specifies that emails that fail the DMARC check should be rejected and that reports should be sent to ‘report@example.com’.

  • Update DNS Settings: Add the DMARC record to your domain’s DNS settings.

Conclusion

The SPF, DKIM, and DMARC standards are essential components of a reliable email security architecture in an age when email is vulnerable to a wide range of attacks.

Though each has advantages and disadvantages, they provide an enormous defense against a significant fraction of email-based attacks.

By implementing these authentication processes, your email systems’ security will improve, and your emails’ deliverability will also be enhanced, reducing the possibility that your legitimate messages will be miscategorized as spam.

Applying these standards to your digital communication infrastructure can significantly improve the safety and dependability of your communications.


Tags: DKIM, DMARC, SPF


Aug 20 2023

Product showcase: Free email security test by ImmuniWeb Community Edition

Category: Email Securitydisc7 @ 4:50 pm

In 2022, global losses from business email compromise (BEC) and email account compromise (EAC) attacks reached a record-breaking $43 billion, as reported by the FBI. Major cybersecurity companies like Microsoft and Trend Micro noted a surge in advanced phishing attacks earlier in the year, resulting in significant financial damages to organizations of all sizes. Concerns have risen among security experts about the potential for a surge in email credential attacks due to the widespread availability of generative AI technologies like ChatGPT. These attacks could range from simple social engineering tactics to complex schemes involving domain-squatting and spear-phishing, taking advantage of previously stolen personal information. Despite increasing spending on corporate cybersecurity, the risk of such attacks continues to rise.

To aid organizations in evaluating their vulnerability to email-related security, privacy, and compliance risks, ImmuniWeb has introduced a free email security test as part of its Community Edition. This online tool performs over 200,000 security scans daily, helping small and medium-sized enterprises, educational institutions, non-profits, municipal governments, and individual developers identify a wide range of cybersecurity and compliance issues. The aim is to bolster foundational cyber resilience and information security for these entities.

For more details on the free email security test:

Product showcase: Free email security test by ImmuniWeb Community Edition


Tags: ImmuniWeb Community Edition


Aug 04 2023

What is Business Email Compromise (BEC) Attacks? – Prevention Guide

Category: Email Securitydisc7 @ 9:13 am
https://gbhackers.com/bec-attacks/

BEC, an acronym for Business Email Compromise, is a sophisticated form of cybercrime. Cyber threats have become a pressing concern in a world where almost every aspect of our lives is digitized. One of these threats that have been growing exponentially in recent years is the BEC attacks.

What Are BEC Attacks? 

These attacks are carefully orchestrated scams perpetrated by cybercriminals to trick businesses into transferring money or sensitive information. The attackers usually impersonate a high-ranking official in the company, such as the CEO or CFO, and send an email request for a wire transfer or confidential data to another employee.

They’re not just any random email scams; BEC attacks are highly targeted and involve a great deal of planning and research. The cybercriminals behind them often know a lot about their targets and use this information to make their fraudulent requests seem legitimate. So, it’s no surprise that these attacks pose a significant threat to businesses of all sizes and industries worldwide.

Understanding BEC Attacks 

Process and Mechanics of a BEC Attack

Understanding how BEC attacks work is the first step in preventing them. The process often starts with extensive research. The attackers gather information about the target company and its employees. They look for information such as who is in charge of finances, who they report to, and when these officials will likely be out of the office.

Once they’ve gathered enough information, they craft a convincing email. This email is usually disguised as originating from a high-ranking official and sent to an employee with the authority to transfer funds or access sensitive information. The email will request a wire transfer, often with a sense of urgency to pressure the employee into acting quickly without questioning the request’s legitimacy.

The mechanics of these attacks are what makes them so effective. The attackers exploit the trust and authority of high-ranking officials to bypass traditional security measures. And because the emails are so well-crafted, they can be tough to detect.

Common Forms of BEC Attacks

There are several common forms of BEC attacks. The most common is ‘CEO Fraud,’ where the attacker impersonates the CEO or another top executive. They send an email to an employee in finance, requesting an urgent wire transfer.

Another form is ‘Invoice Scams.’ In these cases, attackers impersonate a vendor or supplier and send a fake invoice to the company. The invoice will typically request payment to a new account controlled by the attacker.

There’s also ‘Account Compromise.’ Here, an attacker hacks into an employee’s email account and sends fraudulent emails to vendors listed in their email contacts. The email will request that future payments are sent to a new account.

The Targets and Motives Behind BEC Attacks

The targets of BEC attacks are typically businesses that work with foreign suppliers or regularly perform wire transfer payments. However, any business can be a target. The motive behind these attacks is simple: money. Cybercriminals are looking for the easiest way to get their hands on your cash.

Prevention of BEC Attacks 

The best way to deal with BEC attacks is to prevent them from happening in the first place. Prevention requires a multi-faceted approach that includes technical, administrative, and human elements.

Email Security Measures

The first line of defense against BEC attacks is implementing robust email security measures. It is essential to use email filtering solutions that can detect and block phishing emails. These solutions can flag emails from outside your organization that are crafted to look like they’re from within.

Furthermore, you should also implement Domain-based Message Authentication, Reporting & Conformance (DMARC), an email authentication protocol. DMARC can prevent attackers from spoofing your organization’s domain in their phishing attempts, significantly reducing the chances of a successful BEC attack.
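Publishing a DMARC record only blocks spoofing once its policy is enforcing, so the record itself is worth checking. The following is an added example, not part of the original article: it parses DMARC TXT records using the tag names defined in RFC 7489 and reports the gaps that still let spoofed mail through. The sample records and the example.com addresses are constructed.

```python
"""Added example: does a published DMARC record actually stop spoofed mail?"""

ENFORCING = ("quarantine", "reject")


def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered dict (first value wins)."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def assess_dmarc(record):
    """Return the effective policy and the gaps that still allow spoofing."""
    tags = parse_tags(record)
    names = list(tags)
    # RFC 7489: the record must begin with v=DMARC1 and must carry a p= tag.
    if not names or names[0] != "v" or tags["v"] != "DMARC1":
        return {"policy": None, "enforcing": False,
                "findings": ["invalid: record does not start with v=DMARC1"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none",) + ENFORCING:
        return {"policy": None, "enforcing": False,
                "findings": ["invalid: missing or unknown p= policy"]}

    findings = []
    pct_raw = tags.get("pct", "100")
    # An unusable pct value is ignored and the default of 100 applies.
    pct = int(pct_raw) if pct_raw.isdigit() and int(pct_raw) <= 100 else 100
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p

    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if policy in ENFORCING and sub_policy == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse goes unseen")

    return {"policy": policy,
            "enforcing": policy in ENFORCING and pct == 100,
            "findings": findings}


# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half-enforced": "v=DMARC1; p=reject; sp=none; pct=50",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "not-dmarc": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        result = assess_dmarc(record)
        state = "enforcing" if result["enforcing"] else "NOT enforcing"
        print(f"{label}: policy={result['policy']} ({state})")
        for finding in result["findings"]:
            print("   -", finding)
```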

Multi-Factor Authentication (MFA)

Multi-factor authentication is another crucial element in preventing BEC attacks. MFA requires users to provide two or more forms of identification before they can access their email accounts or other sensitive systems. This could be something they know (like a password), something they have (like a physical token or a smartphone), or something they are (like a fingerprint or other biometric data).

By implementing MFA, even if a criminal manages to steal an employee’s login credentials through a phishing attack, they would still need the additional factor(s) to access the account. This significantly increases the difficulty for attackers, often deterring them from attempting to compromise your business.

Employee Training

The human element is often the weakest link in cybersecurity. Therefore, regular employee training is essential in preventing BEC attacks. Employees should be taught to identify phishing emails and be aware of the tactics used by cybercriminals in these attacks.

Moreover, it should be emphasized that everyone, regardless of their position in the company, could be a target. Regularly updated training programs can help employees stay abreast of the latest threats and the best practices to mitigate them.

Verify Requests

Given the nature of BEC attacks, it is crucial to establish a process to verify requests for funds or sensitive information, especially if they are unexpected or come from high-ranking individuals. This could be as simple as making a phone call to the person making the request.

The more significant the request, the more critical it is to verify it through multiple channels. This practice can significantly reduce the chances of an employee inadvertently complying with a fraudulent request.

Incident Response Plan

Even with the best preventative measures in place, it’s essential to be prepared for the worst-case scenario—a successful BEC attack. This is where an incident response plan comes into play.

An effective incident response plan should outline the steps to take immediately after detecting a BEC attack. This includes identifying and isolating affected systems, investigating the breach, notifying affected parties, and reporting the incident to the relevant authorities.

Use of Secure Email Gateways

Secure email gateways can be a valuable tool in the fight against BEC attacks. These solutions provide an additional layer of security, filtering incoming and outgoing emails to identify potential threats.

They use techniques such as link protection and attachment sandboxing to protect against malicious content. Moreover, they can also detect and block emails that attempt to spoof your organization’s domain, reducing the risk of BEC attacks.

Regular Monitoring

Last, regular monitoring of your email systems and network activity can help detect unusual behavior that may indicate a BEC attack. This could include abnormal login patterns, unexpected email forwarding rules, or sudden changes in email volume.

Monitoring tools can automate this process, alerting your IT team to potential threats so they can take swift action. Regular auditing of your systems can also help identify any security gaps that must be addressed.

Conclusion

To summarize, understanding and preventing BEC attacks is critical in today’s digital world. It requires a combination of robust technical measures, comprehensive employee training, and vigilant monitoring. Remember, the cost of preventing these attacks is far less than the potential financial and reputational damage they can cause. So, stay informed, stay prepared, and stay safe.

DON’T FALL FOR THE SCAM: How Business Email Compromise Scams Work And How To Avoid Them (The Digital Guardian Series: Navigating Online Dating, Scams, and Cybersecurity for a Safer Digital World)


Tags: Business Email Compromise, Email scams


Jul 19 2023

Understanding Reverse Email Lookup: A Tool to Strengthen Cybersecurity

Category: Email Securitydisc7 @ 9:02 am

Reverse email lookup can be a handy tool for various tasks, ranging from verifying the sender’s identity, and investigating suspicious emails, to blocking unwanted communication. In this discussion, let’s dive into the ins and outs of this valuable tool.

Reverse email lookup is a fundamental tool in the realm of cybersecurity, empowering individuals and organizations to bolster their digital defences. It enables users to investigate the true identities of unknown email senders, a critical step in identifying potential threats.

Using specialized databases and search algorithms, reverse email lookup unveils valuable information about the sender’s identity, verifying their legitimacy and intent. Preventing cyberattacks, data breaches and other online threats requires understanding this tool. 

Reverse email search lookup may be used to protect sensitive data, strengthen the digital presence and secure online environments. To ensure optimal protection, it is crucial to compare the best email lookup tools available in the market and select the most effective and reliable solution for enhanced online safety.

How does reverse email lookup enhance cyber threat detection?

Finding possible hazards in the always-changing world of cyber threats is essential to preserving online security. In this procedure, reverse email search is vital since it sheds light on the reliability of email correspondence. 

Users may assess the legitimacy and purpose of receiving emails by examining the sender information obtained via a reverse email search. The early identification of dubious activity, such as phishing attempts or fake emails, is made possible by this proactive strategy. 

Reverse email lookup may improve cyber threat detection so that people and organizations can act quickly and intelligently to defend themselves against criminal actors and assaults.

Unveiling the sender’s identity: The Role of reverse email lookup in verifying unknown senders

Discovering an anonymous sender’s true identity is one of the primary benefits of doing a reverse email search. Users can distinguish between acceptable communication and potentially hazardous situations with the assistance of this vital feature. 

Users can gain essential information about the sender by using a tool for doing a reverse email search. This information includes the sender’s name, location and online presence. Because of this verification process, determining whether or not the sender’s identity is genuine and up to date is much less complicated. 

After a reverse email search reveals a sender’s identity, consumers may better protect themselves online. They can also handle unknown correspondents wisely.

Preventing phishing attacks: Leveraging reverse email lookup to detect and thwart phishing attempts

Phishing attacks continue to be a substantial menace to cybersecurity because cybercriminals employ deceptive tactics to trick users into divulging sensitive information to further their illicit goals. 

A robust defence mechanism against these attacks, reverse email lookup equips users with the knowledge and tools to identify and foil phishing scams. By comparing email addresses to various databases and public records, reverse email lookup can establish whether or not the sender has a history of being involved in fraudulent activity. 

With this information, customers should be able to recognize suspicious emails and refrain from clicking on potentially hazardous links or disclosing sensitive information. To strengthen cybersecurity measures and secure private and sensitive data, reverse email lookup should be used as part of phishing attack prevention.

Safeguarding sensitive information: Using reverse email lookup to protect personal and professional data

Protecting sensitive information is of the highest importance in this day and age due to the potential consequences that may result from data breaches caused by cyberattacks. The protection of this kind of information is significantly aided by the use of reverse email lookup, which allows users to verify the credibility of email senders. 

Verifying the validity of unexpected correspondents is one way for individuals and organizations to avoid inadvertently sharing sensitive information with potentially dangerous actors. 

A proactive approach to securing sensitive data, reverse email search helps maintain the privacy of personal and professional information while shielding it from unauthorized access and potential misuse.

Strengthening defence mechanisms: How reverse email lookup supports cybersecurity measures

As a component of cybersecurity strategies, a reverse email search may help strengthen overall defences against online threats. Individuals and organizations may increase their ability to spot and stop cyberattacks by incorporating this technology into their cybersecurity practices.

Reverse email search enables users to find potential risks, validate senders’ integrity and lessen phishing attempts. By taking such a preventative stance toward cybersecurity, the digital perimeter can be bolstered and the organization’s propensity to fall victim to cyberattacks may be reduced. 

People and organizations may benefit from reverse email lookup since it may strengthen their defensive systems, enabling them to maintain a robust and resilient cybersecurity posture.

Empowering individuals and organizations: Promoting personal and professional safety with reverse email lookup

A key objective of reverse email lookup is empowering individuals and organizations to take charge of their online safety. This tool fosters a sense of control and confidence in navigating the digital landscape by providing valuable insights into unknown senders’ identities and detecting potential threats. 

Empowered with the knowledge and capabilities of reverse email lookup, users can make informed decisions about their digital interactions. They can also safeguard sensitive information and prevent cyberattacks. 

Promoting personal and professional safety with reverse email lookup enables individuals and organizations to proactively protect themselves from online risks. This in turn promotes a secure and trustworthy digital environment.

https://www.hackread.com/reverse-email-lookup-tool-strengthen-cybersecurity/

5 Best Reverse Email Lookup Tools & Free Reverse Email Lookup Methods


Tags: Reverse Email Lookup


Mar 02 2023

ProtonVPN launches extensions for Chrome and Firefox browsers

Category: Email SecurityDISC @ 10:54 am

You can now connect to ProtonVPN with just one tap of a button.

Proton VPN has launched its new browser extension for Chrome and Firefox, fulfilling one of the most sought-after features requested by its user community. This new extension provides users with a more flexible way to protect their online privacy and bypass censorship.

The Proton VPN browser extension is a standalone platform that encrypts internet traffic and browsers without needing to install Windows or Mac applications. This distribution method allows users in countries with blocked app stores to access Proton VPN.


With this new extension, users can easily protect their browser traffic without affecting the speeds or IP addresses of other applications on their devices. The extension can be used across multiple browsers, and each browser can be connected to a different server, allowing for up to ten simultaneous VPN connections.

In a statement, Proton VPN explained that they understand the importance of online privacy and freedom of access, and this new extension is designed to provide more options for users to protect their online activity. They also emphasized that they take user feedback seriously and strive to implement new features that cater to their needs.

The Proton VPN browser extension is available for Chromium-based browsers (such as Google Chrome, Brave, Microsoft Edge, Chromium, Opera, and Vivaldi) and Firefox-based browsers (including Firefox itself, LibreWolf, and Waterfox).


Proton VPN is a well-known and reputable VPN provider based in Switzerland that has been praised for its strong security measures and privacy protections. The company’s commitment to expanding its offerings and providing users with more control over their online privacy is a significant step forward in the fight for digital rights.

Secure email that protects your privacy


Tags: Email Security, ProtonEmail, ProtonMail, ProtonVPN


Feb 17 2023

Hackers Exploit ProxyShell Flaws to Deploy ProxyShellMiner on Exchange Server

Category: Email Security,ProxyDISC @ 10:27 am

ProxyShellMiner is being distributed to Windows endpoints by a very elusive malware operation, according to Morphisec.

To generate income for the attackers, “ProxyShellMiner” deploys cryptocurrency miners throughout a Windows domain using the Microsoft Exchange ProxyShell vulnerabilities.

ProxyShellMiner exploits a company’s Windows Exchange servers using the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 to get initial access and distribute crypto miners.

“After successfully breaching an Exchange server and obtaining control, the attackers use the domain controller’s NETLOGON folder to ensure the miner executes throughout the domain, similar to how software is delivered through GPO”, Morphisec reports.

Researchers noticed that the attackers were utilizing four C2 servers. The files the malware depends on are all stored on legitimate mail servers that have been infected.

“Mining cryptocurrency on an organization’s network can lead to system performance degradation, increased power consumption, equipment overheating, and can stop services”, according to Morphisec.

Technical Analysis of the ProxyShellMiner Malware

The malware needs a command line parameter that acts as a password for the XMRig miner component in order to activate.

“This parameter is later used as a key for the XMRig miner configuration, and as an anti-runtime analysis tactic”, Morphisec says.

The parameter serves as an anti-analysis technique and as a password for the XMrig miner

The XOR decryption algorithm, an XOR key, and an embedded dictionary are all used by ProxyShellMiner. The subsequent embedded code modules are then executed using the C# compiler CSC.exe with “InMemory” compile parameters.

The malware then downloads a file with the name “DC DLL” and uses .NET reflection to get the task scheduler, XML, and XMRig key arguments. The decryption of additional files is done using the DLL file.

By setting up a scheduled activity to start when the user logs in, a second downloader achieves persistence on the compromised system. The report says four other files and the second loader are downloaded from a remote resource.

The deobfuscated scheduled task

Using a technique called “process hollowing,” that file determines which of the installed browsers on the hacked system would be used to inject the miner into its memory space. The mining process then starts after selecting a random mining pool from a hardcoded list.

Picking a mining pool

Setting a firewall rule that blocks all outgoing traffic and is applicable to all Windows Firewall profiles is the last stage in the attack chain. This is done to reduce the likelihood that defenders may find infection signs or get notifications about a possible compromise from the compromised system.

“The malware waits at least 30 seconds while the target machine blocks any outbound connection. It does this to tamper with the process runtime behavior analysis of common security solutions”, the researchers say.

Adding a firewall rule to block all outgoing traffic
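A rule that blocks all outgoing traffic on every Windows Firewall profile is rare in normal operation, which makes it a useful thing to hunt for on hosts suspected of this infection. The following is an added example, not code from Morphisec or the original post: it parses rule listings and returns the names of enabled rules that block all outbound traffic on all three profiles. The sample text is constructed in the layout printed by `netsh advfirewall firewall show rule name=all`, and the rule names are invented.

```python
"""Added example: find firewall rules that block all outbound traffic."""

ALL_PROFILES = {"domain", "private", "public"}

# Constructed sample; rule names and addresses are invented for illustration.
SAMPLE_OUTPUT = """
Rule Name:                            Remote Desktop (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Block test range (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Public
Grouping:
LocalIP:                              Any
RemoteIP:                             203.0.113.0/24
Protocol:                             Any
Edge traversal:                       No
Action:                               Block

Rule Name:                            Block all out (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Action:                               Block
"""


def parse_rules(text):
    """Turn the 'Key: value' listing into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        if set(line.strip()) <= {"-"}:      # blank line or dashed separator
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "rule name":              # every rule starts with its name
            current = {"rule name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def blocks_all_outbound(rule):
    """True for an enabled outbound Block rule with no scope, on all profiles."""
    profiles = {p.strip().lower() for p in rule.get("profiles", "").split(",")}
    return (rule.get("enabled", "").lower() == "yes"
            and rule.get("direction", "").lower() == "out"
            and rule.get("action", "").lower() == "block"
            and rule.get("remoteip", "").lower() == "any"
            and rule.get("protocol", "").lower() == "any"
            and ALL_PROFILES <= profiles)


def find_outbound_kill_rules(text):
    """Names of rules that cut off all outgoing traffic from the host."""
    return [r["rule name"] for r in parse_rules(text) if blocks_all_outbound(r)]


if __name__ == "__main__":
    for name in find_outbound_kill_rules(SAMPLE_OUTPUT):
        print("suspicious outbound block-all rule:", name)
```

The non-verbose listing omits the program path, so a hit may be a block scoped to a single application; confirm with the verbose listing before treating it as an indicator.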

Final Thoughts

ProxyShellMiner doesn’t just disrupt business networks, drive up power bills, overheat equipment, and stop services from operating. It also gives threat actors access they can use for further malicious purposes.

“Once attackers have a foothold in a network, they have deployed web shells, backdoors, and used tunneling utilities to further compromise victim organizations”, Morphisec says.

Hence, Morphisec encourages all administrators to install all available security updates and employ thorough and all-encompassing threat detection and defense measures to reduce the danger of ProxyShellMiner attacks.

Everything you need to know about ProxyShell vulnerabilities


Tags: Exchange server, ProxyShell Flaws


Feb 02 2023

HACKERS GAINED ACCESS TO O365 EMAIL ACCOUNTS BY USING OAUTH APPLICATIONS “CERTIFIED” BY MICROSOFT

Category: Email Security,HackingDISC @ 10:57 am

Becoming verified on well-known platforms such as Instagram, Twitter, or the Apple AppStore has become the standard for determining one’s standing in the current online social scene. As users, we trust verified accounts more than those that aren’t. In the business sector, the situation is exactly the same with third-party OAuth app publishers who have been validated by Microsoft. Unfortunately, threat actors have noticed the significance of the verified status in the Microsoft environment as well.

Researchers from Proofpoint found a new malicious third-party OAuth app campaign that used the Microsoft “certified publisher” status in order to meet certain of Microsoft’s criteria pertaining to the distribution of OAuth apps. This raised the likelihood that users would be duped into giving authorization when a malicious third-party OAuth app (from this point forward, referred to as an “OAuth app” or a “malicious app”) asks for access to data that is available through a user’s account. Researchers found that the malicious applications had extensive delegated rights, such as the ability to read emails, change mailbox settings, and obtain access to files and other data that were associated with the user’s account.

According to Microsoft, a Microsoft account can achieve the status of “publisher verified” or “verified publisher” when the “publisher of the app has verified their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration.” (Just so there isn’t any misunderstanding, a “certified publisher” has absolutely nothing to do with the desktop program known as Microsoft Publisher, which is available in some levels of Microsoft 365.)

The material provided by Microsoft goes on to provide more clarification, stating that “after the publisher of an app has been confirmed, a blue verified badge displays in the Azure Active Directory (Azure AD) authorization prompt for the app and on other websites.” Note that when Microsoft discusses third-party OAuth applications, it is referring to apps that have been developed by third-party companies. These businesses are referred to as “publishers” in the Microsoft environment.

Researchers were able to identify three malicious applications that were developed by three distinct malicious publishers. The same firms were singled out for attack by these applications, and they are connected to the same malicious infrastructure. Multiple people were seen giving permission to the malicious applications, which put the environment of their firm at risk.

According to the findings of their investigation, the majority of the participants in this campaign seemed to originate from the United Kingdom (UK). Individuals from the finance and marketing departments, as well as high-profile users such as managers and executives, were among those whose accounts were compromised. Beginning on December 6th, 2022, we made our first observation of this particular avatar of malicious third-party OAuth applications. In every instance, the specialized backend infrastructure that supports the applications was only put in place a few days or weeks before December 6th.

When users give their consent, the malicious applications’ default delegated permissions allow threat actors to access and manipulate mailbox resources, calendar events, and meeting invitations that are linked to the compromised accounts. After consent is granted, access needs no further action on the part of the user, since the permissions also allow “offline access.” The given token, also known as the refresh token, often has a lengthy expiration time that is more than one year. This provided threat actors with access to the data associated with the hacked account as well as the potential to utilize the compromised Microsoft account in later BEC attempts or other types of attacks.

In addition to the possibility of user accounts being hijacked, firms that have been impersonated run the risk of having their brand abused. It is quite difficult for firms in this situation to determine whether or not their reputation is being sullied by one of these assaults. There is no necessary contact that must take place between the entity that is being impersonated and the malicious verified publisher.

Even though an OAuth third-party app has been validated by Microsoft, it is imperative to proceed with extreme care when allowing access to the app. OAuth applications are not inherently reliable and should not be trusted solely on the basis of their verified publisher status. End users are likely to become victims of sophisticated social engineering approaches because of the complexity of the assaults that are being carried out.
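Because the verified badge is not a safety signal, a review of existing consent grants should rank apps by what they can do rather than by who published them. The following is an added example, not Proofpoint's or Microsoft's code: it reviews delegated grants for the mailbox, calendar and file permissions described above and raises the severity when `offline_access` makes the access persistent. The records are constructed and only modeled on the Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` field names; the app names, IDs and tenant values are invented.

```python
"""Added example: review delegated OAuth grants for mailbox-level access."""

# Delegated Microsoft Graph scopes that expose mail, calendar or file data.
HIGH_IMPACT = {
    "mail.read", "mail.readwrite", "mail.send", "mailboxsettings.readwrite",
    "calendars.readwrite", "files.read.all", "files.readwrite.all",
}


def review_grants(grants, service_principals, home_tenant_id):
    """Return findings for grants that expose user data, most severe first."""
    apps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = {s.lower() for s in grant.get("scope", "").split()}
        risky = sorted(scopes & HIGH_IMPACT)
        if not risky:
            continue
        app = apps.get(grant["clientId"], {})
        publisher = app.get("verifiedPublisher") or {}
        # offline_access yields a refresh token: access outlives the session.
        persistent = "offline_access" in scopes
        findings.append({
            "app": app.get("displayName", grant["clientId"]),
            "granted_by": grant.get("principalId") or "ALL USERS (admin consent)",
            "risky_scopes": risky,
            "persistent": persistent,
            # Recorded for context only; it never lowers the severity.
            "publisher_verified": bool(publisher.get("verifiedPublisherId")),
            "third_party": app.get("appOwnerOrganizationId") != home_tenant_id,
            "severity": "high" if persistent else "medium",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["app"]))
    return findings


# Constructed sample data; every identifier below is a placeholder.
HOME_TENANT = "tenant-home"
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Sign-in helper (constructed)",
     "appOwnerOrganizationId": "tenant-ext-1",
     "verifiedPublisher": {"displayName": "Example Publisher Ltd",
                           "verifiedPublisherId": "0000001"}},
    {"id": "sp-2", "displayName": "Intranet portal (constructed)",
     "appOwnerOrganizationId": "tenant-home", "verifiedPublisher": None},
    {"id": "sp-3", "displayName": "File viewer (constructed)",
     "appOwnerOrganizationId": "tenant-ext-2", "verifiedPublisher": {}},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-finance-01",
     "scope": "User.Read offline_access Mail.Read MailboxSettings.ReadWrite Calendars.ReadWrite"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read openid profile"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-mkt-02",
     "scope": "Files.Read.All"},
]

if __name__ == "__main__":
    for f in review_grants(GRANTS, SERVICE_PRINCIPALS, HOME_TENANT):
        badge = "verified" if f["publisher_verified"] else "unverified"
        print(f"[{f['severity']}] {f['app']} ({badge} publisher) "
              f"granted by {f['granted_by']}: {', '.join(f['risky_scopes'])}"
              f"{' + offline_access' if f['persistent'] else ''}")
```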


Jan 25 2023

Everyone Wants Your Email Address. Think Twice Before Sharing It

Category: Email Security,Information SecurityDISC @ 10:12 am

Your email address has become a digital bread crumb for companies to link your activity across sites. Here’s how you can limit this.

When you browse the web, an increasing number of sites and apps are asking for a piece of basic information that you probably hand over without hesitation: your email address.

It may seem harmless, but when you enter your email, you’re sharing a lot more than just that. I’m hoping this column, which includes some workarounds, persuades you to think twice before handing over your email address.

First, it helps to know why companies want email addresses. To advertisers, web publishers and app makers, your email is important not just for contacting you. It acts as a digital bread crumb for companies to link your activity across sites and apps to serve you relevant ads.

If this all sounds familiar, that’s because it is.

For decades, the digital advertising industry relied on invisible trackers planted inside websites and apps to follow our activities and then serve us targeted ads. There have been sweeping changes to this system in the past few years, including Apple’s release of a software feature in 2021 allowing iPhone users to block apps from tracking them and Google’s decision to prevent websites from using cookies, which follow people’s activities across sites, in its Chrome browser by 2024.

Advertisers, web publishers and app makers now try to track people through other means — and one simple method is by asking for an email address.

Imagine if an employee of a brick-and-mortar store asked for your name before you entered. An email address can be even more revealing, though, because it can be linked to other data, including where you went to school, the make and model of the car you drive, and your ethnicity.


“I can take your email address and find data you may not have even realized you’ve given to a brand,” said Michael Priem, the chief executive of Modern Impact, an advertising firm in Minneapolis. “The amount of data that is out there on us as consumers is literally shocking.”

Advertising tech is continuing to evolve, so it helps to understand what exactly you’re sharing when you enter in an email address. From there, you can decide what to do.

For many years, the digital ad industry has compiled a profile on you based on the sites you visit on the web. Information about you used to be collected in covert ways, including the aforementioned cookies and invisible trackers planted inside apps. Now that more companies are blocking the use of those methods, new ad targeting techniques have emerged.

One technology that is gaining traction is an advertising framework called Unified ID 2.0, or UID 2.0, which was developed by the Trade Desk, an ad-technology company in Ventura, Calif.

Say, for example, you are shopping on a sneaker website using UID 2.0 when a prompt pops up and asks you to share your email address and agree to receive relevant advertising. Once you enter your email, UID 2.0 transforms it into a token composed of a string of digits and characters. That token travels with your email address when you use it to log in to a sports streaming app on your TV that uses UID 2.0. Advertisers can link the two accounts together based on the token, and they can target you with sneaker ads on the sports streaming app because they know you visited the sneaker website.

Since your email address is not revealed to the advertiser, UID 2.0 may be seen as a step up for consumers from traditional cookie-based tracking, which gives advertisers access to your detailed browsing history and personal information.

“Websites and apps are increasingly asking for email authentication in part because there needs to be a better way for publishers to monetize their content that’s more privacy-centric than cookies,” Ian Colley, the chief marketing officer of the Trade Desk, said in an email. “The internet is not free, after all.”

However, in an analysis, Mozilla, the nonprofit that makes the Firefox web browser, called UID 2.0 a “regression in privacy” because it enabled the type of tracking behavior that modern web browsers were designed to prevent.

There are simpler ways for websites and apps to track your web activity through your email address. An email could contain your first and last name, and assuming you’ve used it for some time, data brokers have already compiled a comprehensive profile on your interests based on your browsing activity. A website or an app can upload your email address into an ad broker’s database to match your identity with a profile containing enough insights to serve you targeted ads.

The bottom line is that if you’re wondering why you are continuing to see relevant ads despite the rise of privacy tools that combat digital tracking, it’s largely because you are still sharing your email address.

There are various options for limiting the ability of advertising companies to target you based on your email address:

  • Create a bunch of email addresses. Each time a site or an app asks for your email, you could create a unique address to log in to it, such as, for example, netflixbrianchen@gmail.com for movie-related apps and services. That would make it hard for ad tech companies to compile a profile based on your email handle. And if you receive spam mail to a specific account, that will tell you which company is sharing your data with marketers. This is an extreme approach, because it’s time-consuming to manage so many email addresses and their passwords.
  • Use email-masking tools. Apple and Mozilla offer tools that automatically create email aliases for logging in to an app or a site; emails sent to the aliases are forwarded to your real email address. Apple’s Hide My Email tool, which is part of its iCloud+ subscription service that costs 99 cents a month, will create aliases, but using it will make it more difficult to log in to the accounts from a non-Apple device. Mozilla’s Firefox Relay will generate five email aliases at no cost; beyond that, the program charges 99 cents a month for additional aliases.
  • When possible, opt out. For sites using the UID 2.0 framework for ad targeting, you can opt out by entering your email address at https://transparentadvertising.org. (Not all sites that collect your email address are using UID 2.0, however.)
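The linking described in the UID 2.0 passage, and the reason separate addresses limit it, can be shown with a small model. The following is an added example, not part of the original column and not UID 2.0's actual token construction: it derives an identifier by hashing a normalized address and groups site activity by that identifier. The normalization rule (lowercasing, and dropping dots and "+tag" suffixes for gmail.com) is an assumption of this model, and the sites, addresses and events are constructed.

```python
"""Added example: how one email address links activity across sites."""
import base64
import hashlib


def normalize_email(address):
    """Canonical form a matcher would hash (rules are this model's assumption)."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain == "gmail.com":
        # Assumed rule: Gmail ignores dots and anything after "+".
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def email_identifier(address):
    """Deterministic identifier: the same mailbox always yields the same value."""
    digest = hashlib.sha256(normalize_email(address).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def cross_site_profiles(events):
    """Group (site, address, activity) events; return site lists that got linked."""
    profiles = {}
    for site, address, activity in events:
        profiles.setdefault(email_identifier(address), []).append((site, activity))
    linked = []
    for seen in profiles.values():
        sites = sorted({site for site, _ in seen})
        if len(sites) > 1:          # one identifier observed on several sites
            linked.append(sites)
    return linked


# Constructed events: the first two use the same Gmail mailbox under different
# spellings, the third uses a genuinely separate address.
EVENTS = [
    ("sneakers.example", "Pat.Doe@gmail.com", "viewed running shoes"),
    ("sports-tv.example", " patdoe+tv@gmail.com", "watched a match"),
    ("tickets.example", "patdoe.movies@example.org", "bought a ticket"),
]

if __name__ == "__main__":
    for sites in cross_site_profiles(EVENTS):
        print("activity linked across:", ", ".join(sites))
```

Under this model a "+tag" variant of one mailbox still links, while a separate address per interest does not, which is the property the first option in the list relies on.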

You could also do nothing. If you enjoy receiving relevant advertising and have no privacy concerns, you can accept that sharing some information about yourself is part of the transaction for receiving content on the internet.

I try to take a cautious but moderate approach. I juggle four email accounts devoted to my main interests — food, travel, fitness and movies. I’ll use the movie-related email address, for example, when I’m logging in to a site to buy movie tickets or stream videos. That way, those sites and apps will know about my movie preferences, but they won’t know everything about me.

Source:

https://www.nytimes.com/2023/01/25/technology/personaltech/email-address-digital-tracking.html

Check out our previous posts on “Email Security”

The Art of Email Security: Putting Cybersecurity In Simple Terms


Tags: Email Address


Jan 16 2023

Why encrypting emails isn’t as simple as it sounds

Category: Email SecurityDISC @ 1:39 pm

Why organizations need encryption

Encrypting an email message ensures that unauthorized parties cannot read it. For any party without proper authorization, the message will appear indecipherable.

For organizations, message confidentiality is crucial to stop potentially sensitive information from reaching prying eyes. Also, they should be able to confirm the integrity of the message and the sender’s identity – without this, spoofed messages can be sent.

The basis of confidential communication over email is that both sender and recipient have secured their respective local systems, by hardening the host OS, employing client security, EDR, XDR and so forth.

Different options have different benefits and challenges

Best-effort opportunistic encryption methods such as Outlook Message Encryption (OME) and various third-party solutions (email encryption gateways, plugins and similar) have the benefit of being easy to use. They can also be transparently integrated into email programs (such as Outlook Message Encryption), and make it easy to contact new people, with no need for prior key exchange – if the message is sent to a user who doesn’t run the same system, a portal for opening the message is typically placed in view.

Additionally, they can often be integrated into the outgoing email server with rules to enforce encryption automatically, depending on set rules such as automated encryption for certain attachments, for example.

There is, however, the possibility of an unauthorized party decrypting the message if they gain access to it first. This poses a real threat as the email communication itself is not guaranteed to be encrypted due to the email delivery process being reliant on STARTTLS and similar opportunistic encryption schemes. This can be mitigated by adding 2FA, such as via SMS PIN code which can help improve security (of course, the recipient’s cell phone number must be known when sending). And in many situations, it is important to also identify the sender’s identity reliably: After all, if anyone can send messages, how can you differentiate a genuine sender from an imposter?

Full encryption methods such as S/MIME and PGP/GPG enable complete confidentiality where only the recipient can decrypt the email message due to the possibility of verifying the sender’s identity. However, several issues arise when using this method. There is a need for key management where keys need to be distributed, swapped, and kept up to date. There is also limited support as the recipient often needs to use the same solution as the sender.

Only a certain subset of contacts typically use this solution, leading to the need to use multiple solutions depending on the recipient(s). This also requires extra effort to determine which solution can be used for the specific recipient and if the solution is secure enough for the material being sent. This can lead to a complicated user interface with different, confusing options like “sign only” or “sign and encrypt”. It becomes quite easy to end up choosing the wrong option, or worse, forgetting to use the encryption at all (since it usually must be selected specifically).

Recently Google started offering an option to use S/MIME with Gmail as “E2EE” or “client-side encryption”. This option is currently in beta testing and only available to limited audiences. It is, however, a significant development, as it might result in wider adoption of S/MIME encryption, especially if made available for free Gmail tiers.

The threat model decides

What is the best solution? S/MIME or PGP/GPG may seem like attractive solutions, but challenges in key management and difficulty in training people to use them could lead to poor adoption. Some less secure solutions could be used for most communication, while the more secure solutions, such as S/MIME or GPG/PGP, could be used for other recipients.

The users that need to use the more secure solutions must be instructed on identifying when the more secure method is needed and how to use the solution properly (such as key management and practice sending and receiving encrypted email). Ultimately the demands of the specific organization and use cases determine the solutions that might be needed.


Tags: Email Security, encrypting email, ProtonMail


Dec 20 2022

Google’s New End-To-End Encryption for Gmail on the Web

Category: Email Security | DISC @ 9:48 am

On Friday, Google released a beta version of Client-side encryption (CSE) for Gmail. This newest service is only useful to organisations that can produce their own decryption keys because CSE is designed for organisational use.

Google has now made “end-to-end encryption” available for Gmail on the web, following Meta’s 2016 offer to use it for WhatsApp. However, it only provides client-side encryption (CSE).

Notably, client-side encryption (which Google refers to as E2EE) was already available for users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta).

“We’re expanding customer access to client-side encryption in Gmail on the web. Google Workspace Enterprise plus, Education plus, and Education Standard customers are eligible to apply for the beta until January 20th, 2022”, Google announces.

End-To-End Encryption for Gmail

Client-side encryption in Gmail renders sensitive information in the email body and attachments unreadable to Google servers. Customers retain control of both the encryption keys and the identity service used to access them.

“You can use your own encryption keys to encrypt your organization’s data, in addition to using the default encryption that Google Workspace provides,” explains Google.

“With Google Workspace Client-side encryption (CSE), content encryption is handled in the client’s browser before any data is transmitted or stored in Drive’s cloud-based storage.

“That way, Google servers can’t access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally.”

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption supports a wide range of data sovereignty and compliance requirements while enhancing the secrecy of your data.

For customers of Google Workspace Enterprise Plus, Education Plus, and Education Standard, Gmail E2EE beta is presently available.

By submitting their Gmail CSE Beta Test Application, which should include the email address, Project ID, and test group domain, they can apply for the beta until January 20, 2023.

Google says this feature will be OFF by default and can be enabled at the domain, OU, and Group levels (Admin console > Security > Access and data control > Client-side encryption).

To add client-side encryption to any message, click the lock icon and select additional encryption, then compose your message and add attachments as normal.

Also, the feature is not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers. Also, the service has not yet been rolled out for personal accounts.

Finally, end-to-end encryption is something we take for granted in the modern era, when hacking and data leakage are becoming more frequent occurrences.


Tags: Email Security, end-to-end encryption, Google gmail


Dec 11 2022

Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

Category: Email Security, Phishing | DISC @ 11:55 am

A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.

The number of phishing scams reported in the first quarter of 2022 set a new record of over one million total attacks, according to a report by the Anti-Phishing Working Group.

And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.

With so many attacks underway—and growing by the day—what’s the best way to recognize these scams and prevent them? We’ll look at how to recognize and protect yourself from the most common types of phishing fraud. Meanwhile, you can also learn how to detect phishing images in an email.

Most prevalent types of phishing scams

Phishing today refers to a type of scam that steals people’s personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.

With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.

This can make it hard for the untrained eye to spot a phishing scam and even difficult to recognize if you’ve been hacked after falling for an attack. The first sign that tips off most victims is an unexpected charge, damaged credit score, or depleted bank account.

Here are the six most common types of phishing scams and how to protect yourself.

1. Email scams

Anyone can fall for an email scam; this U.S. judge did. By far the most common type of phishing attack is via email. You’re probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.

These emails often look identical to official messages and notifications, including the company’s logo and exactly the same content as a real message. For example, one of today’s most common scams is a message notification from LinkedIn that’s almost impossible to tell apart from the real thing.

How to protect yourself:

  • Never click on links in emails. Instead, visit the official site.
  • Beware of email addresses that aren’t from the business domain, especially if the address is from a free provider like Gmail.
  • Disable automatic image loading, as this can let scammers know you’ve seen the message.

2. Voice phishing (vishing)

Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or urgent, life-threatening warning.

Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though it’s from a local number even if it’s not.

How to protect yourself:

  • Never answer calls from numbers you don’t recognize, even if they have a local area code.
  • Don’t return calls from numbers you don’t recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you’ll call back).
  • Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.

3. Phishing websites

One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the company’s logos, color scheme, and fonts.

After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this attack impersonating American Express used an email message and web page almost impossible to tell apart from the real brand.

Phishing email and the phishing page (Screenshots via Armorblox)

How to protect yourself:

  • If you get a message with a link—even if it looks trustworthy—go to the official site instead.
  • Check the URL of a website to make sure it’s correct. (You’ll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
  • Don’t automatically trust an HTTPS connection. The “green padlock” icon is an important trust signal, but it doesn’t mean a site is safe. Hackers can use them on phishing sites, too.

4. SMS text message scams (smishing)

Text messages don’t have much space for the scammer’s message, but that hasn’t stopped criminals from trying new tactics to trick innocent victims. The goal of most SMS scams is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).

One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You’ll often see a message “confirming” an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.

How to protect yourself:

  • Don’t trust texts from numbers you don’t recognize. Instead, visit the official site.
  • Beware of texts that use vague terms like “your bank” or “package service.” Scammers use these (instead of actual company names) so the message can apply to anyone.
  • Don’t reply to scam messages, even to unsubscribe. This only confirms you have an active number and will result in more attacks.

5. Social media phishing

Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.

One common ruse is a friend reaching out for help, usually with an authentication code. But it’s not a friend—it’s a scammer who’s taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the official company support account, asking you to provide information to verify you’re the authentic owner or to keep your page active.

Fake Support chatbot (Image: Trustwave)

How to protect yourself:

  • Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
  • Don’t respond to messages from “official” accounts. If you’ve received an alert from the social networking site, it’ll usually appear in your account settings.
  • Don’t ever share your social media password with a third-party website.

6. Man-in-the-middle attack

This type of phishing scam requires the attacker to be nearby but can be one of the most dangerous because it’s almost impossible to detect. It works when you and the attacker are on the same Wi-Fi network, like at a coffee shop or airport. The attacker intercepts everything you send and receive and can redirect your browser from safe sites to look-alike sites without you knowing.

Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.

How to protect yourself:

  • Never use public Wi-Fi networks. A better option is to connect to a hotspot from your cell phone, which has a secure and private connection.
  • If you have to use public Wi-Fi, turn on a VPN. This can protect you against most types of man-in-the-middle attacks and safeguard your personal details.

How to prevent phishing

Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.

  • Unfamiliar senders. Emails, texts, or calls from people you don’t recognize are automatically suspect.
  • Poor spelling or grammar. Major corporations pay careful attention to small details like this. Scammers, on the other hand, don’t usually worry about a few typos and often use poor English.
  • Urgency and threats. Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don’t recognize warning signs of a scam.
  • Unusual payment methods. Phishing scams often take the opportunity to charge a “fee” for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.

What to do if you’re a victim of phishing

You’ve learned how to protect yourself from phishing scams, but what if you’ve already fallen victim? If you know you’ve shared information with a scammer, here’s what you should do, based on what information you’ve shared.

  • Credit or debit card details. Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
  • Login details or passwords. Log into the compromised account, change the password, look for an option to close all active sessions, and add two-factor authentication if possible. Do the same for any other accounts using the same password.
  • Medical insurance information. Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
  • Social Security number. Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
  • Name, email, date of birth, or other information. Keep a close eye on your accounts for signs of identity theft.

No matter what kind of information you’ve shared, it’s always a good idea to report the fraud to the Federal Trade Commission at IdentityTheft.gov. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation.

Conclusion

Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you’ve been compromised.

Tags: Phishing scams



Jun 09 2022

Secure email that protects your privacy

Category: Email Security, Information Security | DISC @ 8:19 am

Keep your conversations private. Proton Mail is an encrypted email service based in Switzerland.


Proton Mail protects your communication and has everything you need to easily manage your inbox. Proton’s top priority is keeping your data safe.


Tags: Proton email, ProtonMail


Nov 22 2021

Attackers compromise Microsoft Exchange servers to hijack internal email chains

Category: Email Security | DISC @ 11:18 am

A malware campaign aimed at Microsoft Exchange servers exploits ProxyShell and ProxyLogon issues and uses stolen internal reply-chain emails to avoid detection.

The campaign was uncovered by Trend Micro researchers, who detailed the technique used to trick victims into opening the malicious email used as the attack vector.

The attacks were orchestrated by Squirrelwaffle, a threat actor known for sending malicious spam as replies to existing email chains.

The investigation into three incidents revealed that attackers used exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell).

Once they have compromised the Exchange servers, the threat actors use that access to reply to the company’s internal emails in reply-chain attacks containing links to weaponized documents. Sending the messages from within the organization allows the attackers to bypass detection.

“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA),” reads the analysis published by Trend Micro. “Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails.”
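Because such messages never cross the mail gateway, a check has to run on the internal mail flow itself. The following is an added example, not code from Trend Micro or the original post: it flags replies whose Received path is entirely internal yet whose body links to a host outside the organization. The domain `corp.example`, the host names, the simplified Received parsing and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: DNS suffixes the organization owns (hypothetical value).
INTERNAL_SUFFIXES = ("corp.example",)

# Constructed sample: a reply relayed only between internal Exchange hosts,
# carrying a link to a host outside the organization.
SAMPLE_INTERNAL_REPLY = (
    "Received: from EX02.corp.example (10.0.0.12) by EX03.corp.example"
    " (10.0.0.13) with Microsoft SMTP Server; Mon, 22 Nov 2021 09:01:02 +0000\n"
    "Received: from EX01.corp.example (10.0.0.11) by EX02.corp.example"
    " (10.0.0.12) with Microsoft SMTP Server; Mon, 22 Nov 2021 09:01:01 +0000\n"
    "From: alice@corp.example\n"
    "To: bob@corp.example\n"
    "Subject: RE: Q4 invoice\n"
    "In-Reply-To: <1234@corp.example>\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please review the document: http://files.unrelated.example/doc.zip\n"
)

# Constructed sample: same message, but the first hop is an outside MTA.
SAMPLE_EXTERNAL_REPLY = SAMPLE_INTERNAL_REPLY.replace(
    "from EX01.corp.example (10.0.0.11)", "from mx.partner.example (203.0.113.5)"
)

# Simplified patterns; real Received headers vary more than this.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>()]+", re.I)

def is_internal(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)

def received_hosts(msg):
    """Return every 'from' and 'by' host named in the Received headers."""
    hosts = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(value)
        if match:
            hosts.extend(match.groups())
    return hosts

def external_links(msg):
    """Collect URLs in text parts whose host is outside the organization."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        found += [u for u in URL_RE.findall(text)
                  if not is_internal(urlparse(u).hostname)]
    return found

def triage(raw_message):
    """Flag internal-path replies that carry links leaving the organization."""
    msg = message_from_string(raw_message)
    hosts = received_hosts(msg)
    internal_path = bool(hosts) and all(is_internal(h) for h in hosts)
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    links = external_links(msg)
    return {"internal_path": internal_path, "is_reply": is_reply,
            "external_links": links,
            "review": internal_path and is_reply and bool(links)}

if __name__ == "__main__":
    print(triage(SAMPLE_INTERNAL_REPLY))
```

A flagged message is a candidate for review, not a verdict: legitimate internal replies link to outside sites too, so the result is best combined with link reputation or attachment scanning.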

Tags: Microsoft Exchange servers


Sep 10 2021

ProtonMail Now Keeps IP Logs

Category: Email Security | DISC @ 9:51 am

ProtonMail Amends Its Policy After Giving Up an Activist’s Data

ProtonMail Forced to Log IP Address of French Activist

Tags: ProtonMail


Sep 03 2021

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Category: Email Security | DISC @ 12:01 pm

Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 working inbox credentials.

In about half the cases the credentials are being checked via “IMAP,” which is an email standard used by email software clients like Mozilla’s Thunderbird and Microsoft Outlook. With his visibility into the proxy network, Bill can see whether or not an authentication attempt succeeds based on the network response from the email provider (e.g. mail server responds “OK” = successful access).

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.

And they seem particularly focused on stealing gift card data.

“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”
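From the mail provider's side, the pattern described above (many accounts tested over IMAP, a few "OK" responses, then quiet return visits) can be looked for in authentication logs. This is an added example, not code from the original story or its source; the log format, addresses and thresholds are constructed assumptions, not any real server's output.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, hypothetical log format (not any real
# server's). result=OK / result=NO stands for the IMAP server's login response.
SAMPLE_LOG = """\
2021-09-03T11:00:00Z imap-login user=carol@mail.example rip=192.0.2.10 result=OK
2021-09-03T12:00:01Z imap-login user=alice@mail.example rip=198.51.100.7 result=NO
2021-09-03T12:00:02Z imap-login user=bob@mail.example rip=198.51.100.7 result=NO
2021-09-03T12:00:03Z imap-login user=carol@mail.example rip=198.51.100.7 result=OK
2021-09-03T12:00:04Z imap-login user=dave@mail.example rip=198.51.100.7 result=NO
2021-09-03T12:00:05Z imap-login user=erin@mail.example rip=198.51.100.7 result=NO
2021-09-03T12:30:00Z imap-login user=dave@mail.example rip=203.0.113.20 result=OK
2021-09-04T08:00:00Z imap-login user=frank@mail.example rip=192.0.2.44 result=NO
2021-09-04T08:00:20Z imap-login user=frank@mail.example rip=192.0.2.44 result=OK
2021-09-06T03:15:00Z imap-login user=carol@mail.example rip=198.51.100.99 result=OK
2021-09-06T09:00:00Z imap-login user=carol@mail.example rip=192.0.2.10 result=OK
"""

LINE_RE = re.compile(r"^(\S+) imap-login user=(\S+) rip=(\S+) result=(OK|NO)$")

def parse(log_text):
    """Return (timestamp, user, source_ip, success) tuples; skip other lines."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, user, ip, result = match.groups()
            events.append((ts, user, ip, result == "OK"))
    return events

def stuffing_sources(events, min_accounts=4, max_success_ratio=0.5):
    """Source IPs that try many distinct accounts and mostly fail.
    Both thresholds are assumptions to tune against real traffic."""
    users, total, ok = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, user, ip, success in events:
        users[ip].add(user)
        total[ip] += 1
        ok[ip] += success
    return {ip for ip in total
            if len(users[ip]) >= min_accounts
            and ok[ip] / total[ip] <= max_success_ratio}

def compromised_accounts(events, sources):
    """Accounts where a flagged source got an OK: the password works."""
    return sorted({u for _, u, ip, success in events if success and ip in sources})

def followup_logins(events, sources):
    """Later OK logins to a hit account from an IP it had not used before."""
    hit_accounts, known, hits = set(), defaultdict(set), []
    for ts, user, ip, success in sorted(events):  # ISO timestamps sort by time
        if not success:
            continue
        if user not in hit_accounts:
            if ip in sources:
                hit_accounts.add(user)
            else:
                known[user].add(ip)
        elif ip not in sources and ip not in known[user]:
            hits.append((ts, user, ip))
    return hits

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    src = stuffing_sources(ev)
    print(src, compromised_accounts(ev, src), followup_logins(ev, src))
```

The follow-up pass matters because return visits arrive from fresh proxy addresses that touch a single account each and so never trip the per-source threshold.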

Source: Gift Card Gang Extracts Cash From 100k Inboxes Daily


Tags: Gift Card Gang

