ESP attacks, again. Be wary.

There seems to be an uptick in phishing attacks that have an impact on ESPs recently.
Your CEO
The most critical one is targeted spear-phishing attacks that claim to be internal documents sent by senior staff within the company, e.g. from the company CEO.
It’s likely that the attached documents will compromise and backdoor your machine, and from their most of your internal network, using an infected document to load a remote administration tool (RAT) such as Netwire.
Be very, very wary of document attachments, especially in generic looking emails that you weren’t expecting, from senior people. Making sure your antivirus signatures are up to date is a great idea, but nothing will protect you as effectively as not opening the infected documents.
Your domain registrar
The other campaign I’m aware of is emails that claim to be abuse reports from registrars (e.g. opensrs, tucows, etc) aimed at domain registration contacts, claiming that a domain has been suspended and that the recipient should click on a link to “download a copy of complaints received”.
e.g.

Dear Steve Atkins,
The Domain Name ABUSEMONKEY.COM have been suspended for violation of the TUCOWS, INC. Abuse Policy.

or

Dear Sir/Madam,
The following domain names have been suspended for violation of the TUCOWS, INC. Abuse Policy:
Domain Name: KNOWYOURDELIVERY.COM
Registrar: TUCOWS, INC.
Registrant Name: Steve Atkins
SPF debugging
All About Email: Q & A session tomorrow

Related Posts

Return Path partners with Symantec

Today Return Path announced a partnership with Symantec to improve their anti-phishing product. Return Path is incorporating the Symantec Trusted Domain List into their authentication and filtering product to help customers protect their brands. Press Release
Phishing scams affect everyone, and having a brand that is used in phishing can reduce consumer trust in that brand. Protecting brands in email has been one of the more difficult challenges facing the email community. With the adoption of DKIM and DMARC by major brands and ISPs it has become easier to track and address phishing.

Read More

Aetna, phishing and security

We’ve just gotten home from M3AAWG and I’m catching up with a lot of the administrative stuff that’s gotten ignored while we were soaking up the tons of information from some of the smartest Internet security folks around. One of the tasks I’m working on is checking on our recent bills from our health insurance provider. Their website seems to be down, so I called them up and asked them if it was down or if something was broken on my end.
They did confirm there was a problem with the site “earlier today” but then started asking me for my account information. They’ve promised to email me a new password because of reasons.
One of the things about M3AAWG is that concentrated discussions about spam and online criminals and security can make everything feel so fragile and security so inadequate to protect us against criminals. I start thinking that everything is compromised. It doesn’t help that websites fail just at the time when I start trying to figure out if my personal information leaked out.
In the course of trying to figure out if there is something wrong at Aetna and if my personal information is safe, I find an article about how poor security is for health companies. “Health companies flunked an email security survey—except Aetna.” Apparently, out of all the health companies out there, Aetna are the only ones fully implementing DMARC on all their mail streams.
The problem is that for the mail I received from Aetna, the visible From: address is AetnaeBilling@aetnagroupbilling.com. This is one of the major vulnerabilities of DMARC. How can I, as a recipient, tell that this is officially mail from Aetna? Any phisher could register “aetnabilling.com” or “aetnagoupbilling.com” or “aetnaebilling.com” and publish DMARC records and use those records to phish customers. Even worse, aetnagroupbilling.com isn’t a SSL registered website.
This is exactly the type of setup a phisher would use to gain access to people’s health insurance accounts. And Aetna offers the ability to draft payments directly from a business checking account, so breaking into the billing account also offers some level of access to the business money.
Do I think this is a phish? No.
Do I think the average person would be able to tell that? No.
There’s got to be a better way to secure folks online.

Read More

Disposable addresses

Both Steve and I have blogged about how we use tagged addresses to monitor and manage our incoming mail. This is not something unique to our system, but rather a feature that’s existed in many mail systems for a long time. Many unix systems support tagged addresses out of the box, but there are also commercial MTAs and even some webmail services that support tags.
Gmail offers “+ addressing” where users can use unique tags after their username. This gives every gmail use an unlimited number of addresses to use. Any address gets leaked or compromised, and you can set filters to ignore future mail to that particular tagged address.
Yahoo offers up to 500 unique addresses per account. Initially this was a service provided by OtherInbox, now owned by Return Path, but it’s not clear if that’s still the case.
Spamgourmet has been offering disposable addresses since 2000. Their system has a built in limit on the number of emails a particular email will receive, which can help control the incoming volume.
Spamex is another provider of disposable addresses that’s been around for years and is providing services that allow recipients to control their incoming mail.
New on the scene is MeAndMyID.com who popped up in the comments here today. They are offering disposable addresses, free for a lifetime, if you sign up soon.
There are also the “short term” or “open inbox” disposable addresses like Malinator or 10 Minute Mail
I find disposable addresses invaluable for sorting through the mail coming into my account. A bank email to an address I didn’t give the bank? It’s a phish. A pizza hut email to an untagged address? Not real. Target emails to an address only given to Amazon? Amazon is selling or giving addresses away in violation of their privacy policy. Unexpected email from a vendor, but to a tagged address? Time to unsubscribe as I’ve lived this long without their mail.

Read More