WHAT IS PHISHING?

Phishing is a scam that uses email to try to trick you into giving out confidential information.

Phishing emails will often use familiar logos and look like they’ve come from a genuine company or person, but are actually sent by criminals who want to access your online accounts and details.

Phishing emails can be tricky to spot, which is why it is important to stay alert and report any mail that looks suspicious.

HOW TO SPOT PHISHING EMAILS

Mismatched URLs

The email may contain a link to a website that looks genuine but isn’t. You can usually tell if the link is going to direct you to a trustworthy website by hovering your mouse over the link. If the linked website address is different from the text displayed in the email, it is probably fraudulent and could link to a fake website.

(On an iPhone or iPad, tap and hold the link until a pop-up box appears with options. Tap the link URL at the top of the pop-up).

Poor spelling and grammar

This is one of the most common signs of a malicious email. Companies will usually have their marketing emails reviewed before they’re sent, so if the email is full of spelling mistakes and poor grammar, it is most likely a scam.

Unbelievable offers:

“Congratulations! You’ve won!” Emails containing exclusive offers that are too good to be true are usually scams. An email congratulating you on a prize draw or competition you’ve won but never entered usually contains links to “claim your prize”. These links will direct you to a fake website where you could be asked to give confidential information.

Sender’s email address:

It’s worth checking that the sender’s email address matches who they say they are.

Confidential questions

You should be wary of any email that asks you to give out personal or confidential information, no matter how realistic it looks. A legitimate email shouldn’t ask you for security details like PIN numbers, passwords or account details.

Dear customer:

Any email that doesn’t use your name and addresses you as ‘customer’ is a warning sign for a phishing scam. Scammers usually send thousands of phishing emails at a time so keep an eye out for generic greetings.

Requests to send money:

As a general rule, any email with requests to send money should be considered a scam. Scammers might ask you for money to cover expenses or fees in return for a service.

URGENT! IMPORTANT!:

You could receive an email saying ‘your account will be closed’. Scammers try to make you panic and react quickly by sending confidential information. These emails are usually made to look like they’ve been sent from your bank.

The message appears to be from a government agency:

These phishing emails claim to be from government departments such as HMRC or law enforcement agencies and are created to scare and pressure you into giving out confidential information.

HOW DO SPAMMERS GET MY EMAIL ADDRESS?

There are several common ways that spammers can get your email address:

  • Crawling the web for the @ sign. Spammers and cybercriminals use sophisticated tools to scan the web and harvest email addresses. If you publicly post your email address online, a spammer will find it.
  • Making good guesses… and lots of them. Cybercriminals use tools to generate common user names and pair them with common domains. These tools are similar to the ones that are used to crack passwords. And they work.
  • Tricking your friends. Even if you know better than to publicly post your email address on the web, it could still be stored in the email inbox of anyone who’s ever emailed you or whom you’ve ever emailed. Cybercriminals can steal contact lists or use social engineering to trick people into giving them access.
  • Buying lists. Spammers can purchase lists legally and illegally. When you sign up for a website or a service, make sure you read the privacy policy carefully to find out what the site plans to do with your email address.

It pays to keep your email address as private as possible, but sometimes it seems like there’s nothing you can do to keep it out of the hands of spammers. For this reason you have to combine smart privacy practices with strong email filters.

WEBSITE SECURITY MYTHS

Some conversations are easy… some are difficult. Some are harmonious and some are laborious. But when it comes to website security, the conversation is confusing.

Every organisation agrees, in theory, that their websites need to be secure. But in practice, there is resistance to investing enough time and budget. Reasons for neglecting security include misconceptions surrounding Web Application security.

Below I’ve outlined some of the most common myths and misconceptions that can put your website at serious security risk.

My website is not the target of an attack because it is small and I run a small business.

An average small business website is attacked 44 times per day. In addition, a low profile website is a nice playground for hackers to try out new tools and techniques. Hackers often use automated tools to find various vulnerable websites and don’t discriminate when it comes to the size of the target. Any web application, even if it is not itself a target, may be of interest to attackers. Web applications with lax security are easy pickings for hackers and can be subject to a mass or targeted cyber attack.

We have not been attacked in years, so there’s nothing to worry about

Just because you can’t see an attack, it doesn’t mean it isn’t happening.

According to one study, at any given moment, 18.7 million sites around the world are infected by some form of malware. Automated web attacks that fly under the radar are damaging businesses at a large scale. Some bots are dangerously adept at operating under the guise of a legitimate user.

I have thoroughly tested my website and have fixed most of the known bugs. My site is completely secured now

Security is also about constant monitoring and testing the complete stack of your application.

In the latest White Hat study, the organisations that conducted security testing had, on average, as many as 10 vulnerabilities and only 50% of them got fixed. Modern websites are constantly changing. Every new line of code has the potential to introduce a new security issue.

Good security practices include having ‘visibility’ and necessary ‘verifications’ of the traffic patterns and the security posture of your website. Many modern Web monitoring tools, like Google Alerts, provide affordable, easy to use visibility and verification strategies.

The ability to measure web application security is critical for any business with a web-facing asset. Attack metrics like ill-reputed data (IP, tracking IDs), attacks by countries and IPs, most attacked URLs, etc. need to be measured. Such data provide context, awareness and actionable response about current and emerging threats.

FALLING PREY TO SEXTORTION

When it comes to the world of online scams, sextortion is one of the most common ones and a threat that’s not going away anytime soon.

WHAT IS SEXTORTION?

It’s a form of blackmail in which a cybercriminal or a former friend or romantic partner tries to extract favours or financial gain from a victim.

Ever since the web became a daily destination for a majority of people, there have been cases of sextortion through the use of webcams, the threat of intimate pictures leaking and hundreds and thousands of victims.

Even though most people exercise caution in sending potentially compromising pictures and videos, sometimes even the best of us could be exposed to sextortion. A recent study of 1,631 victims of sextortion revealed how every online user is, at one point or the other, potentially liable to become a sextortion victim.

This is a typical email that is being circulated around…

Let’s get straight to the point. I do know [redacted] is your password. More importantly, I know about your secret and I have evidence of it. You do not know me and no one hired me to investigate you.

It’s just your misfortune that I stumbled across your misdemeanor. Actually, I actually setup a malware on the adult videos (sex sites) and you visited this web site to experience fun (you know what I mean).  While you were busy watching videos, your browser initiated functioning as a Rdp (Remote desktop) with a keylogger which provided me with access to your display as well as cam. Right after that, my software gathered your entire contacts from fb, and email.

Next, I gave in more hours than I should’ve exploring into your life and created a two screen video. First part shows the video you had been watching and second part shows the capture of your web cam (its you doing nasty things).

Frankly, I am ready to forget exactly about you and allow you to continue with your life. And I am going to offer you two options that will accomplish that. Those two choices either to ignore this letter, or simply pay me $2900. Let’s explore above two options in more details.

Option 1 is to ignore this email. Let’s see what is going to happen if you pick this path. I will definitely send your video recording to your entire contacts including close relatives, coworkers, and so on. It does not shield you from the humiliation your self will feel when relatives and buddies learn your dirty videos from me.

Second Option is to make the payment of $2900. We will name it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will destroy the video immediately. You continue on with your daily life like nothing like this ever occurred.

At this point you must be thinking, “Let me call cops”. Let me tell you, I have taken steps in order that this e-mail can’t be linked returning to me plus it will not stop the evidence from destroying your daily life. I am not seeking to steal all your savings. I am just looking to be compensated for my efforts I place into investigating you. Let’s assume you decide to make all this disappear completely and pay me my confidentiality fee. You will make the payment through Bitcoin (if you don’t know this, type “how to buy bitcoins” on google)

Required Amount: $2900
Bitcoin Address to Send to: [redacted]
(It is case sensitive, so copy and paste it)

Tell no person what will you use the Bitcoins for or they will often not give it to you. The task to have bitcoin may take a couple of days so do not wait. I have a special pixel in this e-mail, and now I know that you have read this e mail. You now have 2 days in order to make the payment. If I don’t receive the BitCoins, I will definitely send out your video recording to all of your contacts including members of your family, co-workers, and so forth. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I will destroy the video immediately. It is a non negotiable offer, thus please don’t waste my time & yours. Your time is running out.

This type of sextortion scam demanding payment in bitcoin is so widespread, it’s unbelievable. Just hours after Reddit officially announced they had a breach, due to the fact that employees relied on SMS-based two-factor authentication, plenty of users found threatening emails in their inbox. Why? The Reddit data breach exposed quite a few old usernames and passwords. Cybercriminals took those passwords to provide some “legitimacy” to their common online scam. Even one of Reddit’s employees received the sextortion message, pointing out the ways cybercriminals try to monetize stolen email databases.

As long as people will continue to have digital lives, sextortion will, in one way or another, remain one of the most common types of online scams. Whether it will come from a known person, after a phishing attack or as part of a spray-and-pray email scam campaign, there’s no question about it, it will happen time and time again.

SENDER POLICY FRAMEWORK (SPF)

This post refers to the Mailprotector email system.

Spoofing and phishing email activity observed over the past few months and feedback from Mailprotector’s partners has led to modifying the enforcement of SPF (Sender Policy Framework) records for incoming emails. SPF indicates what sources are authorized to send emails for a domain.

Major email services are also enforcing SPF to improve email security, increasing the importance of managing SPF records for consistent and predictable email delivery.

Email security continues to change, and the efforts to stop spam, phishing and other abuses require improvements to mail flow processing. SPF is widely used and is a starting point for determining email authenticity. Future improvements and support for DKIM and DMARC will require sound SPF implementation and management.

What’s Changed?

Mailprotector is following the SPF specification more closely, as defined by RFC 7208, preventing messages that fail SPF from being delivered to end-users. An SPF record indicates whether to treat failure as a “hard fail” or “soft fail.”

The SPF RFC recommends bouncing messages for hard failures and filtering messages for soft failures. Mailprotector’s belief that all email should be processed and logged for visibility means the enforcement is slightly different.

Hard failures are considered spam and are sent to the user’s quarantine. Soft failures receive a score increase, but may not be high enough to filter the message on its own.

End-user Experience Changes

The end-users may not observe an apparent change. Emails that have been delivered in the past may not be delivered if the SPF record is not correct. For example, a multi-function device that sends emails of scanned documents may be quarantined if the IP or hostname of the device is not included in the domain’s SPF record.
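To see why the scanner in that example ends up in quarantine, the following added example (not Mailprotector's code) evaluates an SPF record against a sending IP and maps the result to the handling described above. It covers only the `ip4`, `ip6` and `all` mechanisms so that it runs without DNS; the records, IP addresses and handling labels are constructed for illustration.

```python
import ipaddress

# RFC 7208 qualifiers: "-" is the hard fail and "~" the soft fail discussed above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, sender_ip):
    """Evaluate ip4/ip6/all terms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # include, a, mx, redirect= etc. need DNS lookups this example omits.
            raise NotImplementedError(term)
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if net.version != int(name[2]):
            return "permerror"
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and the record has no "all"

def handling(result):
    """Handling as described in the post; 'no SPF action' is this example's own label."""
    return {"fail": "quarantine", "softfail": "score increase"}.get(result, "no SPF action")

# Constructed values from documentation ranges: the mail server range is published,
# the scanner's address is not.
SCANNER_IP = "198.51.100.7"
RECORD_HARD = "v=spf1 ip4:203.0.113.0/24 -all"
RECORD_SOFT = "v=spf1 ip4:203.0.113.0/24 ~all"
RECORD_FIXED = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"

if __name__ == "__main__":
    for rec in (RECORD_HARD, RECORD_SOFT, RECORD_FIXED):
        res = spf_result(rec, SCANNER_IP)
        print(f"{rec!r}: {res} -> {handling(res)}")
```

Adding the device's address to the record, as in `RECORD_FIXED`, is what turns the scanner's result from a hard fail into a pass.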