Search This Blog

Showing posts with label email security. Show all posts

How these Invisible Images Enable Companies Eavesdrop on your Email — Here’s all you need to know

 

The emails are eavesdropping on you. Most of the billions of emails that arrive in our inboxes every day contain hidden trackers that can tell the recipient when you open them, where you open them, how many times you've read them, and much more — a privacy nightmare that many call "endemic." Fortunately, you can take measures to safeguard yourself and your inbox. 

Advertisers and marketing firms, in particular, embed tracking pixels in their promotional emails to keep track of their mass campaigns. Senders can learn which subject lines are the most "clickable," and which of their targets are potential customers, based on how people interact with them.

Though this is beneficial from an analytics standpoint, it is frequently done covertly and without consent.  There is a simple way to disable email tracking. Continue reading to learn more about these troublesome little pixels and how to get rid of them.
 
Email tracking pixels:

The email tracking pixel is a surprisingly simple concept that allows anyone to secretly collect a plethora of information about you as soon as you interact with their messages.

When someone wants to know if you read their email, they insert a tiny 1 pixel by 1 pixel image into it. When you open the email, it sends a ping to the server where the image is stored and records your interaction. The sender can tell your location by checking where that network ping was launched and what type of device was used, in addition to whether or not you clicked their email and how many times you clicked it.

There are two possible explanations for why you never notice that tracking graphic. For starters, it's insignificant. Second, it's in GIF or PNG format, enabling the company to keep it transparent and invisible to the naked eye. A sender will frequently conceal this in their signature. As a result, that fancy font or flashing company logo at the bottom of a commercial email may be more than just a cosmetic presence.

More importantly, studies have revealed that by pairing your location and device specifications, advertisers and other malicious actors can link your email activities with your browser cookies. This opens a can of worms because it allows them to identify you wherever you go online and connect your email address.

Most email clients, including Gmail and Outlook, do not have this feature built-in, but you can use third-party tools. It's recommended to use the Chrome and Firefox extensions Ugly Email for Gmail. It places an "eyeball" icon next to emails containing tracking pixels and prevents them from spying on you. If you use Yahoo or Outlook, you can also use Trocker, which marks emails with trackers on their websites.

These extensions, however, are only available on your computers. You'll need to subscribe to a premium email client like HEY to detect email trackers on your phone.

How to block email tracking pixels?

Email trackers are easy to detect because they rely on hidden media attachments. The simplest method is to simply disable image loading in your email apps by default and only do it manually for emails you trust or when there is an attachment to download.

1. Adjust your existing inbox: On Gmail, the option to block external images is available under Settings > Images > Ask Before Displaying External Images on the web and mobile apps. On Outlook apps, it’s found under Options > Block External Images on mobile and Options > Trust Center > Automatic Download on desktop.

Though Apple Mail also lets you accomplish this from Preferences > Viewing > Load remote content in messages, you can directly block trackers on it as long as you’re on macOS Monterey. Head over to Mail > Preferences > Privacy and check the “Protect Mail Activity” box. 

2. Get yourself a private relay email address: The issue with the methods discussed previously is that they only block tracking pixels after the email has already arrived in your inbox — they don't remove them entirely. To ensure that you never open an email containing trackers by accident, you'll need a proxy address that scans your messages and eliminates any malware before they show up in your inbox.

Another advantage is that you can keep your personal email address private and only provide a relay ID to websites, newsletters, and other services. There are numerous free services that provide a proxy email address. 

Email Protection from DuckDuckGo is recommended. It allows you to create a new custom relay address, which secures your mail before forwarding it to your personal inbox by booting the trackers and encrypting any unsecured links in the body. DuckDuckGo adds a small section at the top of forwarded emails that tells you whether it found any trackers in it and, if so, which companies were responsible for it.

To sign up for the DuckDuckGo app on an Android or iPhone, go to Settings > Email Protection. You can get started on a desktop with the DuckDuckGo browser extension or its Mac browser.


Five Important Tips for Keeping Your Email Safe

 

Whether it’s on our smartphones or desktops – we can’t really function today without scanning our emails on a daily basis. However, we often undermine the hacker's abilities and think we're immune to scams. take the privacy and security of our inboxes and emails for granted. 

Email scam is often the easiest way for malicious hackers to trick individuals into giving personal and private data. According to the FBI, email frauds are the most expensive type of cybercrime, costing American billions of dollars in losses. 

According to Google Safe Browsing, there are now nearly 75 times as many phishing sites as there are malware sites on the internet. Interestingly, 20% of all employees are likely to click on phishing email links, and, of those, a whopping 68 percent go on to enter their credentials on a phishing website. 

So how can we mitigate this and safeguard our emails? Here are 5 simple steps that can assist in protecting your email account and steer clear of threat actors. 

1. Apply a strong and unique password 

This one may seem cliche, but never employ a password that contains your name, date of birth, user name, email address, or any other piece of information that can be easily accessed by hackers. Your password needs to be six characters or longer. Employ different passwords for each of your accounts, never the same one. 

You can store all your passwords in multiple ways, including on a piece of paper, hard drive, password manager, or otherwise. If you're using a password manager app, keep in mind that these can be prone to hacks, as they rely on internet connections and software programs to store your data, both of which can be abused by hackers. 

2. Post minimal personal information on social media 

Recognize the privacy settings you have. Always scan the default privacy settings before posting anything on a social media platform. The default privacy settings on multiple social media platforms are often lenient and may permit the sharing of information with a big online community. A social networking platform’s settings should be adjusted before sharing any content there. 

3. Employ a spam filter 

Spam filters help you keep spam emails from your inbox or flag spam emails so that you are aware of them. Relying on the software and configuration, some spam filters can automatically eliminate junk emails and thwart web bugs that track your activity and system information. 

4. Block Suspicious Addresses 

While some scammers may only try to contact you once or twice, others will make repeated attempts at getting in touch. This is why you should block email addresses that you have confirmed to be dangerous. It's usually pretty quick and easy to block an email address, but the process may differ slightly depending on the provider you're using. It can usually be done by highlighting a specific email and choosing the Block option, or by going into your email account settings. 

5. Use Antivirus Software 

It is highly recommended that you install and maintain good and well-respected antivirus software on your desktop, smartphone, or tablet to mitigate infection. Search all email attachments with an antivirus program before downloading them, even if they come from someone you know.

Increasing Cyber Attacks Prompt the IT Ministry to Beef Up the E-mail Security

 


A new report released by the Ministry of Electronics and Information Technology (MeitY) has suggested that the ministry is looking into strengthening the security of its email system in light of the increasing number of cyberattacks.

NIC has issued a Request for Proposals (RFP) to select a system integrator to maintain the existing email setup, add additional security framework support, and integrate an additional infrastructure into the existing setup. The government is seeking to select a system integrator that will be able to perform these tasks.

There is a Network Information Centre (NIC), under the jurisdiction of MeitY, which meets the government's information and communication technology (ICT) requirements at all levels, designs and develops IT systems for the government, and so forth.

"With the rapid adoption of emerging technologies, here comes a new generation of cyberattacks that are complex and targeted. As a result, cyberattacks targeting government email infrastructure are increasing exponentially," reported the NIC.

"To address the issue of advanced threats and cyberattacks, the security of the existing email service will have to be enhanced to provide a secure communication channel, deploying state-of-the-art security software and features to ensure effective and reliable communication," the NIC said in its RFP.

It has been reported that Moneycontrol has contacted the NIC with additional questions in this regard and the article regarding the same will be updated when a reply will be received from the NIC.

As part of the proposed additional security, it will be necessary to acquire threat intelligence software that supports the integration of third-party security to secure virtual machines from viruses, malware, etc.

The software must be able to detect malware that is not only capable of highlighting threat indicators but also capable of analyzing them.

It was stated in the RFP that "the information should include, among other things, background information on the threat actors and attack methods associated with specific indicators and artefacts that are linked to the threat actors."

As part of the threat intelligence collection process, it should also be capable of providing threat intelligence reports. These may include information such as the goal of the cyber attacker, variants of the threat, the outcome of a cyberattack, and so on.

The security measures for the government's email infrastructure will also include the implementation of HIPS (host intrusion prevention system), which monitors security across physical and virtual servers.

According to the RFP, the company will also acquire a security gateway that supports email security solutions that integrate inbound and outbound defences against email threats. These defences integrate inbound and outbound security analytics.

The RFP stated: "Potentially, the solution should be able to protect the company from zero-day and targeted attacks and be able to dynamically analyze messages attachments for malware without sending files to the cloud," according to the document.

"It is essential that the email security appliance be able to produce a PDF file containing a print-safe version of a message attachment that has been detected as malicious or suspicious."


Analyzing the security situation


Apart from that, the system integrator should also conduct an audit of the email architecture. This includes evaluating the email solution, changes in the design, changes in the operating system, and so on, as well as an assessment of the whole email environment.

There will also be a requirement for the system integrator to conduct a data audit of the email platform that is used by the government. According to the NIC, this is following any major feature changes, patch upgrades, and security fixes that are scheduled for the upcoming month.

Cyberattacks on government entities have increased in recent years


There has been an increase in the number of cyberattacks on the government, especially on the email infrastructure that the government uses as a communication tool.

According to a report in the Indian Express in December, several employees of various central ministries received mysterious emails from the nic. in the domain, which implied the death of Gen. Bipin Rawat had been caused by an "internal hand." From the nic. in the domain, the email claimed to be from a secret service agent.

A phishing attempt was carried out through compromised domain email IDs to try and lure officials of the Centre into clicking on the unsolicited link.

There was a similar cyberattack that took place in October last year when Prime Minister Narendra Modi visited the United States. A compromised email account belonging to the government was used in the attack.


Hyperscraper: A New Tool that Iranian Hackers Use for Stealing E-mails


State Sponsored Threat 

Charming Kitten, a state-sponsored Iranian hacking group is using a new tool to download emails from targeted Yahoo, Microsoft Outlook, and Gmail accounts. 

The utility is called Hyperscraper and like many hackers' operations and tools, it is in no way sophisticated. But its lack of sophistication is balanced by effectiveness, letting the threat actors hack a target's e-mail inbox without leaving any traces of the intrusion. 

Simple but effective email scraper

In a recent technical report, experts from Google's TAG (Threat Analyst Group), shared information about Hyperscraper's capabilities and said that it is under active development. 

Google TAG links the tool to Charming Kitten, a threat group based in Iran that is also called APT35 and Phosphorus, and said the earliest samples were found from 2020. 

The researchers discovered Hyperscraper in December 2021 and analysed it using a Gmail test account. Hyperscraper isn't a hacking tool but an instrument that lets threat actors steal email data and store it on their devices after getting into the victim's email account. 

How does Hyperscraper work?

Getting the login credentials for the victim's inbox is done in an earlier stage of the attack, generally by stealing them. 

Hyperscraper has an embedded browser and fools the user agent to imitate an outdated web browser, it provides a basic HTML view of the Gmail account's details. 

Google TAG says that once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. 

Google TAG Experts' Analysis 

When the extraction is completed, Hyperscraper changes the language settings to English and moves through the contents of the email inbox, downloading messages individually as .eml files extension and marking them unread. 

Google TAG experts said earlier variants of Charming Kitten's utility could get data from 'Google Take-out,' a feature that lets users shift data from their Google account for making a backup or using it with a third-party service. 

While running, Hyperscraper works via the C2 (Command and Control) server, waiting for a 'go' sign to start the exfiltration process. 

How does threat actor use Hyperscraper?

The operator can change the tool with important parameters (identifier string, operation mode, path to valid cookie file) via command-line arguments or using a minimal user interface. 

If the path to the cookie file isn't given over the command line, the operator has the option to drag and drop it into a new form. After the cookie has been parsed successfully and embedded in the local cache of the web browser, 

Victims have been notified 

Hyperscraper makes a 'Download' folder where it throws the contents of the target inbox. The victims of Charming Kitten who were attacked with Hyperscraper have been informed about the government-backed attacks. 

"Users that received such a warning are encouraged to bolster their defenses against more sophisticated attackers by enrolling in Google’s Advanced Protection Program (AAP) and by activating the Enhanced Safe Browsing feature, both provided an added security layer to existing protection mechanisms," said Bleeping Computers. 







Hackers Use Malware To Spy on Emails


Gmail users should keep a watch out for the recently found email spying software called SHARPEXT. The malware was found by Volexity, a cybersecurity firm. The spying malware targets AOL and Google account holders and can read/download their personal e-mails and attachments.

A hacking group that is believed to work from North Korea is loading harmful browser extensions for Edge and Chrome. It tries to steal email info from open AOL and Gmail sessions and interchange browser preference files. 

About SHARPEXT

Volexity experts found the malicious extension, known as SHARPEXT, it is active for almost a year by Kimsuky (aka SharpTongue). It uses the extension after the attack has been launched, for keeping its presence. 

"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.

Kimsuky's Attack

Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. On the contrary, the extension steals information from the e-mail inboxes of the victims.

The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been done. 

How SHARPEXT is installed

To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files, for the aimed Chromium-based browser, which is generally said to be a difficult task to execute. 

• To interchange the Secure Preferences file, the hackers obtain some details from the browser and make a new file running on browser start-up.

• After that, the attackers use a secondary script to conceal some of the extension's features and any other windows that can surface and alarm the users about suspicious activities. 

• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. Installation is then modified for different respective targets. 

Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title (“05101190” or “Tab+”, depending on the version). The keyword is removed when DevTools is enabled on the tab." 

Malicious Emails have the Potential to Bring Down Cisco Email Security Appliances

 

Cisco notified customers this week that its Email Security Appliance (ESA) product is vulnerable to a high-severity denial of service (DoS) vulnerability that may be exploited using specially crafted emails. The CVE-2022-20653 vulnerability affects the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA. It is remotely exploitable and does not require authentication. 

This vulnerability is caused by the software's insufficient error handling in DNS name resolution. An attacker could take advantage of this flaw by sending specially crafted email messages to a device that is vulnerable. A successful exploit could allow the attacker to make the device unavailable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a denial of service (DoS) issue. Repeated attacks could render the gadget fully inoperable, resulting in a persistent DoS condition, said the company. 

This vulnerability affects Cisco ESA devices running a vulnerable version of Cisco AsyncOS Software with the DANE functionality enabled and downstream mail servers configured to deliver bounce messages. 

Customers can prevent exploitation of this vulnerability by configuring bounce messages from Cisco ESA rather than downstream reliant mail servers. While this workaround has been deployed and confirmed to be functional in a test environment, users should evaluate its relevance and efficacy in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation deployed may have a negative impact on network functioning or performance due to inherent customer deployment circumstances and limitations.

"Cisco has released free software updates that address the vulnerability described. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license," the company said. 

Cisco has given credit to numerous persons who worked with the Dutch government's ICT services company DICTU for reporting the security flaw. According to the networking behemoth, there is no evidence of malicious exploitation. 

Cisco also issued two advisories this week, informing users of medium-severity issues impacting Cisco RCM for Cisco StarOS software (DoS vulnerability), as well as Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (XSS vulnerability).

Office 365 Provides Email Protection Against Downgrade and MITM Attacks

Microsoft adds SMTP MTA Strict Transport Security (MTA-STS) support feature in Exchange Online to improve Office 365 customers' email security. Redmond disclosed MTA-STS's release in September 2020. after mentioning that it was also adding inbound and outbound support for DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based verification of Known Entities). The Exchange Online Transport Team has been validating and implementing and is now ready to disclose support for MTA-STS for all outgoing messages via Exchange Online. 

Office 365 now has MTA-STS, which means that emails sent by users with Exchange Online will be sent over connections having authentication and encryption. It will protect the mails from threat actors and hacking attempts. The new feature improves Exchange Online email security and resolves various SMTP security problems, it includes out-of-date TLS certificates, poor secure protocols support, and certifications not trusted by third parties or same server domain names. Before MTA-STS, emails sent via unsafe TLS connections were vulnerable to external threats like man-in-the-middle and downgrade attacks. 

Exchange Team says "downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker's server. MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies." Microsoft offers assistance on adopting MTA-STS, this includes hosting of the policy files on the domain web infrastructure. 

DANE for SMTP support 

Redmond is currently working on starting DANE for SMTP with DNSSEC support, it provides better security for SMTP connections compared to MTA-STS. Microsoft has secured various domains for email transmission as a domain owner including primary domains such as hotmail.com and outlook.com and live.com. It means that connections from senders supporting MTA-STS are prevented from man-in-the-middle attacks. 

Microsoft says "you can use both standards on the same domain at the same time, so customers are free to use both when Exchange Online offers inbound protection using DANE for SMTP by the end of 2022. By supporting both standards, you can account for senders who may support only one method."

To Spread STRRAT Malware, Phishing Campaign Impersonates Shipping Giant Maersk

 

A new phishing campaign employing bogus shipping delivery lures installs the STRRAT remote access trojan on the computers of unsuspecting victims. Fortinet identified the new campaign after detecting phishing emails mimicking Maersk Shipping, a worldwide shipping behemoth, but utilising seemingly authentic email addresses. 

STRRAT is a multi-functional Remote Access Trojan that dates to at least mid-2020. It is unusually Java-based and is normally sent to victims via phishing email. Previous STRAAT operations, like other phishing attacks, used an intermediary dropper (e.g., a malicious Excel macro) attached to the email that downloaded the ultimate payload when viewed. Instead of using that method, this sample attaches the final payload directly to the phishing email. 

In the case of Maersk Shipping, the message eventually goes through "acalpulps[.]com" before being delivered to the final recipient after leaving the sender's local infrastructure. This domain was only registered in August 2021, which makes it questionable. Furthermore, the domain utilised in the "Reply-To" address, "ftqplc[.]in," was recently registered (October 2021), making it highly suspicious as well. The email body urges the recipient to open attachments regarding a pending shipment. 

A PNG image and two Zip archives are directly attached to the sample email. "maersk.png" is simply an image file. However, the two Zip archives “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip” and “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip” include an embedded copy of STRRAT. When one of these archives is unzipped, the file “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar” is displayed. However, when you open the file in Jar Explorer, a few things become clear. 

Firstly, this package contains a significant number of Java class files. Second, the strings in the class "FirstRun" appear to be scrambled or encoded. Lines beginning with "ALLATORIxDEMO" denote the presence of the Allatori Java Obfuscator. 

STRRAT malware first collects basic information about the host system, such as its architecture and any anti-virus software that are operating on it, before checking local storage and network capability. STRRAT can collect user keystrokes, enable remote control operation, steal passwords from web browsers such as Chrome, Firefox, and Microsoft Edge, steal passwords from email clients such as Outlook, Thunderbird, and Foxmail, and launch a pseudo-ransomware module to simulate an infection. 

Trojans like STRRAT are frequently overlooked because they are less sophisticated and more randomly distributed. However, this phishing attempt proves that even little threats can cause significant damage to organizations.

SonicWall's Email Security and Firewall Products Were Hit by the Y2K22 Bug

 

SonicWall acknowledged on January 7th that the Y2K22 bug had affected some of its Email Security and firewall solutions, causing message log updates and junk box failures beginning January 1st, 2022. According to the organization, email users and administrators on affected systems would no longer be able to access the junk box or un-junk newly received emails. They will also be unable to trace incoming/outgoing emails using the message logs because they will no longer be updated.

SonicWall, a private firm based in Silicon Valley that was a Dell subsidiary from 2012 to 2016, produces a variety of Internet equipment aimed largely at content restriction and network security. These include network firewalls, unified threat management (UTM), virtual private networks (VPNs), and email anti-spam devices. 

SonicWall issued updates to North American and European instances of Hosted Email Security, the company's cloud email security service, on January 2nd. It also issued updates for its on-premises Email Security Appliance (ES 10.0.15) for customers that use firewalls with the Anti-Spam Junk Store feature enabled (Junk Store 7.6.9). 

The server administration community has dubbed this bug "Y2K22" because to its resemblance to the infamous Y2K bug, a date-related bug that was feared to cause numerous computer systems, and possibly the whole world economy, to crash at the turn of the century. FIP-FS is a malware-scanning engine built into Microsoft Exchange 2016 and 2019 servers. This engine employs a signature file that holds dates as 32-bit integers. The most significant integer that can be stored in 32 bits is 2147483647. 

Everything was acceptable for the dates in 2021 because it was stamped as 211231XXXX (for 31st December). However, as of the start of the next year, January 1st, 2022, it was converted to 2201010001. When attempting to format in 32 bits, which is greater than the maximum number allowed. As a result, date/time validations on the server software would fail, resulting in emails not being sent and stacking up on servers.

Despite the fact that SonicWall has not explained what is causing the Y2K22 bug in its devices, they are not the only company affected by this problem. Honda and Acura owners began claiming that their in-car navigation systems' clocks were automatically set back 20 years, to January 1st, 2002, beginning on January 1st. According to sources, the Y2K22 bug affects nearly all older vehicle models, including the Honda Pilot, Odyssey, CRV, Ridgeline, Odyssey, and Acura MDX, RDX, CSX, and TL.

Google: Russian APT Targeting Journalists and Politicians

 

On October 7, 14,000 Google customers were informed that they were potential targets of Russian government-backed threat actors. The next day, the internet giant released cybersecurity upgrades, focusing on high-profile users' email accounts, such as politicians and journalists. 

APT28, also known as Fancy Bear, a Russian-linked threat organisation, has allegedly increased its efforts to target high-profile people. According to MITRE ATT&CK, APT28 has been operating on behalf of Russia's General Staff Main Intelligence Directorate 85th Main Special Service Center military unit 26165 since at least 2004. 

This particular operation, discovered in September, prompted a Government-Backed Attack alert to Google users this week, according to Shane Huntley, head of Google's Threat Analysis Group, or TAG, which handles state-sponsored attacks. 

Huntley verified that Gmail stopped and categorised the Fancy Bear phishing operation as spam. Google has advised targeted users to sign up for its Advanced Protection Program for all accounts. 

Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center, told ISMG: "Nation-state-backed APTs are nothing new and will continue to be a significant menace … as cyber warfare is simply a part of modern geopolitics."

Huntley said on Thursday in his Twitter thread, "TAG sent an above-average batch of government-backed security warnings. … Firstly these warnings indicate targeting NOT compromise. … The increased numbers this month come from a small number of widely targeted campaigns which were blocked." 

"The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions. … If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn't be a surprise. At some point some govt. backed entity probably will try to send you something."

Google's Security Keys 

Following the news of Fancy Bear's supposed targeting of high-profile individuals, Google stated in a blog post that cybersecurity functionalities in its APP programme will safeguard against certain attacks and that it was collaborating with organisations to distribute 10,000 free security keys to higher-profile individuals. The keys are two-factor authentication devices tapped by users during suspicious logins. 

According to Grace Hoyt, Google's partnerships manager, and Nafis Zebarjadi, its product manager for account security, Google's APP programme is updated to adapt to evolving threats - it is accessible to users, but is suggested for elected officials, political campaigns, activists, and journalists. It protects from phishing, malware, harmful downloads, and unwanted access. 

Alvarado, currently the threat intelligence team lead at the security firm Digital Shadows stated, "Although Google's actions are certainly a step in the right direction … the old saying, 'Where there is a will, there is a way,' still applies. … These [security] keys will undoubtedly make an attacker's job more difficult, but there are plenty of other options and vulnerabilities for [threat actors] to achieve their goals. 

KnowBe4's Kron alerted, "These security keys, while useful in their own limited scope, do not stop phishing emails from being successful. They only help when an attacker already has access to, or a way to bypass, the username and password for the email account being targeted." 

Global Partnerships 

Google stated it has partnered with the International Foundation for Electoral Systems, the UN Women Generation Equality Action Coalition for Technology and Innovation; and the nonprofit, nonpartisan organisation Defending Digital Campaigns in its initiatives to distribute 10,000 security keys. Google claims that as part of its partnership with the IFES, it has sent free security keys to journalists in the Middle East and female activists throughout Asia. 

Google stated it is giving security training through UN Women for UN chapters and groups that assist women in media, politics, and activism, as well as those in the C-suite. 

2FA Auto-Enrollment 

In a blog post on October 5, Google's group product manager for Chrome, AbdelKarim Mardini, and Guemmy Kim, Google's director of account security and safety, wrote that by the end of 2021, Google also aims to auto-enrol 150 million additional users in two-factor authentication - and require 2 million YouTubers to do the same. 

"We know that having a second form of authentication dramatically decreases an attacker's chance of gaining access to an account," Mardini and Kim wrote. 

"Two-step verification [is] one of the most reliable ways to prevent unauthorized access," Google said in May that it will soon begin automatically enrolling customers in 2-Step Verification if their accounts were configured correctly. 

This week, Google announced that it is auto-enrolling Google accounts with "proper backup mechanisms in place" to move to 2SV.

Hackers use BazarCall Malware to Infect Victims

 

The most current strategy for tainting your PC is astoundingly antiquated: It utilizes a telephone call. Online researchers are documenting a new malware campaign that they've named "BazarCall." One of its primary malware "payloads" is the BazarLoader remote-access Trojan, which can give a hacker full authority over your PC and be utilized to install more malware. 

In the same way as other malware campaigns, BazarCall begins with a phishing email but from that point goes amiss to a novel distribution method - utilizing phone call centers to circulate pernicious Excel documents that install malware. Rather than bundling attachments with the email, BazarCall emails brief clients to call a telephone number to cancel a subscription before they are naturally charged. These call centres would then direct clients to a specially crafted website to download a "cancellation form" that installs the BazarCall malware. 

All BazarCall assaults begin with a phishing email targeting corporate clients that express the recipient's free trial is about to run out. Be that as it may, these emails don't give any insights about the supposed subscription. The emails at that point brief the client to contact a listed telephone number to cancel the subscription before they are charged $69.99 to $89.99 for a renewal. While the greater part of the emails seen by BleepingComputer has been from a fictitious company named "Medical reminder service, Inc.", the emails have additionally utilized other phony organization names, for example, 'iMed Service, Inc.', 'Blue Cart Service, Inc.', and 'iMers, Inc.' 

All these emails use similar subjects, for example, "Thank you for using your free trial" or "Your free trial period is almost over!" Security researcher ExecuteMalware has put together a more broad list of email subjects utilized by this assault. At the point when a recipient calls the listed telephone number, they will be set on a short hold and afterward be welcomed by a live individual. When asked for more data or how to cancel the subscription, the call center agent asks the victim for a unique customer ID enclosed in the email.

Randy Pargman, Vice President of Threat Hunting and Counterintelligence at Binary Defense, disclosed to BleepingComputer that this unique customer ID is a core component of the assault and is utilized by the call center to decide whether the caller is a targeted victim.

Remote Working Susceptible to Data Risks, 83% of Organizations at Suffer Email Breaches


As per the report by Egress, 95% of cybersecurity experts believe company and client data in e-mails is at risk. Besides this, a massive 83% of firms have been targets of data breaches through these attacks in the last twelve months. Human error is the primary cause of almost a quarter of these incidents, around 24% caused by an empty who shared data by mistake. For instance, forwarding an email that consists of important information to the wrong recipient or sending a wrong attachment. The report enquired 500 IT leaders and 3000 work from home employees in the US and UK across various vertical sectors consisting financial sector, legal, and healthcare. 

The downside of remote working 

Work from home culture has left employees highly dependent on working with emails, especially using them for sharing sensitive data. Since the start of the Covid-19 pandemic, 85% workforce has confirmed sending more emails. It has exposed the user to more risks and attacks involving outbound email data breaches. The report also revealed that around 60% of team members work in an environment that is usually buzzing with distractions and noise. These generally include communal spaces and shared home offices. 

Besides the problems related to confidentiality, these distractions that employees face in the work environment often lead to more risks of a data breach. The risk is intensified more by work stress and fatigue, report shows around 73% of employees said that they feel low due to the pandemic. The blend of home and work life resulted in many employees working for long hours in an overwhelming environment, while both of these factors increasing the chances of a data breach. 

Tony Pepper, CEO, Egress said "it's clear to see that legacy DLP tools are no longer fit for purpose; they’re difficult to use and because they can’t take people’s behavior into consideration, they’re limited in their ability to mitigate the rising tide of email data breaches in this new world of remote working. He further said, "employees continue to work in challenging environments, and the lines between work and home life have been blurred. All of this contributes to the likelihood that a costly mistake might be made."

Emotet trojan is back with a bang

Emotet gang takes their operation to a whole new level, showing why they're today's most dangerous malware. It would seem it now has taken on new tactics in the form of hijacking users old email chains and then responding from a spoofed address to portray legitimacy, this additional tactic can heighten a hackers chances when stealing financial information once a victim has been lured into clicking on said malicious content. Targeted emails appears to affect both private and public sectors, including government, particularly those that provide financial and banking services.

Emotet is a known banking Trojan, discovered five years ago, first in Europe and the USA. It started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

It injects itself into a user’s device via malspam links or attachments, with the intent to steal financial data. It targets banking emails and can sometimes deploy further attacks once inside a device.

The Emotet malware gang is now using a tactic that has been previously seen used by nation-state hackers.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

This campaign targeted mainly Chile and used living off the land techniques (LotL) to bypass Virus Total detections. This up and coming tactic uses already installed tools on a users’ device to remain undetected for as long as possible.

During ransomware attack, student's GCSE coursework seized

Sir John Colfox Academy, in Bridport, was the target of hackers, believed to be from China, after a member of staff mistakenly opened an email that contained virus and infected the school’s entire computer network. The email claimed to be from a teacher at another Dorset school.

Hackers seized pupil’s GCSE courework of the secondary school and demanded cash or returning it.

The Sir John Colfox Academy has about 1,000 pupils. The coursework was from one subject submitted by Year 11 students, which was saved on the school' system.

Head teacher David Herbert said: "We are liaising with the relevant exam boards about this specific issue."

Police have launched an investigation into the cyber attack.

Neither police nor the school have said how much money was demanded for the return of the coursework, but police say no money has been paid.

Lee County Tax Collector’s email hacked

On Thursday, an email went out from the office of Lee County Tax Collector Larry Hart, sent by hackers having gained access to his email.





It has been reported that Hart was using a device out of his office and the device was compromised.

Lee County taxpayers are now worried that their information might have been compromised in the hack. However, Noelle Branning, Deputy Chief Tax Collector, said that because Larry Hart rarely emails taxpayers directly, they aren’t likely to have received the email.

"We don't think our taxpayers need to have any concern," Branning said. "Additionally, it doesn't appear that any taxpayer information has been compromised in any way."

While the office maintains that it does not seem that any information has been compromised, Branning cautions anyone opening an email from Hart to be careful.

"If it's an email coming from Mr. Hart containing an attachment or a link, no one should open the attachment, nor should they try to click on the link," said Branning.

Hart’s account has been disabled as a security measure and is undergoing a forensic exam. A cybersecurity professional is helping them get to the bottom of the hack. Meanwhile, an organisation-wide advisory has been sent to make them aware of the risk.

Other counties have also been warned of the possibility of a hack.

Mailsploit: Email that permits sender spoofing

Pretending to be somebody you're not in an email has never been very sufficiently hard – all thanks to phishing, that endless scourge of web security. In any case, now one researcher recently, has uncovered another gathering of bugs in an email program that by and large strip away even the current, defective protections against email impersonation, enabling anybody to imperceptibly spoof a message with no allude at all to the recipient.

 On Tuesday, Sabri Haddouche, a developer and a bug hunter revealed a noteworthy new email spoofing strategy. Named Mailsploit, the strategy use bugs in email clients and enables hackers to dispatch imperceptible email spoofing attack, including well know clients like Microsoft outlook 2016, apple mail, Yahoo! Mail and many more.

Mailsploit has the capacity to effectively go through email servers and circumvent the already established spoofing protection like DMARC and other spam filters. This implies that if the server is configured to utilize DMARC or Domain Keys Identified Mail (DKIM) it will regard a message as genuine, regardless of whether it ought to be spam-binned. Through a demo that Haddouche has made accessible on his site depicting the Mailsploit attack gives anybody the access to send messages from whichever address they desire; thinkblue@whitehouse.gov, redpigeon.9898@gmail.com or some other made up the email address that may trap somebody into surrendering their private information and details. Mailsploit now though has made it possible that no amount of scrutiny in the email client can help uncover the fakery.

 Where is DMARC?

 Domain-based Message Authentication, reporting and conformance, which blocks spoofed emails via painstakingly sifting through those whose headers pretend to originate from an unexpected source in comparison to the server that sent them. This authentication system has progressively been embraced by different administrators throughout the years.

 In any case, Mailspoilt's tricks defeat DMARC by misusing how email servers handle content information uniquely in contrast to desktop and portable or mobile working systems. By creating email headers to exploit the imperfect execution of a 25-year-old framework for coding ASCII characters in email headers known as RFC-1342, and the peculiarity of how Windows, Android, iOS, and macOS handle content, Haddouche has demonstrated that he can surely trap email servers into interpreting the email headers in one way, while email client programs read them in a totally different way.

 The interwoven fixes 

Haddouche says he contacted the majority of the influenced firm’s months prior to caution them about the vulnerabilities he's found. Yahoo! Mail, Protonmail and Hushmail have effectively settled their bugs, while firms like Apple and Microsoft are as yet dealing with it. In any case, Mozilla and Opera both have informed him that they don't plan to settle their Mailspolit bugs as they appear of being simply server-side issues.

 Haddouche further added that email providers and firewalls can likewise be set to filter this attack regardless of whether email clients stay helpless against it. Beyond the particular bugs that Mailspolit features, Haddouche's research focuses on a more principal issue with email authentication, as security add-ons for email like DMARC were intended to stop spam, not focused on spoofing.

Nevertheless, Haddouche recommends the users to stay tuned for more security updates to email clients to fix the Mailsploit bugs. As meanwhile, it's always insightful to treat emails with caution.

Yahoo to the rescue of forgetful users with "on-demand password"

Passwords are not meant to be remembered. It is meant to be generated fresh, every time you forget it.

This is what Yahoo seems to think as the company just introduced an on-demand password system.

The system works like this: After signing into the Yahoo account one has to select Account security from the account information page and opt-in for “On-demand passwords”. Then one has to enter the phone number where Yahoo sends the verification code and after entering this code one never has to worry about memorizing passwords ever again.

It can be argued that the move away from default passwords is welcome as password theft is very common now a days but some feel that the privacy is being sacrificed because anybody with access to the phone for even a few seconds has the potential to read through all your communication.

But the fact remains that peril of default passwords had been dealt well with the two step authentication process; whereby if one logs in from a new device, in addition to the password one is asked for a code that has been sent to the associated mobile number. A move to completely eliminated the first step seems to be inclining towards laxer cyber-security norms.

At a time when Google tries to put one in panic mode by notifying what happens if you forget your password and repeated reports of security breaches makes one paranoid, the move from Yahoo to eliminate passwords has invited mixed reactions.

Presently, it is available only to US users.

While the effort is in the right direction to deal with password security issues by closely connecting the virtual and real identities, the approach adapted seems to be fallacious.