Weaponized Email

Nearly all of the popular domains are inadequately protected from “weaponized” email impersonation by hackers, formerly known as spear phishing.

See the source image

One out of every five emails today appears to come from a suspicious sender who’s not authorized to use the sending domain. It has also been found that only 0.5 percent of the top million domains use adequate authentication strategies to protect against email impersonation, even though most systems support stronger defenses.

Better email authentication defenses could help the typical company save $8.1 million each year in costs related to cybercrime.

These findings come on the heels of a report released last week from Google and the University of California-Berkeley that identified phishing as the greatest threat to people’s online identities.

‘Vast Majority’ of Businesses are Vulnerable

DMARC (domain-based message authentication, reporting, and conformance) is an email security system designed to protect against malicious actors sending unauthorized emails that appear to come from legitimate domains. The DMARC system enables administrators to set policies that validate the “From:” content in email headers comes from legitimate senders at those domains.

“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” ValiMail co-founder and CEO Alexander García-Tobar said in a statement. “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes. The only sustainable solution is for companies to take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks.”

Of organizations that use DMARC to validate their emails, 77 percent have either misconfigured the system or set policies that are too permissive, the ValiMail study found. In fact, only 15 percent to 25 percent of companies in various industries have properly implemented and maintained DMARC protections, the study noted.

‘Alarming Lack of Understanding’

Close to 100,000 phishing email campaigns were reported every month in the early part of this year, according to the Anti-Phishing Working Group, an international coalition of businesses, government organizations, and law-enforcement agencies. Several hundred companies see phishing attacks every few weeks, with businesses in the payment, financial services, and Webmail sectors the most vulnerable, the group said.

The year-long study by Google and the University of California-Berkeley released last week found that phishing poses the top threat against people whose online identities were exposed by Internet data breaches. Google said it has taken several steps in response to boost its authentication systems to defend against phishing.

The new research released today “demonstrates the volume of email fraud threats faced by companies today and highlights the alarming lack of understanding of how to combat these threats,” the Global Cyber Alliance’s Shehzad Mirza said in ValiMail’s statement. “These findings highlight that a lack of email authentication is the most prevalent security vulnerability companies face.”

Late last month, the U.S. Department of Homeland Security issued a directive requiring all federal agencies to begin implementing stronger email security defenses, including DMARC, within 90 days. The move is aimed at preventing federal emails and Web sites from spoofing and impersonation by hackers.

DMARC usage by federal agencies has grown since 2016, although only 38 percent had established adequate record policies as of October, according to the Online Trust Alliance. The ValiMail study noted that DMARC protection is available to most domains.

“Over three-fourths (76 percent) of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if those policies exist,” the report noted.

Share This:

Boomerang Your Email

If you are a dedicated reader of this fine blog you surely know that I am a big fan of Microsoft’s email app, “Outlook”. However if “Outlook” is not for you and email manegement is something that frustrates you – Boomerang may be just what the technology doctor ordered.

Image result for boomerang mail app

Dealing with the hundreds of pitches, follow-ups, and angry emails can basically become a full-time job.

If you want to try something diferent in respect to how you work with your email check out Boomerang. This app, which available on both iOS & Android has been around since 2010 and it has been popular ever since.

Now, Boomerang brings an AI assistant to how email can be managed. Boomerang’s AI assistant uses machine learning and NLP (natural language processing) tech to do much of the heavy sifting for you. Put simply, it reads your email for you, and tells you what it thinks you’ll care about, leaving the irrelevant chaff and garbage marketing emails to one side.

Boomerang now has a little microphone icon. When you tap the microphone and say “brief me,” the app takes you to a briefing page, which contains highlights from your inbox, along with some analytics. It’ll show you, for example, how long it’d take you to clear your inbox, if you made a concerted decision to sit down and play catch-up.

This could be a nice way to start your day without even opening your inbox becuase this displays a quick overview of what awaits your there. I must say I was a bit dissapointed at the time delay from the point in which you say, “brief me” to the time the the “briefing” is displayed on your phone. This length of this delay may be a function of how much email you have in your inbox.

Share This:

Creating Email Signatures

Creating a professional email signature can be daunting, from figuring out which details to include to how to format it. But with the right online tool, the process can be extremely easy. That’s good news because email signatures are perfect for sharing contact information and promoting your company.

One of the easiest and most straightforward (and completely free!) tools is MySignature. There are no upgrades you have to pay for, no extensions you have to install, and you don’t even have to create an account to use the service.

MySignature has five small tabs where you can fill in your information. These tabs are:

  1. General: Name, phone, mobile, website, Skype, email, and address.
  2. Photo: Upload a photo, which you will have to crop into a 1:1 image.  You can adjust its size and shape (square, rounded corners, or circle).
  3. Company: Company name, position, and department.
  4. Style: Choose a theme color, text size, and typeface. Typeface choices are limited to Georgia, Arial, Courier New, Lucida Console, and for reasons we cannot understand, Comic Sans.
  5. Social: Add buttons to 12 online platforms including Facebook, LinkedIn, Twitter, Instagram, and YouTube.

There are also five templates to choose from, some of which override some of the style options. The templates change the placement of the social media icons and the formatting of your text.

Once you’ve got your signature looking how you want it, you can simply copy and paste it into the email program or platform of your choice. We found that some of the formatting such as font size was lost in desktop apps like Outlook, but worked flawlessly in online options like Gmail.

Adding a few additional features, like the ability to add custom fields (e.g. for disclaimers) or some basic HTML, would make MySignature an even more handy tool to keep in your online arsenal. But even without, it’s excellent.

Share This:

Verizon Gives Up on Email Service

Do you use a Verizon email account? Pretty soon, that could be an AOL account. I missed this story entirely until my dad called me asking what he should do with his Verizon email account. At first I thought my dad was a victim of a phishing attack… but as is usually the case… my dad was right and I was wrong.

So after my dad called I did a little research and this is what I discovered.

Verizon has recently been notifying customers that it is giving up control of 4.5 million customer email accounts and will be migrating those accounts to AOL — a move that may give some flashbacks to the 1990’s. (Although I do not expect any free CD’s!)

Customers have 30 days to choose one of three options before they lose access to their accounts:

  1. Head over to AOL.
  2. Transfer their email to another provider or
  3. Leave their accounts alone to be deleted.

Verizon users who choose the AOL option will still be able to keep their existing addresses, which will carry the “verizon.net” ending. They will, however, have to let Verizon know that they want to hang on to their addresses and log in through AOL’s system from now on.

Why the change? According to an information page on Verizon’s website, the company stated that it realized there are “more capable email platforms out there”, including AOL Mail, which has been owned by Verizon since 2015.

Migrating from Verizon to AOL will apparently be easy. Users interested in keeping their email addresses will not have to do much. Verizon will migrate the contacts, calendars, email and other information to AOL for them.

Depending on your situation AOL may actually be the right choice, however this will also be a good time for many to look at service providers like Google & Microsoft.

For my dad, I am thinking AOL will be his best option.

Share This:

Beware Holiday Email Scams

It’s the holiday season, which means shopping is buzzing more than usual. Many of us are are using online storefronts to purchase our gifts. While this is quite convenient, it can also lead to some problems.

holidayscams-100532824-primaryidge

We know that scam emails are nothing new, but recently a fake email claiming to come from Amazon has cycled around. The message reads as follows:

Hello,

There was a problem processing your order. You will not be able to access your account or place orders with us until we confirm your information.click here to confirm your account. We ask that you not open new accounts as any order you place may be delayed.

 

For more details, read our Amazon Prime Terms & Conditions.

Of course, this is garbage. Clicking on the link in this email leads you to a fake “Amazon” login page, where the scammers ask you to kindly enter your credit card information. Once you’ve done so, it redirects you to the real Amazon website, but the damage is already done.

It’s worth reiterating email safety tips so you don’t fall victim to traps like these. Never click through links in emails that ask for personal information. If you receive an email you aren’t sure about, go to amazon.com in your browser and sign into your account from there. Amazon and other reputable companies will never ask you for your password or other sensitive info via email.

Amazon also asks that if you receive a spoofed email like this, forward it to stop-spoofing@amazon.com so they can review it.

Of course, this is garbage. Clicking on the link in this email leads you to a fake “Amazon” login page, where the scammers ask you to kindly enter your credit card information. Once you’ve done so, it redirects you to the real Amazon website, but the damage is already done.

It’s worth reiterating email safety tips so you don’t fall victim to traps like these. Never click through links in emails that ask for personal information. If you receive an email you aren’t sure about, go to amazon.com in your browser and sign into your account from there. Amazon and other reputable companies will never ask you for your password or other sensitive info via email.

Amazon also asks that if you receive a spoofed email like this, forward it to stop-spoofing@amazon.com so they can review it.

Share This:

FBI Probes More Emails from Clinton’s Private Server

This is not a political blog. We cover technology. In an example of just how technology is tangled in our lives is the current presidential election. This year’s presidential election has been tied up and may hinge on something that we should all be aware of.

Email management.

I have spoken about it, I have written about it, and I have taught classes on it. Over the past 20 years we have all become so comfortable with it that we often use it unwisely. Countless people have lost their job over it. This included General David Petraeus who in the November of 2012 was forced to resign as Director of the CIA. Although there were other behaviors that resulted in this resignation, General Petraeus’ email management played a role as well.

Of course we all use email, both at home and at work for many topics. Most will not get you in trouble. However it is easier then you may think to get in legal trouble.

Who Our Next President Is May Rest on Email Management

Now less then 2 weeks from the election for the presidency of the United States one of the candidates is answering questions about her email management and the conversations found.

The FBI has uncovered new emails related to Hillary Clinton’s use of a private email server, prompting federal authorities to investigate them.

The FBI discovered the emails as part of an “unrelated case,” FBI Director James Comey said in a letter to a congressional committee that was later tweeted on Friday.

103894270-gettyimages-534816054-530x298

These emails “appear to be pertinent” to the FBI’s original investigation into Clinton’s private server use, which the agency wrapped up back in July, Comey said. Clinton, now the Democratic nominee for U.S. president, used the private server while she served as Secretary of State.

Comey said he agreed to allow the FBI to determine if the newly uncovered emails contain any classified information, “as well as to assess their importance” to its original investigation.

The FBI can’t say whether the emails are significant or how long the agency will take to probe them, he added.

On Friday, the FBI confirmed that a letter was sent out to members of Congress but declined to offer further comment.

U.S. House Speaker Paul Ryan, a Republican, said on Twitter the FBI had essentially reopened its investigation into Clinton’s private email server use.

“She was entrusted with some of our nation’s most important secrets, and betrayed that trust by carelessly mishandling highly classified information,” he said in a statement.

He’s asking the U.S. director of national intelligence to suspend all classified briefings with Clinton until the matter is resolved.

Clinton and her presidential campaign have yet to respond to the FBI’s new investigation.

In July, the FBI concluded that Clinton had been “extremely careless” in her use of a private email server, but the agency didn’t recommend filing any charges against her.

The FBI said Clinton’s server faced ongoing cyber threats from possible hackers, including phishing email attacks and failed login attempts. However, the agency found no evidence confirming that the server was ever compromised.

The letter from FBI’s director didn’t mention how the newly uncovered emails were obtained or where they came from.

However, recently stolen emails from a Clinton aide have been published through WikiLeaks and include allegedly thousands of private messages between U.S. officials and her staff.

The Fate of a Nation

What happens in the next 2 weeks no one knows. The course of the the most powerful nation this world has ever seen may rest on…. email.

Share This:

Checking your Email Security with Hacked

Hardly a week goes by when we do not hear about a security breach at some company that results in the loss of user credentials and other personal information. The sheer numbers of these events can also be challenging to keep up with these days.

Screenshot: See all the breaches your email was found in and exactly was was taken in that breach

This past week a new Universal Windows Platform (UWP) app arrived for Windows 10 that can provide us all with the ability to easily keep up with these breaches and it just takes a little initial work from us to get started.

Hacked is from Lancelot Software and you will find it available through the Windows Store for both desktops, tablets and mobile Windows 10 devices.

The features of Hacked? according to the software developer include:

  • Easy to use: All you need to do is enter the email address you want monitored – Hands-off: Background monitoring of all your email addresses
  • Safe: The app uses the industry-trusted Troy Hunt’s massive haveibeenpwned database of breaches
  • Updated: the haveibeenpwned database scans pastes frequently, you’ll always have fresh data to compare against
  • Privacy: This app will never share your email addresses with anyone outside of the haveibeenpwned API (which itself uses the secure HTTPS protocol)
  • After testing this app I have one big request for the author – cloud sync of the accounts I add to Hacked? on different devices.

Currently you must manually enter all of the accounts you want tracked on each device which unfortunately can be very labor intensive.

Share This:

Avoiding Email Scams with 10 Easy Tips

Recently I have been asked about a couple of suspicious email messages, which were both of course not legitimate messages but scams in which the sender, a truly bad guy was “phishing” in order to steal money from the receiver.

Every day countless phishing emails are sent to unsuspecting victims all over the world. While some of these messages are so outlandish that they are obvious frauds, others can be a bit more convincing. So how do you tell the difference between a phishing message and a legitimate message? Unfortunately, there is no one single technique that works in every situation, but there are a number of things that you can look for.

This article lists 10 of them.

1: The message contains a mismatched URL

One of the first things I recommend checking in a suspicious email message is the integrity of any embedded URLs (or website addresses). Often the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the top of the URL, you should see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is more then likely fraudulent or malicious.

2: URLs contain a misleading domain name

People who launch phishing scams often depend on their victims not knowing how the DNS naming structure for domains works. The last part of a domain name is the very telling. For example, the domain name info.brienposey.com would be a child domain of brienposey.com because brienposey.com appears at the end of the full domain name (on the right-hand side). Conversely, brienposey.com.maliciousdomain.com would clearly not have originated from brienposey.com because the reference to brienposey.com is on the left side of the domain name.

I have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a child domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

I have found that sadly this often works because most people trust companies like “Microsoft” and “Apple” so when long standing names like this are used people often let their guard down. The lesson here is to never let your guard down when it comes to email messages.

3: The message contains poor spelling and grammar

Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality, among other things. So if a message is filled with poor grammar or spelling mistakes, it probably did not come from a major corporation’s legal department.

4: The message asks for personal information

No matter how official an email message might look, it’s always a bad sign if the message asks for personal information. Your bank does not need you to send it your account number. It already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

5: The offer seems too good to be true

There is an old saying that if something seems too good to be true, it probably is. That holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.

6: You didn’t initiate the action

Just yesterday I received an email message informing me I had won the lottery! The only problem is that I have never-ever bought a lottery ticket. If you get a message informing you that you have won a contest you did not enter, you can bet that the message is a scam.

7: You’re asked to send money to cover expenses

One telltale sign of a phishing email is that you will eventually be asked for money. You might not get hit up for cash in the initial message. But sooner or later, phishing artists will likely ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

8: The message makes unrealistic threats

Although most of the phishing scams try to trick people into giving up cash or sensitive information by promising instant riches, some phishing artists use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam. Let me give you an example.

Just recently a workmate received an official looking email that was allegedly from a co-worker. The email went on to ask for our “account number” and “routing number”. Although it appeared to be an email from one staffer to another staffer the email originated from a hidden domain and as I mentioned in Tip #3 the spelling and grammar was poor.

Also – As I mentioned in Tip #4 – legitimate companies will not ask for sensitive information by email and you – of course should never-ever send this type of information via email.

9: The message appears to be from a government agency

Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes they will send messages claiming to have come from a law enforcement agency like the IRS, the FBI, or just about any other entity that might scare the average law-abiding citizen.

I can’t tell you how government agencies work outside the United States. But here, government agencies do not normally use email as an initial point of contact. That isn’t to say that law enforcement and other government agencies don’t use email. However, law enforcement agencies follow certain protocols. They do not engage in email-based extortion.

10: Something just doesn’t look right

In Las Vegas, casino security teams are taught to look for anything that JDLRjust doesn’t look right, as they call it. The idea is that if something looks off, there’s probably a good reason why. This same principle also applies to email messages. If you receive a message that seems suspicious, it is usually in your best interest to avoid acting on the message.

Share This:

Email Issues with Outlook 2016 for POP3 Arise

Having any issues with deleted or duplicated emails lately?

A recent Microsoft Support Knowledge Base article has been posted that describes a problem with POP3 accounts.

POP3 accounts are what providers such as Verizon and Comcast rely on for their email service.

outlook

The article, KB3145116, describes the following as the symptoms that are indicative of this issue:

  • After Outlook downloads your email, all the email messages on the server are deleted from the Inbox.
  • Email messages are downloaded multiple times in Outlook, causing duplicate items.

The issues described above occur if you are using Outlook 2016 version 16.0.6568.2025 and have setup any email accounts that are accessed using the POP3 protocol.

There are three settings that may cause the inadvertent and unexpected removal or duplication of emails if you have the Leave a copy of messages on the Server enabled along with these options:

  • If Remove from server after X days is enabled it may cause emails to be deleted from your account on the server.
  • If Remove from server after X days is disabled it may cause emails to be duplicated in your local account.
Outloook 2016 POP3 Account Settings

Microsoft is currently looking into this problem and will update the knowledge base article once they have more information. I am sure an appropriate update will also be shipped once they know what needs to be updated/modified.

In the interim they have published two workaround options for this which include using IMAP instead of POP3, if your service provider supports it of course, while the second method is to revert back to a previous version of Outlook/Office 2016.

Unfortunately, not everyone has the ability to use either of those options so hopefully this gets resolved sooner rather than later.

If you can take advantage of either workaround you can get the full step by step process on the KB3145116 page at Microsoft’s Support site.

Share This:

Is Your iPhone Hiding Your Email?

A bug in iOS is periodically hiding email messages, in a way that makes the messages appear to have been deleted.

Here’s how the bug makes its presence known. (And, yes, it’s an intermittent bug, which is tech support’s favorite phrase.) Let’s say you just downloaded 50 email messages. As you scan your mobile inbox, you notice four messages that you need to respond to right away. The others are junk that you want to delete now so that you can focus on the critical ones.

You then choose “Edit” and select everything other than the four important messages. You select “Trash” and, poof! Everything disappears. But wait, I specifically did not delete those four crucial messages. What happened?

When this delightful bug first hit me, I thought that I might have accidentally selected the “Delete All” option within the latest iOS email. When it happened again, though, I was ultra-careful and it did the exact same thing.

Why am I saying the critical messages (the ones you deliberately chose to not delete) are hidden and not deleted? That’s where this mess gets interesting. Despite having an inbox with no messages in it, I backed out to the top-level email screen. Instead of it showing what I expected—zero unread messages in the inbox—it said that there four unread messages. I have run into this bug more than 50 times (have been working with Apple support on this since late last year) and it always present itself identically. The number of “unread messages” is always the number of messages I told it to not delete.

Here’s more evidence for those messages being hidden and not deleted. When I went to the inbox and downloaded more messages, I used the inbox’s search bar. When I searched for whatever words I remembered from the important messages’ subject lines, the messages were always found. The search bar could see them, the top-level email app could see them, but the lowly end-user couldn’t see them.

The bug has one last attribute. Several hours after it mischievously hides your critical messages, it kind of sort of returns. It displays this iOS dialogue box: “Unable to move messages. The messages could not be moved to the mailbox Trash” and then it restores all of your recently deleted messages, including the ones that you wanted to save and were hidden.

Of course, that happens hours after you needed the messages.

This bug materializes about one out of every six or seven times the opportunity presents itself. To do it, you first need a bunch of messages in your inbox and then you need to select all but a handful to delete. Have no idea why it happens only periodically, but that it does.

No surprise, but the issue isn’t presenting when looking at the messages on the server, nor when accessing the mail from any other device, such as a Windows laptop. And given that the iPhone coughs the messages back up several hours later, it appears clear that it’s an iOS issue.

It’s worth noting that I discovered this glitch right after Apple introduced the long-delayed “Delete All” function for its email. My immediate suspicion was that the two were related.

This is a serious problem, as mobile devices are rapidly morphing into a power user’s main email access unit, rather than the supplemental way smartphones were used a few years ago in enterprises. The more a user travels, the more mission-critical the device’s ability to retrieve and present email becomes.

The workaround is unpleasant. When I see a crucial email on the phone, I choose to not delete any messages until I no longer need that message. But with my receiving hundreds of emails a day—many of them newsletters and Google news alerts—it’s really hard to keep the inbox functional when it gets that crowded. When traveling, the inbox quickly becomes impractical.

Hence, Apple really needs to make this glitch go away. First, though, it needs to admit that it exists.

Share This:

1 2 3 35