Weaponized Email

Nearly all of the popular domains are inadequately protected from “weaponized” email impersonation by hackers, formerly known as spear phishing.

One out of every five emails today appears to come from a suspicious sender who’s not authorized to use the sending domain. It has also been found that only 0.5 percent of the top million domains use adequate authentication strategies to protect against email impersonation, even though most systems support stronger defenses.

Better email authentication defenses could help the typical company save $8.1 million each year in costs related to cybercrime.

These findings come on the heels of a report released last week from Google and the University of California-Berkeley that identified phishing as the greatest threat to people’s online identities.

‘Vast Majority’ of Businesses are Vulnerable

DMARC (domain-based message authentication, reporting, and conformance) is an email security system designed to protect against malicious actors sending unauthorized emails that appear to come from legitimate domains. The DMARC system enables administrators to set policies that validate that the “From:” content in email headers comes from legitimate senders at those domains.

“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” ValiMail co-founder and CEO Alexander García-Tobar said in a statement. “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes. The only sustainable solution is for companies to take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks.”

Of organizations that use DMARC to validate their emails, 77 percent have either misconfigured the system or set policies that are too permissive, the ValiMail study found. In fact, only 15 percent to 25 percent of companies in various industries have properly implemented and maintained DMARC protections, the study noted.
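As an added illustration (not taken from the ValiMail study or any vendor's code), the Python below parses the TXT records a domain publishes at _dmarc.<domain> and sorts them into the situations described above: no record, misconfigured, too permissive, or enforced. The category names and the sample records are assumptions made for this example; the record syntax follows RFC 7489.

```python
# Added example: audit DMARC TXT records (syntax per RFC 7489).
# The category names below are this example's own labels.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Return a tag -> value dict, or None if the record is malformed."""
    tags = {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name:
            return None
        # The version tag must come first and be exactly DMARC1.
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None
        tags.setdefault(name, value)
    return tags or None


def classify(txt_records):
    """Classify the TXT strings found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if not dmarc:
        return "no-record"
    if len(dmarc) > 1:
        return "invalid"  # more than one record: receivers apply no policy
    tags = parse_dmarc(dmarc[0])
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    subdomain_policy = tags.get("sp", policy).lower()
    if policy not in VALID_POLICIES or subdomain_policy not in VALID_POLICIES:
        return "invalid"  # treated here as a misconfiguration to fix
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if policy == "none":
        return "monitor-only"  # reports only; spoofed mail is still delivered
    if pct < 100 or subdomain_policy == "none":
        return "partial"  # some spoofed mail escapes the policy
    return "enforced"


# Constructed sample records, not taken from any real domain.
SAMPLES = {
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "subdomain.example": ["v=DMARC1; p=reject; sp=none"],
    "typo.example": ["v=DMARC1; p=rejct"],
    "double.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "spf-only.example": ["v=spf1 include:_spf.example.net -all"],
}


def audit(samples=SAMPLES):
    """Map each sample domain to its classification."""
    return {domain: classify(records) for domain, records in samples.items()}


if __name__ == "__main__":
    for domain, verdict in audit().items():
        print(f"{domain:20} {verdict}")
```

Only the "enforced" result tells receiving mail servers to act on every unauthenticated message for the domain and its subdomains.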

‘Alarming Lack of Understanding’

Close to 100,000 phishing email campaigns were reported every month in the early part of this year, according to the Anti-Phishing Working Group, an international coalition of businesses, government organizations, and law-enforcement agencies. Several hundred companies see phishing attacks every few weeks, with businesses in the payment, financial services, and Webmail sectors the most vulnerable, the group said.

The year-long study by Google and the University of California-Berkeley released last week found that phishing poses the top threat against people whose online identities were exposed by Internet data breaches. Google said it has taken several steps in response to boost its authentication systems to defend against phishing.

The new research released today “demonstrates the volume of email fraud threats faced by companies today and highlights the alarming lack of understanding of how to combat these threats,” the Global Cyber Alliance’s Shehzad Mirza said in ValiMail’s statement. “These findings highlight that a lack of email authentication is the most prevalent security vulnerability companies face.”

Late last month, the U.S. Department of Homeland Security issued a directive requiring all federal agencies to begin implementing stronger email security defenses, including DMARC, within 90 days. The move is aimed at preventing federal emails and Web sites from spoofing and impersonation by hackers.

DMARC usage by federal agencies has grown since 2016, although only 38 percent had established adequate record policies as of October, according to the Online Trust Alliance. The ValiMail study noted that DMARC protection is available to most domains.

“Over three-fourths (76 percent) of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if those policies exist,” the report noted.

Boomerang Your Email

If you are a dedicated reader of this fine blog you surely know that I am a big fan of Microsoft’s email app, “Outlook”. However, if “Outlook” is not for you and email management is something that frustrates you – Boomerang may be just what the technology doctor ordered.

Dealing with the hundreds of pitches, follow-ups, and angry emails can basically become a full-time job.

If you want to try something different in respect to how you work with your email, check out Boomerang. This app, which is available on both iOS & Android, has been around since 2010 and it has been popular ever since.

Now, Boomerang brings an AI assistant to how email can be managed. Boomerang’s AI assistant uses machine learning and NLP (natural language processing) tech to do much of the heavy sifting for you. Put simply, it reads your email for you, and tells you what it thinks you’ll care about, leaving the irrelevant chaff and garbage marketing emails to one side.

Boomerang now has a little microphone icon. When you tap the microphone and say “brief me,” the app takes you to a briefing page, which contains highlights from your inbox, along with some analytics. It’ll show you, for example, how long it’d take you to clear your inbox, if you made a concerted decision to sit down and play catch-up.

This could be a nice way to start your day without even opening your inbox because this displays a quick overview of what awaits you there. I must say I was a bit disappointed at the time delay from the point in which you say, “brief me” to the time the “briefing” is displayed on your phone. The length of this delay may be a function of how much email you have in your inbox.

Creating Email Signatures

Creating a professional email signature can be daunting, from figuring out which details to include to how to format it. But with the right online tool, the process can be extremely easy. That’s good news because email signatures are perfect for sharing contact information and promoting your company.

One of the easiest and most straightforward (and completely free!) tools is MySignature. There are no upgrades you have to pay for, no extensions you have to install, and you don’t even have to create an account to use the service.

MySignature has five small tabs where you can fill in your information. These tabs are:

  1. General: Name, phone, mobile, website, Skype, email, and address.
  2. Photo: Upload a photo, which you will have to crop into a 1:1 image.  You can adjust its size and shape (square, rounded corners, or circle).
  3. Company: Company name, position, and department.
  4. Style: Choose a theme color, text size, and typeface. Typeface choices are limited to Georgia, Arial, Courier New, Lucida Console, and for reasons we cannot understand, Comic Sans.
  5. Social: Add buttons to 12 online platforms including Facebook, LinkedIn, Twitter, Instagram, and YouTube.

There are also five templates to choose from, some of which override some of the style options. The templates change the placement of the social media icons and the formatting of your text.

Once you’ve got your signature looking how you want it, you can simply copy and paste it into the email program or platform of your choice. We found that some of the formatting such as font size was lost in desktop apps like Outlook, but worked flawlessly in online options like Gmail.

Adding a few additional features, like the ability to add custom fields (e.g. for disclaimers) or some basic HTML, would make MySignature an even more handy tool to keep in your online arsenal. But even without, it’s excellent.

Verizon Gives Up on Email Service

Do you use a Verizon email account? Pretty soon, that could be an AOL account. I missed this story entirely until my dad called me asking what he should do with his Verizon email account. At first I thought my dad was a victim of a phishing attack… but as is usually the case… my dad was right and I was wrong.

So after my dad called I did a little research and this is what I discovered.

Verizon has recently been notifying customers that it is giving up control of 4.5 million customer email accounts and will be migrating those accounts to AOL — a move that may give some flashbacks to the 1990’s. (Although I do not expect any free CD’s!)

Customers have 30 days to choose one of three options before they lose access to their accounts:

  1. Head over to AOL.
  2. Transfer their email to another provider or
  3. Leave their accounts alone to be deleted.

Verizon users who choose the AOL option will still be able to keep their existing addresses, which will carry the “verizon.net” ending. They will, however, have to let Verizon know that they want to hang on to their addresses and log in through AOL’s system from now on.

Why the change? According to an information page on Verizon’s website, the company stated that it realized there are “more capable email platforms out there”, including AOL Mail, which has been owned by Verizon since 2015.

Migrating from Verizon to AOL will apparently be easy. Users interested in keeping their email addresses will not have to do much. Verizon will migrate the contacts, calendars, email and other information to AOL for them.

Depending on your situation AOL may actually be the right choice, however this will also be a good time for many to look at service providers like Google & Microsoft.

For my dad, I am thinking AOL will be his best option.

Building Fuzzy Engine

While the very notion of a lightweight email search tool may seem quaint in this mobile/cloud era, Microsoft may actually be on to something here. Its new Email Insights app for Windows 10 promises faster, more relevant email searches than what’s possible today in Microsoft Outlook or Gmail.

“Searching through emails can be tedious at times,” the Email Insights website notes. “You might have to keep scrolling to find that elusive email. We present a lightweight no-frills email application to alleviate these problems.”

Searching your email can be a daunting and frustrating experience and Email Insights strives to finally rectify this problem. The app works with both Outlook 2016 and Gmail. You can download Email Insights from the Windows Store.

I tested the new app today and I can report that it works as advertised, and seems to work quickly. Email appears inline in the search results, and you can expand each message individually to read more.

Be aware that the install took almost 10 minutes for me (Surface Book) and I really enjoyed some of the messages during install like, “Building Fuzzy Engine” which I have no idea what it means.

I believe that Email Insights will be a big deal for Outlook users, since that application is so terrible (with searches). Further, this would be a much bigger deal if Microsoft simply integrated this technology into Outlook 2016 itself.

According to Microsoft, the reason for Email Insights was simple enough: Email search sucks. (Remember that these are Microsoft guys, so they are probably using Outlook. Email search in Gmail is excellent.)

“The email search experience today lags far behind the web search experience,” Microsoft notes. “A user might search for an email with some keywords and keep scrolling down the search results to find that elusive email. A user has to remember the keywords from an email or the spelling of peoples’ names to get to the required email. Moreover, having a complex application with hundreds of features is an overkill for doing some quick tasks like send one liner emails.”

If regularly searching email for specific content is an issue for you, Email Insights is worth checking out. However I do hope that this solution will simply become a part of Microsoft’s email services and applications at some point.

New Phishing Scam Alert

We’ve been seeing plenty of phishing scams lately.

What are Phishing Scams?

These are when cybercriminals try to get unsuspecting victims to click on a malicious link to steal their private information. It’s usually carried out through an email where the scammer imitates a legitimate person or business.

Thieves will go to great lengths to create a message that appears to be from someone you trust. The latest attack that you need to know about is a malicious email claiming to be from Microsoft.

Current Active Phishing Scam

The email has a subject line that states, “Your Banking Assets Are Blocked.” The message claims to be from Benedict Brown, who is representing Microsoft Security Office. Warning: This is a fake email and contains a malicious link.

How this phishing attack works

If you receive this email, delete it immediately. You also need to know how to prevent falling victim to a phishing scam.

As you can see in the image above, the message tells the recipient that suspicious activity has been found with their bank accounts. It goes on to claim that their computer is infected with a virus or an exploit impacting banking operations.

The scammer says they have included a full report containing all relevant information pertaining to the suspicious activity. The recipient is then asked to download the report from an official server by clicking a link at the bottom of the message.

The link will actually take you to a malicious site that could infect your gadget with malware. Once you get to the site, you’ll be asked to open a malicious Office document. Then you will be asked to enable macros to view the document.

If you enable macros, your gadget will be infected with Neutrino bot malware. This malware allows the scammer to do several things:

  • Steal personal data – The cybercriminal can capture keystrokes, do form grabbing, and take screenshots from your gadget.
  • Perform DDoS attacks – DDoS stands for “distributed denial of service,” which is a techy way of saying “crashing a system or the whole internet.” It works when a targeted website or server is flooded by an overwhelming amount of requests from millions of connected machines in order to bring it down.
  • Download more malware
  • Make spoof DNS requests – Domain Name Server (DNS) spoofing is when cybercriminals exploit vulnerabilities found in the domain name server. They do this to redirect traffic from legit servers to fake ones.

Tips for Avoiding Phishing Scams

  • Be cautious with links – If you get an email or notification that you find suspicious, don’t click on its links. It’s better to type the website’s address directly into a browser. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn’t what the link claims, do not click on it.
  • Do NOT enable macros – You should never download Word or Excel files attached to unsolicited emails to begin with. If you do open one of these documents and it says that you need to turn on macros, close the file and delete it immediately.
  • Do an online search – If you get a notification about something that seems shady, do an online search on the topic. If it’s a scam, there are probably people online complaining about it and you can find more information.
  • Watch for typos – Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos.
  • Know what phishing emails look like – Typically, there are obvious signs that give away the fact that an email is fake.
  • Use multi-level authentication – When available, you should be using multi-level authentication. This is when you have at least two forms of verification, such as a password and a security question before you log into any sensitive accounts.
  • Have strong security software – Having strong protection on your family’s gadgets is very important. The best defense against digital threats is strong security software.

Beware Holiday Email Scams

It’s the holiday season, which means shopping is buzzing more than usual. Many of us are using online storefronts to purchase our gifts. While this is quite convenient, it can also lead to some problems.

We know that scam emails are nothing new, but recently a fake email claiming to come from Amazon has cycled around. The message reads as follows:

Hello,

There was a problem processing your order. You will not be able to access your account or place orders with us until we confirm your information.click here to confirm your account. We ask that you not open new accounts as any order you place may be delayed.

 

For more details, read our Amazon Prime Terms & Conditions.

Of course, this is garbage. Clicking on the link in this email leads you to a fake “Amazon” login page, where the scammers ask you to kindly enter your credit card information. Once you’ve done so, it redirects you to the real Amazon website, but the damage is already done.

It’s worth reiterating email safety tips so you don’t fall victim to traps like these. Never click through links in emails that ask for personal information. If you receive an email you aren’t sure about, go to amazon.com in your browser and sign into your account from there. Amazon and other reputable companies will never ask you for your password or other sensitive info via email.

Amazon also asks that if you receive a spoofed email like this, forward it to stop-spoofing@amazon.com so they can review it.


Technology Training for November 10, 2016

Today’s Technology Training shared for all of our dedicated readers.

FBI Probes More Emails from Clinton’s Private Server

This is not a political blog. We cover technology. An example of just how technology is tangled in our lives is the current presidential election. This year’s presidential election has been tied up and may hinge on something that we should all be aware of.

Email management.

I have spoken about it, I have written about it, and I have taught classes on it. Over the past 20 years we have all become so comfortable with it that we often use it unwisely. Countless people have lost their job over it. This included General David Petraeus who in November of 2012 was forced to resign as Director of the CIA. Although there were other behaviors that resulted in this resignation, General Petraeus’ email management played a role as well.

Of course we all use email, both at home and at work for many topics. Most will not get you in trouble. However it is easier than you may think to get in legal trouble.

Who Our Next President Is May Rest on Email Management

Now less than 2 weeks from the election for the presidency of the United States one of the candidates is answering questions about her email management and the conversations found.

The FBI has uncovered new emails related to Hillary Clinton’s use of a private email server, prompting federal authorities to investigate them.

The FBI discovered the emails as part of an “unrelated case,” FBI Director James Comey said in a letter to a congressional committee that was later tweeted on Friday.

These emails “appear to be pertinent” to the FBI’s original investigation into Clinton’s private server use, which the agency wrapped up back in July, Comey said. Clinton, now the Democratic nominee for U.S. president, used the private server while she served as Secretary of State.

Comey said he agreed to allow the FBI to determine if the newly uncovered emails contain any classified information, “as well as to assess their importance” to its original investigation.

The FBI can’t say whether the emails are significant or how long the agency will take to probe them, he added.

On Friday, the FBI confirmed that a letter was sent out to members of Congress but declined to offer further comment.

U.S. House Speaker Paul Ryan, a Republican, said on Twitter the FBI had essentially reopened its investigation into Clinton’s private email server use.

“She was entrusted with some of our nation’s most important secrets, and betrayed that trust by carelessly mishandling highly classified information,” he said in a statement.

He’s asking the U.S. director of national intelligence to suspend all classified briefings with Clinton until the matter is resolved.

Clinton and her presidential campaign have yet to respond to the FBI’s new investigation.

In July, the FBI concluded that Clinton had been “extremely careless” in her use of a private email server, but the agency didn’t recommend filing any charges against her.

The FBI said Clinton’s server faced ongoing cyber threats from possible hackers, including phishing email attacks and failed login attempts. However, the agency found no evidence confirming that the server was ever compromised.

The letter from FBI’s director didn’t mention how the newly uncovered emails were obtained or where they came from.

However, recently stolen emails from a Clinton aide have been published through WikiLeaks and include allegedly thousands of private messages between U.S. officials and her staff.

The Fate of a Nation

What happens in the next 2 weeks no one knows. The course of the most powerful nation this world has ever seen may rest on… email.

Checking your Email Security with Hacked

Hardly a week goes by when we do not hear about a security breach at some company that results in the loss of user credentials and other personal information. The sheer numbers of these events can also be challenging to keep up with these days.

Screenshot: See all the breaches your email was found in and exactly what was taken in that breach

This past week a new Universal Windows Platform (UWP) app arrived for Windows 10 that can provide us all with the ability to easily keep up with these breaches and it just takes a little initial work from us to get started.

Hacked is from Lancelot Software and you will find it available through the Windows Store for both desktops, tablets and mobile Windows 10 devices.

The features of Hacked?, according to the software developer, include:

  • Easy to use: All you need to do is enter the email address you want monitored
  • Hands-off: Background monitoring of all your email addresses
  • Safe: The app uses the industry-trusted Troy Hunt’s massive haveibeenpwned database of breaches
  • Updated: the haveibeenpwned database scans pastes frequently, you’ll always have fresh data to compare against
  • Privacy: This app will never share your email addresses with anyone outside of the haveibeenpwned API (which itself uses the secure HTTPS protocol)

After testing this app I have one big request for the author – cloud sync of the accounts I add to Hacked? on different devices.

Currently you must manually enter all of the accounts you want tracked on each device which unfortunately can be very labor intensive.
