Every day, over 31 billion email messages are sent across the internet. On average, 70%-80% of these emails are considered spam: unsolicited email. But what does spam have to do with security?
Data destruction and theft are the number one issues affecting both individuals and businesses on the Internet. The single easiest way to get the data these criminals crave is to waltz right into a computer or network on this wave of spam email.
What Are the Dangers Associated with Malicious Email?
Identity theft and associated Data Loss.
One of the key ways spammers infiltrate the business community is through identity theft, and the FTC estimates that identity theft will cost businesses in the United States more than $8 billion in 2006.
Identity theft affects businesses and isn’t limited to personal credit cards and cell phones. Corporate data can be stolen just as easily, which can lead to financial losses, lost clients, lost productivity, and massive fees associated with cleanup and stabilization of internal data.
Destruction/Loss of Data
If theft of sensitive client data is the biggest fear of a small business, destruction of that data can’t be far behind. Most have backups of critical data, but what happens if the backup fails or, worse, is corrupted by the malicious code of a virus, for example?
It’s difficult to measure cleanup costs because companies are loath to report incidents, but the FBI polled 269 private respondents, and they admitted spending a staggering $141 million in cleanup fees last year (2004).
The following will deal with some common email security risks, as well as how to protect yourself and your business from stepping on one of the many landmines planted by hackers and criminals before they cost you or your company more than you ever want to risk.
Viruses have been the most commonly known and most often addressed issue related to internet, data, and email security. Still, many fail to properly address these threats and protect themselves from catastrophe. In 2004, despite the common use of antivirus software, over 37 MILLION computers were infected by a virus.
Despite often being preventable, viruses continue to destroy valuable data and cripple computers every day.
These outbreaks tend to hit small and medium businesses the hardest because of limited budgets and a small or non-existent IT staff. Protecting your business from a virus isn’t all that difficult, but the issue lies predominantly in effort (or lack thereof), diligence, and education.
Make sure every computer in your office is equipped with antivirus software. Perhaps more importantly, make sure it is properly configured and up to date (the number one shortfall among victims of a virus or worm).
Make sure Antivirus applications are properly configured to check incoming AND outgoing messages. Not only is it important to know when a virus is coming in, but scanning outgoing messages will stop you from potentially spreading anything your computer has contracted. This also allows you to snuff the problem out before it causes damage to others.
Many computers are set to automatically download patches, but these programs sometimes fail, so make sure you check for updates manually at least once every week.
Education and policies are key. If employees do not understand the risks and what they must do to prevent the inevitable, the entire office could be open to a catastrophic compromise of data integrity including client financial data.
This list probably sounds like a broken record, but sometimes the basics are the best place to start. You may be surprised by how many simple preventative steps AREN’T being taken in your very own office.
A Trojan is often distributed as part of a virus, but its calling card is its ability to fly under the radar by disguising itself as a valid file or program. Oftentimes, Trojans work in tandem with other malicious software.
The Trojan Horse is primarily designed to get in the door and the malware does the dirty work of securing the data it is designed to steal or destroy.
The malicious running mate of the Trojan is normally some form of Spyware. Spyware is oftentimes installed without the knowledge of the user and can infiltrate a network through downloads, a virus, an email attachment, a click of a pop-up window, or even by simply receiving an email.
Spyware is designed to spy on a victim. Sometimes this data is used for something as “innocent” as market research, but even in that context, it violates privacy, slows computers, and compromises data integrity. At its worst, Spyware is far more dangerous.
If your email program (such as Outlook) accepts HTML email, there are pieces of software that can be installed through the preview pane of the email box. When you simply click on an email in Outlook, the default setting opens it in a “preview pane” where messages can be read. What many don’t understand is that simply viewing email in the HTML-enabled preview pane can execute some malicious code on your computer and lead to a loss of data integrity on your network!
A recent poll revealed that the average computer has 29 pieces of spyware running on it!
Software Keyloggers are perhaps the most frightening of all threats that can attack via email. The primary goal of keyloggers is recording keystrokes in specific ways with the goal of storing and sending that information to the hacker or hackers that created the tool.
The most common and damaging way keyloggers are used involves silently recording passwords, credit card data, and other sensitive information that is then transmitted from your computer to a remote user. At that point, they can do whatever they wish with that data.
Protecting yourself from Trojans, Spyware, and Keyloggers
First and foremost: The best security and related policy is always built on layers. The best way to protect a system and network from these intrusions always starts with the same methods one would use to prevent the spread of a virus, but additional measures must be taken for these new risks BEYOND those measures.
Make sure your Internet browser (oftentimes Explorer on Windows) and mail program are both completely up to date with the latest patches, and check for new releases frequently. These threats can reach your system in more ways than one.
Keyloggers and Trojans often aren’t detected by Antivirus systems, so make sure you have a good spyware detection and removal tool OR verify your Antivirus program handles these spyware threats as well. Make sure this software is updated and run regularly, as new threats can burrow in at any time.
Consider disabling HTML in your email box to protect against threats that can execute themselves through a preview pane.
Make sure any sensitive data that must be stored on a computer is centralized, password protected, and encrypted.
Consider installing a personal firewall on each computer or at least enabling a firewall built into the operating system of the computer. Firewalls can’t save the world by themselves, but a good personal firewall monitoring incoming AND outgoing traffic from an individual computer will be a good way to find out if anyone is attempting to break in. It will also give you an idea as to whether or not anyone or thing is attempting to have your computer send data out.
Phishing attacks use both social engineering and technical subterfuge to steal personal identity data, financial account credentials, passwords, and more. In plain English, these emails are designed to fool the recipient into providing data the Phisher (criminal) wants to ascertain. They normally attack via email and get the information they need by installing keyloggers, coercing the victim, or fooling the victim into providing data in a form or on a web site.
Generally, what separates Phishing from other malicious activity is the intent. Phishing is a profit-driven attack, plain and simple. While many threats are designed to destroy or corrupt data for the sake of chaos or notoriety in the hacker community, Phishing has the intention of stealing data for personal financial gain.
The main goal of a Phishing email is to provoke a reaction from the recipient. They normally achieve this by spoofing (faking) email addresses from large companies and sending very professional and accurate corporate emails. In that email, they will normally ask the victim to click on a link to the site in order to verify some personal data (normally a username, password, or credit card). These emails normally relay an immediacy such as “before your account is suspended”, and often are bold enough to warn of Phishing scams in that very Phishing email!
Some of the most popular companies these criminals fake are the biggest ones in the world, like eBay, Citibank, Paypal, etc. They use these large companies as cover because their phishing spam is more likely to reach a match: someone who has an account with that company.
Once you click on the link, they use one of many technologies to direct you where they want you to go: their trap. These sites almost always match the real corporate sites exactly, and it’s difficult for even professionals to tell the difference between real and fake.
When you complete the task they request, nothing horrible happens right away that would set off an alarm in the victim’s mind, but the phisher now has enough data to start using your identity for whatever purpose they have.
It’s very difficult to track these scam sites because they never stay in one place for more than a couple days, so the primary objective is educating potential victims on tips to avoid these criminals so both employees and clients remain safe from these attacks.
The term “Phishing” originates from a combination of hacking phrases.
“Fish” is a common term when using social engineering to steal passwords or information.
The “PH” in place of “F” is a common hacker way of spelling. This originated with John Draper, who developed one of the first methods of hacking called “Phone Phreaking” in 1971. He achieved this task by inventing a “blue box” and using a toy whistle found in boxes of Cap’n Crunch that blew a frequency of exactly 2600 Hz. The tone from the whistle gave him full access to the entire phone system.
As stated earlier in this presentation, all security is built in layers, so all steps to avoid a virus, keylogger, trojans, phishing scams, etc. are built on the critical bases of protection already established.
Each layer and helpful hint from the previous sections provides crossover protection to help thwart phishing scams.
While Phishing has become more sophisticated over the years, the first keys to anything out of the ordinary are spelling and grammatical errors. Most of the scams are smarter than this, but these types of errors are a huge red flag.
Never reply with sensitive data in an email or form requesting it. A reputable company will NEVER ask you to.
Beware of any links embedded in email. They often transpose a few letters for their fake site or add additional characters before or after the main web address for an easy way to direct you to their trap (ex. www.123AOLConfirm.com).
Never click on any of the links in an email if you are unsure whether the request is legitimate or not. Always open up a separate browser and type the main web address in yourself. If there is an urgent alert to clients of a major company being sent out via email, there will be an announcement on their web site.
For a quick reference on the latest Phishing scams (and past scams as well), check http://www.antiphishing.org/. When you become aware of a new scam, there’s a decent chance someone else in the office was also contacted, so communicate with one another to help avoid these pitfalls.
If all else fails, call the company directly, but never be intimidated by the urgency of the email. The more urgent the email is, the more likely it’s a fake.
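The advice above about embedded links can also be applied automatically at the mail gateway or help desk. The following is an added example, not part of the original presentation: it flags links whose host pads a known brand name with extra characters or is one edit (including a transposed pair of letters) away from it. The brand list, function names, and the sample message are assumptions made for illustration; only www.123AOLConfirm.com comes from the text.

```python
import re
from urllib.parse import urlsplit

# Assumption: a small allowlist mapping each brand keyword to its real domain.
KNOWN_BRANDS = {"aol": "aol.com", "ebay": "ebay.com",
                "paypal": "paypal.com", "citibank": "citibank.com"}

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_link(url):
    """Return 'ok', 'padded:<brand>', 'typo:<brand>' or 'unknown' for one link."""
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    # Naive registrable domain (last two labels); real code should use the Public Suffix List.
    domain = ".".join(host.split(".")[-2:])
    if domain in KNOWN_BRANDS.values():
        return "ok"
    name = domain.split(".")[0]
    for brand in KNOWN_BRANDS:
        if brand in host:  # brand name with extra characters before or after it
            return "padded:" + brand
        if len(brand) > 3 and osa_distance(name, brand) == 1:  # e.g. transposed letters
            return "typo:" + brand
    return "unknown"

def scan_message(text):
    """Classify every link found in a message body."""
    links = re.findall(r"(?:https?://|www\.)[^\s<>\"')]+", text)
    return [(link, classify_link(link)) for link in links]

# Constructed sample message; only www.123AOLConfirm.com comes from the text above.
SAMPLE = """Your account will be suspended. Verify at http://www.123AOLConfirm.com/login
or http://www.paypla.com/verify . Our real site is https://www.paypal.com/ ."""

if __name__ == "__main__":
    for link, verdict in scan_message(SAMPLE):
        print(f"{verdict:15} {link}")
```

An "unknown" verdict only means the host does not resemble a listed brand; it is not a statement that the link is safe.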
Make Sure These Threats Never Reach your Inbox
The best defense is making sure threats never reach your network. Make sure the company handling your email is scrubbing it for viruses, spam, content, etc.
While this layer doesn’t guarantee success, prevent all attacks, or remove the need for all other measures included in this presentation, it’s a critical first step in keeping your computer and network safe.
Make Sure Every Computer is Patched and Up to Date.
Make sure you stay up to date on all of your internal countermeasures (operating system patches, firewall updates, antivirus updates, etc.).
Many threats can be avoided by simply keeping up to date and the rest can be managed by utilizing sound policies built on the information and tips like the ones we’ve included. A clearly understood policy will help eliminate potential human error.
This has been mentioned throughout the presentation, but it can’t be overemphasized!
Strong passwords (uppercase and lowercase letters, numbers, etc.) that would be impossible to guess are optimal.
If this isn’t practical, make sure your policy includes stipulations on how long a password should be used before it’s changed, and make sure employees do not use the same password for entry into many different places. This will help limit the damage that can be done even if your information is taken.