Hosted Desktop UK - Your office anywhere

Email security – keeping yourself safe from modern attacks

Email is an old, simple, yet heavily used tool of everyday working life. Unfortunately, because its underlying technology (SMTP) is dated, email is easily misused and is the primary method for distributing malware, viruses and phishing attacks.

This makes email just as dangerous as it is useful. To make matters worse, the newer types of attack, commonly referred to as ransomware and frequently distributed via email, are becoming increasingly difficult to stop.

This article explains how such attacks work and what we are doing to help prevent them. More importantly, as these attacks rely on users activating them, it shows you how to identify such emails and what to do with them.

How these attacks work and why they are hard to stop

Modern malware, and specifically ransomware, is very clever software. The virus itself is never sent directly in an email, so email antivirus will not detect it. These attacks instead use seemingly harmless scripts/commands embedded in other files, commonly Word documents with macros enabled.

These scripts then run silently and carry out the install/attack by downloading the malware from the internet. The download is often hosted on everyday web or email servers that have been compromised, frequently without the owner's knowledge. Because the commands used in the attack itself are simple and commonplace, it is very hard for an antivirus to detect them without having a huge impact on user functionality.

Once the attack is running, it uses the permissions of the user who triggered it to work through their system, encrypting the files they have access to. Unfortunately, this exploits a basic need of every user: the ability to edit and delete files.

What we do to help prevent this

Hosted Desktop have several measures in place to help prevent this happening to you.
Firstly, there is the email filter/quarantine system. This blocks .docm files and JavaScript files unless the sender is whitelisted; these are the most common carriers for the embedded malware. The other common carrier is .zip files, but blocking these would have a negative impact on everyday working.

Additionally, our quarantine system uses the public RBLs (Real-time Block Lists). These are lists of servers that have been identified as compromised or as distributing spam or malware. If a server is listed on an RBL, our servers will automatically quarantine its emails unless you have whitelisted it.

Should an email have made it through and the file been opened, another line of defence is the web filter. This also uses a blacklist: it checks a third-party list of servers/domains/IPs that have been flagged for spamming or distributing viruses, so in many cases the virus cannot be downloaded.
Unfortunately, these attacks usually come in large waves and often have an array of servers rigged to distribute the malware. There is no guarantee they will all be found and/or blacklisted.

As the most common file used to distribute this is a type of Word document, the other precaution is MS Word Protected Mode. By default, Word opens documents and .docm files from unknown sources (i.e. not your server) in Protected Mode, which does not allow the scripts to run.

These documents often contain a picture showing you how to take the document out of Protected Mode, claiming you need to do this in order to view it. This is nothing more than a trick to get you to enable the macros. ANY/ALL documents that do this are malicious.

Finally, in a worst-case scenario, should your system be compromised, we are able to restore the server to a state before the virus took effect. Should you notice an issue, it is important to let us know as soon as possible. Remember, the best protection is user awareness.

How you can identify potentially malicious email:

Unfortunately, due to the basic nature of SMTP (the email protocol), there is no true method of sender verification. This is what makes email such a tempting and practical method for distributing malware and phishing: it is very easy to pose as another person.

The attacks often use social engineering to coerce you into opening the email.
Common tactics are:

  • Custom Personal Messages such as “Dear <YourNameHere> please see the attached invoice”
  • Spoofing: They will forge the email to look like it is from an address/contact you know, or even someone within your own organisation.
  • They will make the email threatening. Examples: “Your account will be closed if…” or “Act now to avoid charges” etc
  • They will make the email look official by spoofing addresses such as “Emailadministrator@yourdomain.com”, support@microsoft.com, etc.
  • Alternatively, they make the email look completely harmless, with subjects such as “Our holiday pics” or “Wedding invitation”; these are less common.

How to identify these

The first step is some basic questioning. Initially treat every email as suspect; if you get an email supposedly containing a court summons, think:

  • Am I due in court?
  • Have I given my email address to the courts?
  • Would the court contact me by email rather than by post?

Chances are the answer to each is ‘NO’ – therefore you already have a good indication it’s a scam.

The same goes for Royal Mail: if you’re not expecting a package and you’ve not signed up to their emails, it’s probably not genuine.

If you don’t bank with RBS for example then an email from them to recover your account is obviously fake.

Sometimes it’s not as clear cut as that, however. You may get an email from a friend, contact or colleague (or so it appears); again you need to be critical of this:

  • Are you expecting this email?
  • Is the wording out of sorts for them?
  • Does it request anything from you such as clicking a link, opening an attachment etc?

If so, be cautious: ask them whether they sent it to you (not by replying to the email, however), or ask your email provider to check the email headers if you don’t know how. If it has an attachment, look at the attachment itself in detail, paying attention to the file extension. Often attackers double the extension to make you think it is something else, for example:

Your invoice.pdf.htm or Your invoice.pdf.zip

These are common tactics; at a glance many people think ‘oh, it’s a PDF’, but it’s not. The first is an .htm file, a web page, which can lead to just about anything the attacker programs it to do. The .zip file, likewise, may contain anything the attacker wants.

Again, should a file extracted from a .zip look like this:

(screenshot 3: the extracted file as shown in Explorer)

then you need to be aware. If you read the text it looks like a PDF; however, the icon is wrong, and it doesn’t look quite like a Word document either. It is in fact a JavaScript file; if you were to open it, it would instantly begin downloading and installing malware on your system.

A more common method, however, is exploiting MS Word macros. They will send a Word document, but if you look closely it will be a .docm, not a .doc or a .docx, for example ‘Your Court Order.docm’.
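The attachment checks described above (double extensions such as .pdf.htm, .zip and .htm files, JavaScript and .docm attachments, and the whitelist exception from the filter section) written up as a small Python triage script. This is an added example, not HDUK's filter code; the extension lists, verdict names and the sample message with its sender address are constructed for the demo.

```python
import email
import email.utils
from email import policy

# Extension rules from the article: macro-enabled Word (.docm) and JavaScript are
# blocked unless the sender is whitelisted; .htm and .zip deserve a closer look.
BLOCKED = {"docm", "js"}
SUSPECT = {"htm", "html", "zip"}
DISGUISE = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}  # "harmless" half of a double extension

def classify_attachment(name):
    # Returns (verdict, reason) for one attachment filename.
    parts = name.lower().split(".")
    ext = parts[-1]
    inner = parts[-2] if len(parts) >= 3 else ""
    # "Your invoice.pdf.htm": a familiar extension hiding the real one.
    if inner in DISGUISE and ext not in DISGUISE:
        return "double-extension", f"looks like .{inner} but is really .{ext}"
    if ext in BLOCKED:
        return "blocked-type", f".{ext} is blocked unless the sender is whitelisted"
    if ext in SUSPECT:
        return "quarantine", f".{ext} needs manual inspection"
    return "allow", f".{ext} is not on a watch list"

def triage_message(raw, whitelist=frozenset()):
    # Parse a raw message and classify each attachment it carries.
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdict, reason = classify_attachment(name)
        # Only the blocked-type rule is relaxed for whitelisted senders.
        if verdict == "blocked-type" and sender in whitelist:
            verdict, reason = "allow", f"sender whitelisted ({reason})"
        findings.append((name, verdict, reason))
    return findings

# Constructed sample message for the demo; the sender address is made up.
SAMPLE = (
    b"From: Accounts <accounts@example.invalid>\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease see the attached invoice.\r\n"
    b'--b1\r\nContent-Disposition: attachment; filename="Your invoice.pdf.htm"\r\n'
    b"Content-Type: text/html\r\n\r\n<html></html>\r\n"
    b'--b1\r\nContent-Disposition: attachment; filename="Your Court Order.docm"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\nPK\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for name, verdict, reason in triage_message(SAMPLE):
        print(f"{verdict:17} {name}: {reason}")
```

Note that whitelisting a sender only relaxes the .docm/.js rule; a double extension is still reported, because a spoofed "known" address is exactly the case the article warns about.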

Should you mistakenly open one of these documents, by default MS Word will open it in Protected Mode; the document, however, will be engineered to encourage you to disable this, as in the following two examples:

(screenshot 1)

or

(screenshot 2)

The document will not change when you ‘enable content’; it will simply infect your system. ANY document that encourages you to do this to view its content should be considered malicious and disregarded immediately.

Following these steps and taking that extra level of caution with your emails can be the difference between staying clean and being infected.

Remember, with all emails (especially unsolicited ones) it is better to assume that ALL are dangerous until proven safe, not the other way around, even if it appears to be from a known address.

  • Be suspicious of every attachment, check the extensions.
  • If in doubt, or if you think you’ve opened something dodgy let us know as soon as possible.
  • If you’re ever unsure or need further advice please contact our support team.


HDUK Support Team

keith-h