Email spoofing, also known as spoofing email, involves forging the sender’s email address. Often, the address in the sender’s field is fake; any responses sent to this address will likely reach a third party. The primary goal of this scam is to deceive the user.

Fraudsters deploy a variety of tactics to execute a successful spoofing attack ¹. Below, we explore the most common methods they use.

1. Sharing a Similar Domain

To successfully spoof an email, fraudsters meticulously imitate sender addresses that appear similar to those of well-known organizations or companies. They typically:

• Alter the top-level domain, for example, from support@spotify.com to support@spotify.co
• Change the domain to include a country code, for example, support@spotify.com.ru
• Modify a single character in the domain name, turning support@spotify.com into support@spatify.com
• Use a variant of the domain that still references the brand, such as support@spotifyinfo.com
• Create an email address that incorporates the company’s name, like support.spotify@gmail.com

2. Substituting the Sender’s Name

This tactic involves falsifying the sender’s name, with the “From” and “Reply-To” headers displaying the fraudster’s address instead. This method is particularly prevalent on mobile mail clients, which typically only display the sender’s name. Fraudsters may use:

• Misleading variations of the company’s name.
• Fabricated names paired with deceptive email addresses.

Imagine that you receive an email like this:

Notice that all fields are correct, but the From and Reply-To fields are not. When Dude1 receives this email, he may think it’s from his boss. When he hits “Reply,” all he’ll see in the To: field is the name “BossMan,” but it will actually go back to his friend who spoofed the email, Dude2.

3. Changes the significance of the From and Reply-to fields

Because the SMTP protocol does not authenticate headers, fraudsters can easily forge addresses in the From and Reply fields without being noticed. Thus, they have the privilege of not being caught, as a fake is almost no different from the original.

Protection from Email Spoofing

To effectively guard against email spoofing, it’s essential to configure email security protocols such as SPF, DKIM, and DMARC. Below, you’ll find step-by-step guides on how to set up these protocols for popular email platforms:

1. Setting Up SPF (Sender Policy Framework)

SPF helps to verify that incoming mail from a domain comes from a host authorized by that domain’s administrators.

• Gmail: Go to the Google Admin console, navigate to ‘Domains’, and then ‘Add a domain or a domain alias’. Add the SPF record in your DNS settings: v=spf1 include:_spf.google.com ~all
• Outlook: In the Microsoft 365 admin center, go to ‘Settings’ → ‘Domains’, select your domain, and add the SPF record to your DNS settings: v=spf1 include:spf.protection.outlook.com -all

2. Implementing DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) adds an encrypted signature to outgoing emails, allowing the receiver to verify that an email was indeed sent and authorized by the owner of the sending domain. Setting up DKIM correctly can help prevent email spoofing by verifying the authenticity of the sender. Here’s how to set up DKIM for Gmail and Outlook:

Implementing DKIM for Gmail:

To configure DKIM for Gmail, use the following steps:

1. Sign in to the Google Admin console.
2. Navigate to Apps → Google Workspace → Gmail → Authenticate email.
3. Select the domain for which you want to set up DKIM and click GENERATE NEW RECORD. You might see this option only if you haven’t already set up DKIM for your domain.
4. Choose a key length of 2048 bits for better security (1024 bits is also available but less secure).
5. After generating the DKIM key, Google will provide you with a TXT record to add to your domain’s DNS. It will look something like this:

   google._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq...AB"

   This is your public key.

6. Add this record to your DNS settings at your domain host. Keep in mind that DNS propagation can take up to 48 hours.
7. Once the DNS has propagated, return to the Admin console and click START AUTHENTICATION.

When DKIM is set up correctly, Gmail will sign outgoing emails automatically, allowing recipient servers to verify their authenticity.

Implementing DKIM for Outlook:

For users of Microsoft 365 or Outlook, the setup process involves similar steps:

1. Login to the Microsoft 365 Defender portal.
2. Go to Email & collaboration → Policies & rules → Threat policies → DKIM.
3. Choose the domain you wish to enable DKIM for and click Enable.
4. If no DKIM keys exist, Microsoft will prompt you to create them. Click on Create to generate the keys.
5. Microsoft will then provide two CNAME records to add to your domain’s DNS. These records delegate the DKIM signing authority to Microsoft. They typically look like this:
   selector1._domainkey.YOURDOMAIN.com CNAME selector1-YOURDOMAIN-com._domainkey.OURDOMAIN.onmicrosoft.com
selector2._domainkey.YOURDOMAIN.com CNAME selector2-YOURDOMAIN-com._domainkey.OURDOMAIN.onmicrosoft.com
6. Add these CNAME records to your DNS. Again, allow up to 48 hours for DNS changes to take effect.
7. Once DNS propagation is complete, go back to the Defender portal and confirm the DKIM status to ensure it is active.

Implementing DKIM for your domain significantly improves your email security by enabling email authenticity verification at the recipient’s end.

3. Configuring DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication, policy, and reporting protocol. It builds on SPF and DKIM protocols, helping email receivers determine if a given message aligns with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle these discrepancies. Here’s a step-by-step guide to setting up DMARC:

Understanding DMARC Policy:

Before setting up DMARC, you need to understand the policies you can apply:

Steps to Configure DMARC:

1. Create a DMARC record: A DMARC policy is published as a DNS TXT record. The typical format of a DMARC record looks like this:

   v=DMARC1; p=none; rua=mailto:admin@yourdomain.com

   In this example, ‘p=none’ specifies the policy, and ‘rua’ indicates where aggregate reports of DMARC failures will be sent.

2. Choose Your Policy: Decide which policy (none, quarantine, reject) fits your needs based on your security posture and the maturity of your SPF and DKIM setups.
3. Specify Email Reporting: Determine where you want reports of pass/fail to be sent. These reports are crucial for understanding the types of attacks targeting your domain and observing how your emails are being received on the internet. Use ‘rua’ for aggregate reports and ‘ruf’ for forensic reports:

   rua=mailto:aggregate@yourdomain.com; ruf=mailto:forensic@yourdomain.com

4. Publish the DMARC Record: Add the DMARC TXT record to your domain’s DNS. This is similar to adding SPF or DKIM records. You typically enter the record into your DNS management dashboard.
5. Monitor and Adjust: After implementing DMARC, monitor the reports you receive and adjust your policy as needed. Initially starting with a ‘none’ policy and moving to ‘quarantine’ or ‘reject’ as you confirm that legitimate emails are passing SPF and DKIM checks is a common approach.

Additional DMARC Tags:

DMARC records can include several optional tags to refine its operation:

• aspf: Alignment mode for SPF (strict or relaxed).
• adkim: Alignment mode for DKIM (strict or relaxed).
• fo: Forensic options to specify conditions under which forensic reports should be generated.
• rf: The format to be used in forensic reports.
• ri: Reporting interval for how often you want to receive the aggregate reports.

The post How to Prevent Email Spoofing appeared first on Gridinsoft Blog.

Ways to Get Rid of Spam Emails

Fortunately for the users, there are plenty of ways of getting rid of annoying messages. Depending on their number, you can try different practices and find the one that works best for your case. For example, simple reports of a couple of phony emails you’ve got over the last month may be enough to prevent their appearance. Popular email services usually keep an eye on users’ reports and will likely react to reports about the malevolent activity. Still, you may sometimes require a much more harsh approach.

1. Mark as spam

Email services such as Gmail, Yahoo & Outlook have special features for filtering unwanted emails. To do this, you need to mark emails as “spam”, after which they will go to the spam folder and will not disturb you in the common list of emails. If you receive such emails from the same sender in the future, it will automatically be sent to this folder.

How to mark spam in Gmail

Tap on the square next to the email. After that tap the stop sign icon.

How to mark spam in Yahoo! Mail

Tap the box next to the email or on multiple emails. After that tap on the shield icon.

2. Delete spam emails

Spam email at first glance looks harmless. But there are a few nuances that you need to consider. First of all, if you notice that your mailbox is filled with letters from unknown sources, do not click on them. By clicking on these emails, you will inform the attacker that your email is active and will be subject to more spam. The harm is that you will start receiving even more spam emails. Only if you follow links or respond to spam – that’s when you can come across the distribution of malware and other things. The best thing you can do is simply remove spam emails and rid yourself of unnecessary content.

How to delete spam from Gmail

1. Tap on the empty box to check out the message.
2. Tap on the stop sign in the top menu.
3. Tap Report Spam in the dropdown menu.
4. Tap on the “Delete All Spam Messages Now option.”

How to delete spam from Yahoo! Mail

1. Firstly, check the box next to the email.
2. In the above menu tap on the shield.
3. Tap the Report Spam option.
4. Go to the spam folder.
5. Tap the Delete Emails option.

How to delete spam from Microsoft Outlook

1. Tap the email in the inbox area.
2. Tap on the Junk Mail option in the top menu.
3. In the side menu click on the Junk Email tab.
4. To empty the folder click the metal trash can.

3. Keep your email address private

Try to avoid sharing your email on different platforms to avoid receiving spam emails. If you don’t have to share your email address, you better keep it quiet. You can also change your account privacy settings. As in the following examples:

Google Privacy Settings

1. Enter your Google account.
2. Navigate to the Security Checkup option to see the devices, security events and other email addresses and devices connected to your Gmail account.
3. Set up the toggle switches to turn features on or off.
4. Do the same process for the Personal Information and Privacy settings.

Yahoo! Mail privacy settings

1. Log-in to your Yahoo! Mail Account.
2. Click on the gear icon.
3. Click the Account Information option.
4. In the Account Security section, click on the Generate app password option.

Microsoft Outlook privacy settings

1. In the upper-right corner of the screen tap on your account icon.
2. In the menu list, tap My Account.
3. Tap on the Privacy and Security options to change the settings.

4. Use a third-party spam filter

Each mailbox has its spam filter, but working with a third-party filter can provide additional protection. All emails will pass through these two filters. This way, you can provide adequate protection against malware and unwanted content. Finding an anti-spam filter that will work with your service provider is best.

5. Change your email address

If spam still comes to your email address after all the steps above, then the problem is the continuous leak of your personal info, in particular email address. In this case, you need to change your email address. To do this, see the following guide.

1. Register a new account with your current email service.
2. After that, notify your contacts from your new account that you’ve changed email addresses.
3. Go to the Settings section and add the new email address to forward incoming emails from your old account. It is important to specify the emails you want to redirect the messages from. Otherwise, all the spam will appear in the new mailbox as well.

How to add a forwarding address

After you create a new email address, you will be able to receive emails from the old email address. To do this, you need to change your forwarding settings. By redirecting, you will be able to update your contact information in all accounts that are linked to your original account.

1. In the old email account, navigate to the Settings option.
2. Tap the Forwarding and POP/IMAP tab.
3. Enter the new email address in the Add a forwarding address box.
4. Tap “Next” to confirm the process.

Common spam email security threats

In addition to being annoying and time-consuming, spam emails can compromise users’ digital security. Attachments that are attached to spam emails often carry a virus or malware. Here is a list of the most common ones.

Trojan Virus

Trojans are malware disguised as legitimate apps. Get on the user’s PC they can by downloading free apps or come through attachments in email. Trojan installs malicious code, usually spyware or coin miners, via a link attached to an email. Thus, the attacker manages to control the user’s computer, steal data and block many programs. From this point of view, remember that clicking on all composed spam emails is dangerous.

Phishing and vishing

Phishing emails are one of the most common attacks in this case. Since, in letters of this kind, the attacker imitates the messages of legitimate companies and firms, trying to extract the necessary information for him. In the Phishing email, it is suggested to go to the attached link and confirm your data or credit card details. It’s a scheme to steal sensitive data.

Vishing is also used to steal data only through calls. Intruders call users and, during the conversation, extort card numbers, personal data, addresses, insurance numbers, etc. To avoid falling victim to Phishing and Vishing, check the legality of the companies that call or write to you. Also, try to answer only those calls in your phone book.

Zombie Computer Virus

Zombies are a type of malware that can spread via spam email. This program turns the user’s computer into a server through which it sends spam to other users. You won’t be able to see the moment when this malware will be on your computer, but slow PC operation will be the first sign that it is. Moreover, an infected computer can attack web pages. To avoid this, you should not click on the attached links in spam emails.

How to stay free of spam emails?

You can take all the steps mentioned above only if you are a victim of spam mailing. If you only know about it and do not want to face such a problem directly, then take the recommended precautions. Use the spam filters we mentioned earlier. Do not spread your email address on different platforms and sites. Also, try not to click on pop-ups and banners that carry annoying and malicious content. Finally, be careful when visiting untested and unprotected sites, and especially leaving there your main email address. If you need to browse such pages time to time, that will be a great solution to create a separate email address that will take all the potential spam.

The post How to Get Rid of Spam Emails? appeared first on Gridinsoft Blog.

How to Fix “Be Careful With This Message” Error

Gmail does not disclose the logic behind its filters and spam detection to prevent hackers from bypassing Google’s filters. When a user sends or receives an email, it goes through Google’s spam filters before reaching the inbox. It’s a kind of Blackbox that can’t be turned off. If Google deems the email suspicious, it will either be flagged with a banner. However, this doesn’t always mean a guaranteed threat; sometimes, filters can flag safe, clean emails.

If you receive an email and see a “This message seems dangerous” message, try going through the following steps. I begin with the troubleshooting steps for:

Check the Sender

Before trusting an email, it’s crucial to verify the sender. Sometimes, hackers can disguise their email to appear as if it’s from a legitimate source. Examine the email address for spelling mistakes or characters that closely resemble others, such as a numeric “0” instead of a capital “O” or a lowercase “l” instead of a capital “I”.

Hackers can spoof an email to make it look like it’s from a trusted source, like Amazon. However, if you look closely at the sender’s email address, you might find that it’s something like Ama.z0n.full@hotmail.com, which is not a legitimate Amazon email address.

Today, scammers are using artificial intelligence to write phishing emails, virtually eliminating errors in the text or red flags. Nevertheless, while you open the email, look for suspicious signs in the email’s body content, such as misspelled names and other spelling mistakes. Remember: Banks, social networking sites, and government institutions never contact you for sensitive information via email.

Is It a Trusted Sender?

Next, there’s one thing you can review to be completely certain about the “This message seems dangerous” notification”: check whether the sender is really someone you know. Google offers a convenient way to do this. Select Compose in the upper left corner of the Gmail window.

Copy the suspicious email address to the “To” field in the new email panel.

If the address matches a trusted sender with whom you’ve corresponded, their email will appear in the drop-down list. However, if nothing occurs or the emails in the drop-down list don’t match, you’ve probably received a fraudulent email disguised as one from a trusted sender.

If the email is authentic after performing the above checks, click “Looks safe”, and the banner will disappear. This action informs Gmail’s AI that you trust the sender and stops displaying the flag. However, sometimes Gmail won’t let you click “Looks Safe”. Instead, it will just offer the option to “Delete” or nothing at all, indicating Gmail has determined that the email is malicious.

If you’re still convinced it’s safe, you must request Google Support to fix the problem. In any case, it’s important to remember that your discretion is key in handling suspicious emails. If you don’t trust the email, don’t click on any links, don’t download any attachments, and don’t reply.

It’s important to understand that legitimate senders can also send you malware if their email has been compromised. The most reliable option is to contact the sender outside of Gmail and ask them directly if the email came from them.

Report the Email

If you determine that the message is a phishing scam, click “Report Dangerous” or “Report Phishing”. This will move the suspicious email to your spam folder and alert Google’s anti-malware team to help prevent similar phishing attacks. The email will be automatically deleted after 30 days, but you can also delete it manually.

Gmail Labeling My Messages As Dangerous

Now, let’s switch to the point of view of a sender. In some cases legitimate businesses, especially ones that send newsletters, encounter Gmail flagging their emails as “dangerous”. This happens because the system is triggered by signs characteristic of spam mailings. The following are the possible triggers that cause the banner to appear:

• Too many recipients (the system often labels chains of emails that way)
• Too many images
• Too many attachments
• Too many hyperlinks
• Poor grammar/punctuation
• Your email address is in the spam filter database
• You have not set up email authentication
• Your device is infected with malware
• The email has no unsubscribe button (or link)
• You are sending it from the corporate domain

If you’re encountering this issue, remember that you have the power to optimize your email template design. If your emails have a design element, there might be code in your email template that flags them. For example, some chunks in your email that optimize the display on different devices may be suspicious to Gmail:

/* MOBILE STYLES */
@media screen and (max-width: 525px) {
.mobile-hide {
display: none !important;
}
}

This class is used to hide some elements to make them fit on mobile screens, but it can cause a red banner.

More Careful Handling

If you send business emails to a mailing list, checking your rejection and complaint rates is essential. Keep them as low as possible by immediately removing addresses where you received a rejection or complaint from your database. For instance, if none of the user’s emails have been opened in the last six months, consider that an inactive account and stop mailing them.

You can email fewer people or use Gmail’s “blind carbon copy” (BCC) feature, which hides recipients’ email addresses from each other. This reduces the likelihood of Gmail flagging your email because you won’t be spreading personal information (PII).

Another important point is allowing recipients to unsubscribe from your mailing list. Ensure your emails always have an “Unsubscribe” link in the footer.

Set Up Email Authentication

SPF, DKIM, and DMARC are email authentication methods that confirm to ISPs and mailers that you are authorized to send emails from a particular domain. Verifying an account with SPF, DKIM, and DMARC is vital, and Google also recommends using all three authentication methods.

These functions are briefly described:

• SPF (Sender Policy Framework) specifies which domain IP addresses can send emails from your domain.
• DKIM (DomainKeys Identified Mail) ensures that emails traveling from server to server are not tampered with and that the receiving end can verify these emails.
• DMARC (Domain-based Message Authentication, Reporting, and Conformance) adds an extra layer of verification by matching the validity of SPF and DKIM records. You can receive DMARC reports if an email verification fails.

Disable Your Antivirus Email Signature

Some antivirus programs automatically add a digital signature to outgoing emails, confirming they have been scanned and are virus-free. However, this digital signature can conflict with Gmail’s security measures, which leads to flagging your emails as potentially hazardous. Consider disabling the digital signature feature in your antivirus program to see if it resolves the problem.

The post This Message Seems Dangerous appeared first on Gridinsoft Blog.

Exploitation of these issues allows an attacker to steal credentials, intercept emails, and so on.

While the entire STARTTLS negotiation process was not very robust and error prone, STARTTLS came at a time when there was still no massive support for encrypted connections in mail clients and servers.

Since there were no better alternatives at the time, most users and administrators chose to enable STARTTLS as a temporary solution until TLS became more widespread.

Now everything has changed: almost all mail clients and servers support TLS-only mode, in which all old protocols, including POP3, IMAP and SMTP, by default operate over an encrypted channel that protects email from hacking or eavesdropping, and mail clients refuse to send emails if a secure TLS connection cannot be established. However, there are still millions of mail clients and hundreds of thousands of mail servers where STARTTLS is supported and is still enabled.

Now experts report that they have discovered over 40 vulnerabilities in client and server implementations of STARTTLS. Problems can be abused to downgrade STARTTLS connections to plain text, intercept emails, steal passwords, and so on.

Although to implement such attacks, an attacker must first carry out a MitM attack (in order to be able to interfere with the STARTTLS negotiation process, that is, the attacker must interfere with the connection established between the mail client and the mail server, and must also have credentials to log into the account on the same server), the research team insists that “these vulnerabilities are so widespread that we recommend that you avoid using STARTTLS whenever possible.” That is, users and administrators are advised to update their clients and servers as soon as possible, and switch to using TLS-only.

Over the past few months, researchers have been actively collaborating with the developers of mail clients and servers to fix 40 bugs they discovered. Although users now can install the resulting patches and continue using STARTTLS, researchers still advise switching to TLS-only.

Let me remind you that I talked about the fact that Hackers used Firefox extension to hack Gmail.

The post Vulnerabilities in STARTTLS threaten popular email clients appeared first on Gridinsoft Blog.

According to the researchers, the campaign was active from January to February 2021. Hackers attacked Tibetan organizations around the world using a malicious Firefox extension that steals Gmail and Firefox data and then downloads malware onto infected systems.

The researchers say that cybercriminals attacked Tibetan organizations with targeted phishing emails that lured victims to sites prompting them to install a fake Flash update, allegedly required to view the content.

In fact, these resources contained code that divided users into groups. So, only Firefox users with an active Gmail session were offered to install a malicious extension, while other hackers were not interested in other users.

The malicious extension was called Flash update components, but in fact it was a variation of the legitimate Gmail notifier (restartless) extension, and was capable of abusing the following features.

Gmail:

• Search for emails
• Archive emails
• Receive Gmail notifications
• Read emails
• Changing the audio and visual alert functionality in Firefox
• Flag emails
• Mark emails as spam
• Delete messages
• Refresh Inbox
• Forwarding letters
• Searching in email
• Delete messages from the Gmail Trash
• Send mail from a compromised account

Firefox (depends on the rights granted):

• Access to user data from all sites
• Show notifications
• Read and change privacy settings
• Access browser tabs

However, the attack did not end there. The extension also downloaded and installed ScanBox malware on the infected machine. It is an old malware tool based on PHP and JavaScript that has been used more than once in attacks by Chinese hack groups.

The last recorded use of ScanBox dates back to 2019, when analysts at Recorded Future noticed attacks on visitors of Pakistani and Tibetan sites.

Interestingly, this time the fake Flash attacks worked better than ever. While majority of users know for a long time that they should stay away from sites offering Flash updates, support for Flash was discontinued early this year. On January 12, 2021, all Flash content stopped playing in browsers, and this seems to be what made the TA413 attacks much more successful than usual.

Let me also remind you that a special version of Flash for China turned into adware.

The post Hackers used Firefox extension to hack Gmail appeared first on Gridinsoft Blog.

The malware established full control over infected devices, collected credentials, GPS from infected devices, made screen recordings, and so on.

At the same time, the malware carefully avoided infections in countries such as Ukraine, Belarus, Kyrgyzstan and Uzbekistan, Africa and the Middle East.

Mandrake has a three-stage structure, which allowed its operators to avoid detection by Google Play security mechanisms for a long time. It all started with a harmless dropper placed in the official application catalog and disguised as a legitimate application, such as a horoscope or cryptocurrency converter.

When such an application was downloaded on the victim’s device, the dropper downloaded the bootloader from the remote server. At the same time, the dropper himself was able to remotely turn on Wi-Fi, collect information about the device, hide its presence about the victim and automatically install new applications.

In turn, the bootloader was already responsible for direct downloading and installing Mandrake malware.

“The malware completely compromised the target device, gave itself administrator privileges (the request for rights was masked as a license agreement), after which it gained wide opportunities: forwarding all incoming SMS messages to the attackers’ server; sending messages; making calls; stealing information from the contact list; activating and tracking of the user’s location via GPS; stealing Facebook credentials and financial information and screen recording”, – report Bitdefender specialists.

Additionally, the malware carried out phishing attacks on Coinbase, Amazon, Gmail, Google Chrome, applications of various banks in Australia and Germany, the currency conversion service XE and PayPal.

Worse, Mandrake is able to reset the infected device to the factory settings in order to erase user data, as well as all traces of the malware’s activity. When the attackers received from the victim all the information they needed, Mandrake went into the “destruction mode” and erased himself from the device.

“We believe that the number of victims of Mandrake is tens or even hundreds of thousands, but we don’t know the exact number”, — writes Bitdefender expert Bogdan Botezatu.

The company’s researchers believe that for four years, all spyware attacks were coordinated by its operators manually and were not fully automated, as is usually the case. They also note that Mandrake was not spread by spam, and it seems that the attackers carefully selected all their victims.

Specialists were able to trace the Mandrake developer account on Google Play to a certain Russian-speaking freelancer hiding behind a network of fake company websites, stolen IDs and email addresses, as well as fake job ads in North America.

As for Friday, I remind you that For eight years, the Cereals botnet existed for only one purpose: it downloaded anime.

The post Mandrake malware was hiding on Google Play for more than four years appeared first on Gridinsoft Blog.