Microsoft Outlook Archives – Gridinsoft Blog

How to Prevent Email Spoofing
https://gridinsoft.com/blogs/prevent-email-spoofing/
Fri, 19 Jul 2024 15:20:27 +0000

Types of Email Spoofing

Email spoofing, also known as spoofing email, involves forging the sender’s email address. Often, the address in the sender’s field is fake; any responses sent to this address will likely reach a third party. The primary goal of this scam is to deceive the user.

Fraudsters deploy a variety of tactics to execute a successful spoofing attack. Below, we explore the most common methods they use.

1. Sharing a Similar Domain

To successfully spoof an email, fraudsters meticulously imitate sender addresses that appear similar to those of well-known organizations or companies. They typically:

  • Alter the top-level domain, for example, from support@spotify.com to support@spotify.co
  • Change the domain to include a country code, for example, support@spotify.com.ru
  • Modify a single character in the domain name, turning support@spotify.com into support@spatify.com
  • Use a variant of the domain that still references the brand, such as support@spotifyinfo.com
  • Create an email address that incorporates the company’s name, like support.spotify@gmail.com

2. Substituting the Sender’s Name

This tactic involves falsifying the sender’s name, with the “From” and “Reply-To” headers displaying the fraudster’s address instead. This method is particularly prevalent on mobile mail clients, which typically only display the sender’s name. Fraudsters may use:

  • Misleading variations of the company’s name.
  • Fabricated names paired with deceptive email addresses.

Imagine that you receive an email like this:

[Image: Preventing Email Spoofing - Example 1]

Notice that all fields are correct, but the From and Reply-To fields are not. When Dude1 receives this email, he may think it’s from his boss. When he hits “Reply,” all he’ll see in the To: field is the name “BossMan,” but it will actually go back to his friend who spoofed the email, Dude2.

3. Forging the From and Reply-To Fields

Because the SMTP protocol does not authenticate headers, fraudsters can easily forge addresses in the From and Reply-To fields without being noticed. This makes it hard to catch them, as a fake is almost no different from the original.
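The following check for the look-alike domain patterns and the From/Reply-To tricks described above is an added example, not code from the original article. The brand, the contact directory, the free-mail list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the protected brand and
# its real domain, a free-mail list, and a small directory of known contacts.
BRAND = "spotify"
LEGIT_DOMAIN = "spotify.com"
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com"}
KNOWN_CONTACTS = {"bossman": "bossman@example.com"}  # display name -> real address


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, local=""):
    """Map a sender domain to one of the look-alike patterns from section 1."""
    domain = domain.lower().rstrip(".")
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    if domain.startswith(LEGIT_DOMAIN + "."):
        return "country-code suffix"                 # spotify.com.ru
    labels = domain.split(".")
    name = labels[-2] if len(labels) > 1 else labels[0]
    if name == BRAND:
        return "altered top-level domain"            # spotify.co
    if edit_distance(name, BRAND) == 1:
        return "single-character change"             # spatify.com
    if BRAND in name:
        return "brand embedded in domain"            # spotifyinfo.com
    if domain in FREEMAIL and BRAND in local.lower():
        return "brand in local part at free mail provider"
    return "unrelated"


def analyze(raw):
    """Return a list of spoofing indicators found in one raw message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    local, _, domain = from_addr.rpartition("@")
    findings = []
    kind = classify_domain(domain, local)
    if kind not in ("legitimate", "unrelated"):
        findings.append("look-alike sender: " + kind)
    # A mobile client shows only the display name, so compare it to the directory.
    expected = KNOWN_CONTACTS.get(from_name.strip().lower())
    if expected and expected != from_addr.lower():
        findings.append("display name of a known contact used with a different address")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain.lower():
        findings.append("Reply-To domain differs from From domain")
    return findings


# Constructed sample messages (not real mail).
BOSS_MSG = (
    "From: BossMan <dude2@example.net>\n"
    "Reply-To: BossMan <dude2@example.net>\n"
    "To: Dude1 <dude1@example.com>\n"
    "Subject: Quick favour\n\nPlease reply today.\n"
)
LOOKALIKE_MSG = (
    "From: Spotify Support <support@spatify.com>\n"
    "Reply-To: help@spotifyinfo.com\n"
    "To: user@example.com\n"
    "Subject: Confirm your account\n\nHello.\n"
)

if __name__ == "__main__":
    for label, raw in (("boss", BOSS_MSG), ("lookalike", LOOKALIKE_MSG)):
        print(label, analyze(raw))
```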

Protection from Email Spoofing

To effectively guard against email spoofing, it’s essential to configure email security protocols such as SPF, DKIM, and DMARC. Below, you’ll find step-by-step guides on how to set up these protocols for popular email platforms:

1. Setting Up SPF (Sender Policy Framework)

SPF helps to verify that incoming mail from a domain comes from a host authorized by that domain’s administrators.

  • Gmail: Go to the Google Admin console, navigate to ‘Domains’, and then ‘Add a domain or a domain alias’. Add the SPF record in your DNS settings: v=spf1 include:_spf.google.com ~all
  • Outlook: In the Microsoft 365 admin center, go to ‘Settings’ → ‘Domains’, select your domain, and add the SPF record to your DNS settings: v=spf1 include:spf.protection.outlook.com -all

2. Implementing DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing the receiver to verify that an email was indeed sent and authorized by the owner of the sending domain. Setting up DKIM correctly can help prevent email spoofing by verifying the authenticity of the sender. Here’s how to set up DKIM for Gmail and Outlook:

Implementing DKIM for Gmail:

To configure DKIM for Gmail, use the following steps:

  1. Sign in to the Google Admin console.
  2. Navigate to Apps → Google Workspace → Gmail → Authenticate email.
  3. Select the domain for which you want to set up DKIM and click GENERATE NEW RECORD. You might see this option only if you haven’t already set up DKIM for your domain.
  4. Choose a key length of 2048 bits for better security (1024 bits is also available but less secure).
  5. After generating the DKIM key, Google will provide you with a TXT record to add to your domain’s DNS. It will look something like this:
    google._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq...AB"

    This is your public key.

  6. Add this record to your DNS settings at your domain host. Keep in mind that DNS propagation can take up to 48 hours.
  7. Once the DNS has propagated, return to the Admin console and click START AUTHENTICATION.

When DKIM is set up correctly, Gmail will sign outgoing emails automatically, allowing recipient servers to verify their authenticity.

Implementing DKIM for Outlook:

For users of Microsoft 365 or Outlook, the setup process involves similar steps:

  1. Log in to the Microsoft 365 Defender portal.
  2. Go to Email & collaboration → Policies & rules → Threat policies → DKIM.
  3. Choose the domain you wish to enable DKIM for and click Enable.
  4. If no DKIM keys exist, Microsoft will prompt you to create them. Click on Create to generate the keys.
  5. Microsoft will then provide two CNAME records to add to your domain’s DNS. These records delegate the DKIM signing authority to Microsoft. They typically look like this:
    selector1._domainkey.YOURDOMAIN.com CNAME selector1-YOURDOMAIN-com._domainkey.YOURDOMAIN.onmicrosoft.com
    selector2._domainkey.YOURDOMAIN.com CNAME selector2-YOURDOMAIN-com._domainkey.YOURDOMAIN.onmicrosoft.com
  6. Add these CNAME records to your DNS. Again, allow up to 48 hours for DNS changes to take effect.
  7. Once DNS propagation is complete, go back to the Defender portal and confirm the DKIM status to ensure it is active.

Implementing DKIM for your domain significantly improves your email security by enabling email authenticity verification at the recipient’s end.

3. Configuring DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication, policy, and reporting protocol. It builds on SPF and DKIM protocols, helping email receivers determine if a given message aligns with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle these discrepancies. Here’s a step-by-step guide to setting up DMARC:

Understanding DMARC Policy:

Before setting up DMARC, you need to understand the policies you can apply:

  • None: This policy allows all emails, regardless of authentication status, to be delivered (used for monitoring and reporting purposes).
  • Quarantine: Emails that fail DMARC authentication will be moved to the spam folder or a similar location.
  • Reject: Fully blocks delivery of emails that fail DMARC authentication.

Steps to Configure DMARC:

  1. Create a DMARC record: A DMARC policy is published as a DNS TXT record. The typical format of a DMARC record looks like this:
    v=DMARC1; p=none; rua=mailto:admin@yourdomain.com

    In this example, ‘p=none’ specifies the policy, and ‘rua’ indicates where aggregate reports of DMARC failures will be sent.

  2. Choose Your Policy: Decide which policy (none, quarantine, reject) fits your needs based on your security posture and the maturity of your SPF and DKIM setups.
  3. Specify Email Reporting: Determine where you want reports of pass/fail to be sent. These reports are crucial for understanding the types of attacks targeting your domain and observing how your emails are being received on the internet. Use ‘rua’ for aggregate reports and ‘ruf’ for forensic reports:
    rua=mailto:aggregate@yourdomain.com; ruf=mailto:forensic@yourdomain.com
  4. Publish the DMARC Record: Add the DMARC TXT record to your domain’s DNS. This is similar to adding SPF or DKIM records. You typically enter the record into your DNS management dashboard.
  5. Monitor and Adjust: After implementing DMARC, monitor the reports you receive and adjust your policy as needed. A common approach is to start with a ‘none’ policy and move to ‘quarantine’ or ‘reject’ as you confirm that legitimate emails are passing SPF and DKIM checks.

Additional DMARC Tags:

A DMARC record can include several optional tags to refine its operation:

  • aspf: Alignment mode for SPF (strict or relaxed).
  • adkim: Alignment mode for DKIM (strict or relaxed).
  • fo: Forensic options to specify conditions under which forensic reports should be generated.
  • rf: The format to be used in forensic reports.
  • ri: Reporting interval for how often you want to receive the aggregate reports.
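The record format, policies and optional tags above can be checked before publishing with a small parser. This is an added example, not code from the original article; it fills omitted tags with the defaults defined in RFC 7489 and, as a simplification, accepts only mailto: report addresses, the form used on this page.

```python
POLICIES = ("none", "quarantine", "reject")
# Defaults from RFC 7489 for optional tags that are omitted from the record.
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf", "ri": "86400"}

# Sample records: the first is the one shown in step 1; the second combines the
# reporting addresses from step 3 with a strict policy (constructed).
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:admin@yourdomain.com"
STRICT_RECORD = (
    "v=DMARC1; p=reject; rua=mailto:aggregate@yourdomain.com; "
    "ruf=mailto:forensic@yourdomain.com; adkim=s; aspf=s"
)


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if malformed."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("not a tag=value pair: %r" % part.strip())
        pairs.append((key.strip().lower(), value.strip()))
    # The version tag must come first, otherwise receivers ignore the record.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = dict(DEFAULTS)
    tags.update(pairs)
    for key in ("p", "adkim", "aspf"):
        if key in tags:
            tags[key] = tags[key].lower()
    if tags.get("p") not in POLICIES:
        raise ValueError("p must be one of none, quarantine, reject")
    for mode in ("adkim", "aspf"):
        if tags[mode] not in ("r", "s"):
            raise ValueError(mode + " must be r (relaxed) or s (strict)")
    if not tags["ri"].isdigit():
        raise ValueError("ri must be a number of seconds")
    for report in ("rua", "ruf"):
        for uri in filter(None, tags.get(report, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                raise ValueError(report + " entries must be mailto: URIs")
    return tags


def audit(txt):
    """Return (tags, warnings) describing what the record actually enforces."""
    tags = parse_dmarc(txt)
    warnings = []
    if tags["p"] == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        warnings.append("no rua tag; aggregate reports will not be received")
    return tags, warnings


def disposition(tags, spf_aligned_pass, dkim_aligned_pass):
    """What a receiver honouring the policy does with a single message."""
    # DMARC passes when either SPF or DKIM passes with an aligned domain.
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    return {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}[tags["p"]]


if __name__ == "__main__":
    for record in (MONITOR_RECORD, STRICT_RECORD):
        tags, warnings = audit(record)
        print(tags["p"], warnings, disposition(tags, False, False))
```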

How to Get Rid of Spam Emails?
https://gridinsoft.com/blogs/get-rid-spam-gmail-yahoo-outlook/
Fri, 19 Jul 2024 08:01:07 +0000

Email spam is the annoying and unwanted mass mailing of messages. Such messages come from unknown sources and sometimes even carry malicious content. Spam emails often use extortion and intimidation tactics or carry misleading information. But worst of all, attackers can access your smartphone, PC, or other devices through spam email. In this article, you will find a guide on how to delete such annoying emails in Gmail, Yahoo and Outlook, and how to stop receiving them.

Ways to Get Rid of Spam Emails

Fortunately for users, there are plenty of ways to get rid of annoying messages. Depending on their number, you can try different practices and find the one that works best for your case. For example, simply reporting a couple of phony emails you’ve got over the last month may be enough to prevent their appearance. Popular email services usually keep an eye on users’ reports and will likely react to reports of malicious activity. Still, you may sometimes require a much harsher approach.

1. Mark as spam

Email services such as Gmail, Yahoo and Outlook have special features for filtering unwanted emails. To use them, you need to mark emails as “spam”, after which they will go to the spam folder and will not disturb you in the common list of emails. If you receive such emails from the same sender in the future, they will automatically be sent to this folder.

How to mark spam in Gmail

Tap on the square next to the email. After that tap the stop sign icon.

How to mark spam in Yahoo! Mail

Tap the box next to the email or on multiple emails. After that tap on the shield icon.

2. Delete spam emails

Spam email looks harmless at first glance. But there are a few nuances that you need to consider. First of all, if you notice that your mailbox is filled with letters from unknown sources, do not click on them. By clicking on these emails, you inform the attacker that your email address is active, and you will start receiving even more spam. It is only when you follow links or respond to spam that you can come across the distribution of malware and other things. The best thing you can do is simply remove spam emails and rid yourself of unnecessary content.

How to delete spam from Gmail

  1. Tap on the empty box to check out the message.
  2. Tap on the stop sign in the top menu.
  3. Tap Report Spam in the dropdown menu.
  4. Tap on the “Delete All Spam Messages Now” option.

How to delete spam from Yahoo! Mail

  1. Firstly, check the box next to the email.
  2. In the above menu tap on the shield.
  3. Tap the Report Spam option.
  4. Go to the spam folder.
  5. Tap the Delete Emails option.

How to delete spam from Microsoft Outlook

  1. Tap the email in the inbox area.
  2. Tap on the Junk Mail option in the top menu.
  3. In the side menu click on the Junk Email tab.
  4. To empty the folder click the metal trash can.

3. Keep your email address private

Try to avoid sharing your email address on different platforms so that you do not receive spam emails. If you don’t have to share your email address, you had better keep it private. You can also change your account privacy settings, as in the following examples:

Google Privacy Settings

  1. Enter your Google account.
  2. Navigate to the Security Checkup option to see the devices, security events and other email addresses and devices connected to your Gmail account.
  3. Set up the toggle switches to turn features on or off.
  4. Do the same process for the Personal Information and Privacy settings.

Yahoo! Mail privacy settings

  1. Log in to your Yahoo! Mail account.
  2. Click on the gear icon.
  3. Click the Account Information option.
  4. In the Account Security section, click on the Generate app password option.

Microsoft Outlook privacy settings

  1. In the upper-right corner of the screen tap on your account icon.
  2. In the menu list, tap My Account.
  3. Tap on the Privacy and Security options to change the settings.

4. Use a third-party spam filter

Each mailbox has its spam filter, but working with a third-party filter can provide additional protection. All emails will pass through these two filters. This way, you can provide adequate protection against malware and unwanted content. Finding an anti-spam filter that will work with your service provider is best.

5. Change your email address

If spam still comes to your email address after all the steps above, then the problem is the continuous leak of your personal info, in particular your email address. In this case, you need to change your email address. To do this, see the following guide.

Change email address

  1. Register a new account with your current email service.
  2. After that, notify your contacts from your new account that you’ve changed email addresses.
  3. Go to the Settings section and add the new email address to forward incoming emails from your old account. It is important to specify the emails you want to redirect the messages from. Otherwise, all the spam will appear in the new mailbox as well.

How to add a forwarding address

After you create a new email address, you will be able to receive emails from the old email address. To do this, you need to change your forwarding settings. By redirecting, you will be able to update your contact information in all accounts that are linked to your original account.

  1. In the old email account, navigate to the Settings option.
  2. Tap the Forwarding and POP/IMAP tab.
  3. Enter the new email address in the Add a forwarding address box.
  4. Tap “Next” to confirm the process.

Common spam email security threats

In addition to being annoying and time-consuming, spam emails can compromise users’ digital security. Attachments in spam emails often carry a virus or malware. Here is a list of the most common ones.

Trojan Virus

Trojans are malware disguised as legitimate apps. They can get onto the user’s PC through downloads of free apps or through email attachments. A Trojan installs malicious code, usually spyware or coin miners, via a link attached to an email. Thus, the attacker manages to control the user’s computer, steal data and block many programs. For this reason, remember that clicking on spam emails is dangerous.

Phishing and vishing

Phishing emails are one of the most common attacks in this case. In letters of this kind, the attacker imitates the messages of legitimate companies and firms, trying to extract the information they need. A phishing email suggests that you follow the attached link and confirm your data or credit card details. It’s a scheme to steal sensitive data.

Vishing is also used to steal data, but through phone calls. Intruders call users and, during the conversation, extort card numbers, personal data, addresses, insurance numbers, etc. To avoid falling victim to phishing and vishing, check the legitimacy of the companies that call or write to you. Also, try to answer only calls from numbers in your phone book.

Zombie Computer Virus

Zombies are a type of malware that can spread via spam email. This program turns the user’s computer into a server through which it sends spam to other users. You won’t be able to see the moment when this malware gets onto your computer, but slow PC operation will be the first sign that it is there. Moreover, an infected computer can attack web pages. To avoid this, you should not click on the attached links in spam emails.

How to stay free of spam emails?

You can take all the steps mentioned above only if you are a victim of spam mailing. If you only know about it and do not want to face such a problem directly, then take the recommended precautions. Use the spam filters we mentioned earlier. Do not spread your email address on different platforms and sites. Also, try not to click on pop-ups and banners that carry annoying and malicious content. Finally, be careful when visiting untested and unprotected sites, and especially when leaving your main email address there. If you need to browse such pages from time to time, a great solution is to create a separate email address that will take all the potential spam.

HxTsr.exe – What is the HxTsr Process?
https://gridinsoft.com/blogs/what-is-hxtsr-exe/
Thu, 13 Jun 2024 14:43:58 +0000

The HxTsr.exe process is a part of the Microsoft Outlook Communications component of the Windows 10/11 operating system. This process is responsible for synchronizing mail, contacts, and calendars between Outlook and other applications. Typically, it runs in the background and does not attract users’ attention at all.

However, in some cases, the HxTsr.exe process may be responsible for performance, security, or system stability issues. It is possible that this process has been tampered with or infected with a virus that uses its name to masquerade on the system. Such malware can threaten your privacy, security, and finances, so it’s important to learn how to recognize and eliminate it.

What is HxTsr.exe?

HxTsr.exe (Hidden Executable To Sync Remote Servers) is a part of the MS Outlook app, the one that orchestrates part of its networking affairs. It appeared with the introduction of Microsoft Office 2013 and is also a component of built-in Windows 11/10 applications such as Mail, Calendar, and Contacts. It runs in the background and powers the Microsoft Outlook application, which uses different types of accounts. HxTsr is also responsible for updating your mail, calendar, and contact data on your computer and in the cloud.

The HxTsr.exe process is located in the C:\Users\****\AppData\Local\Packages\microsoft.windowscommunicationsapps_XXX\ folder, where XXX is the version of the application package. It is not a Windows system file and does not affect the operating system. It can be suspended or closed without affecting Windows, but it may cause the Outlook application or its counterparts to malfunction.

Can I delete HxTsr?

It is possible to close/suspend the HxTsr.exe process, but the question arises – can it be deleted completely?

Well, it is doable, even though there are a couple of drawbacks you will get. If you remove the HxTsr.exe process, it may affect the operation of Microsoft Outlook, Mail, Calendar and other applications that use it to synchronize data with mail servers. You may lose access to your email, contacts, tasks, and calendar or get errors while using them. So, if you do not use the “Mail” application, the removal will not make that much of an impact. Here is how you can do it:

  1. Click on Start Menu > Settings > System > Apps and Features.
  2. Wait till the app list is populated.
  3. Click on the Mail & Calendar App.
  4. It will reveal the menu to Move and Uninstall.
  5. Click on the Uninstall button to remove the Mail & Calendar from Windows. This will remove the source programs of HxTsr.exe, removing it as well.

Is HxTsr.exe a virus?

Although the HxTsr.exe process itself is not a virus or malware, it can be spoofed or used by such programs to disguise their activities. Viruses and malware may create copies of the HxTsr.exe process in other folders or with different names to trick the user or antivirus. They may also masquerade as the HxTsr.exe process to hide their presence. Such malware can threaten your privacy, security, and finances, so it’s important to learn how to recognize and eliminate them.

Typical malware effects that can mimic the HxTsr.exe process can be as follows:

To recognize and remove malware masquerading as the HxTsr.exe process, you can perform the following steps:

Step 1: Open Task Manager

To open Task Manager, press the keyboard shortcut Ctrl+Shift+Esc or right-click on an empty spot on the taskbar and select “Task Manager”.

[Image: HxTsr process in Task Manager]

Step 2: View the list of processes

In Task Manager, choose the Processes tab and view a list of all running processes. Find the process named HxTsr.exe.

[Image: Windows Task Manager]

Step 3: Open the location of the process file

To open the file location of a process, right-click on the process in Task Manager and choose “Open File Location”. This will open the folder where the process executable is located.

It is located in the folder C:\Users\****\AppData\Local\Packages\microsoft.windowscommunicationsapps_(version of the application package)

Its size is about 30 KB. It usually does not consume more than 1% of CPU and 10 MB of memory.

[Image: HxTsr file in system folder]

If you find any inconsistencies, do not rush to delete the file, as it may lead to undesirable consequences. First, check it for viruses.

Perform a full system scan with a quality antivirus software like Gridinsoft Anti-Malware and remove all detected threats. You can also check the HxTsr.exe process file for viruses using an online service such as Gridinsoft’s Online Virus Scanner.

Download and install Anti-Malware. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the antimalware program takes for each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Outlook Vulnerability Exploited by Russian Hackers
https://gridinsoft.com/blogs/outlook-vulnerability-russian-hackers/
Tue, 05 Dec 2023 15:39:43 +0000

A vulnerability in Microsoft Outlook is under active exploitation: that is the worrying notification from Microsoft. The world’s largest software developer warns about Russian state-sponsored hackers using this flaw to perform cyberattacks. Despite the fix for the issue being released over 8 months ago, there is still a concerning number of unpatched instances.

Microsoft Outlook Vulnerability Used by Kremlin-Backed Hackers

Being a privilege escalation bug, CVE-2023-23397 received an almost maximal CVSS score of 9.8. The rating was set back in March 2023, when the vulnerability was originally uncovered. And the flow of attacks that exploit this vulnerability confirms every bit of this score.

In essence, the vulnerability makes it possible to leak the Net-NTLMv2 hash by sending a specially crafted email message. This is possible due to the features of the specific transfer format Microsoft uses in Outlook. By manipulating the PidLidReminderFileParameter settings, adversaries can leak the hash and have it sent to their command server. That’s it for this exploit, but the main course of action happens afterwards.

Forest Blizzard Exploits MS Outlook in Attacks on Poland

Microsoft researchers noticed one main threat actor using the CVE-2023-23397 in its cyberattacks – Forest Blizzard a.k.a. APT28/Fancy Bear. This threat actor has a proven connection to the Russian government, particularly to the Main Intelligence Directorate (GRU). In the campaign that exploited the described Outlook vulnerability, hackers primarily targeted Poland.

[Image: Scheme of MS Outlook exploitation, used by APT28]

Upon receiving the Net-NTLMv2 hash, adversaries were able to manipulate the access permissions to specific mailbox folders. This, in turn, gave them the ability to read all of the contents. Hackers specifically aimed at folders that could store any valuable and potentially sensitive information.

Such targeting is rather obvious: Poland has had its relations with Russia ruined since February 2023, and its participation in delivering supplies to Ukraine is a point of interest for Russian intelligence. While such espionage relies on the same tactics as cybercriminals use in attacks on corporations, the final target is what is different. Still, nothing stops hackers from applying the same tactics in attacks on other countries.

Install the Patch, Microsoft Insists

As I mentioned at the beginning, the patch for CVE-2023-23397 has been available all the way back since March 2023. Microsoft released it almost immediately after disclosing the vulnerability. And since it is a vulnerability in the protocol, there is not much you can do to temporarily mitigate the issue. Even though it may be troublesome to update all the instances soon after the patch, there has been plenty of time to arrange the update.

Zerodium offers up to $400,000 for exploits for Microsoft Outlook
https://gridinsoft.com/blogs/zerodium-offers-up-to-400000-for-exploits-for-microsoft-outlook/
Fri, 28 Jan 2022 21:31:13 +0000

Well-known exploit and vulnerability broker Zerodium announced that it is ready to pay up to $400,000 for zero-day vulnerabilities and exploits that will allow remote code execution in the Microsoft Outlook email client.

Previously, the maximum payout was $250,000. For similar bugs in Mozilla Thunderbird, the company is willing to pay up to $200,000.

Let me remind you that the Zerodium company, founded in 2015, has been buying up exploits for various zero-day vulnerabilities for a long time, in order to then resell them to governments and law enforcement agencies around the world. To do this, the company has its own bug bounty program, in which researchers can sell exploits for up to $2.5 million (depending on the type and nature of the bug).

In addition, from time to time the company holds “bug-fixing” campaigns, during which it buys exploits for a particular software at special prices. Previously, similar promotions were held for Pidgin, WordPress, hypervisors, popular VPN products, and so on.

Rewards for bugs in Mozilla Thunderbird and Microsoft Outlook have also been temporarily increased, the company said on Twitter.

“We’re currently paying up to $200,000 per exploit for Mozilla Thunderbird RCEs. We’re also (temporarily) increasing our bounty for MS Outlook RCEs to $400,000 (from $250,000),” Zerodium representatives wrote.

Zerodium does not specify which platform the exploits should target, but both email clients have versions for all three major operating systems—Windows, macOS, and Linux.

Many information security experts noted that a successful hack into either of the two email clients would give the attacker access not only to the user’s computer, but also to all mailboxes managed through the compromised client. Since account passwords can be extracted from the client, this also means that the party using the exploit will later be able to access cloud accounts.
