martyyn
  #2566646 17-Sep-2020 09:51
This is starting to get a little interesting. One of my clients has started to see the same emails, and I have an email address with them which only two other people know about.

I've received emails this morning from them both with .doc attachments asking me to complete the forms to open my account.

I've run both attachments through virustotal.com as @1101 suggested, to find one is all clear but the other lights up like a Christmas tree with all sorts of trojans.

1101
  #2566664 17-Sep-2020 10:03
martyyn:

I've run both attachments through virustotal.com as @1101 suggested, to find one is all clear but the other lights up like a Christmas tree with all sorts of trojans.

I get a bit p8ssed when endpoint AV payware does a worse job than some freeware AV. So, with thousands of $ spent on AV licences across many clients, I really expect a bit better.
I uploaded my infected doc to ESET for them to have a look at. Never heard back, no acknowledgement, no confirmation email, nothing.


BlakJak
  #2566739 17-Sep-2020 11:15
1101:

martyyn:

I've run both attachments through virustotal.com as @1101 suggested, to find one is all clear but the other lights up like a Christmas tree with all sorts of trojans.

I get a bit p8ssed when endpoint AV payware does a worse job than some freeware AV. So, with thousands of $ spent on AV licences across many clients, I really expect a bit better.
I uploaded my infected doc to ESET for them to have a look at. Never heard back, no acknowledgement, no confirmation email, nothing.

Antivirus is largely reactive. Whack-a-mole. No solution is going to be perfect; it is only part of a layered approach.

No signature to see here, move along...



BlakJak
  #2566757 17-Sep-2020 11:34
1101:

martyyn:

The attachment appears to be an empty .docx file. It's only 172KB, so I put it on an old laptop and it scanned OK with ESET and Malwarebytes and opens a blank Word doc.

Upload it to Virustotal.com for scanning
https://www.virustotal.com/gui/

A doc attachment I was given, thought to have caused a ransomware attack, scanned clean with NOD, Bitdefender & Mbytes, but showed as infected in Virustotal.

"Somewhere out there is a massive database of ancient emails from many many hacked accounts."
Actually, what's been happening is recent (Dec 2019) emails are on hackers' databases. They use these emails to make the spammed email look like a legit reply; this is becoming more common.

The other thing that should be done is have companies remove email addresses from their websites. No matter how many times you advise them to do this, nothing happens.
Some company websites have staffers' full name, position & email address, making it all too easy to spoof emails to look like invoices or payment requests from the company accountant or managers.

Removing email addresses won't help much. It reduces the number of targets, but a lot of successful phishing emails are actually obviously emails from completely random domains, and the recipient simply doesn't notice or pay attention to the fact that the source email address is completely random and irrelevant.

Public knowledge of email addresses doesn't make spammed emails look like a legit reply per se; what the public breach databases do is provide a target-rich environment. Fake From headers and clever use of Reply-To are intended to catch the unprepared out. So education remains key.

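As an added illustration of the From/Reply-To trick BlakJak describes and the Office attachments martyyn received (example code, not from any poster in this thread): a small Python check that parses a constructed message, flags a Reply-To whose domain differs from the From domain, and lists Office attachments. The addresses and domains in the sample are made up.

```python
"""Flag two phishing indicators in a raw email: a Reply-To that lands in a
different domain than the From address, and Office document attachments."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real email): a "reply" to an old thread
# whose Reply-To diverts answers to a throwaway domain and carries a .doc.
SAMPLE = """\
From: "Accounts - Example Ltd" <accounts@example.com>
Reply-To: accounts.example@example.net
To: victim@example.org
Subject: RE: Open your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please complete the attached form to open your account.
--b1
Content-Type: application/msword; name="form.doc"
Content-Disposition: attachment; filename="form.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

RISKY_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsm")

def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def analyse(raw):
    """Return a list of indicator strings for a raw message (empty = nothing seen)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # A Reply-To in another domain is the classic "reply goes to the attacker" setup.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    # Office documents are the attachment type discussed in this thread.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"office-attachment:{name}")
    return findings

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A mail gateway rule or a quarantine script can apply the same two checks before the message ever reaches a user who "knows better".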

1101
  #2566792 17-Sep-2020 12:38
BlakJak:

. So education remains key.

That doesn't work in real life, unfortunately.
The week after a bad ransomware infection (that everyone was aware of), and after all staff were warned NOT to open suspicious email attachments, one of the staff asks IT how to get an email attachment to open. Could have easily been a 2nd ransomware issue just after cleaning up the first.

Even those who know better can & do open attachments they shouldn't.


BlakJak
  #2567203 17-Sep-2020 21:55
1101:

BlakJak:

. So education remains key.

That doesn't work in real life, unfortunately.
The week after a bad ransomware infection (that everyone was aware of), and after all staff were warned NOT to open suspicious email attachments, one of the staff asks IT how to get an email attachment to open. Could have easily been a 2nd ransomware issue just after cleaning up the first.

Even those who know better can & do open attachments they shouldn't.

Trust, but verify. Loads of other technical measures you should also use as a baseline, including MFA (which will save you from a large proportion of the risk associated with phished creds, if done properly); AV on your email system and separate AV on the desktop should be a given for business and corporate. Also a web security service like ZScaler has its place.
