" phishing Archives - Page 2 of 3 - LuxSci

Posts Tagged ‘phishing’

Phishing or for Real? Why Companies Need to Take a Closer Look at Their Email Marketing

Friday, April 7th, 2017

 

In July 2016, Hilton HHonors loyalty program members received an email asking them to log into their Hilton HHonors account to confirm their correct email address, mailing address, and other personal details.

The email set off alarm bells for a number of customers. One tweeted a screenshot of the email to the Hilton HHonors Twitter account, asking, “… is this legit? Looks very much like a phishing email…”Phishing

Hilton’s support team responded, “This is not an email from the HHonors team. Please do not share your account details.”

The only problem? It was a legitimate email from Hilton HHonors, but it so closely resembled a phishing email it fooled Hilton’s own IT team.

Hilton is not the only company to inadvertently send customer emails that are nearly indistinguishable from phishing emails. Many companies send emails asking their customers to log in to confirm account information or confirm payment details. Sometimes, cautious customers will reach out to the digital community for feedback on whether an email is real or fake.

These emails are a problem because not only do customers believe them to be phishing emails, but they normalize emails that ask for personal information—making people more vulnerable to real phishing scams in the future.

Marketers need to understand email marketing best practices to send secure customer messages that don’t endanger customer privacy and data. Here’s everything you need to know from a technical and content perspective to make sure your email isn’t mistaken for a phishing scam.

Read the rest of this post »

Analyzing a Forged Email Message: How to Tell It Was Forged?

Monday, February 9th, 2015

In our previous posting, we looked at exactly how Spammers and hackers can send forged email — how its is possible and how it is done.  Therein, we gave an example how one could send an email forged to be from Bank of America.

In this post, we will look at that forged Bank of America email to see technically what it looks like and how it differs from legitimate email from Bank of America.

What can we learn that allows us to detect forged email in the future?

The Forgery: Received.

The forged email from Bank of America was based on a legitimate email message, so that the forgery could look as close as possible to actual email from them.

In truth, the majority of forged email simply changes the “From” address and does not bother with anything else.  These forged messages are used for Spam and hope the forgery fools enough people to be worth it, through numbers.  What we are looking at here is a more carefully crafted message designed to fool filters and a careful eye.  These kinds of fakes might be used in spear phishing attacks on an individual or in more sophisticated Spam campaigns.

The the forged Bank of America email that arrived in the recipient’s mail box looked like this (the raw headers):

Read the rest of this post »

How can Spammers and Hackers Send Forged Email?

Thursday, February 5th, 2015

Everyone has seen spam messages arrive with a “From” address that is your own address, a colleague’s, a friends, or that of some company that you work with or use.  These From addresses are forged to help the messages (a) get by your spam filters, and (b) get by your “eyeball filters”.

But how are these folks “allowed” to do that?

When email was first developed, there was no concept of the need for security; protections against identity theft and forgery were not part of the plan.  As a result, it is actually trivial for one to send an email with a forged “From” address and even some forged “Received” tracking lines by just connecting to your target’s email server and telling it whatever you want.

Let’s try to send an email to the address “testuser@luxsci.net” pretending to be from “Bank of America”.  The purpose of this exercise is not to teach you how to send forged email so much (this is not a new technique) as to set the stage for understanding how to detect and combat these kinds of messages.

Read the rest of this post »

8 Ways to Protect yourself from Forged/Fake Email

Monday, January 26th, 2015

The Internet is rife with fake and forged email.  Typically these are email messages that appear to be from a friend, relative, business acquaintance, or vendor that ask you to do something.  If you trust that the message is really from this person, you are much more likely to take whatever action is requested — often to your detriment.

These are forms of social engineering — the “bad guys” trying to establish a trusted context so that you will give them information or perform actions that you otherwise would not or should not do.

Here we address some of the actions you can take to protect yourself from these attacks as best as possible.  We’ll present these in the order of increasing complexity / technical difficulty.

Read the rest of this post »

Ebola is Infecting Computers; How to Protect Yours

Monday, October 20th, 2014

Spam and Virus FilterNo, your computer can’t catch the actual Ebola virus… its not even airborn yet.  However, we are finding that criminals are taking advantage of the hype and scare and curiosity over Ebola to infect people’s computers more easily.

This is commonly being done via email.  There are four prevalent types of email going around now that are meant to infect your computer:

  1. A fake report on the Ebola virus — when you click the link to read more, your Windows machine is infected with a virus that can collect and steal your personal information.
  2. A fake email from telecommunications provider that contains an important “Ebola Presentation” for your to download and view.  If you do it, you install malware that can allow others to remotely control your computer, access your web cam, log what you type, etc.
  3. Fake emails talking about an “Ebola Cure” which contains a malware attachment and which asks you to forward the news on to your friends.  The malware records your keystrokes and downloads additional malware on to your computer
  4. Fake emails about Ebola news and lists of “precautions”.

There are many other types of attacks and attack vectors that are being and can be exploited.  We will go over many of these, below, and how to protect yourself from them.  You should be very wary of any email received about Ebola, even if it appears to be from a friend.  You should be especially wary of opening any attachments sent through email, unless you have good confidence that they are malware-free.

Read the rest of this post »

LUXSCI