Web security

Over the last week we have seen an increase in the number of companies receiving emails carrying Zepto ransomware, a file-encrypting variant based on the infamous Locky family.
Most of the emails have been carefully crafted to ensnare the victim using social engineering, typically greeting the recipient by first name and asking them to open an attachment they had supposedly requested.
The attachment is typically a .zip (wrapping a JavaScript file) or a .docm; once opened, the JavaScript or the document's VBA macro runs and the malware encrypts the files on the user's machine, renaming them with the .zepto extension.

To help prevent infection, we offer the following advice:
1. To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad rather than Windows Script Host, so a double-click shows the script instead of running it.
2. To protect against VBA malware, tell Office not to allow macros in documents that came from the internet (Office 2016 has a Group Policy setting for exactly this).
3. Ensure your anti-malware software is up to date.
4. Ensure your users are careful with email attachments and only open the ones they are sure they requested.
5. If possible, set your email filtering to quarantine all .zip and .docm attachments.

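Step 5 above quarantines every .zip and .docm outright. The following is an added example (not code from the original post) of a mail-gateway attachment check that looks inside the file instead, so that a macro-free .docx or a script-free archive can still be delivered while a .zip wrapping a .js file or a .docm carrying a VBA project is held. It relies on two facts: Windows Script Host executes .js/.vbs/.wsf files on double-click, and Office OOXML documents are zip archives whose macros live in a vbaProject.bin member. The attachments it scans are constructed in the script itself and contain no real malware; the file names are made up.

```python
"""Attachment triage for the Zepto/Locky delivery vector described above.

Added example, not code from the original post. inspect_attachment() takes one
e-mail attachment (file name + bytes) and returns the reasons to quarantine it:
  * a file type Windows would execute directly on double-click (.js, .scr, ...)
  * a .zip archive that contains such a file (the "order_details.zip" pattern)
  * an Office OOXML document that carries a VBA project. OOXML files are zip
    archives; macros live in word/vbaProject.bin, xl/vbaProject.bin, etc.
The SAMPLES at the bottom are constructed here and are not malware.
"""
import io
import posixpath
import zipfile

# Extensions Windows Script Host, the shell or Windows itself runs on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".scr", ".exe", ".bat", ".cmd", ".ps1"}
# Macro-capable OOXML types. Legacy .doc/.xls are OLE2, not zip, and are not handled here.
OOXML_EXTENSIONS = {".docm", ".docx", ".dotm", ".xlsm", ".xlsx", ".pptm", ".pptx"}


def _ext(name):
    return posixpath.splitext(name.lower())[1]


def _open_zip(data):
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None


def inspect_attachment(filename, data):
    """Return a list of human-readable quarantine reasons (empty list = nothing found)."""
    reasons = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"directly executable attachment type {ext}")
    if ext == ".zip":
        zf = _open_zip(data)
        if zf is None:
            reasons.append("named .zip but is not a valid archive")
        else:
            for member in zf.namelist():
                if _ext(member) in SCRIPT_EXTENSIONS:
                    reasons.append(f"archive contains executable/script {member}")
    if ext in OOXML_EXTENSIONS:
        zf = _open_zip(data)
        if zf is None:
            reasons.append(f"named {ext} but is not a valid OOXML (zip) container")
        else:
            macro_parts = [n for n in zf.namelist()
                           if posixpath.basename(n).lower() == "vbaproject.bin"]
            if macro_parts:
                reasons.append("Office document contains VBA macros: " + ", ".join(macro_parts))
    return reasons


def _make_zip(entries):
    """Build an in-memory zip from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a zip wrapping a .js file, a macro-enabled .docm,
# a macro-free .docx, and a bare script. None of this is real malware.
SAMPLES = {
    "order_details.zip": _make_zip({"order_details.js": "// script body would go here"}),
    "invoice.docm": _make_zip({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>",
                               "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake vba project"}),
    "agenda.docx": _make_zip({"[Content_Types].xml": "<Types/>",
                              "word/document.xml": "<w:document/>"}),
    "scan_0042.js": b"var x = 1;",
}


def triage(samples):
    """Run inspect_attachment over a {filename: bytes} mapping."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        verdict = "QUARANTINE" if reasons else "allow"
        print(f"{verdict:10s} {name}: {'; '.join(reasons) or 'no findings'}")
```

Running the script prints a verdict per sample. In a real gateway the same function would be called on every MIME part; legacy OLE2 .doc/.xls files need a separate parser (olefile, for instance) and are deliberately not handled here.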

The Web opens a window between networks and the world, creating risks businesses can’t manage. We look at 3 killer web security features that put MSPs in this space.

According to the Threat Landscape 2015 report published by the European Union Agency for Network and Information Security (ENISA), the “observed current trend” for web attacks is described, simply and rather ominously, as “increasing”.

Of course, what this also means is that the opportunity for MSPs to play into this space, by managing organisations’ web security headaches for them, is potentially huge.

But the market is crowded - so what are the killer web security innovations MSPs need to offer to really differentiate themselves from competitors?

Innovation 1: defeating outbound threats in a pure service model

Web attacks aren't just inbound. In fact, the most devastating consequences can follow from outbound traffic, for example when a botnet client, keylogger or other malicious program sends information out from within the customer's network.

The innovation here is happening on multiple levels.

MSP solutions are now taking over the role of constant outbound web security monitoring that customers’ teams often simply do not have the capacity to provide.

Immediate alerts, by email or SMS, when a threat is detected, plus automatic blocking of malicious requests, protect the business from haemorrhaging its own IP and sensitive data, and safeguard teams’ core productivity.

Network usage and threat analysis reports, delivered to inboxes, then enable stakeholders to understand top threats, overall network traffic, and trends, enabling them to adjust security policies and manage future risk.

Ease of deployment: we are now looking at MSP solutions that require no on-site hardware or software and can protect the entire customer network almost immediately, simply by pointing the customer's DNS resolution at the security vendor's DNS service.

Lastly, protection is no longer a trade-off against performance. An MSP delivering a web security service like this one benefits from over 2,500 auto-updates to its threat definitions daily, but doesn’t have to funnel checks and traffic through the bottleneck of a proxy server - thus maintaining optimum surfing performance.

Innovation 2: visibility into cloud apps and social media

As one vendor has explained, “Ten years ago, web security meant stopping people going to the wrong website. Today…it has become increasingly about visibility and analysis of activity within cloud applications that employees are accessing...”

Across services like Facebook, Dropbox, Twitter, and even enterprise applications like Salesforce, what are customers’ employees posting or uploading? Is it appropriate to the audience it reaches? What are they clicking on? How are they storing sensitive data, where are they sending it, and why? Are they using language that could hint at malicious or criminal intent?

Any one of these concerns is a potential reputational and compliance timebomb – but MSP solutions are now available that take the heat out of HTTPS in three ways.

Firstly, it is now possible for MSPs to deliver visibility into cloud application usage, enabling customers to see actions like file uploads, message posts, data storage, and look inside the content of risky or suspicious activity.

Secondly, MSPs can now control access (or enable customers to control access) not only to cloud applications, but to specific features within them – by individual, role, device and location.

These can include, for example, functions that enable users to upload or delete profile images, remove a public link, permanently delete files from a recycle bin, disable a security group, and many other types of actions that can be high-risk in certain contexts, both with and without malicious intent.

The massive productivity gains that cloud apps can deliver are thus largely retained, but at a far lower level of accompanying risk.

Thirdly, this “cloud application control”, to be viable across multiple applications, and, potentially, hundreds or thousands of users, has now evolved into a centralised service that can be controlled from a single dashboard, reducing admin and management overheads, and enabling MSPs to keep their margins keen.

Innovation 3: holistic threat view

Analysis of web attacks in isolation does not always deliver the full web threat picture. Web users are invariably email and collaboration software users too, for example, so web threats often propagate through these channels, via vulnerable endpoints.

The danger for the MSP providing a web security service is that if they don’t have a truly holistic view of each user and the threats that have been ranged against them in the recent past, the true threat pattern – and so the true extent of users’ vulnerability – will not be fully understood. Service fail!

But MSPs are already over this hurdle, for two reasons.

They can now access a centralised management console that makes all the relevant threat data visible in one synopsis.

And the web security application itself can be connected to other security applications (email, collaboration, endpoint) in one integrated service.

The benefits of this approach are immediate, in the sense that the customer is less likely to get caught out by a threat pattern that the MSP’s service hasn’t picked up on!

But they’re also forward-looking, as threat intelligence is actively shared between applications, making detection of multi-channel threats easier in the future.

MSPs and web security – the future

But let’s play devil’s advocate here for a moment. MSPs can deliver services around everything from email provision, to backup and business recovery, to accounting and finance, to business analytics, and more besides. There is no shortage of growth markets for MSPs – so why choose web security?

None of us have a crystal ball, but the view from the bridge at analysts The Radicati Group looks pretty decisive in this summary of their 2015 to 2019 predictions.

“The Corporate Web Security market”, they say, “continues to grow at a fast pace, fueled [sic] by on-going concerns about corporate security… The market is expected to grow from over $2.1 billion revenues in 2015, to over $3.9 billion in 2019.”

The Group also tells us that “Cloud based Web Security solutions are seeing increasingly strong demand”, bolstered by the need for “powerful Web Security protection on the go, without the complexity of connecting back to the corporate network.”

The web security market is on the up. MSPs just need to make sure they’re delivering the right features to get a profitable slice of it.


Every week there are articles about another big-brand company that has been hacked; these usually cover what data was lost, how the company is notifying those affected and what it will do to prevent a recurrence.

So how do you prevent it from happening in the first place?

From experience, if attackers want to get data from somewhere they will take the easiest target, the ‘low-hanging fruit’ as they say, so making sure your company has some basic security principles in place goes a long way towards mitigating this.

So how do you ensure you are not the ‘low-hanging fruit’?

Simple measures can be taken within your environment to help secure it. At a basic level you should be meeting the Cyber Essentials requirements.

These set out advice on firewalls, user access control, passwords, malware protection and patch management.

Once you meet the standard set out in that document you should look to raise the security bar within your organisation. The most effective measure we have found is education: once educated, your staff can react to threats more quickly and reduce the risk to your company.


Our top security updates in the news and on the web this week

1. CryptoWall 4.0 A Stealthier, More Sweet-Talking Ransomware

When the malware makes its move, the new CryptoWall not only encrypts files, as it always has done, it also encrypts filenames. Heimdal Security states this new technique increases victims’ confusion, and thereby increases the likelihood that they’ll pay the ransom, and quickly. First posted on Dark Reading.

2. TalkTalk – The case for a Chief Security Officer

While the importance of the Chief Information Security Officer has been in constant growth over the past few years, organisations that employ a CISO/CSO are still far too few. First posted on Trend Micro.

3. Linux Ransomware Debut Fails on Predictable Encryption Key

No need to crack RSA when you can guess the key. File encrypting ransomware Trojans are almost ubiquitous on Windows, and it was only a matter of time. First Posted on Bitdefender Labs.

4. Adobe Flash Update Includes Patches for 17 Vulnerabilities

In what’s becoming a monthly ritual, Adobe today pushed out an updated version of its Flash Player that includes patches for critical vulnerabilities. First posted on Threatpost.

5. How Scammers Are Trying To Use Your Computer To Steal Your Cash

Cyber criminals want to hijack your computer for financial gain. But how does the scam work and how can you stop them? First posted on TechWeek Europe.

6. Top ranking Instagram client removed from iTunes and Google Play after user data theft discovery

A software developer has discovered that a leading free app on iTunes and Google Play has been sending people’s usernames and passwords to an unknown website. The malicious app is called InstaAgent, and is touted as an Instagram client. It is also reportedly the most downloaded free app in the UK and Canada. First posted on TechWeek Europe.

If you have any security news that you would like to see on our blog please send it to us at bluesolutions, please include the link from the original article in the email.

Originally posted on the AppRiver Blog

Researcher David Leo of Deusen.co.uk has announced a proof-of-concept vulnerability that was active, until recently, in both the Chrome and Safari browsers and allows attackers to spoof a legitimate URL in the address bar while taking web surfers to a completely different site.

Chrome has since patched this vulnerability, but Safari has not. This leaves all devices that rely on the Safari browser vulnerable to this exploit, including current Macs running OS X, iPhones and iPads.

The exploit works by running a short snippet of code in the browser when a supposedly legitimate link is offered to the user. The legitimate URL is requested and the browser begins navigating to it, but before it gets there the snippet redirects the browser to the false destination. The original URL remains in the address bar, making it appear as though the user has ended up at the legitimate site. The code is very simple and lightweight, which makes it potentially very enticing to anyone who wants to run a convincing phishing attack.

Attackers already make their attacks more convincing by imitating legitimate sites and news stories, usually by stealing graphics and headlines. The usual precautions are to hover over the link provided to make sure it points where it says it does, and to treat ending up at a destination other than the one advertised as a bright red flag. In this style of attack, however, everything appears normal and correct on the surface.

[Screenshot of the proof-of-concept code, not reproduced here]

This particular PoC makes the user believe they are headed to the news site dailymail.co.uk, but the hidden redirect takes them back to the research page on www.deusen.co.uk while keeping dailymail.co.uk in the address bar.

To test this exploit on your system, David Leo has provided a test page at http://www.deusen.co.uk/items/iwhere. Simply press “Go”: if dailymail.co.uk shows in your address bar, you are still vulnerable to this attack and should be extra careful while browsing and following links in emails from unexpected sources.

AppRiver provide email & web security solutions, helping businesses to communicate securely and protect their networks from malicious web content. Contact our sales team on 0118 9898 222 to learn more about AppRiver solutions.

Malware attacks, security breaches and data corruption: just a few of the problems business owners would prefer never to face. Knowing that these disasters cost businesses money and sometimes their livelihoods, MSPs need to think about their customers' disaster recovery plans and how long it would take them to recover if the worst did happen.

The big questions are:

How quickly would they need to recover? This is the recovery time objective (RTO). How much data can they afford to lose? That is their recovery point objective (RPO).

The RTO is how quickly business processes need to be restored and resumed after a disaster: the maximum allowable downtime, beyond which the consequences become unacceptable. The smaller the gap between the RTO and the recovery time actual (RTA), the time it actually takes the IT team to get servers functioning again, the less money the customer loses.

The RPO is the maximum amount of data, measured in time, that could be lost. How much can they afford to lose (or have the time to re-enter into the database)? A couple of days' worth? A few hours' worth? Even less?

Whatever the answers are to these questions, having a disaster recovery solution that helps their businesses recover quickly is important to protect them against the worst happening.

Call our Sales Team today on 0118 9898 222 to find out about the best backup and recovery solutions for your business

Article by Troy Gill, AppRiver

Over the past several days we have been seeing several malicious email campaigns posing as legitimate communication from Amazon. The first campaign poses as messages from amazon.co.uk with the subject line reading: Your Amazon Order Has Dispatched (#3digits-7digits-7digits). These messages purport to be order shipment notifications. They began hitting the AppRiver filters on 31/10/14 and have been coming in consistently ever since. So far we have quarantined just over 600,000 of these messages.

Each message contains a Word document (MD5: a75e196e6c0cabc145f4cdc3177e66ec) that contains a malicious macro. In most instances users should be at slightly lower risk with this infection vector, since macros are not enabled by default in more recent versions of Word. The macro (if allowed to execute) leads to the installation of a Trojan dropper. The malware currently creates a process named SUVCKSGZTGK.exe on the victim's machine. Eventually this leads to the installation of key-logging malware designed to harvest banking, email and social media credentials. As we commonly see with these types of campaigns, the payload can be swapped out by the malware distributors, so this dropper could pull down some other form of malware in the future.

[Screenshot of the dispatch-notification message, not reproduced here]

In a separate email blast, another group is distributing malicious emails posing as Amazon order confirmation emails. These are coming in at a slightly slower clip than the former campaign, but we have quarantined nearly 160,000 of these messages over the past few days. They appear to come from amazon.com with the subject reading: Your order on Amazon.com.

These emails look a bit more legitimate as they use actual graphics taken from Amazon. Instead of a malicious attachment, they use links to compromised WordPress sites. Clicking a link launches the download of a .scr file named invoice1104.pdf[dot]scr, which should be a huge red flag to most users, as the .scr file extension is used almost exclusively for malware infection these days. The .scr file (MD5: 09cb12d7cd0228360cd097baeaaa6552) is in fact a Trojan dropper that will lead to the installation of more malware once it has infected the host. Once again, from here the sky is the limit for the malware distributors, since they can now download and install remote files of their choosing.

[Screenshots of the order-confirmation message and the .scr download prompt, not reproduced here]

This is a very popular time of year for these scams, with so many people in shopping mode ahead of the holidays. With many people expecting purchase and shipping confirmations much more frequently, it increases the likelihood that people will fall for this scam.

Be extra cautious this holiday shopping season and if you are suspicious of unauthorized activity on your Amazon account, never follow any links in an email, go directly to the website and check your account from there.

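The checks below are an added example, not code from the AppRiver post: a scoring function over a raw e-mail that flags the subject format reported for the dispatch-notification campaign, links in a message claiming to come from amazon.com or amazon.co.uk that lead elsewhere, links whose visible text names a different host than the href (the "does the link go where it says" check from the Safari spoofing post above), and links that fetch a directly executable file such as the invoice1104.pdf.scr reported here. The two messages at the end are constructed for the demonstration; the sender, hosts and order number are placeholders, not indicators from the campaign.

```python
"""Heuristics for the two Amazon-themed campaigns described above, plus the
link-text-versus-destination check from the Safari address-bar spoofing post.

Added example, not code from the original post. The messages at the bottom are
constructed for the demo: the subject format and .scr file name are the ones the
post reports; the sender address, hosts and order number are placeholders.
"""
import email
import posixpath
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject format reported in the post: (#3digits-7digits-7digits)
AMAZON_SUBJECT = re.compile(r"Your Amazon Order Has Dispatched \(#\d{3}-\d{7}-\d{7}\)", re.I)
AMAZON_DOMAINS = {"amazon.com", "amazon.co.uk"}
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".js", ".vbs", ".bat", ".cmd", ".hta"}
# Something that looks like a host name or URL inside a link's visible text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def score_message(raw):
    """Return a list of findings for one RFC 822 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    if AMAZON_SUBJECT.search(msg["subject"] or ""):
        findings.append("subject matches the dispatch-notification campaign pattern")

    sender_host = msg["from"].addresses[0].domain.lower() if msg["from"] else ""
    sender_claims_amazon = any(_under(sender_host, d) for d in AMAZON_DOMAINS)

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body is not None else "")

    for href, text in parser.links:
        href_host = _host(href)
        if not href_host:  # mailto:, fragments, relative links: nothing to compare
            continue
        # 1. visible text shows one host, the link really goes to another
        shown = HOST_IN_TEXT.search(text)
        if shown and not _under(href_host, shown.group(1).lower()):
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
        # 2. message claims to be from Amazon, but its links leave Amazon's domains
        if sender_claims_amazon and not any(_under(href_host, d) for d in AMAZON_DOMAINS):
            findings.append(f"sender claims {sender_host} but link goes to {href_host}")
        # 3. the link fetches a file Windows would execute (the invoice1104.pdf.scr pattern)
        path = urlparse(href).path
        if posixpath.splitext(path.lower())[1] in EXECUTABLE_EXTENSIONS:
            findings.append(f"link downloads executable {posixpath.basename(path)}")
    return findings


# Constructed messages, not real samples.
PHISH = """\
From: "Amazon.co.uk" <auto-confirm@amazon.co.uk>
To: victim@example.net
Subject: Your Amazon Order Has Dispatched (#123-4567890-1234567)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your order has been dispatched. View your invoice:</p>
<a href="http://compromised-blog.invalid/wp-content/uploads/invoice1104.pdf.scr">http://www.amazon.co.uk/your-orders</a>
</body></html>
"""

LEGIT = """\
From: newsletter@example.org
To: victim@example.net
Subject: Weekly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.example.org/news">Read this week's news</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, score_message(raw) or ["no findings"])
```

The heuristics are deliberately plain string and URL comparisons. In production they would contribute to a score rather than trigger a hard block on their own, since legitimate marketing mail often links to tracking or CDN hosts outside the brand's own domain.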

Channel partners building business around cloud-based productivity suite; Trial conversion, seat count and revenue growth see triple-digit increase

AppRiver’s popular Microsoft Office 365 productivity suite is helping channel partners capture top-line revenue, expand their service offerings and grow their cloud businesses. Since the company introduced two-tier pricing last year, it has seen a 240 percent increase in the total number of AppRiver partners engaged to sell Office 365. Revenue growth and total number of Office 365 seats sold also grew by 330 percent.

The company has a close, long-standing relationship with Microsoft and is currently one of only a handful of Office 365 syndicated hosting partners in the world. That partnership grants immediate access to expertise, support and insight into the Microsoft product roadmap, which adds significant value to AppRiver’s own partner community.

“There is a real financial incentive for partners to include Office 365 in their product portfolio because demand is on the rise,” said Scott Paul, senior director of sales, AppRiver. “More and more businesses understand that they can move to the cloud and increase productivity for less cost, without having to give up familiar Microsoft applications.”

All Mountain Technologies (AMT) recently signed on to resell AppRiver’s Office 365 to help maximize their customers’ technology investments.

“About half of the time, customers come to AMT wanting to learn more about Office 365 and the ways it can increase business productivity and enhance bottom line,” explains Jonathan Zapp, director of sales and marketing at All Mountain Technologies. “The rest of the time, we recommend Office 365 to clients who use outdated services or hardware that’s reaching end of life.”

There are several reasons why Office 365 from AppRiver is unique:

  • True On-Demand, Pay-As-You-Go Service: Office 365 from AppRiver allows partners to own the billing process, generate additional revenue and sell/service customers in a way that makes sense for their business. The company does not require minimum packaging spends or annual commitments, thereby allowing partners to mix and match services for specific users (and adjust customer consumption or user count) without fear of penalty.
  • Maintain Renewal Margin: With AppRiver, the margins are preserved even after renewal and throughout the life of the customer relationship.
  • Account Maintenance: Partners can manage all Office 365 services from a single console to add users, manage groups and send maintenance reminders and notices. AppRiver will maintain the Microsoft Partner of Record status and will not interfere or break the record without first receiving partner consent.
  • Partner Certification: Partners can learn the ropes at AppRiver University and earn certifications in both the sale and support of Office 365 once they have demonstrated mastery of required skill sets.
  • Phenomenal Care™: High-touch customer support is available from trained employees 24 hours a day, every day.

The AppRiver Phenomenal Care model has become a hallmark of the company’s success, and includes expert migration assistance to anyone who needs it. That’s important because migrations can be difficult, slow and problematic. And migrating to a new cloud email service only compounds the difficulty. Perhaps that is why Gartner recently found that organizations will likely need vendor-supplied support to resolve migration issues.

“It was difficult, and often time consuming, to work with Microsoft Support,” said Zapp. “AMT takes pride in our Always-On™ Managed Services and so it was a no-brainer to choose AppRiver for its consistently great 24/7 support. We operate in a close-knit community where word of mouth and reputation go a long way. AppRiver’s swift conflict-resolution time has actually helped to increase our bottom line because customers trust that they can leave their IT worries with us and we will work through any technical issue before it impacts business operation.”

To date, AppRiver has successfully resolved 100 percent of the customer-facing support interactions for Office 365.

To learn more about AppRiver’s Office 365 or how to become a partner, please contact our Product Specialist Nicola Boswell on 0118 9898 219.