Tag: email

By Vicky Sidler for MyBroadband / Nick Saunders at Mimecast

When I say the word “bat”, what image comes to mind? A flying mammal? A cricket bat?

In English, they call this a “homograph”: when two or more words are spelled the same but don’t have the same meanings or origins.

In cyber-security, a homograph is a lot more sinister. It’s a term given to a type of impersonation attack where an email address or website URL looks legitimate but isn’t. It’s designed to trick people into clicking on malicious links or to fool them into transferring money or sharing sensitive information.

Recent research by Vanson Bourne and Mimecast found that more than 85% of respondents had seen impersonation fraud in the past 12 months, and 40% had seen an increase in this type of attack in the same period. In South Africa, 36% of respondents had seen an increase in impersonation fraud asking to make wire transactions, and 37% had seen an increase in impersonation fraud asking for confidential data.

Despite this growth, many organisations do not have a cyber resilience strategy in place to help them detect, prevent and recover from these types of attacks.

Easy to execute, hard to detect
Homograph attacks are difficult to detect – by both the user and regular email security systems.

To create these lookalike domains, attackers use non-Western character sets or special characters found in Greek, Cyrillic and Chinese, to display letters which, to the naked eye, look identical to the western alphabet. Mimecast.com, for example, looks like мімесаѕт.com in Cyrillic. According to one domain name checker, there are 117 possible Mimecast domains that can be misrepresented with just one character from a non-English alphabet.

These subtle changes are likely to go unnoticed by users. In South Africa, 31% of respondents were not confident that employees could spot and defend against impersonation attacks, which easily and often slip through an organisation’s security systems.

Some 21% of South African respondents were not confident that their organisation’s security defences could defend against impersonation fraud asking for confidential information, rising to 25% for fraud asking to make wire transactions – in line with global trends.

This is because the emails themselves don’t contain malware and the URLs often have legitimate (read: stolen) security certificates.
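A defender-side check for the lookalike domains described above, added here as an illustration (it is not Mimecast's or MyBroadband's code). It converts a domain to the punycode form a resolver actually sees, reports whether any label mixes scripts or uses a non-Latin script, and folds confusable letters to Latin so that a spelling such as мімесаѕт.com collapses onto the brand it imitates. The confusables table is a small constructed subset of the Unicode confusables data, and the watch list is constructed; a production check would load the full table and the organisation's real brand and supplier domains.

```python
"""Lookalike (homograph) domain check for sender domains and URLs in inbound mail.

Added illustration, not Mimecast's or MyBroadband's code. CONFUSABLES is a small
constructed subset of the Unicode confusables data, chosen to cover the Cyrillic
spelling of mimecast.com quoted in the article.
"""
import unicodedata

# Cyrillic and Greek letters that render like Latin ones, keyed by Unicode name
# so that no lookalike glyph can slip into this source file unnoticed.
CONFUSABLES = {
    unicodedata.lookup(name): latin
    for name, latin in [
        ("CYRILLIC SMALL LETTER A", "a"),
        ("CYRILLIC SMALL LETTER IE", "e"),
        ("CYRILLIC SMALL LETTER O", "o"),
        ("CYRILLIC SMALL LETTER ER", "p"),
        ("CYRILLIC SMALL LETTER ES", "c"),
        ("CYRILLIC SMALL LETTER HA", "x"),
        ("CYRILLIC SMALL LETTER U", "y"),
        ("CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I", "i"),
        ("CYRILLIC SMALL LETTER DZE", "s"),
        ("CYRILLIC SMALL LETTER JE", "j"),
        ("CYRILLIC SMALL LETTER EM", "m"),
        ("CYRILLIC SMALL LETTER TE", "t"),
        ("GREEK SMALL LETTER ALPHA", "a"),
        ("GREEK SMALL LETTER OMICRON", "o"),
        ("GREEK SMALL LETTER NU", "v"),
        ("GREEK SMALL LETTER IOTA", "i"),
    ]
}


def to_punycode(domain: str) -> str:
    """The ASCII (xn--) form a resolver sees; log this, not the pretty form."""
    return domain.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Unicode scripts used by the letters of one DNS label (digits, hyphens ignored)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # The first word of the character name is its script, e.g. CYRILLIC.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(domain: str) -> str:
    """Fold confusable letters to Latin so lookalikes collapse to one string."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def assess(domain: str, protected: list) -> dict:
    """Flag a domain against the brands and suppliers the organisation cares about."""
    labels = domain.lower().split(".")
    per_label = [label_scripts(lb) for lb in labels]
    lookalike = next(
        (p for p in protected
         if skeleton(domain) == skeleton(p) and domain.lower() != p.lower()),
        None,
    )
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "non_ascii": not domain.isascii(),
        "mixed_script_label": any(len(s) > 1 for s in per_label),
        "non_latin": any(s - {"LATIN"} for s in per_label),
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    PROTECTED = ["mimecast.com"]  # constructed watch list
    for d in ["mimecast.com", "мімесаѕт.com", "m\u0456mecast.com"]:
        print(assess(d, PROTECTED))
```

The mixed-script flag catches the single swapped letter the article mentions (one Cyrillic character inside an otherwise Latin label), while the skeleton comparison catches whole-label substitutions such as the all-Cyrillic example. Gateways should match on the punycode form, since that is the string that ends up in DNS queries and logs.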

Is it me you’re looking for?
Website URLs aren’t the only avenues for impersonation attacks; email address impersonation is also on the rise.

These types of attacks are designed to trick users such as finance managers, executive assistants and HR representatives into transferring money or disclosing information that can be monetised by cybercriminals. The email appears to come from someone they trust – a C-suite executive or a third-party supplier that they regularly do business with – and therefore wouldn’t think twice about responding to.

South Africans reported that, in the past 12 months, cybercriminals have attempted to impersonate finance teams (24%), third-party vendors (20%), a member of the C-suite (7%), as well as HR, sales, operations, legal and marketing team members (between 5% and 8%).

Again, these emails do not contain malware, which means they can go undetected by most email security systems. Social engineering attacks such as these rely on our inability to spot anomalies in URLs and email addresses – and the fact that we believe we’re communicating with someone we know.

Know what to do
Cybercriminals have figured out that they can bypass security systems by switching from malware-laden attacks to malware-less impersonation attacks. Now, social engineering meets technical means to put us in the middle of the next evolution of cyber-attacks.

Here are some measures organisations can implement to guard against these types of attacks:

  1. Education – when users know how social engineering and spoofing attacks work and then understand they shouldn’t click on links in emails, breach incidents can be drastically reduced. Users should be encouraged to physically type an address into a browser rather than click on a link in an email, even if it was supposedly sent by someone they know and trust. Education and awareness will always be the most important defence mechanisms.
  2. Protection – email security systems are getting better at stopping malware that enters the network through dodgy files and attachments, but few are effective against impersonation attacks. Organisations need a solution that can deep-scan all inbound emails and inspect for header anomalies, domain similarity, sender spoofing and keywords typical of impersonation emails. These can then be blocked, quarantined, or delivered as flagged to alert the receiver of potential risk.
  3. Resilience – having the right threat protection in place is just one part of a robust cyber resilience strategy. Organisations also need to be able to adapt their strategies to stay ahead of attacks, while having the durability to continue with business as usual in the event of an attack, and the recoverability to ensure data and emails are always accessible.
  4. Oversight – often, lax security on a third-party supplier’s side provides an entry point into an organisation’s network. Enterprises should continuously evaluate and manage the security and privacy policies of their suppliers and include security in their service level agreements. They should also perform on-site security assessments with new suppliers before sharing sensitive information.
  5. Visibility – organisations need to know who their vendors are and who has access to company information, and for what reasons. This is even more important now that the EU’s General Data Protection Regulation has come into force and will affect all South African organisations when the Protection of Personal Information Act is finalised.

Thirty-seven percent of South African organisations have suffered data loss because of email-based impersonation attacks in the past 12 months. These organisations also reported reputational damage (34%), loss of customers (29%), direct financial loss (17%) and lost market position (19%).

Email continues to be the number one threat to organisations globally and accounts for 96% of all incidents that organisations face.

Clearly, there is an urgent need to work towards a higher standard of email security. Cyber-criminals have evolved their attack methods. It’s time the security strategies organisations use to protect their users and their businesses evolve as well.

By Adiel Ismail for Fin24 

Goliath and Goliath CEO Kate Goliath is encouraging small businesses to ramp up security measures after her comedy and entertainment agency fell victim to invoice intercepting as a result of e-mail hacking.

Goliath and Goliath is out of pocket to the tune of more than R300 000, while its subsidiary The PR Bailiff has been scammed out of R20 000.

The hackers gained access to the company’s emails and requested clients to make payments to a different bank account.

Goliath told Fin24 that small businesses shouldn’t just rely on tech companies to educate them about cybercrime. “Find out as much information about how hackers get into the systems so that you are aware of what service providers need to offer,” she said.

“Be vigilant. Protect your business and insure the technical side of your business as well.”

The company opened a case with the police and is in the process of sending a subpoena to the bank where the funds have been deposited.

Afrihost said it will work with the police to further investigate the incident. “We strongly believe this was a case of phishing,” a representative told Fin24.

Entertainment and media high risk for cybercrime

“We have noticed that some banks are posting warnings before a client makes a payment to verify that the bank details they’re using are correct. We assume that this is because of an increase in these types of phishing attacks.”

Cyber incidents rank top in the entertainment and media, financial services, technology and telecommunications industries, according to the Allianz Risk Barometer 2018.

The report revealed that cyber incidents remain a top threat, with 38% of responses from South African businesses, which are reported to lose billions of rands a year to cyber attacks.

The three Goliaths – Jason, Donovan and Nicholas – do stand-up comedy and entertain at workshops, conferences, award ceremonies and events.

Craig Rosewarne, Managing Director at Wolfpack Information Risk, which is a threat intelligence firm that specialises in understanding and predicting cyber threats, said small and medium businesses are just as vulnerable as big businesses when it comes to hacking.

“Their challenge however is that security is often the last thought until they get stung and end up either losing a substantial amount of money or leaking their customer’s sensitive data,” he told Fin24.

Wolfpack has assisted many small and medium sized businesses whose invoices have been hacked, said Rosewarne. In this regard it has found three common causes:

1. Attackers will perform reconnaissance on key individuals in IT / Finance / Execs and send a targeted spear phishing email to target their machines for access or further information

2. Spyware is loaded on their devices that record keystrokes and take screenshots for the attacker

3. Compromising their online hosting / email platform and adding in rules for any email that has the word “invoice” or “payment” – to send a duplicate email to the attacker’s gmail or “burner” account.
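A check for the third cause above (mailbox rules that quietly copy invoice or payment mail to an outside account), added as an illustration rather than Wolfpack's or Fin24's code. The rule records are a constructed, platform-neutral shape (mailbox, name, conditions, actions); a real audit would map the export from the organisation's own mail platform onto these fields. Any rule that forwards or redirects to an address outside the organisation's domains is reported, with finance keywords in its conditions raising the severity.

```python
"""Audit mailbox rules for the 'duplicate every invoice to an outside account' pattern.

Added example, not Wolfpack's or Fin24's code. SAMPLE_RULES and the field names are a
constructed, platform-neutral representation of a mailbox-rule export.
"""
FINANCE_WORDS = ("invoice", "payment", "remittance", "bank details")

SAMPLE_RULES = [  # constructed sample export
    {"mailbox": "accounts@example.test", "name": "Invoices to folder",
     "conditions": {"subject_contains": ["invoice"]},
     "actions": {"move_to": "Invoices"}},
    {"mailbox": "accounts@example.test", "name": "Invoice copy",
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["acc0unts.example@gmail.test"]}},
    {"mailbox": "ceo@example.test", "name": "Vendor news",
     "conditions": {"from_contains": ["news@vendor.test"]},
     "actions": {"forward_to": ["assistant@example.test"]}},
    {"mailbox": "hr@example.test", "name": "Copy all",
     "conditions": {},
     "actions": {"forward_to": ["hr.backup@outlook.test"]}},
]


def is_external(address: str, org_domains: set) -> bool:
    """True when the address's domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def matched_keywords(conditions: dict) -> list:
    """Finance words appearing in any condition value (subject, body, sender...)."""
    words = set()
    for values in conditions.values():
        for value in values:
            for w in FINANCE_WORDS:
                if w in value.lower():
                    words.add(w)
    return sorted(words)


def audit_rules(rules: list, org_domains: set) -> list:
    """Report every rule that sends mail outside the organisation."""
    findings = []
    for rule in rules:
        actions = rule["actions"]
        targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
        external = [t for t in targets if is_external(t, org_domains)]
        if not external:
            continue  # internal forwards and folder moves are normal
        words = matched_keywords(rule["conditions"])
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "external_targets": external,
            "keywords": words,
            "severity": "high" if words else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, {"example.test"}):
        print(f"[{f['severity']}] {f['mailbox']} rule '{f['rule']}' -> "
              f"{', '.join(f['external_targets'])} (keywords: {f['keywords']})")
```

Running the audit periodically, and on every new rule creation event the mail platform logs, turns the attacker's persistence mechanism into a signal: the rule has to exist in the mailbox for the interception to work.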

Tips for companies

Rosewarne suggested that companies under attack should conduct an independent risk assessment and obtain guidance on how to mitigate risk.

“Employees should also be made aware of risks and this should be backed up with an information security policy signed by staff and contractors.”

He also stressed the importance of having up to date anti-malware software on all devices that process sensitive information.

Cyber risk is fast becoming the number one risk facing countries, governments and organisations, noted Rosewarne.

“In all of these scenarios it often boils down to an individual that gets compromised so cyber awareness is key in both your business and personal lives.”

How to keep on top of your e-mails

They are one of the biggest distractions of office life, pinging into your inbox every few minutes.

But ignoring your emails, even if you get hundreds a day, is not the best way to be more productive.
Checking just a few times at work has the opposite effect, a review by Kingston University has found, and will probably just make you more stressed.



The four steps

1) Delete or file away emails whenever you check your inbox – by reducing inbox clutter, people report feeling less overloaded.

2) Switch off email alerts – interruptions can have a negative impact on our efficiency, but make sure that you are still logging on every 45 minutes or so – to stay on top.

3) Use the ‘delay send’ function when sending email out of hours – this means recipients only receive their email during normal working hours. While you are taking advantage of the flexibility of email, you aren’t imposing this on the recipient.

4) Review your personal email strategies – are your emails purposeful and efficient or are they habitual and reactionary? The best advice is apparently to log on every 45 minutes to stay on top of new emails and work priorities.

The review’s author, Dr Emma Russell, Head of the Wellbeing at Work Research Group at Kingston Business School, says: “People use email to help them get their jobs done. Most people say they couldn’t imagine being able to do their work effectively without it, and very few send non-work critical email during their working day.”

The review highlights three popular myths which are not backed up by the academic evidence.

Email myths
The first is that emails are a ‘time-wasting distraction from “real” work’, while in fact recent studies show up to 92 per cent of emails received are critical to people’s jobs.

Another is that we should limit ourselves to checking email a few times a day, such as in the morning, at lunchtime and before leaving work, which in fact makes people feel less in control.

The third myth is that emails stop us getting on well with other people, because of ‘back-covering’ messages, for example, cc’ing in colleagues who people want to implicate in mistakes.

However, studies show the cc’ing culture of copying people into emails in fact forges rewarding relationships by keeping workmates informed and in the loop.

Dr Russell wrote: “The same participants also reported that processing more email resulted in greater perceived coping – actually dealing with email and keeping on top of it helped workers to feel in control.”

The study was commissioned by Acas, the mediation service which also provides workplace training.

By Victoria Allen for The Daily Mail

Ropemaker: a new email security weakness

Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email, even for those who use S/MIME or PGP for signing.

Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

The exploit is described in more detail in a recently published security advisory. Mimecast has been able to add a defense against it for our customers and also provides security recommendations that non-customers can consider to safeguard their email from this exploit.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of one’s applications or infrastructure is a bad thing. As is described in more depth in the ROPEMAKER Security Advisory, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security-savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which, experience tells us, is often unlimited.
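A gateway-side check for the CSS-and-HTML intersection described above, added as an illustration (not Mimecast's code, and not taken from the advisory). It assumes that the remote control comes from style rules an email client fetches from an external server when it renders the message, which is the only way CSS can change what is displayed after delivery; the check therefore lists every remote stylesheet reference in an HTML body (linked stylesheets, `@import` rules and `url()` references inside style blocks or attributes) so that a gateway can strip them or a client can decline to render them. SAMPLE_EMAIL and SAFE_EMAIL are constructed, and the hostnames in them are placeholders.

```python
"""List CSS that an HTML email would fetch from a remote host at render time.

Added example, not Mimecast's code. It assumes post-delivery changes ride on CSS
loaded from an external server when the message is rendered. The sample messages
below are constructed; their hostnames are placeholders.
"""
import re
from html.parser import HTMLParser

# url(https://...) inside a style block or style attribute.
REMOTE_URL = re.compile(r"""url\(\s*['"]?(https?://[^'")\s]+)""", re.IGNORECASE)
# @import "https://..." or @import url(https://...) inside a style block.
IMPORT_URL = re.compile(r"""@import\s+(?:url\(\s*)?['"]?(https?://[^'")\s;]+)""",
                        re.IGNORECASE)


class RemoteCssFinder(HTMLParser):
    """Collect (kind, url) pairs for every stylesheet resource loaded remotely."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            if a.get("href", "").lower().startswith(("http://", "https://")):
                self.findings.append(("link", a["href"]))
        if tag == "style":
            self._in_style = True
        # Inline style attributes can also pull remote resources via url().
        for url in REMOTE_URL.findall(a.get("style", "")):
            self.findings.append(("inline-style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if not self._in_style:
            return
        for url in IMPORT_URL.findall(data):
            self.findings.append(("import", url))
        # Strip the @import statements so their url() is not counted twice.
        for url in REMOTE_URL.findall(IMPORT_URL.sub("", data)):
            self.findings.append(("style-url", url))


def find_remote_css(html: str) -> list:
    """Return every remote CSS reference found in an HTML email body."""
    parser = RemoteCssFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def renders_fixed(html: str) -> bool:
    """True when nothing in the body's styling depends on a remote server."""
    return not find_remote_css(html)


SAMPLE_EMAIL = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/mail.css">
<style>
  body { font-family: sans-serif; }
  @import url("https://cdn.example.test/late.css");
</style></head>
<body style="background: url(https://cdn.example.test/bg.png)">
<p>Your invoice is attached.</p>
<a href="https://portal.example.test/pay">Pay now</a>
</body></html>"""

SAFE_EMAIL = """<html><head><style>body { font-family: sans-serif; }</style></head>
<body><p>Your invoice is attached.</p>
<a href="https://portal.example.test/pay">Pay now</a></body></html>"""

if __name__ == "__main__":
    for kind, url in find_remote_css(SAMPLE_EMAIL):
        print(f"remote CSS via {kind}: {url}")
    print("safe message renders fixed:", renders_fixed(SAFE_EMAIL))
```

The hyperlink in the body is deliberately not reported: links are what the user clicks, whereas the stylesheet references are what decides how the message looks each time it is opened. A message whose styling is entirely inline cannot change after delivery, which is the property this check verifies.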

[Figure: an email as originally delivered, and the same email after a post-delivery change made without direct access to the user’s desktop]

To date, Mimecast has not seen ROPEMAKER exploited in the wild. We have, however, shown it to work on most popular email clients and online email services. Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.

For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is? For sure attackers don’t care why a system can be exploited, only that it can be. If you agree that the potential of an email being changeable post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself. Experience tells us that cybercriminals are always looking for the next email attack technique to use. As an industry let’s work together to reduce the likelihood that the ROPEMAKER style of exploits gains any traction with cybercriminals!

by Matthew Gardiner for Mimecast


Words matter. People may not read everything, but they do scan. And they process information subconsciously at lightning speeds to determine if they’ll click or bounce within a few fractions of a second.
While some words (like “Submit” on your button) may seem innocent enough, they could be costing you dearly, turning away visitors in droves.

Here’s why, along with a few other conversion-sabotaging words you need to replace in your e-mails, ads, and landing pages ASAP.

‘Submit’
“Submit” is a derivation of submission. And therein lies the problem. There’s a negative connotation with yielding to someone or something superior. People, as a general rule, don’t like yielding.
This was proven definitively years and years ago by Dan Zarella and HubSpot. They took a look at the conversion rates of over 40 000 customer landing pages and quickly noticed a huge discrepancy.
When call to action (CTA) buttons included the word “submit,” conversion rates tended to drop immediately by a few percentage points.
Use words like “click here” or “go” instead.

‘Synergy’
What’s the fastest way to learn terrible copywriting? Get an MBA.
Because in just a few short weeks, you’ll find yourself spewing out “synergy,” “competencies,” and a host of other clichéd, meaningless words that have old professors nodding their heads in approval.
As evidence, go visit almost any B2B website outside of marketing and advertising. Your eyes will glaze over, your face will contort, and a sudden bout of narcolepsy might hit at any moment.
Many times, clients and bosses don’t notice anything wrong at first either. The problem with “best in class” and all other common business jargon (besides the fact that it also appears on every competitor’s Web site) is that customers can detect that the company is talking nonsense.
Research shows that people prefer things that are easy to think about to those that are hard. Generally, the level of reading comprehension is low. People aren’t focusing or reading online; they’re scanning and multitasking and browsing and tweeting while looking at your page.
Rewrite anything with the faintest resemblance to what you learned in school.

‘Spam’
Consumers are bombarded with hundreds of “greymail” e-mails each day. Trillions are being sent by marketers each year. So you’d think, logically speaking, that assuring visitors you won’t spam them would help conversions. Unfortunately that’s not the case. “Spam” is a huge stop word — or no no — that causes people to become apprehensive and hesitate.
A test carried out by Michael Aagaard showed the surprising ramifications. He added the seemingly harmless line of “100% privacy — we will never spam you” in between the form fields and submission button.
Typically, these extra credibility indicators surrounding a CTA can help to give conversions a nice little boost. But not in this case, and it backfired by over 18%.
Try assurances like “Your information will not be shared.”
Avoid words with a negative connotation (as we saw with “submit”) in general, and use additional messaging to reinforce the positive aspects of what someone is about to get.

‘We’
“We” opens a door. It’s like the gateway drug of bad copywriting. One small hit, and you’re quickly off to dabbling with bigger, badder things.
While it might seem harmless at the time, “we” puts you on a path to jonesing for a fix of “synergy” and “best in class” in no time.
But keep in mind, that as a general rule, people don’t care about you. Instead, they want a “better version of themselves.”
This is especially so for all those visiting your site at the top of the funnel, who haven’t realized a need for your product or service yet. They’re Googling solutions for drilling a hole in their wall so they can hang a picture… they’re not looking for a drill (just yet).
That means the focus of messaging should be centered around a problem and solution, not a tool, product or service.
Instead of “we” begin with “you” or don’t use a pronoun at all (like a question or a command/call to action).

‘Your’
The copy on most web sites is written in the second person. And that’s a good thing! Copywriters are taught to use “you” instead of “they” when explaining the benefits derived from the latest product or service.
However, there are exceptions. When focusing on a CTA or specific conversion event, the “possessive determiner” should switch back to first person.
Another test from Michael Aagaard proves the point. Michael initially thought that “your” in the CTA button copy would work best. But he found almost a 25% difference, just by switching a single word – from “your free trial” to “my free trial”.
Switching to “my” gives people ownership of the benefit they’re about to receive.

‘Free’
You’d think, on the surface, that “free” increases conversions. And it does in most cases. The last example a few seconds ago used a “free trial” to generate more interest (and clicks). But there are exceptions.
The first (albeit tiny) issue is that the word “free” can trip up spam filters in email messaging. The second, bigger problem though is a curious case of over-optimisation. The problem is that more conversions isn’t always better. A Totango study showed that 70% of the people who sign up for free trials are useless, with only around 20% of those actively evaluating the product.
So while the word “free” can (and will) increase initial conversions, you should be optimising for sales and revenue — not vanity metrics like leads or impressive (but hollow) conversion rates.

‘Save time and money’
So far we’ve seen that vague, meaningless, overly generic phrases are bad for conversions. The culmination of them all — the cherry on top and the pièce de résistance — is “save time and money”.
This phrase breaks one of the very first rules of copywriting that says you should write to a particular audience.
Roll up your sleeves and dig a little deeper into who you’re speaking to, and what they value most.
The key is to ferret out those few ingredients that make your offering awesome & unique, which both audiences value. You want the stuff that overlaps, which will help you create a specific value proposition that reinforces your primary aim (of driving conversions), while avoiding the same generic message showing up on each of your competitor’s Web sites.

Source: WordStream
