ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Kaseya Fake Invoice Malware Attack Underlines Need for Stricter Email Security

    Self Promotion
    2
    2
    505
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      GlennBarley
      last edited by

      0_1453216779225_Kaseya-Fake-Invoice-Malware-Attack-Underlines-Need-for-Stricter-Email-Security.png

      Original blog post at: MSP Blog

      This weekend, news broke that malicious emails requesting payment for licenses were sent in remote management company, Kaseya's, name. This latest security headline is just one of many instances of malware launched through an email phishing scheme. The hackers, who haven't yet been identified, reportedly sent an email with a fake invoice attachment, which once opened, compromises the recipient's device with malware capable of stealing sensitive company data. If you've not yet heard of this latest hack sending tidal waves through the channel, let it serve as a warning. All employees and clients must screen any emails requesting payment for services, even those from a trusted name or company they do business with.

      The Kaseya Email Attack Explained

      On Saturday, January 16, Channelnomics reporter, Sam Trendall, exposed the false Kaseya email that landed in her inbox. According to her account, the email's subject is titled Kaseya Invoice with a random customer reference number to fake authenticity. Keeping up the rouse, the message is directed at the recipient company's Accounts Payable department, as shown in this screenshot provided by My Online Security:

      0_1453216811797_Screen_Shot_2016-01-18_at_6.24.45_PM.png

      The fake invoice with payment details is attached to the email in both a Microsoft Word document and Microsoft Excel XLS spreadsheet version. Once downloaded, malware such as Trojans, password stealers and ransomware infect the user's system.

      It is worth noting that in each of these email impersonation attacks, the companies or individuals who've had their names used have not been hacked themselves. Unless their email servers have been compromised or some other vulnerability is exploited, they are not to blame for phishing attempts based on mimicry.

      With that in mind, understand that hackers can make it look like any company is sending you a legitimate request, not just Kaseya. In case this latest attack signals a new trend in targeting companies in the IT services space, we advise you to be especially suspicious of invoice emails sent from any vendors within the channel, including those which may appear to come from Continuum.

      If you do receive a phishing email like the one from Kaseya that's circulating, do not click into it or attempt to contact the sender. Along with other Microsoft Office tips like ensuring your programs are up-to-date, My Online Security reminds us that "if protected view mode is turned off and macros are enabled then opening this malicious document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you." Besides disabling edit mode and macros to protect against this or future malware attempts, above all never open any attachment in an email you aren't expecting or aren't sure is legitimate. Pro tip: files ending in .exe, .com, .pif, .scr or .js should never be clicked or downloaded. These are indicators of malicious intent.

      Thanks to social engineering, however, judging email legitimacy isn't always easy. Let's take a look at some of the tactics employed in the fake email above.

      The attacker appears legitimate by addressing Accounts Payable rather than a random individual at the company. Knowing that this is the department that typically processes invoice payment, the scheme crafters hope to gain trust. Similarly, the Kaseya customer service department email address, [email protected] is believable, as the tail duplicates the company's name and the "cs" could be an abbreviation for customer service. A popular social engineering trick, attackers often manipulate account information to only subtly differ from the original. Additionally, pay attention to the email signature. By including one, the message seems to be sent from a professional account. Also, the email address listed matches the sender's address, which makes it easier for recipients to mistakenly trust.

      As a sanity check, create a list of all your vendors, when they typically invoice you, which addresses the emails come from and the follow-up contact information detailed in the body of the email. Then, each new time you receive an email requesting payment, cross-reference it with this list to make sure it's legitimate.

      For a closer examination of the process of email phishing, and common occurrences of it, check out this guest blog post about the current state of encrypting ransomware, written by our friends over at Webroot. What other best practices and tips can you share with your employees and clients to avoid additional malware cases? Check out our related material:

      Protect Yourself and Clients from Malware
      How to Keep Clients Safe from Phishing Attacks and Online Scams this Holiday Season

      And don't forget to stay up-to-date with the latest threats and patches! We compiled key updates from last month to give you an idea of what to look out for and help you stay ahead of the malware curve:

      Monthly Malware Roundup - December 2015

      1 Reply Last reply Reply Quote 3
      • DashrenderD
        Dashrender
        last edited by

        This is just one more reason email needs to die!

        I know we need anonymous ways to communicate over the internet, but we also need ways to protect ourselves better.

        1 Reply Last reply Reply Quote 2
        • 1 / 1
        • First post
          Last post