SlideShare a Scribd company logo

Safe Email Practices

J
Jonathan Slavin

This document provides guidance on identifying and preventing the spread of malware through emails. It discusses how malicious emails try to trick recipients through spoofing, phishing links and attachments. Examples are given of common types of malicious emails, like those disguised as package tracking notifications but containing viruses. The document advises users to be wary of emails from unknown senders or containing strange formatting, links or large attachments meant to infect computers. Proper precautions can help safeguard systems from data loss or theft resulting from malware spread through emails.

1 of 18
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
1 [Type the company name] Triboro Safe Email and Computer Practices A guide to understanding Malware and preventing the spread of computer viruses. Triboro Quilt Manufacturing Information Services Department 2/28/2014
2 Intentionally Left Blank
3 Introduction Since its inception, the Internet has become a central part of conducting business and searching for information. With the advent of personal data devices such as smart phones and tablets, the internet created new forms of social engineering. For example a person can access vast interconnected network of computers to “surf” for information without ever leaving their home. They can conduct financial transactions, purchase goods from anywhere around the world, remotely connect to their office network, and even placing an order for delivering dinner. There have been untold benefits of being a connected member to this world wide community. At the same time there are members of this vast and interconnected network whose intentions are to exploit and hurt others for their own personal gain. The perpetrators do this by using programs created to attack and harm other computer. When a computer is attacked in such a matter they are attempting to gain access to the intended victim’s computer and data. This is called a Computer Virus. Just like when a bad germ attacks the body and cause a person to become sick. When a computer is infected by a virus it can cause serious harm regardless if it is a personal computer or if it is part of an office network. Once a computer has become compromised, it can transfer the virus to other computer such as File Servers by the means of transferring files or sending infected attachments by email. The results of such an outbreak can lead to the loss of data, worker productivity, and possible theft of data to commit corporate espionage and or identity theft based crimes. In addition to web based computer software based attacks. The initiators have added another weapon to their arsenal using malicious and spoofed emails created a simple means to harm and harass the unsuspecting victim and computer by fool the recipient into installing and infecting their own computer. The intention of this manual is to cover a wide range of information from erroneous emails to the many types of Computer Viruses. In addition it will include steps that can be taken to safe guard your workstation from harm and loss of data. What is Electronic Mail? Using a computer program to first compose and then send a letter in digital form from a sender to single or multiple recipients. When you send electronic mail to an internal or external recipient the server tags the message with important information. Just like filling out a shipping slip for sending a package using FedEx. The servers will apply “shipping information” in a form of Internet Protocol address. This is how our email server sends your message to its intended recipient’s address mailbox on their mail server. It contains the important information such as a time stamp of the date and time the message was sent. Then senders email address which also includes the numerical address of the sending service routing address. The intended recipients addresses if there is more than one in order to send a reply message. Also listed is the message subject matter and any message attachments. The header will also list the program that the message was created with. A “hacker” can intercept an email and change the return path. To an alternate location or in bed it with dangerous software in the hopes the reader will be fooled into installing it. They will even create a fake internal address to deceive the reader into thinking it was sent from legitimate internal address. Instead this address is an alias to an external hosted mailbox that will redirect the reply message.
4 The Anatomy of an Email message This is an example of an honest email message between two recipients. When viewed the Message Header. This is what the real message looks like when it is received by the recipient’s mail server. Return-Path: <lzacharias@triboro.com> Received: from mail2.aceinnovative.com ([unix socket]) by mail2 with LMTPA; Tue, 25 Feb 2014 13:37:08 -0500 X-Sieve: CMU Sieve 2.3 Received: from mail1.aceinnovative.com (mail1.aceinnovative.com [66.114.74.12]) by mail2.aceinnovative.com (8.13.8/8.13.8) with ESMTP id s1PIb1ZP017496 for <jslavin@cuddletime.com>; Tue, 25 Feb 2014 13:37:01 -0500 Received: from B042VF1LD (static-72-68-128-74.nycmny.fios.verizon.net [72.68.128.74]) (authenticated bits=0) by mail1.aceinnovative.com (8.13.8/8.13.8) with ESMTP id s1PIb19X016315 for <jslavin@triboro.com>; Tue, 25 Feb 2014 13:37:01 -0500 Reply-To: <lzacharias@triboro.com> From: "Lindsey Zacharias" <lzacharias@triboro.com> To: <jslavin@triboro.com> Subject: test Date: Tue, 25 Feb 2014 13:37:01 -0500 Organization: Triboro Quilt Mgf. Corp. Message-ID: <003e01cf3258$92d97770$b88c6650$@com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_003F_01CF322E.AA036F70" X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Ac8yWJK6bNzYjaHlSiydjqqVxgDIkQ== Content-Language: en-us X-Spam-Status-Local: No (-970/50) Anatomy of malicious and erroneous emails Recently many employees have received an increased level of emails from unknown senders that contained questionable content, such as attached zip files, foul and inappropriate material, or embedded web site links. What type of email to look out for? Normally email messages are from a known sender such as a purchase confirmation, from a family, friend, and or a business contact. On the other hand you could receive a message in your inbox that does not look just right. When this does happen be on the alert and not open the email. The sender will attempt to trick you into opening and reading the message content. How to distinguish a fake email? Emails with the intention of doing harm are sent from a Bank or Express Mail shipping service that might have been “spoofed” or commandeered to hide the true sender’s address that is relying on the lazy habits of the reader, to trick them into thinking the email is from a legitimate source. The intentions of such a letter are an attempt to infiltrate your PC to install software as a means to gain unauthorized access to it and the network that it associated with if it is attached to a corporate domain.
5 Why, would someone intentionally want to harm me? The sender wants to steal your information by installing “back door” software that can steal your passwords to your online shopping or banking sites to cause you financial harm. They want to compromise any type of network or user security measures such as Firewall by exploiting computers that have not been updated with the latest security software updates issued from legitimate software developers. What are Phishing and Spoofing Emails? Phishing is the act of trying to get the username, password, and financial account information by masquerading as a trustworthy entity though the use of electronic communication. Spoofing is an email that contains a forged return to sender email address. Examples of malicious emails: Example 1) Received emails with compressed virus installer. This is a fake email address. DHL and other shipping services would never use an email address as XXXXX@dhl-tracking.com Important Information Tracking number used by service carrier DHL Express: 10 numerical numbers. FedEx : 12 numerical numbers UPS: Star with 1Z with a string of letter and numbers. USPS: 20 digits or a combination of 13 alphabetic and numerical characters. Starting with two Alphabet letters and ending with US. A less common format is using Ten digits. Fake DHL Express Tracking number A tracking number would NEVER be attached as a Zipped file. Emails are never sent as plain text from a package delivery services.
6 Example 2) Email sent from a known recipient who had their address book hijacked Example 2) Fake email with embedded links: The title and body of the email could either contain strange characters or a message to invite you to see the attached file. Look at the attached ZIP file. The size alone should be a clue that it contains a virus or malware. The email address might look right to the casual reader. The sending address is wrong. A Bank or other financial institution would use the real domain after the @ sign. The embedded link will redirect you to a fake banking site. It’s intended to trick you into entering your account information
7 Not a Triboro site Example 4) Email sent from a fake administrator’s account that contains improper English. From: Admin@cuddletime.com Sent: Tuesday, October 30, 2012 10:20 AM Subject: Important Message From Helpdesk!! Dear Email Owner (Email Owner? Who says that?) You have exceeded the limit of your mailbox set by our IT Service, and from now you cannot be receiving (you cannot be receiving?) all incoming emails and also some of your outgoing emails will not be delivered and LASTLY, your account will be 'DE- ACTIVATED' within 24 hours from now. To prevent this, you are advised to click on the link below to reset your account. Failure to do this, will result to (will result to?) limited access to your mailbox while your account will remain IN-ACTIVE within the next 24 hours. Click link: https://mail.cuddletime.net/blah%20blah%20blah Thanks for letting us serve you better! Regards, Management. Upgrade Department (Upgrade Department?) This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. If you are the intended recipient, please be advised that the content of this message is subject to access, review and disclosure by the sender's Email System Administrator. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. federal tax advice contained in this communication (including any attachment) is not intended or written by us to be used, and cannot be used, (i) by any taxpayer for the purpose of avoiding tax penalties under the Internal Revenue Code or (ii) for promoting, marketing or recommending to another party any transaction or matter addressed herein. Example viewing the Message Header of a spoof email. Return-Path: <AmericanExpress@welcome.aexp.com> Received: from mail2.aceinnovative.com ([unix socket]) by mail2 with LMTPA; Mon, 18 Nov 2013 10:56:07 -0500 X-Sieve: CMU Sieve 2.3 The title of the email could look harmless and get you to read it. Don’t be fooled! Why would Admin@cuddletime.com send you a Help Desk message? We do not have an email address in our system called Administrator or Admin @cuddletime It appears that this email was written by someone who has a poor grasp of the English Language. That alone should be a warning sign. Foreign Computer criminals will include official looking water marks. Look closely, what does this email have to do with Internal Revenue Service?
8 Received: from mail1.aceinnovative.com (mail1.aceinnovative.com [66.114.74.12]) by mail2.aceinnovative.com (8.13.8/8.13.8) with ESMTP id rAIFu0k9010009; Mon, 18 Nov 2013 10:56:00 -0500 Received: from [38.104.61.38] ([38.104.61.38]) by mail1.aceinnovative.com (8.13.8/8.13.8) with ESMTP id rAIFtx80015649; Mon, 18 Nov 2013 10:55:59 -0500 Received: from [252.133.121.214] (port=47689 helo=[192.168.6.08]) by 38.104.61.38 with asmtp id 1rqLaL-00048-00 for aasrar@cuddletime.com; Mon, 18 Nov 2013 09:55:58 -0600 Message-ID: <528A37D5.6080609@cuddletime.com> Date: Mon, 18 Nov 2013 09:55:58 -0600 From: "DocuCentre-IV" <fxC4477@cuddletime.com> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1 MIME-Version: 1.0 To: aasrar@cuddletime.com Subject: Scan Data Content-Type: multipart/mixed; boundary="----=_Part_52620_4226026627.0566228937852" X-Spam: Not detected X-Mras: Ok X-Badrcpts-Local: 7 X-Spam-Status-Local: No (-450/50) The same message when viewed in the in the receiver's inbox. Procedures to Decipher and remove malicious emails The following procedures should be followed in order to safeguard your computer and the office network that includes other user computers and file servers. When you receive a questionable email in Outlook you should change the settings to enable the Reading Pane. The default behavior of viewing emails under the reading pane is “not read”. Outlook treats the message as not read and you can then decide to delete the message from your inbox and PC.
9 An Example of Outlook 2003 with the View Menu selected. Showing the Reading Pane on the right side of the reader’s Inbox. To Enable the Reading Pane in Outlook Regardless of which version of Outlook that is installed on your computer the instructions below can be applied for all. Step 1) Select the View menu from the tool bar. Step 2) when the menu choices appear click on Reading Pane. Move the mouse to the right and chose where the Reading Pane will appear. Step 3) once the message has been viewed and it has been determined to be Junk. Delete the email by pressing on the Delete Key. Step 4) Right click on your Outlook Trash. Select Empty Trash. This will permanently delete all items that are in your Outlook recycle bin. To Disable the Reading Pane Step 1) Select the View Menu Step 2) Select Reading Pane Step 3) Slide the mouse and select off The user has the option where the reading pane appears on the screen. The two options are on the bottom below the list of inbox message or on the right side of the screen.
10 For further assistance please contact Jonathan Slavin, X849, or Jeff Coplan, X852. They will come to your desk and check the received message. Computer Viruses, Worms and all The next important subject to address is Computer Viruses, Computer Worms, Trojan Horses, Rootkits, Keyloggers, Dialers, Spyware, Adware, Browser Helper Objects, Rogue Security Software, and Ransomware. This all can be categorized as Malware. What is Malware? Malware is defined as: Short for "malicious software," malware refers to software programs designed to damage or do other unwanted actions on a computer system. In Spanish, "mal" is a prefix that means "bad," making the term "badware." What is a Computer Virus? Computer Virus is defined as: A program that enters a computer usually without the knowledge of the operator. The code replicates itself by inserting itself into other programs or data files. Some viruses are mild and only cause messages to appear on the screen, but others are destructive and can wipe out the computer's memory or cause more severe damage. What is a Computer Worm? Computer Worm of Worm is defined as: is a standalone malware computer program that replicates itself in order to spread to other computers on a network. The program designed to spread to other computers by that aid of flawed security measures. Unlike a Computer Virus that requires a host application to attach itself to, worms do not. What is a Trojan horse? Trojan Horse is defined as: A hacking program that hides it true intentions and the name is taking from Greek Mythology. While it appears to be performing a desired function it is instead installing a back door “payload” of software. The intention is to gain unauthorized access to the victim’s computer. It is installed through accessing internet web pages that include online games or using internet driven applications. Once installed remote software operator “hacker” can use the computer to perform a number of tasks that the original computer owner or user would be unaware of. Once the machine it has been infect it could be used as Spam server infecting other machine or part of a Denial of Attack drone. Where is linked to other compromised computer in a coordinated effort against another computer network or web site or Stealing financial records or other sensitive information. Under No circumstances should you ever send any emails that contain any suspect attachments to another user on the network.
11 What is a Rootkits? Rootkit is defined as: malicious software that allows an unauthorized user to maintain access to a computer by concealing programs and processes, files, or data from the operating system. The word is comprised of the term “Root” which refers to Local Administrator account in UNIX based systems and Kit meaning software package. A rootkit can be installed through automated means while using a host application. Once installed it gains System and hardware administrative level rights granting backdoor access to a computer or network. Detection is almost impossible and long term effects it can render a computer Operating System inoperable. Performing a full system restore is the only way to remove a rootkit from a computer. What is a keylogger? Keylogger is defined as: a software program or hardware device that records all keystrokes on a computer keyboard, used either overtly as a surveillance tool or covertly as spyware. What is a Dialer? Dialer is defined as: an electronic device attached to a telephone to call preselected numbers automatically when activated. When a person used a modem to access the internet, a dialer program was required to gain access. A criminal organization would use a fraudulent compromised dialer program where the victim would be dialing expensive premium rate numbers provided through the program enabling the organization to profit from the call unbeknownst to the user. Using a dialing program to access networks in searching for illegal software, entertainment items that would contain hidden virus programs. What is Spyware? Spyware is defined as: software that is installed surreptitiously and gathers information about an Internet user's browsing habits, intercepts the user's personal data, etc., transmitting this information to a third party. Or through the use of tools that conduct espionage. What is Adware? Adware is defined as: a type of spyware that gathers information about an Internet user's browsing habits and displays targeted or contextual advertisements. Adware deployed as malware in a form of “POP-Up” unwanted advertisements to the user of a computer. What are Malicious Browser Helper Objects? Browser Helper Objects (BHO) is defined as: A Browser Helper Object (BHO) is a Dynamic Link Library (DLL) module designed as a plug-in for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of Internet Explorer 4. This includes the ability for Adobe Acrobat files to be viewed within Internet Explorer and other such software integration. BHO provides unrestricted access to a users system through Internet Explore. Malware is written to trick IE into thinking it is a BHO which is how a system can become to a compromised. A good example of this is called a “Drive by Attack”. This when in the process of viewing a web site at the same time malicious software is installed without the end user’s authorization? Once installed the computer has become infested with computer viruses. What is Ransomware? Ransom is defined as: A means of deliverance or rescue from punishment for sin, especially the payment of a redemptive fine and the sum or price paid or demanded. There are three versions of Ransomware that has become a
12 growing problem while surfing the World Wide Web. The first two versions try to scar the intended victim with damaging repercussions if a payment is not rendered within a three day time frame. The second and more server version of this called a Cyrptolocker Ransomware, uses an encryption tool to destroy the victims files at the informing them that unless a financial bounty has been surrendered they will not be able to access their files again. This type of Ransomware has caused The United States Department of Homeland Security to issue a national security bulletin to address the matter. The third version is called Rogue Security Software. All three are explained below. The perpetrators intention is to trick you into using your credit card to “repair” your computer. In reality once you have provided payment the system’s infestations are not removed and now your credit card or bank account information is in the hands of a criminal. Ransomware viruses are not isolated to the computer users in the United States. Users all over the world have been preyed upon. The criminal entities behind these programs are very sophisticated and daring as well. A machine running the Windows Microsoft Operating System has been infected. The virus gains Administrative rights. It is able to immediately change the user’s desktop to very sinister display informing them that they violated the law. Or that their Computer is full of malware and the program can clean up the system if a bounty has been paid. A possible theory is to convince the victim that their Government is watching their web activity. Examples of Ransomware to extort a bounty When a computer is infected by Ransomware, the desktop is replaced with a Fake Government warning demanding a payment or risk going to jail. Notice the use of Official Government Agencies Seals. The intended purpose is to scare and convince the victim that they performed an illegal act while surfing the internet. Notice - Why would the United States Government or a foreign agency require the intended victim to pay by going to Commercial Establishment to purchase a “Money Pack” before paying the alleged fine?? Some types of Ransomware are able to use the built in webcam to take a snap shot of the victim as they sat at their computer. It is then included into the screen message.
13 What is Cryptolocker Ransomware? Cryptolocker Ransomware is a new but very vicious form of Ransomware. When a computer becomes infected by a Cryptolocker Ransomware it begins to encrypt the user’s files. The user will be presented with full screen message with a timer. The message will inform the victim that their files have been encrypted and must provide payment to decrypt the files. Once the files have been touched by the Ransomware there is no way to restore them back to normal. It is highly advised to not pay the ransom and to instead have your hard drive reformatted. The following is an office United States Government bulletin discussing the effects of Ransomware attacks. National Cyber Awareness System: TA13-309A: CryptoLocker Ransomware Infections 11/05/2013 10:58 AM EST Original release date: November 05, 2013 | Last revised: November 06, 2013 Systems Affected Microsoft Windows systems running Windows 7, Vista, and XP operating systems Overview US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments. Description CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber- criminal underground. Impact The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach. Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key. While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion
14 attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3). Solution Prevention US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection: Do not follow unsolicited web links in email messages or submit any information to WebPages in links Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments Maintain up-to-date anti-virus software Perform regular backups of all systems to limit the impact of data and/or system loss Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity Secure open-share drives by only allowing connections from authorized users Keep your operating system and software up-to-date with the latest patches Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks Mitigation US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware: Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network Users who are infected should change all passwords AFTER removing the malware from their system Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods: o Restore from backup, o Restore from a shadow copy or o Perform a system restore. Revision History Initial This product is provided subject to this Notification and this Privacy & Use policy. OTHER RESOURCES: Contact Us | Security Publications | Alerts and Tips | Related Resources STAY CONNECTED SUBSCRIBER SERVICES: Manage Preferences | Unsubscribe | Help This email was sent to using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235- 5110 Example of Cyptolocker Ransomware
15 When infected with a Cyrptolocker Ransomware. The data on the user’s computer has already been encrypted and the files are destroyed. This can include any external hard drives and could spread to a mounted server. It is advised to not pay since the hacker will not provide you with any a means to decrypt the files. What is Rogue Security Software? Rogue Security Software is defined as: Is a type of Ransomware software that deceives a victim into paying to remove fake or simulated viruses from their computer. When that ransom has been paid the virus is not removed and more malware are loaded onto the infected machine. Example of Windows Rogue Security Software installed on compromised systems. The rogue software creators try to fool you into thinking it is official software from Microsoft. They incorporate the look and feel of the programs, the icons, shapes, and colors.
16 The above examples are from computers running the Microsoft Windows Operating Systems. While it is rare there have been reported incidents of Apple Macintosh Computer being infected by natively created Malware applications. The vast majority of reported cases of infected systems have been running the Windows Operating System. What to do if my System is infected with Malware? When your computer has become infected with any of the types of malware listed. Take the following steps to prevent the spread to other users and systems on the network. Step One) immediately disconnect from the network or close a VPN session if connected remotely. Step Two) disconnect any external hard drives or USB memory sticks. Step Three) shut down the computer. Do this by going to Start Menu and selecting shutdown. If the PC prevents you from performing this action then hold down the power button on the front of the workstation or the laptop until it powers down. Step Four) Contact Jonathan at X849 or Jeff at X852 who will come to your desk and address the matter. Data Loss Prevention An external hard drive or other forms of data storage should never be continually attached to the computer. If the computer fallen prey to a virus. Depending on the type of infestation could spread to the backed up data. Causing data lose. It is a safe practice to eject or disconnect external storage devices when not in use. User File Management All users are provided with two mapped network drives on their computer workstations. A. S:Public Shares. This is the main network shared folder where all communal department work is stored. B. U: User Data. This is where individual corporate related files are saved to secured personalized assigned folder. C. Users should store all work related files to the network instead of storing it on local computers. Remote users should use an external drive to perform local file back-ups. This method insures the files are able to be recovered. Back-up to the network is a good practice to prevent catastrophic loss of data. Under no circumstances should you ignore an outbreak of Malware on your PC and continue to work. The longer you wait to address the matter the infestation could spread to the server and other users.
17 Intentionally Left Blank
18

More Related Content

PPT
Malware from the Consumer Jungle
Jason S
 
PPTX
Internet and Email 101 v1
Adam Ripsam
 
PDF
No one cares about your damn emails
San Diego Continuing Education
 
PDF
How to Trace an E-mail Part 1
Lebowitzcomics
 
PPT
E-Mail Crimes - Gurugram Cyber Crime Cell July 2017
Shyam Pareek
 
PPT
Tutorial 2 - Basic Communication on the Internet: Email
dpd
 
PPT
Tutorial 06 - Real-Time Communication on the Internet
dpd
 
PPT
Cyber security and emails presentation refined
Wan Solo
 
Malware from the Consumer Jungle
Jason S
 
Internet and Email 101 v1
Adam Ripsam
 
No one cares about your damn emails
San Diego Continuing Education
 
How to Trace an E-mail Part 1
Lebowitzcomics
 
E-Mail Crimes - Gurugram Cyber Crime Cell July 2017
Shyam Pareek
 
Tutorial 2 - Basic Communication on the Internet: Email
dpd
 
Tutorial 06 - Real-Time Communication on the Internet
dpd
 
Cyber security and emails presentation refined
Wan Solo
 

What's hot (20)

PPSX
Email strategies
Alan Haller
 
PDF
Processing obtained email data by using naïve bayes learning algorithm
ijcsit
 
PPT
Email
ARSD College
 
PPTX
Internet Fraud #scichallenge2017
Alexandru Turcu
 
PPT
E Mail
MrsMoss
 
PPT
About Web and E-mail
sai prakash
 
PPTX
Technical Background Overview Ppt
Antonio Ieranò
 
PDF
Network paperthesis2
Dhara Shah
 
PPTX
What is Email Header - Understanding Email Anatomy
email_header
 
DOCX
Internet 8th level imen tek bouaziz 2016
imen Tekaya Bouaziz
 
PPTX
Presentation1
Bhoxz JoYrel
 
PPTX
Benefits of email ! Batra Computer Centre
jatin batra
 
PDF
Web phish detection (an evolutionary approach)
eSAT Journals
 
PDF
Web phish detection (an evolutionary approach)
eSAT Publishing House
 
PPTX
Introduction to Email
Made Aditya
 
DOCX
Sherbimet e mail serverit
Xhendris Ismaili
 
PPT
Internet Tutorial 02
dpd
 
PDF
B0940509
IOSR Journals
 
PDF
Complete guide to_email
Rochelle Lee
 
PPTX
E mail features
mrscjrobertson
 
Email strategies
Alan Haller
 
Processing obtained email data by using naïve bayes learning algorithm
ijcsit
 
Email
ARSD College
 
Internet Fraud #scichallenge2017
Alexandru Turcu
 
E Mail
MrsMoss
 
About Web and E-mail
sai prakash
 
Technical Background Overview Ppt
Antonio Ieranò
 
Network paperthesis2
Dhara Shah
 
What is Email Header - Understanding Email Anatomy
email_header
 
Internet 8th level imen tek bouaziz 2016
imen Tekaya Bouaziz
 
Presentation1
Bhoxz JoYrel
 
Benefits of email ! Batra Computer Centre
jatin batra
 
Web phish detection (an evolutionary approach)
eSAT Journals
 
Web phish detection (an evolutionary approach)
eSAT Publishing House
 
Introduction to Email
Made Aditya
 
Sherbimet e mail serverit
Xhendris Ismaili
 
Internet Tutorial 02
dpd
 
B0940509
IOSR Journals
 
Complete guide to_email
Rochelle Lee
 
E mail features
mrscjrobertson
 
Ad

Similar to Safe Email Practices (20)

DOCX
Best e-Mail Security PracticesUsing Email Safely E-mai.docx
AASTHA76
 
DOCX
Best e-Mail Security PracticesUsing Email Safely E-mai.docx
ikirkton
 
PDF
How to Detect Email Fraud
Texas Medical Liability Trust
 
PPT
cyber security unit-1, r20-JNTUK-USED FOR STUDENTS
SAIPAVANKUMARNANDIGA
 
PPSX
IDENTIFYING CYBER THREATS NEAR YOU
Billy Warero
 
PPTX
Email hacking
ShreyaBhoje
 
PPT
Cyber security and emails presentation
Wan Solo
 
PDF
Email threat detection and mitigation
NimishaRawat
 
PPTX
phishing technique.pptx
ECE6054PRIYADHARSHIN
 
PPTX
The Emotional Lure of Social Engineering
The TNS Group
 
DOC
email security
Shiva Krishna Chandra Shekar
 
DOC
Eseminar1
Shiva Krishna Chandra Shekar
 
DOCX
Security awareness
Sanoop Nair
 
PPTX
Cyber Security and prevention Presentation.pptx
kumardev57663
 
PPT
Protecting Yourself Online
Gary Wagnon
 
PPTX
Security Awareness Training.pptx
MohammedYaseen638128
 
PPT
Email basics
SeniorServices
 
PPTX
Email threats
Shivam Tomar
 
PDF
How to Implement DMARC/DKIM/SPF to Stop Email Spoofing/Phishing: The Definiti...
Gangcai Lin
 
PDF
How and Why to Make Email Everyone's Business
Sendio
 
Best e-Mail Security PracticesUsing Email Safely E-mai.docx
AASTHA76
 
Best e-Mail Security PracticesUsing Email Safely E-mai.docx
ikirkton
 
How to Detect Email Fraud
Texas Medical Liability Trust
 
cyber security unit-1, r20-JNTUK-USED FOR STUDENTS
SAIPAVANKUMARNANDIGA
 
IDENTIFYING CYBER THREATS NEAR YOU
Billy Warero
 
Email hacking
ShreyaBhoje
 
Cyber security and emails presentation
Wan Solo
 
Email threat detection and mitigation
NimishaRawat
 
phishing technique.pptx
ECE6054PRIYADHARSHIN
 
The Emotional Lure of Social Engineering
The TNS Group
 
email security
Shiva Krishna Chandra Shekar
 
Eseminar1
Shiva Krishna Chandra Shekar
 
Security awareness
Sanoop Nair
 
Cyber Security and prevention Presentation.pptx
kumardev57663
 
Protecting Yourself Online
Gary Wagnon
 
Security Awareness Training.pptx
MohammedYaseen638128
 
Email basics
SeniorServices
 
Email threats
Shivam Tomar
 
How to Implement DMARC/DKIM/SPF to Stop Email Spoofing/Phishing: The Definiti...
Gangcai Lin
 
How and Why to Make Email Everyone's Business
Sendio
 
Ad

Safe Email Practices

  • 1. 1 [Type the company name] Triboro Safe Email and Computer Practices A guide to understanding Malware and preventing the spread of computer viruses. Triboro Quilt Manufacturing Information Services Department 2/28/2014
  • 3. 3 Introduction Since its inception, the Internet has become a central part of conducting business and searching for information. With the advent of personal data devices such as smart phones and tablets, the internet created new forms of social engineering. For example a person can access vast interconnected network of computers to “surf” for information without ever leaving their home. They can conduct financial transactions, purchase goods from anywhere around the world, remotely connect to their office network, and even placing an order for delivering dinner. There have been untold benefits of being a connected member to this world wide community. At the same time there are members of this vast and interconnected network whose intentions are to exploit and hurt others for their own personal gain. The perpetrators do this by using programs created to attack and harm other computer. When a computer is attacked in such a matter they are attempting to gain access to the intended victim’s computer and data. This is called a Computer Virus. Just like when a bad germ attacks the body and cause a person to become sick. When a computer is infected by a virus it can cause serious harm regardless if it is a personal computer or if it is part of an office network. Once a computer has become compromised, it can transfer the virus to other computer such as File Servers by the means of transferring files or sending infected attachments by email. The results of such an outbreak can lead to the loss of data, worker productivity, and possible theft of data to commit corporate espionage and or identity theft based crimes. In addition to web based computer software based attacks. The initiators have added another weapon to their arsenal using malicious and spoofed emails created a simple means to harm and harass the unsuspecting victim and computer by fool the recipient into installing and infecting their own computer. The intention of this manual is to cover a wide range of information from erroneous emails to the many types of Computer Viruses. In addition it will include steps that can be taken to safe guard your workstation from harm and loss of data. What is Electronic Mail? Using a computer program to first compose and then send a letter in digital form from a sender to single or multiple recipients. When you send electronic mail to an internal or external recipient the server tags the message with important information. Just like filling out a shipping slip for sending a package using FedEx. The servers will apply “shipping information” in a form of Internet Protocol address. This is how our email server sends your message to its intended recipient’s address mailbox on their mail server. It contains the important information such as a time stamp of the date and time the message was sent. Then senders email address which also includes the numerical address of the sending service routing address. The intended recipients addresses if there is more than one in order to send a reply message. Also listed is the message subject matter and any message attachments. The header will also list the program that the message was created with. A “hacker” can intercept an email and change the return path. To an alternate location or in bed it with dangerous software in the hopes the reader will be fooled into installing it. They will even create a fake internal address to deceive the reader into thinking it was sent from legitimate internal address. Instead this address is an alias to an external hosted mailbox that will redirect the reply message.
  • 4. 4 The Anatomy of an Email message This is an example of an honest email message between two recipients. When viewed the Message Header. This is what the real message looks like when it is received by the recipient’s mail server. Return-Path: <lzacharias@triboro.com> Received: from mail2.aceinnovative.com ([unix socket]) by mail2 with LMTPA; Tue, 25 Feb 2014 13:37:08 -0500 X-Sieve: CMU Sieve 2.3 Received: from mail1.aceinnovative.com (mail1.aceinnovative.com [66.114.74.12]) by mail2.aceinnovative.com (8.13.8/8.13.8) with ESMTP id s1PIb1ZP017496 for <jslavin@cuddletime.com>; Tue, 25 Feb 2014 13:37:01 -0500 Received: from B042VF1LD (static-72-68-128-74.nycmny.fios.verizon.net [72.68.128.74]) (authenticated bits=0) by mail1.aceinnovative.com (8.13.8/8.13.8) with ESMTP id s1PIb19X016315 for <jslavin@triboro.com>; Tue, 25 Feb 2014 13:37:01 -0500 Reply-To: <lzacharias@triboro.com> From: "Lindsey Zacharias" <lzacharias@triboro.com> To: <jslavin@triboro.com> Subject: test Date: Tue, 25 Feb 2014 13:37:01 -0500 Organization: Triboro Quilt Mgf. Corp. Message-ID: <003e01cf3258$92d97770$b88c6650$@com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_003F_01CF322E.AA036F70" X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Ac8yWJK6bNzYjaHlSiydjqqVxgDIkQ== Content-Language: en-us X-Spam-Status-Local: No (-970/50) Anatomy of malicious and erroneous emails Recently many employees have received an increased level of emails from unknown senders that contained questionable content, such as attached zip files, foul and inappropriate material, or embedded web site links. What type of email to look out for? Normally email messages are from a known sender such as a purchase confirmation, from a family, friend, and or a business contact. On the other hand you could receive a message in your inbox that does not look just right. When this does happen be on the alert and not open the email. The sender will attempt to trick you into opening and reading the message content. How to distinguish a fake email? Emails with the intention of doing harm are sent from a Bank or Express Mail shipping service that might have been “spoofed” or commandeered to hide the true sender’s address that is relying on the lazy habits of the reader, to trick them into thinking the email is from a legitimate source. The intentions of such a letter are an attempt to infiltrate your PC to install software as a means to gain unauthorized access to it and the network that it associated with if it is attached to a corporate domain.
  • 5. 5 Why, would someone intentionally want to harm me? The sender wants to steal your information by installing “back door” software that can steal your passwords to your online shopping or banking sites to cause you financial harm. They want to compromise any type of network or user security measures such as Firewall by exploiting computers that have not been updated with the latest security software updates issued from legitimate software developers. What are Phishing and Spoofing Emails? Phishing is the act of trying to get the username, password, and financial account information by masquerading as a trustworthy entity though the use of electronic communication. Spoofing is an email that contains a forged return to sender email address. Examples of malicious emails: Example 1) Received emails with compressed virus installer. This is a fake email address. DHL and other shipping services would never use an email address as XXXXX@dhl-tracking.com Important Information Tracking number used by service carrier DHL Express: 10 numerical numbers. FedEx : 12 numerical numbers UPS: Star with 1Z with a string of letter and numbers. USPS: 20 digits or a combination of 13 alphabetic and numerical characters. Starting with two Alphabet letters and ending with US. A less common format is using Ten digits. Fake DHL Express Tracking number A tracking number would NEVER be attached as a Zipped file. Emails are never sent as plain text from a package delivery services.
  • 6. 6 Example 2) Email sent from a known recipient who had their address book hijacked Example 2) Fake email with embedded links: The title and body of the email could either contain strange characters or a message to invite you to see the attached file. Look at the attached ZIP file. The size alone should be a clue that it contains a virus or malware. The email address might look right to the casual reader. The sending address is wrong. A Bank or other financial institution would use the real domain after the @ sign. The embedded link will redirect you to a fake banking site. It’s intended to trick you into entering your account information
  • 7. 7 Not a Triboro site Example 4) Email sent from a fake administrator’s account that contains improper English. From: Admin@cuddletime.com Sent: Tuesday, October 30, 2012 10:20 AM Subject: Important Message From Helpdesk!! Dear Email Owner (Email Owner? Who says that?) You have exceeded the limit of your mailbox set by our IT Service, and from now you cannot be receiving (you cannot be receiving?) all incoming emails and also some of your outgoing emails will not be delivered and LASTLY, your account will be 'DE- ACTIVATED' within 24 hours from now. To prevent this, you are advised to click on the link below to reset your account. Failure to do this, will result to (will result to?) limited access to your mailbox while your account will remain IN-ACTIVE within the next 24 hours. Click link: https://mail.cuddletime.net/blah%20blah%20blah Thanks for letting us serve you better! Regards, Management. Upgrade Department (Upgrade Department?) This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. If you are the intended recipient, please be advised that the content of this message is subject to access, review and disclosure by the sender's Email System Administrator. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. federal tax advice contained in this communication (including any attachment) is not intended or written by us to be used, and cannot be used, (i) by any taxpayer for the purpose of avoiding tax penalties under the Internal Revenue Code or (ii) for promoting, marketing or recommending to another party any transaction or matter addressed herein. Example viewing the Message Header of a spoof email. Return-Path: <AmericanExpress@welcome.aexp.com> Received: from mail2.aceinnovative.com ([unix socket]) by mail2 with LMTPA; Mon, 18 Nov 2013 10:56:07 -0500 X-Sieve: CMU Sieve 2.3 The title of the email could look harmless and get you to read it. Don’t be fooled! Why would Admin@cuddletime.com send you a Help Desk message? We do not have an email address in our system called Administrator or Admin @cuddletime It appears that this email was written by someone who has a poor grasp of the English Language. That alone should be a warning sign. Foreign Computer criminals will include official looking water marks. Look closely, what does this email have to do with Internal Revenue Service?
  • 8. 8 Received: from mail1.aceinnovative.com (mail1.aceinnovative.com [66.114.74.12]) by mail2.aceinnovative.com (8.13.8/8.13.8) with ESMTP id rAIFu0k9010009; Mon, 18 Nov 2013 10:56:00 -0500 Received: from [38.104.61.38] ([38.104.61.38]) by mail1.aceinnovative.com (8.13.8/8.13.8) with ESMTP id rAIFtx80015649; Mon, 18 Nov 2013 10:55:59 -0500 Received: from [252.133.121.214] (port=47689 helo=[192.168.6.08]) by 38.104.61.38 with asmtp id 1rqLaL-00048-00 for aasrar@cuddletime.com; Mon, 18 Nov 2013 09:55:58 -0600 Message-ID: <528A37D5.6080609@cuddletime.com> Date: Mon, 18 Nov 2013 09:55:58 -0600 From: "DocuCentre-IV" <fxC4477@cuddletime.com> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1 MIME-Version: 1.0 To: aasrar@cuddletime.com Subject: Scan Data Content-Type: multipart/mixed; boundary="----=_Part_52620_4226026627.0566228937852" X-Spam: Not detected X-Mras: Ok X-Badrcpts-Local: 7 X-Spam-Status-Local: No (-450/50) The same message when viewed in the in the receiver's inbox. Procedures to Decipher and remove malicious emails The following procedures should be followed in order to safeguard your computer and the office network that includes other user computers and file servers. When you receive a questionable email in Outlook you should change the settings to enable the Reading Pane. The default behavior of viewing emails under the reading pane is “not read”. Outlook treats the message as not read and you can then decide to delete the message from your inbox and PC.
  • 9. 9 An Example of Outlook 2003 with the View Menu selected. Showing the Reading Pane on the right side of the reader’s Inbox. To Enable the Reading Pane in Outlook Regardless of which version of Outlook that is installed on your computer the instructions below can be applied for all. Step 1) Select the View menu from the tool bar. Step 2) when the menu choices appear click on Reading Pane. Move the mouse to the right and chose where the Reading Pane will appear. Step 3) once the message has been viewed and it has been determined to be Junk. Delete the email by pressing on the Delete Key. Step 4) Right click on your Outlook Trash. Select Empty Trash. This will permanently delete all items that are in your Outlook recycle bin. To Disable the Reading Pane Step 1) Select the View Menu Step 2) Select Reading Pane Step 3) Slide the mouse and select off The user has the option where the reading pane appears on the screen. The two options are on the bottom below the list of inbox message or on the right side of the screen.
  • 10. 10 For further assistance please contact Jonathan Slavin, X849, or Jeff Coplan, X852. They will come to your desk and check the received message. Computer Viruses, Worms and all The next important subject to address is Computer Viruses, Computer Worms, Trojan Horses, Rootkits, Keyloggers, Dialers, Spyware, Adware, Browser Helper Objects, Rogue Security Software, and Ransomware. This all can be categorized as Malware. What is Malware? Malware is defined as: Short for "malicious software," malware refers to software programs designed to damage or do other unwanted actions on a computer system. In Spanish, "mal" is a prefix that means "bad," making the term "badware." What is a Computer Virus? Computer Virus is defined as: A program that enters a computer usually without the knowledge of the operator. The code replicates itself by inserting itself into other programs or data files. Some viruses are mild and only cause messages to appear on the screen, but others are destructive and can wipe out the computer's memory or cause more severe damage. What is a Computer Worm? Computer Worm of Worm is defined as: is a standalone malware computer program that replicates itself in order to spread to other computers on a network. The program designed to spread to other computers by that aid of flawed security measures. Unlike a Computer Virus that requires a host application to attach itself to, worms do not. What is a Trojan horse? Trojan Horse is defined as: A hacking program that hides it true intentions and the name is taking from Greek Mythology. While it appears to be performing a desired function it is instead installing a back door “payload” of software. The intention is to gain unauthorized access to the victim’s computer. It is installed through accessing internet web pages that include online games or using internet driven applications. Once installed remote software operator “hacker” can use the computer to perform a number of tasks that the original computer owner or user would be unaware of. Once the machine it has been infect it could be used as Spam server infecting other machine or part of a Denial of Attack drone. Where is linked to other compromised computer in a coordinated effort against another computer network or web site or Stealing financial records or other sensitive information. Under No circumstances should you ever send any emails that contain any suspect attachments to another user on the network.
  • 11. 11 What is a Rootkits? Rootkit is defined as: malicious software that allows an unauthorized user to maintain access to a computer by concealing programs and processes, files, or data from the operating system. The word is comprised of the term “Root” which refers to Local Administrator account in UNIX based systems and Kit meaning software package. A rootkit can be installed through automated means while using a host application. Once installed it gains System and hardware administrative level rights granting backdoor access to a computer or network. Detection is almost impossible and long term effects it can render a computer Operating System inoperable. Performing a full system restore is the only way to remove a rootkit from a computer. What is a keylogger? Keylogger is defined as: a software program or hardware device that records all keystrokes on a computer keyboard, used either overtly as a surveillance tool or covertly as spyware. What is a Dialer? Dialer is defined as: an electronic device attached to a telephone to call preselected numbers automatically when activated. When a person used a modem to access the internet, a dialer program was required to gain access. A criminal organization would use a fraudulent compromised dialer program where the victim would be dialing expensive premium rate numbers provided through the program enabling the organization to profit from the call unbeknownst to the user. Using a dialing program to access networks in searching for illegal software, entertainment items that would contain hidden virus programs. What is Spyware? Spyware is defined as: software that is installed surreptitiously and gathers information about an Internet user's browsing habits, intercepts the user's personal data, etc., transmitting this information to a third party. Or through the use of tools that conduct espionage. What is Adware? Adware is defined as: a type of spyware that gathers information about an Internet user's browsing habits and displays targeted or contextual advertisements. Adware deployed as malware in a form of “POP-Up” unwanted advertisements to the user of a computer. What are Malicious Browser Helper Objects? Browser Helper Objects (BHO) is defined as: A Browser Helper Object (BHO) is a Dynamic Link Library (DLL) module designed as a plug-in for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of Internet Explorer 4. This includes the ability for Adobe Acrobat files to be viewed within Internet Explorer and other such software integration. BHO provides unrestricted access to a users system through Internet Explore. Malware is written to trick IE into thinking it is a BHO which is how a system can become to a compromised. A good example of this is called a “Drive by Attack”. This when in the process of viewing a web site at the same time malicious software is installed without the end user’s authorization? Once installed the computer has become infested with computer viruses. What is Ransomware? Ransom is defined as: A means of deliverance or rescue from punishment for sin, especially the payment of a redemptive fine and the sum or price paid or demanded. There are three versions of Ransomware that has become a
  • 12. 12 growing problem while surfing the World Wide Web. The first two versions try to scar the intended victim with damaging repercussions if a payment is not rendered within a three day time frame. The second and more server version of this called a Cyrptolocker Ransomware, uses an encryption tool to destroy the victims files at the informing them that unless a financial bounty has been surrendered they will not be able to access their files again. This type of Ransomware has caused The United States Department of Homeland Security to issue a national security bulletin to address the matter. The third version is called Rogue Security Software. All three are explained below. The perpetrators intention is to trick you into using your credit card to “repair” your computer. In reality once you have provided payment the system’s infestations are not removed and now your credit card or bank account information is in the hands of a criminal. Ransomware viruses are not isolated to the computer users in the United States. Users all over the world have been preyed upon. The criminal entities behind these programs are very sophisticated and daring as well. A machine running the Windows Microsoft Operating System has been infected. The virus gains Administrative rights. It is able to immediately change the user’s desktop to very sinister display informing them that they violated the law. Or that their Computer is full of malware and the program can clean up the system if a bounty has been paid. A possible theory is to convince the victim that their Government is watching their web activity. Examples of Ransomware to extort a bounty When a computer is infected by Ransomware, the desktop is replaced with a Fake Government warning demanding a payment or risk going to jail. Notice the use of Official Government Agencies Seals. The intended purpose is to scare and convince the victim that they performed an illegal act while surfing the internet. Notice - Why would the United States Government or a foreign agency require the intended victim to pay by going to Commercial Establishment to purchase a “Money Pack” before paying the alleged fine?? Some types of Ransomware are able to use the built in webcam to take a snap shot of the victim as they sat at their computer. It is then included into the screen message.
  • 13. 13 What is Cryptolocker Ransomware? Cryptolocker Ransomware is a new but very vicious form of Ransomware. When a computer becomes infected by a Cryptolocker Ransomware it begins to encrypt the user’s files. The user will be presented with full screen message with a timer. The message will inform the victim that their files have been encrypted and must provide payment to decrypt the files. Once the files have been touched by the Ransomware there is no way to restore them back to normal. It is highly advised to not pay the ransom and to instead have your hard drive reformatted. The following is an office United States Government bulletin discussing the effects of Ransomware attacks. National Cyber Awareness System: TA13-309A: CryptoLocker Ransomware Infections 11/05/2013 10:58 AM EST Original release date: November 05, 2013 | Last revised: November 06, 2013 Systems Affected Microsoft Windows systems running Windows 7, Vista, and XP operating systems Overview US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments. Description CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber- criminal underground. Impact The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach. Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key. While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion
  • 14. 14 attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3). Solution Prevention US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection: Do not follow unsolicited web links in email messages or submit any information to WebPages in links Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments Maintain up-to-date anti-virus software Perform regular backups of all systems to limit the impact of data and/or system loss Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity Secure open-share drives by only allowing connections from authorized users Keep your operating system and software up-to-date with the latest patches Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks Mitigation US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware: Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network Users who are infected should change all passwords AFTER removing the malware from their system Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods: o Restore from backup, o Restore from a shadow copy or o Perform a system restore. Revision History Initial This product is provided subject to this Notification and this Privacy & Use policy. OTHER RESOURCES: Contact Us | Security Publications | Alerts and Tips | Related Resources STAY CONNECTED SUBSCRIBER SERVICES: Manage Preferences | Unsubscribe | Help This email was sent to using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235- 5110 Example of Cyptolocker Ransomware
  • 15. 15 When infected with a Cyrptolocker Ransomware. The data on the user’s computer has already been encrypted and the files are destroyed. This can include any external hard drives and could spread to a mounted server. It is advised to not pay since the hacker will not provide you with any a means to decrypt the files. What is Rogue Security Software? Rogue Security Software is defined as: Is a type of Ransomware software that deceives a victim into paying to remove fake or simulated viruses from their computer. When that ransom has been paid the virus is not removed and more malware are loaded onto the infected machine. Example of Windows Rogue Security Software installed on compromised systems. The rogue software creators try to fool you into thinking it is official software from Microsoft. They incorporate the look and feel of the programs, the icons, shapes, and colors.
  • 16. 16 The above examples are from computers running the Microsoft Windows Operating Systems. While it is rare there have been reported incidents of Apple Macintosh Computer being infected by natively created Malware applications. The vast majority of reported cases of infected systems have been running the Windows Operating System. What to do if my System is infected with Malware? When your computer has become infected with any of the types of malware listed. Take the following steps to prevent the spread to other users and systems on the network. Step One) immediately disconnect from the network or close a VPN session if connected remotely. Step Two) disconnect any external hard drives or USB memory sticks. Step Three) shut down the computer. Do this by going to Start Menu and selecting shutdown. If the PC prevents you from performing this action then hold down the power button on the front of the workstation or the laptop until it powers down. Step Four) Contact Jonathan at X849 or Jeff at X852 who will come to your desk and address the matter. Data Loss Prevention An external hard drive or other forms of data storage should never be continually attached to the computer. If the computer fallen prey to a virus. Depending on the type of infestation could spread to the backed up data. Causing data lose. It is a safe practice to eject or disconnect external storage devices when not in use. User File Management All users are provided with two mapped network drives on their computer workstations. A. S:Public Shares. This is the main network shared folder where all communal department work is stored. B. U: User Data. This is where individual corporate related files are saved to secured personalized assigned folder. C. Users should store all work related files to the network instead of storing it on local computers. Remote users should use an external drive to perform local file back-ups. This method insures the files are able to be recovered. Back-up to the network is a good practice to prevent catastrophic loss of data. Under no circumstances should you ignore an outbreak of Malware on your PC and continue to work. The longer you wait to address the matter the infestation could spread to the server and other users.
  • 18. 18