Threat Investigation in Delivery Center

Email delivery is under assault by spammers and hackers world-wide.  Your brand and domain name can be leveraged to send spoofing emails, malware and spam to your customers, your suppliers and even to random strangers.  Unfortunately, the potential for abuse is no longer restricted to larger companies as hackers and spammers attack smaller, less protected companies.  Regardless of the size of your business, you need to protect yourself.  Several small businesses using MxToolbox Delivery Center have recently discovered that as much as 90% of the email volume reportedly coming “From” their domain is spoofed, leading to blanket denial of their email delivery.  Any company can have their business completely crippled by this type of spoofing.  How do you investigate and prevent email spoofing to improve email deliverability and protect your business?

Introducing MxToolbox Threat Investigator!


Investigate threats to your email delivery in a consolidated interface.

Continuously striving to increase our customers’ email delivery rates, MxToolbox is excited to unveil a new product feature that will help your business achieve ideal deliverability. With Threat Investigator, our customers get in-depth details on potential email delivery threats, including threatening IP addresses, geo-location, related domain information, reverse domain name system (DNS), autonomous system name/number (ASN), threat volume, and online reputation (MxReputation). Threat Investigator provides everything you need to analyze current and potential threats to email delivery and take steps to prevent these threats from impacting your business.


Leverage ASN, Geo-location and Reverse DNS to categorize threats.

Because online communication is essential for your business, MxDelivery Center with the new Threat Investigator feature examines issues associated with outbound email, focusing on any encountered delivery difficulties. Moreover, this product identifies ongoing phishing and spoofing campaigns that threaten your brand and email reputation. Being able to recognize these threats early preserves your company name and helps overall message deliverability.

In addition, this innovative feature also provides phishing and legitimate email failure samples as references for investigation purposes. All of this is at your disposal for comparison exercises and to further enhance your familiarity with threats as they emerge.


Threat Investigator integrates MxToolbox blacklist reputation to give you more insight.

MxToolbox’s Threat Investigator gives you unmatched awareness of threats to your company’s email practices. Your messages deserve safeguarding, and MxToolbox provides the tools necessary to protect and deliver your business email. Rely on our team of experts to help your emails get delivered by using the new Threat Investigator feature to reinforce your brand.

Existing customers: As a valued MxToolbox customer, you will have access to the Threat Investigator tool (depending on your current product subscription level). If you do not have access and would like to use this new feature, be sure to upgrade your plan to take advantage of MxToolbox’s Threat Investigator feature. Your business and your customers will greatly benefit from its addition.

Source: MxToolbox

Fake Font Dropper

Every day we see different website infections. When we receive unusual or interesting cases, our researcher instincts are triggered to investigate the unusual website behavior in order to understand how new infections work. In this case, the odd behavior was the website’s pop-up window claiming there was a missing font.

The Unwanted Popup Window

A website owner reached out to us to investigate the error displaying on their site. The popup window informed the visitors that they were unable to view the content of the site because their computers were missing a font called “HoeflerText”:

The malware tries to trick visitors into clicking the “Update” button to download a malicious file called: Font_Update.exe

Earlier this year, we wrote about a wave of WordPress infections involving malicious plugins that inject obfuscated scripts, creating unwanted pop-up/pop-unders which serve unwanted ads.

Continue reading Fake Font Dropper at Sucuri Blog.

Source: Sucuri Blog

Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins

This August, we’ve seen a new massive wave of WordPress infections that redirect visitors to unwanted sites.

When redirected, users see annoying pages with random utroro[.]com addresses and fake reCAPTCHA images. The messages and content try to convince visitors to verify and subscribe to browser notifications without disclosing the purpose of this behavior.

Alternative redirect URLs include:

hxxp://murieh[.]space/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub

hxxps://unverf[.]com/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub

Injected Scripts

The injected malware involves a script from one of the following two sites: cdn.eeduelements[.]com and cdn.allyouwant[.]online.

Continue reading Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins at Sucuri Blog.

Source: Sucuri Blog

Fake Plugins with Popuplink.js Redirect to Scam Sites

Since July, we’ve been observing a massive WordPress infection that is responsible for unwanted redirects to scam and ad sites. This infection involves the tiny.cc URL shortener, a fake plugin that has been called either “index” or “wp_update”, and a malicious popuplink.js file.

Infected pages typically have these two scripts in the <head> section of the page.

Continue reading Fake Plugins with Popuplink.js Redirect to Scam Sites at Sucuri Blog.

Source: Sucuri Blog

How to Improve Your Website Posture – Part I

Have you ever wondered if your website security posture is adequate?

The risk of a website compromise is never going to be zero. However, as a webmaster, you can play an important role in minimizing the chances of a website hack. A good security posture entails understanding the importance of securing a website and knowing how to implement security measures.

Correcting a poor security posture means recognizing problems that you might not notice.

Continue reading How to Improve Your Website Posture – Part I at Sucuri Blog.

Source: Sucuri Blog

How to Improve Website Resilience for DDoS Attacks – Part II – Caching

In the first post of this series, we talked about the practices that will optimize your site and increase your website’s resilience to DDoS attacks. Today, we are going to focus on caching best practices that can reduce the chances of a DDoS attack bringing down your site.

Website caching is a technique to store content in a ready-to-go state so that serving it requires no (or less) code processing. When a CDN is in place, the cache stores the content in a server location closer to the visitor.

Continue reading How to Improve Website Resilience for DDoS Attacks – Part II – Caching at Sucuri Blog.

Source: Sucuri Blog

Cookie Consent Script Used to Distribute Malware

Most websites today use cookies. Since May 25th, 2018, all websites that do business in the European Union (EU) have had to make some changes to be compliant with the EU General Data Protection Regulation (GDPR). Even though cookie usage is mentioned only once in GDPR, any organization utilizing cookies to track users’ browsing activity has had to add a warning about how they are being used and ask for the user’s consent.

Continue reading Cookie Consent Script Used to Distribute Malware at Sucuri Blog.

Source: Sucuri Blog

Cryptominers: Binary-Process-Cron Variants and Methods of Removal

This post provides a brief overview of how to manually remove server-side cryptominers and other types of Binary-Process-Cron malware from a server. Unlike browser-based JavaScript cryptominers that have been injected into a web page, a binary server-level cryptominer abuses server resources without affecting the computers or mobile devices of site visitors.

We will cover the attributes of these server-level infections to provide a basic understanding of their form and function, as well as a couple of different methods of removal.

Continue reading Cryptominers: Binary-Process-Cron Variants and Methods of Removal at Sucuri Blog.

Source: Sucuri Blog

The State of DMARC Adoption – Inbox Providers in 2018


There is a lot of buzz surrounding DMARC right now. And most people have questions like:

  • How many companies are adopting DMARC?
  • What is the volume of email sent to companies and governments that have adopted DMARC?
  • Is it necessary for your business?

As your expert in Email Delivery, MxToolbox is constantly looking at technologies that affect your business. For years, the biggest worry for companies like yours was being blacklisted. Now, email delivery is more complex and requires constant evaluation of your email senders and their compliance with new technologies like SPF, DKIM and DMARC. In our State of DMARC Adoption, we evaluate how quickly companies are adopting DMARC and how DMARC can affect your business. Learn More.


Source: MxToolbox

RawGit CDN is Abused by CryptoLoot Cryptominers

Recently, we came across another way to use files from GitHub repositories in malware infections.

This time the infections weren’t via GitHub.io, raw.githubusercontent.com, or github.com/<user>/<repository>/raw/ URLs. The new trick involved a third-party service called RawGit that provides a CDN for GitHub files.

This is the script that we found injected into .js and theme files on infected Drupal and WordPress sites.

Some of the infections were clearly buggy.

Continue reading RawGit CDN is Abused by CryptoLoot Cryptominers at Sucuri Blog.

Source: Sucuri Blog

Switching to HTTPS Before It’s Too Late

Google, Mozilla, and other web authorities are pushing for website owners to adopt HTTPS. Soon, Google Chrome will start flagging sites by displaying a warning that the site is “Not secure”.

Chrome 68 is already in Beta. Before long, everyone will be able to update their browsers to Chrome 68 and see “Not Secure” warnings on websites without SSL.

Reasons Behind the HTTPS Movement

It is a fact that websites with HTTPS are ranked higher in the Google search results.

Continue reading Switching to HTTPS Before It’s Too Late at Sucuri Blog.

Source: Sucuri Blog

Browser Extension Bug Leads to Post Injection

A few years ago, we saw how a browser extension introduced a threat to serve unwanted ads. Today, the number of browser extensions available to users has grown, along with the risk of similar behavior occurring.

We recently came across a similar case where several completely different websites contained what appeared to be a base64-encoded image, only visible from source-code view.

Base64 Encoded Images

There are a variety of approaches to displaying images on websites.

Continue reading Browser Extension Bug Leads to Post Injection at Sucuri Blog.

Source: Sucuri Blog

Hiding Malware Inside Images on GoogleUserContent

If you have been following our blog for a long time, you might remember us writing about malware that used EXIF data to hide its code.

This technique is still in use. Let us show you a recent example.

Contaminated Pac-Man

This code was found at the beginning of a malicious script that steals PayPal security tokens.

As you can see, it reads “EXIF data” from a pacman.jpg image hosted on Google’s servers, probably uploaded using a Blogger or Google+ account.

Continue reading Hiding Malware Inside Images on GoogleUserContent at Sucuri Blog.

Source: Sucuri Blog

Persistent Malicious Redirect Variants

It’s always nice to meet an old friend or someone you used to know well. You have news to share and talk about, stories to tell, etc. But what if your “old friend” was on the criminal side of things and you are meeting him more often than you actually like? Moreover, when you see him, he keeps changing his appearance with different sunglasses, haircuts, beards, and mustaches. But you know it’s still him. And you know he’s still a criminal…

This exactly describes the case of a family of malicious injectors and redirects we have been seeing for several years.

Continue reading Persistent Malicious Redirect Variants at Sucuri Blog.

Source: Sucuri Blog

Ask Sucuri: How Do You Find Website Backdoors?

In a previous post, we explained what website backdoors are and what they look like. Today, we want to focus on the ways we identify and remove backdoors to prevent reinfection.

Techniques to Find Backdoors

Finding a website backdoor is not an easy task, because a backdoor is designed to stay hidden from the website owner. However, at Sucuri we recommend the following techniques:

Whitelisting

We know what good files look like.

Continue reading Ask Sucuri: How Do You Find Website Backdoors? at Sucuri Blog.

Source: Sucuri Blog

WordPress Update – 4.9.7 Security & Maintenance Release

The WordPress team has just released a critical security and maintenance update to resolve a number of bugs and security issues.

Included in this release is a patch that protects against a vulnerability allowing bad actors to delete files from your site. If certain circumstances are met, this vulnerability may be enough for an attacker to completely take control of your website.

Are You at Risk?

If you don’t have automatic updates enabled or are using WordPress version 4.9.6 or earlier, your site may be vulnerable to this security issue originally reported by Slavco.

Continue reading WordPress Update – 4.9.7 Security & Maintenance Release at Sucuri Blog.

Source: Sucuri Blog

CoinImp Cryptominer and Fully Qualified Domain Names

We are all familiar with the conventional domain name notation, where different levels are concatenated with the full stop character (period).

E.g. “www.example.com”, where “www” is a subdomain, “example” is a second level domain, and “com” is a top level domain.

However, very few know that there is also a DNS root domain, and that it can also be specified in fully qualified domain names.

Continue reading CoinImp Cryptominer and Fully Qualified Domain Names at Sucuri Blog.

Source: Sucuri Blog

Google and Facebook Used in Phishing Campaigns

We’ve all seen sketchy-looking emails or texts with malicious links to click on. There are still people who fall for these more obvious types of scams; however, phishing messages are designed to deceive. They use methods that appear valid or urgent, encouraging the victim to hand over their data.

Phishing Campaigns

Phishing attempts happen in many ways, such as:

  • deceptive email campaigns,
  • suspicious SMS alerts (called smishing),
  • fake websites designed to look and sound authentic, and more.

Continue reading Google and Facebook Used in Phishing Campaigns at Sucuri Blog.

Source: Sucuri Blog

Sucuri Enhances Security by Disabling TLS Version 1.0 and 1.1

Protecting our users’ information and privacy is extremely important to us. As a cloud-based security service, we are fully committed to complying with the PCI Data Security Standard (PCI DSS) requirements. That is why Sucuri disabled support for TLS versions 1.0 and 1.1 on our WAF/CDN edge nodes on June 28, 2018.

What Is TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to enhance the security of a communication channel by encrypting the traffic between the parties involved.

Continue reading Sucuri Enhances Security by Disabling TLS Version 1.0 and 1.1 at Sucuri Blog.

Source: Sucuri Blog

What are Website Backdoors?

When a site gets compromised, the attackers will often leave some piece of malware behind to allow them access back to the site. Hackers want to leave a door open to retain control of the website and to reinfect it continuously. This type of malware is called a backdoor.

What Are Backdoors?

Backdoors are types of malware that allow for remote control of a compromised website by bypassing appropriate authentication methods.

Continue reading What are Website Backdoors? at Sucuri Blog.

Source: Sucuri Blog