Malicious URLs Used as Click Bait and Delivered Through Both Email and Web
by Brian Pinnock, cyber security specialist at Mimecast
Mimecast Releases Latest Report from Cyber Resilience Think Tank
Emirates NBD issued a statement to its customers warning that they should be aware of a new phishing attack. A customer receiving an email with the subject line ‘VAT Refund Notification’ claiming to be from Emirates NBD is a phishing e-mail.
Cybercriminals are expanding their attacks to gain access to corporate data and employee data.
Mimecast to address growing instances of targeted threats, such as impersonation attacks, with the introduction of new product features
By Brandon Bekker, Managing Director at Mimecast, Africa and the Middle East
Mimecast ESRA Report Shows Sharp Rise in Impersonation Attacks
COMMENT on the “Bad Rabbit” ransomware attack by Steven Malone, Director of Security Product Management, Mimecast
Experts Will Perform Live Email Hacks and Show How to Defend Against Them at Stand D1-42 in Hall 1
Major law enforcement successes despite an increasingly professionalised cybercrime landscape
The past 12 months have seen a number of unprecedented cyber-attacks in terms of their global scale, impact and rate of spread. Already causing widespread public concern, these attacks only represent a small sample of the wide array of cyber threats we now face. Europol’s 2017 Internet Organised Crime Threat Assessment (IOCTA) identifies the main cybercrime threats and provides key recommendations to address the challenges.
Blog by Matthew Gardiner, Senior Product Marketing Manager, Mimecast
Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email; even for those that use SMIME or PGP for signing. Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.
Described in more detail in a recently published security advisory, Mimecast has been able to add a defense against this exploit for our customers and also provide security recommendations that can be considered non-customers to safeguard their email from this email exploit.
So what is ROPEMAKER?
The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.
Clearly, giving attackers remote control over any aspect of ones’ applications or infrastructure is a bad thing. As is described in more depth in the ROPEMAKER Security Advisory, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.
To date, Mimecast has not seen ROPEMAKER exploited in the wild. We have, however, shown it to work on most popular email clients and online email services. Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.
For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.
Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is? For sure attackers don’t care why a system can be exploited, only that it can be. If you agree that the potential of an email being changeable post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself. Experience tells us that cybercriminals are always looking for the next email attack technique to use. As an industry let’s work together to reduce the likelihood that the ROPEMAKER style of exploits gains any traction with cybercriminals!
Want to learn more? Download the full ROPEMAKER security advisory.
Dubai, UAE, July 30, 2017– Mimecast Limited (NASDAQ: MIME), a leading email and data security company, today announced the results of its third quarterly Email Security Risk Assessment (ESRA), a report of the results of tests which measure the effectiveness of incumbent email security systems. This quarter’s assessment noted a continued challenge of securing organizations from malicious attachments, dangerous files types, impersonation attacks, as well as spam – with nearly a quarter of “unsafe” email being delivered to users’ inboxes. Among the email security services assessed, the tests found that using Mimecast in conjunction with prominent cloud-based email service providers, including Google G Suite and Microsoft Office 365, would substantially improve results by blocking thousands more email-borne attacks. The report indicates the need for organizations to enhance their cyber resilience strategies for email with a multi-layered approach that includes a third-party security service provider.