Tag Archives: email

LifeLock vulnerability exposed user email addresses to public

Symantec’s identity theft protection service, LifeLock, exposed millions of customers’ email addresses.

According to security journalist Brian Krebs, the LifeLock vulnerability was in the company’s website, and it enabled unauthorized third parties to collect email addresses associated with LifeLock user accounts or unsubscribe users from communications from the company. Account numbers, called subscriber keys, appear in the URL of the unsubscribe page on the LifeLock website; each key corresponds to a customer record and, according to Krebs, the keys appear to be sequential, which lends itself to writing a simple script to collect the email address of every subscriber.

The biggest threat with this LifeLock vulnerability is attackers could launch a targeted phishing scheme — and the company boasted more than 4.5 million users as of January 2017.

“The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand,” Krebs wrote. “Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of web site authentication and security.”

Krebs notified Symantec of the LifeLock vulnerability, and the security company took the affected webpage offline shortly thereafter. Krebs said he was alerted to the issue by Atlanta-based independent security researcher Nathan Reese, a former LifeLock subscriber who received an email offering him a discount if he renewed his membership. Reese then wrote a proof of concept and was able to collect 70 email addresses — enough to prove the LifeLock vulnerability worked.

Reese emphasized to Krebs how easy it would be for a malicious actor to use the two things he knows about the LifeLock customers — their email addresses and the fact that they use an identity theft protection service — to create a “sharp spear” for a spear phishing campaign, particularly because LifeLock customers are already concerned about cybersecurity.
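The design flaw Krebs describes is an unsubscribe link that trusts a bare, sequential subscriber key and echoes the matching address. The following added example, written for this page and not code from LifeLock, Symantec or Krebs, shows that weak handler beside a hardened one that binds the key to a server-side HMAC and confirms the opt-out without revealing the email; the subscriber table, the signing key and the URLs are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed data: sequential subscriber keys mapped to addresses, mirroring
# the layout the article describes. Not real LifeLock records.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}
UNSUBSCRIBED = set()

# Hypothetical server-side signing key; a real deployment loads it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def _query(url: str) -> dict:
    """Return the first value of each query parameter in the URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def insecure_unsubscribe(url: str) -> Optional[str]:
    """The weak pattern the article describes: the sequential subscriber key in
    the URL is trusted as-is and the confirmation page echoes the address."""
    key = int(_query(url).get("subscriberkey", "0"))
    email = SUBSCRIBERS.get(key)
    if email is None:
        return None
    UNSUBSCRIBED.add(key)
    return f"{email} has been unsubscribed"  # leaks the address to whoever holds the URL


def make_unsubscribe_token(subscriber_key: int) -> str:
    """Bind the subscriber key to an HMAC under the server key, so a link for
    one account cannot be turned into a valid link for a neighbouring account."""
    mac = hmac.new(SERVER_KEY, str(subscriber_key).encode(), hashlib.sha256).hexdigest()
    return f"{subscriber_key}.{mac}"


def secure_unsubscribe(url: str) -> Optional[str]:
    """Hardened handler: verifies the HMAC in constant time and confirms the
    opt-out without echoing the address, so a valid link reveals nothing else."""
    token = _query(url).get("token", "")
    key_str, _, mac = token.partition(".")
    if not key_str.isdigit() or not mac:
        return None
    expected = hmac.new(SERVER_KEY, key_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # forged, tampered or guessed token
    key = int(key_str)
    if key not in SUBSCRIBERS:
        return None
    UNSUBSCRIBED.add(key)
    return "You have been unsubscribed"


if __name__ == "__main__":
    link = "https://unsubscribe.example.invalid/?token=" + make_unsubscribe_token(1002)
    print(secure_unsubscribe(link))
```

A token that is merely unguessable is enough to stop enumeration; the HMAC form is used here because it needs no per-subscriber storage and can be verified statelessly by the marketing page the statement below refers to.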

Symantec, which acquired the identity theft protection company in 2016, issued a statement after Krebs published his report on the LifeLock vulnerability:

This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.

LifeLock has faced problems in the past with customer data. In 2015, the company paid out $100 million to the Federal Trade Commission to settle charges that it allegedly failed to secure customers’ personal data and ran deceptive advertising.

In other news:

  • The American Civil Liberties Union (ACLU) of Northern California said Amazon’s facial recognition program, Rekognition, falsely identified 28 members of Congress as people who were arrested for a crime in its recent test. The ACLU put together a database of 25,000 publicly available mugshots and ran the database against every current member of the House and Senate using the default Rekognition settings. The false matches represented a disproportionate amount of people of color — 40% of the false matches, while only 20% of Congress members are people of color — and spanned both Democrats and Republicans and men and women of all ages. One of the falsely identified individuals was Rep. John Lewis (D-Ga.), who is a member of the Congressional Black Caucus; Lewis previously wrote a letter to Amazon’s CEO, Jeff Bezos, expressing concern for the potential implications of the inaccuracy of Rekognition and how it could affect law enforcement and, particularly, people of color.
  • Researchers have discovered another Spectre vulnerability variant that enables attackers to access sensitive data. The new exploit, called SpectreRSB, was detailed by researchers at the University of California, Riverside, in a paper titled, “Spectre Returns! Speculation Attacks using the Return Stack Buffer.” “Rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses,” the research team wrote. The RSB aspect of the exploit is what’s new, compared with Spectre and its other variants. It’s also why it is, so far, unfixed by any of the mitigations put in place by Intel, Google and others. The researchers tested SpectreRSB on Intel Haswell and Skylake processors and the SGX2 secure enclave in Core i7 Skylake chips.
  • Google Chrome implemented its new policy this week that any website not using HTTPS with a valid TLS certificate will be marked as “not secure.” In the latest version of the browser, Google Chrome version 68, users will see a warning message stating that the site is not secure. Google first announced the policy in February. “Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default,” Emily Schechter, Chrome Security product manager, wrote in the announcement. “HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.”

My views on U.S. immigration policy

Below is an e-mail I sent to all Microsoft employees today sharing my views on U.S. immigration policy.  This is an incredibly important topic and one I care deeply about.

Team,

Like many of you, I am appalled at the abhorrent policy of separating immigrant children from their families at the southern border of the U.S. As both a parent and an immigrant, this issue touches me personally.

I consider myself a product of two amazing and uniquely American things — American technology reaching me where I was growing up that allowed me to dream the dream and an enlightened immigration policy that then allowed me to live that dream. My story would not have been possible anywhere else.

This new policy implemented on the border is simply cruel and abusive, and we are standing for change. Today Brad detailed our company’s position on this issue, as well as the immigration legislation currently being considered in Congress, and I encourage you to read his blog post.

I want to be clear: Microsoft is not working with the U.S. government on any projects related to separating children from their families at the border. Our current cloud engagement with U.S. Immigration and Customs Enforcement (ICE) is supporting legacy mail, calendar, messaging and document management workloads.

Microsoft has a long history of taking a principled approach to how we live up to our mission of empowering every person and every organization on the planet to achieve more with technology platforms and tools, while also standing up for our enduring values and ethics. Any engagement with any government has been and will be guided by our ethics and principles. We will continue to have this dialogue both within our company and with our stakeholders outside.

The immigration policy of this country is one of our greatest competitive advantages, and this is something we must preserve and promote. America is a nation of immigrants, and we’re able to attract people from around the world to contribute to our economy, our communities and our companies. We are also a beacon of hope for those who need it the most. This is what makes America stronger. We will always stand for immigration policies that preserve every person’s dignity and human rights. That means standing with every immigrant who works at Microsoft and standing for change in the inhumane treatment of children at the U.S. border today. 

Satya  
For Sale – NEXBOX T9 MiniPC (Intel Z8300 1.84GHz Quad Core CPU / 4GB RAM / 64GB Storage)

Nifty little Windows 10 PC, ideal as a media center or for light duty as a PC for browsing, email etc. Impressively nippy for such a small form factor and well connected with Ethernet, Wifi, 1 x USB3, 2 x USB2, HDMI sockets.

Mint condition with factory reset, licenced version of Windows 10 and a UK power supply.

Will be shipped with insured tracked courier or collection welcome.

Price and currency: £70
Delivery: Delivery cost is included within my country
Payment method: PPG or BT
Location: Sandy, Bedfordshire
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.
Fancy Bears hackers target International Olympic Committee

The International Olympic Committee has had its email stolen again, this time in a response to its ban on Russia from the 2018 Winter Olympics.

A hacking group that calls itself Fancy Bears posted email messages allegedly from officials at the International Olympic Committee (IOC), the U.S. Olympic Committee (USOC) and other associated groups, like the World Anti-Doping Agency (WADA). There’s no confirmation yet that the email messages are authentic, but Fancy Bears focuses on anti-doping efforts that got Russia banned from this year’s Olympic Games.

“The national anti-doping agencies of the USA, Great Britain, Canada, Australia, New Zealand and other countries joined WADA and the USOC under the guidance of iNADO [Institute of National Anti-Doping Organisations],” Fancy Bears said on its website. “However, the genuine intentions of the coalition headed by the Anglo-Saxons are much less noble than a war against doping. It is apparent that the Americans and the Canadians are eager to remove the Europeans from the leadership in the Olympic movement and to achieve political dominance of the English-speaking nations.”

Fancy Bears is believed to be the same hacking group known as Fancy Bear that claimed responsibility for the 2016 hack on the U.S. Democratic National Committee, which interfered in the 2016 presidential election. Fancy Bear hackers have been linked to Russia’s military intelligence unit, the GRU, by American intelligence officials.

The batch of email messages Fancy Bears posted is from 2016 through 2017 and mainly focuses on discrediting Canadian lawyer Richard McLaren, who led the investigation into Russia’s widespread cheating in previous Olympic Games. It was because of the findings in his investigation that many Russian athletes are banned from the 2018 games in Pyeongchang, South Korea.

The IOC declined to comment on the “alleged leaked documents” and whether or not they are legitimate.

It’s not clear how Fancy Bears allegedly breached the IOC email. However, in 2016, the same group targeted WADA with a phishing scheme and released documents that focused on previous anti-doping efforts following the 2016 Summer Olympics. In that case, the hacking group released the medical records for U.S. Olympic athletes Simone Biles, Serena and Venus Williams and Elena Delle Donne. The medical records showed that these athletes were taking prohibited medications, though they all obtained permission to use them and, thus, were not violating the rules. This release happened in the midst of McLaren’s investigation into the widespread misconduct by Russian athletes.

In one email released in this week’s dump, IOC lawyer Howard Stupp complained that the findings from McLaren’s investigation were “intended to lead to the complete expulsion of the Russian team” from the 2016 Summer Games in Rio de Janeiro and now from the 2018 Pyeongchang Games.

The 2018 Winter Olympic Games are set to start on Feb. 9, 2018, in South Korea.

In other news:

  • A former contractor at the U.S. National Security Agency has agreed to plead guilty to stealing classified information. Harold Martin is scheduled to plead guilty to one count of willful retention of national defense information at a federal court in Baltimore on Jan. 22. Martin, who was indicted in February 2017, is accused of stealing highly sensitive government information — including national defense data — from the NSA and other agencies for 20 years. Martin could serve up to 10 years in prison and have to pay a fine of up to $250,000. Martin was employed by several private companies and worked as a contractor for various U.S. government agencies from 2003 to 2016, during which time he maintained top-secret security clearance. With his top-secret clearance, Martin was able to access highly sensitive government data, and he collected both physical and digital documents, which he stored in his home and car, according to the documents released by the court. There is no indication yet about what, if anything, Martin did with the information he stole.
  • Facebook now offers an encrypted group chat tool, despite the widespread government criticism of encrypted messaging systems. The tool, called Asynchronous Ratcheting Tree, or ART, was developed by Oxford University’s Katriel Cohn-Gordon, Cas Cremers, Luke Garratt and Kevin Milner, as well as Facebook’s Jon Millican. In their paper about ART, “On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees,” the group noted that the communication app for only two users is secure, but group messaging is not. “An adversary who compromises a single group member can intercept communications indefinitely,” the group said about group messaging. “One reason for this discrepancy in security guarantees, despite the large body of work on group key agreement, is that most existing protocol designs are fundamentally synchronous, and thus cannot be used in the asynchronous world of mobile communications.” With the ART protocol, a user can participate in a group message securely, even after one participating user is compromised. The ability comes from the use of different asymmetric keys. Technical details on the protocol can be found in the group’s proof of concept.
  • Cisco introduced a technology called Encrypted Traffic Analytics (ETA), which identifies malware in encrypted traffic without intercepting and decrypting the data. According to Cisco’s white paper, ETA is “derived by using new types of data elements or telemetry that are independent of protocol details, such as the lengths and arrival times of messages within a flow. These data elements have the attractive property of applying equally well to both encrypted and unencrypted flows.” The product has been in trials since the summer of 2017 and is now being rolled out to enterprise routing platforms. Cisco estimated that, by 2020, 80% of all traffic will be encrypted, and ETA aims to solve the problem of security scanners not being able to sift through that traffic for malware. Cisco said ETA uses “multilayer machine learning,” advanced statistical modeling and enhanced telemetry to detect malware.

The top Exchange and Office 365 tutorials of 2017

Even in the era of Slack and Skype, email remains the key communication linchpin for business. But where companies use email is changing.

In July 2017, Microsoft said, for the first time, its cloud-based Office 365 collaboration platform brought in more revenue than traditional Office licensing. In October 2017, Microsoft said it had 120 million commercial subscribers using its cloud service.

This trend toward the cloud is reflected by the heavy presence of Office 365 tutorials in this compilation of the most popular tips of 2017 on SearchExchange. More businesses are interested in moving from a legacy on-premises server system to the cloud — or at least a new version of Exchange.

The following top-rated Office 365 tutorials range from why a business would use an Office 365 hybrid setup to why a backup policy is essential in Office 365.

5. Don’t wait to make an Office 365 backup policy

Microsoft does not have a built-in backup offering for Office 365, so admins have to create a policy to make sure the business doesn’t lose its data.

Admins should work down a checklist to ensure email is protected if problems arise:

  • Create specific plans for retention and archives.
  • See if there are regulations for data retention.
  • Test backup procedures in Office 365 backup providers, such as Veeam and Backupify.
  • Add alerts for Office 365 backups.

4. What it takes to convert distribution groups into Office 365 Groups

Before the business moves from its on-premises email system to Office 365, admins must look at what’s involved to turn distribution groups into Office 365 Groups. The latter is a collaborative service that gives access to shared resources, such as a mailbox, calendar, document library, team site and planner.

Microsoft provides conversion scripts to ease the switch, but they might not work in every instance. Many of our Office 365 tutorials cover these types of migration issues. This tip explains some of the other obstacles administrators encounter with Office 365 Groups and ways around them.

3. Considerations before a switch to Office 365

While Office 365 has the perk of lifting some work off IT’s shoulders, it does have some downsides. A move to the cloud means the business will lose some control over the service. For example, if Office 365 goes down, there isn’t much an admin can do if it’s a problem on Microsoft’s end.

Businesses also need to keep a careful eye on what exactly they need from licensing, or they could end up paying far more than they should. And while it’s tempting to immediately adopt every new feature that rolls out of Redmond, Wash., the organization should plan ahead to determine training for both the end user and IT department to be sure the company gets the most out of the platform.

2. When a hybrid deployment is the right choice

A clean break from a legacy on-premises version of Exchange Server to the cloud sounds ideal, but it’s not always possible due to regulations and technical issues. In those instances, a hybrid deployment can offer some benefits of the cloud, while some mailboxes remain in the data center. Many of our Office 365 tutorials assist businesses that require a hybrid model to contend with certain requirements, such as the need to keep certain applications on premises.

1. A closer look at Exchange 2016 hardware

While Microsoft gives hardware requirements for Exchange Server 2016, its guidelines don’t always mesh with reality. For example, Microsoft says companies can install Exchange Server 2016 on a 30 GB system partition. But to support the OS and updates, businesses need at least 100 GB for the system partition.

A change from an older version of Exchange to Exchange 2016 might ease the burden on the storage system, but increase demands on the CPU. This tip explains some of the adjustments that might be required before an upgrade.

Prevent Exchange Server virtualization deployment woes

are other measures administrators should take to keep the email flowing.

In my work as a consultant, I find many customers get a lot of incorrect information about virtualizing Exchange. These organizations often deploy Exchange on virtual hardware in ways that Microsoft does not support or recommend, which results in major performance issues. This tip will explain the proper way to deploy Exchange Server on virtual hardware and why it’s better to avoid cutting-edge hypervisor features.

When is Exchange Server virtualization the right choice?

The decision to virtualize a new Exchange deployment would be easy if the only concerns were technical. This choice gets difficult when politics enter the equation.

Email is one of the more visible services provided by an IT department. Apart from accounting systems, companies rely on email services more than other information technology. Problems with email availability can affect budgets, jobs — even careers.  

Some organizations spend a sizable portion of the IT department budget on the storage systems that run under the virtual platform. It may be a political necessity to use those expensive resources for high-visibility services such as messaging even when it is less expensive and overall a better technical answer to deploy Exchange on dedicated hardware. While I believe that the best Exchange deployment is almost always done on physical hardware — in accordance with the Preferred Architecture guidelines published by the Exchange engineering team — a customer’s requirements might steer the deployment to virtualized infrastructure.

How do I size my virtual Exchange servers?

Microsoft recommends sizing virtual Exchange servers the same way as physical Exchange servers. My recommendations for this procedure are:

  • Use the Exchange Server Role Requirements Calculator as if the intent was to build physical servers.
  • Take the results, and create virtual servers that are as close as possible to the results from the calculator.
  • Turn off any advanced virtualization features in the hypervisor.

Why should I adjust the hypervisor settings?

Some hypervisor vendors say that the X or Y feature in their product will help the performance or stability of virtualized Exchange. But keep in mind these companies want to sell a product. Some of those add-on offerings are beneficial, some are not. I have seen some of these vaunted features cause terrible problems in Exchange. In my experience, most stable Exchange Server deployments do not require any fancy virtualization features.

What virtualization features does Microsoft support?

Microsoft’s support statement for virtualization of Exchange 2016 is lengthy, but the essence is to make the Exchange VMs as close to physical servers as possible.

Microsoft does not support features that move a VM from one host to another unless the failover event results in cold boot of the Exchange Server. The company does not support features that allow resource sharing among multiple VMs of virtualized Exchange.

Where are the difficulties with Exchange Server virtualization?

The biggest problem with deploying Exchange on virtual servers is it’s often impossible to follow the proper deployment procedures, specifically with the validation of storage IOPS of a new Exchange Server with Jetstress. This tool checks that the storage hardware delivers enough IOPS to Exchange for a smooth experience.

Generally, a virtual host will use shared storage for the VMs it hosts. Running Jetstress on a new Exchange VM on that storage setup will cause an outage for other servers and applications. Due to this shared arrangement, it is difficult to gauge whether the storage equipment for a virtualized Exchange Server will provide sufficient performance.  

While it’s an acceptable practice to run Exchange Server on virtual hardware, I find it often costs more money and performs worse than a physical deployment. That said, there are often circumstances outside of the control of an Exchange administrator that require the use of virtualization.

To avoid trouble, try not to veer too far from Microsoft’s guidelines. The farther you stray from the company’s recommendations, the more likely you are to have problems.

Determine if an Exchange Online migration makes sense

it just concerns moving email to the cloud. But there is a whole product suite to consider as part of this process.

The decision to shift from an on-premises email platform is not easy. Before the organization commits to this move, look at the transition from both a strategic and a technical perspective. There are a series of questions that should be answered before making the decision to switch to Exchange Online.

Is Exchange Online right for this organization?

Remember that Exchange Online is part of the Office 365 suite and is more than just email. The platform’s services address many business needs, such as file shares, document sharing, collaboration tools and simple word processing. And with certain licenses, if you buy Exchange Online, you own many of these other tools as well.

With that in mind, review the business issues below to see if an Exchange Online migration makes sense for the company:

  • The employees work in silos and require a tool to tear down these walls.
  • While emails don’t include client information, the system should automatically check that sensitive information is not sent.
  • Security is a priority. A lot of effort is made to keep that technology up to date.
  • Some employees get 250 email messages a day and must work collaboratively with other teams.
  • Company data sits in many different places, including email. Data management must be simplified.

While email is definitely part of the challenge, it’s not the only tool that runs teams and organizations. These hurdles should not hold up an Exchange Online migration. If email is a priority, consider making this phase one of the project, and then, deploy the additional tools your organization needs in different phases of the project at a later date.

Work out a path to a solid migration

Once the business works out the strategic approach, dive into the technical considerations for a smooth Exchange Online migration. First, find answers to the following questions because they will influence the user experience (UX), design and amount of time to deploy.

Should the UX be seamless, or will users log in with different credentials for Office 365 email?

Answer: I find larger organizations do not want users to log in separately, whereas smaller ones are more flexible in this area. That said, most businesses want a seamless UX. A business that wants to give users more streamlined access to resources should discuss how to implement Azure Active Directory Connect to set up password sync and single sign-on. Federation is not required, but organizations that already have it implemented find it is a good option for them. If federation is not in your environment, then look at other options.

Does the business need a failback plan?

Answer: Organizations often see a migration to the cloud as one way, but a failback plan should be included in the planning process. Ask yourself this: Would your organization migrate its on-premises Exchange deployment to a new server without a failback plan? For most companies, the answer is typically no. The only exception tends to be the very small business that just wants to be in the cloud and not maintain costly on-site infrastructure. With a failback option, the migration will be done in hybrid mode with the Hybrid Configuration Wizard. The ability to fail back mailboxes or migrated components if an unexpected issue arises provides a measure of stability for the business.

Does the business need to back up email data in Exchange Online?

Answer: This question seems straightforward, but the answer is complicated. If the business is OK without the ability to restore a mailbox, then this might work. The Deleted Item Recovery feature keeps messages for 30 days, and the retention hold options can be used to retain messages beyond 30 days. Does the organization need a way to restore a mailbox when it’s gone or recover individual items beyond 30 days? With answers to those questions, the company can then work to produce the correct technical implementation that best supports its email requirements.

Consider what the business uses in its on-premises deployment and whether that should apply in the cloud. Each organization is different from a technical perspective, so there is more to think about. These questions will help prepare the groundwork when the time comes to make a decision about an Exchange Online migration.

Scarab ransomware joins with Necurs botnet for faster spread

Researchers saw a surge of activity as the Scarab ransomware spread quickly to millions of victims via an email campaign run by a botnet, but updates since that initial wave have been lacking.

Ben Gibney and Roland Dela Paz, security researcher and senior security researcher for Forcepoint Security Labs LLC, based in Dublin, reported a surge in volume of Scarab ransomware emails being blocked by security systems on Nov. 23rd. According to the researchers, more than 12.5 million emails were captured between 07:00 and 12:00 UTC, and the current campaign of Scarab ransomware used emails that looked like scanned documents, similar to “Locky ransomware campaigns distributed via Necurs.”

The Scarab ransomware was first seen in the wild in June, but the recent resurgence has been credited to the malware being spread via the Necurs botnet. Necurs was first discovered by cybersecurity vendors in 2012, and the botnet has grown steadily since that time. The Necurs botnet was previously used to spread the Dridex banking malware and Locky ransomware, though the botnet’s activity decreased sharply following a series of raids and arrests of suspect hackers in Russia last year.

“By employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach,” Gibney and Dela Paz wrote in a blog post. “It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns.”

It is still unclear whether the campaign was temporary, as Forcepoint has not released any updates to its initial figures since the post on the 23rd, and the company had not responded to requests for more data as of the time of this article.

Andy Norton, director of threat intelligence at Lastline, said the Necurs botnet can be a dangerous delivery system, but as yet it has only been seen propagating ransomware.

“Necurs is so popular to push malware and ransomware because it contains lots of concealment technology like the use of packers to evade static analysis, and lots of evasion technology to avoid being discovered by behavioral malware analysis platforms,” Norton told SearchSecurity. “It is able to survive inside an enterprise security environment, making it successful as a platform for delivering other subsequent malicious payloads.”