Cyber felons, not content with spoofing brand names, have found a new name to hijack: that of a prominent email security firm.
Email security firm GreatHorn reports that attackers spoofed the return path and received headers of Barracuda in an attempt to steal Office 365 credentials. Microsoft was spoofed in the display name.
It is a cruel joke, given that Barracuda itself is a steady tracker of spoofing mischief. Clearly, the hackers think use of the name will prompt people to trust the email.
Barracuda had not responded to a request for comment at deadline, but we suspect it will double down on previous warnings about cyber crime.
Among the phishing emails sent in this case was one purportedly coming from “Email Quarantine.” It included the message-id: noreply.barracudanetworks.com
So how did it happen?
“The attackers crafted the received headers so that it appears to have gone through multiple ‘Barracuda’ steps,” GreatHorn writes, before sending the email “via a server designed to look like a Barracuda server.”
It continues that the attack “exploits a well-known security flaw in Google and Microsoft’s handling of authentication frameworks such as DMARC.”
The company adds: “While an organization can dictate how it wants DMARC failures and exceptions to be handled, Microsoft Office 365 typically ignores those directives and, at best, treats them as spam or junk instead of quarantining or rejecting them, making it more likely for the user to interact with such spoofs.”
GreatHorn says it discovered the attack last Thursday, then found a subset on Friday.
The firm concludes: “While the spoofing victim in this case was Barracuda, you could easily see this strategy replicated using any other well-known security company to try and trick more savvy users.”
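The signals GreatHorn describes (a DMARC failure, a return path that does not match the From domain, and a Microsoft display name on a non-Microsoft address) can be checked at the receiving gateway. The following is an added example, not code from GreatHorn or Barracuda; the hostnames, the `TRUSTED_AUTHSERV` value, the `BRANDS` allowlist and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.recipient.example"  # assumption: our own receiving MTA's authserv-id
BRANDS = {"microsoft": ("microsoft.com",)}  # assumption: display-name brand -> legitimate From domains

# Constructed sample; every host and address is a placeholder, not data from the incident.
SAMPLE = """\
Return-Path: <bounce@mail-filter.example>
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=mail-filter.example;
\tdmarc=fail (p=reject) header.from=vendor.example
From: "Microsoft" <quarantine@vendor.example>
To: user@recipient.example
Subject: Email Quarantine

You have held messages.
"""

def domain_of(value):
    return parseaddr(value)[1].rpartition("@")[2].lower()

def dmarc_verdict(msg):
    # Only trust results stamped by our own MTA; sender-supplied copies are ignored.
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";")[0].strip().lower() != TRUSTED_AUTHSERV:
            continue
        match = re.search(r"\bdmarc=(\w+)", header)
        if match:
            return match.group(1).lower()
    return None

def spoof_findings(raw):
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    if dmarc_verdict(msg) == "fail":
        findings.append("dmarc-fail")
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:  # weak signal alone: bulk senders legitimately differ
        findings.append("return-path-mismatch")
    for brand, domains in BRANDS.items():
        if brand in display and not any(from_dom == d or from_dom.endswith("." + d) for d in domains):
            findings.append("display-name-brand-mismatch")
    return findings

def disposition(raw):
    findings = spoof_findings(raw)
    # Quarantine on DMARC failure rather than junk-foldering, where users can still click.
    return "quarantine" if "dmarc-fail" in findings else ("review" if findings else "deliver")
```

Because the attackers in this case crafted headers themselves, the check reads only the `Authentication-Results` header whose authserv-id matches the receiving server and skips any copy supplied by the sender.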
Meanwhile, here’s another deplorable attack. The venerable U.S. Postal Service has suffered a breach of its Informed Delivery Service.
The Informed Delivery program notifies users by email of incoming postal mail.
However, identity thieves have signed up for the program to steal credit card numbers and other information, according to the Sun Sentinel.
It’s not all online — there is manual labor involved. The perpetrators scan the notifications, then literally rob the curbside mailboxes.
Postal inspector Ivan Ramirez told the newspaper, “Unfortunately we just learned about this [scheme].”
The USPS is tweaking the program. Is there anything lower?