DarkGate Malware Infections Increase via Microsoft Teams Phishing and Malvertising Campaigns

Infections with DarkGate malware have been increasing in recent weeks. DarkGate malware was first identified in 2017 but was only used in limited attacks as the developer chose to use the malware privately against highly specific targets; however, over the summer the malware started being advertised on Russian-language cybercriminal forums and the developer has recruited a limited number of affiliates under the malware-as-a-service model. Reportedly, the developer offered the malware for sale to 10 people for an annual cost of $100,000.

DarkGate malware is written in Delphi and primarily serves as a malware loader, capable of downloading and executing other malware payloads. Typically, the malware payloads are executed in the memory which makes them hard to detect, since no files are written to the disk. The malware can also steal browser histories and Discord tokens and has a Windows Defender exclusion, reverse shell, hidden VNC, and keylogging capabilities.

The malware uses a variety of mechanisms to evade detection, including conducting checks for identifiers used by virtual machines, sandboxes, and anti-virus solutions and will alter its behavior based on the results of the checks, and has persistence mechanisms to ensure it is reloaded on reboot.

The advertising campaign appears to have been successful as distribution of the malware has increased significantly through spamming and phishing campaigns. One of those phishing campaigns uses compromised Office 365 accounts to send phishing messages that deliver DarkGate malware via Microsoft Teams messages.

Researchers at TrueSec identified messages that tricked recipients into clicking a link in the message that directs the or a SharePoint-hosted file called “Changes to the vacation” with the message advising employees that due to circumstances out of the company’s control, vacation time for certain employees has been canceled. The Zip file contains a malicious LNK file which masquerades as a PDF file with the same name as the zip file. Clicking the file will launch a VBScript file that will ultimately lead to the downloading and execution of DarkGate malware. Microsoft has security features to block attacks such as this – Safe Attachments and Safe Links – but neither of these features identified the file or link as malicious.

Other distribution campaigns have been detected in recent months, including a malvertising campaign that uses Google Ads to direct web users to a malicious site where the malware is hosted. The web page used in this campaign offered a legitimate network scanning tool, and while that tool was provided, extra files were bundled with the installation file that executed DarkGate malware.

Businesses are encouraged to defend against attacks through a defense-in-depth approach, involving multiple layers of protection such as an advanced AI-driven spam filtering solution, web filter, and endpoint protection software. Web filters will protect against malvertising campaigns, redirects to malicious websites, and malicious file downloads from the web. The increases in the use of SMS, Teams, and instant messaging services for distributing malicious links means these methods of link distribution should be incorporated into your security awareness training programs.

If you are interested in improving email security, web security, and security awareness training, contact TitanHQ today for more information on SpamTitan, WebTitan, and SafeTitan.

TitanHQ Announces New Partnership with India’s Leading Managed Service Provider

TitanHQ has recently announced a new partnership with one of India’s leading managed service providers, Tata Tele Business Services (TTBS). TTBS is the leading provider of business connectivity and communications solutions in India and has the largest portfolio of ICT services for businesses in the country.

Like many countries, India is facing a major increase in cybercrime. 78% of Indian organizations experienced a ransomware attack in 2021, web-based attacks have jumped sharply, and a 2022 Group-IB study placed India third globally for phishing attacks in 2021 with more attacks than any other country in the Asia-Pacific region. Indian businesses need to ensure that they have the necessary defenses in place to combat increasingly sophisticated cyberattacks, especially attacks that target employees.

Businesses often turn to their managed service providers for cybersecurity and seek solutions that can protect them against malware and phishing. TTBS provides cybersecurity solutions to SMBs and its cybersecurity packages have now been improved with the addition of SpamTitan email security and the WebTitan DNS-based web filter. Both solutions are 100% cloud-based, easy for MSPs to add to their service stacks, and easy to manage.

TTBS provides advanced email security with phishing protection through the Tata Tele Email Security Plus Program, which delivers advanced threat protection for email through TitanHQ’s AI-driven SpamTitan anti-phishing solution. Protection against Internet-based threats is provided through the Tata Tele Smart Internet Program, which includes web filtering provided by WebTitan. WebTitan is fed threat intelligence from a network of 650 million endpoints, ensuring malicious websites are blocked before threats are encountered.

“We are delighted to partner TitanHQ to offer Tata Tele Email Security- an advanced email security solution that is in line with Zero Trust security agenda of enterprises,” said Vishal Rally, Sr. VP & Head – Product, Marketing and Commercial, Tata Teleservices Ltd. “As a leading technology enabler TTBS is committed to simplifying and democratizing email security for businesses of any size. This partnership will ensure the protection of enterprise sensitive data efficiently and cost effectively”.

“We are excited to partner with Tata Teleservices to offer their growing customer base our advanced threat protection layer for email and web security,” said TitanHQ CEO, Ronan Kavanagh. “Over several years Tata Teleservices has excelled in the areas of customer service and security, our partnership further cements this commitment”.

If you are an MSP that has yet to start offering cybersecurity packages to your clients, or if you are keen to improve protection through AI-driven cybersecurity solutions, give the TitanHQ channel team a call to find out more about how TitanHQ can help you better protect your clients and improve your profits.

Phishing-as-a-Service Platforms Used to Bypass Multi-Factor Authentication Controls

Phishing attacks are often conducted to obtain credentials in order to gain initial access to business networks; however, many businesses have implemented multi-factor authentication which prevents stolen credentials from being used to access accounts. With multi-factor authentication implemented, credentials alone are not sufficient as access will only be granted if one or more additional authentication mechanisms are navigated. Multifactor authentication can significantly improve protection against phishing attacks, but it does not guarantee protection against unauthorized account access, and multi-factor authentication bypass attacks are increasing.

To bypass multifactor authentication, threat actors typically use adversary-in-the-middle (AitM) techniques using a phishing-as-a-service (PhaaS) platform. PhaaS platforms such as EvilGinx, Muraena, and Modlishka use reverse proxy servers to steal session cookies that allow multi-factor authentication to be bypassed. In these attacks, the user is directed to the phishing site hosting the phishing kit and when they enter their credentials the site proxies them to the actual website that is targeted in real time. The website returns the MFA screen, which is proxied to the user, and when the user enters the additional authentication, it is proxied to the actual website. The MFA is successfully completed and a session cookie is returned, which is used by the attacker to access the targeted account as the genuine user. The phishing site redirects the user to another page, unaware that their account has been compromised. The attacker will be able to access the account for as long as the session cookie is active.

An alternative method of bypassing MFA is to use synchronous relay servers. This method is used by the Storm-1295 threat group, which provides the Greatness PhaaS platform. This PhaaS platform presents the user with a copy of the sign-in page for the website, similar to standard phishing attacks that only steal credentials. This method uses a phishing kit server that dynamically loads the phishing page and MFA request page and communicates with the PhaaS platform relay server through an API. The PhaaS platform provides a synchronous relay server to relay captured credentials and MFA codes to the sign-in service but does not proxy network traffic.

According to Microsoft, there has been a marked increase in AitM attacks this year which are being conducted through already established MFA-bypassing PhaaS platforms and there has also been an increase in phishing services incorporating AitM capabilities. Businesses need to ensure that they are properly protected against these phishing attacks. The first line of defense is still a spam filter, which will block the majority of phishing emails to ensure they do not land in inboxes where they can be clicked. SpamTitan Plus provides the best protection against phishing attacks. SpamTitan Plus has 100% coverage of ALL current market-leading anti-phishing feeds, which ensures 1.6x faster detection of phishing than all current market leaders.

End-user training is also important for improving resilience against phishing attacks. By providing ongoing training and phishing simulations, employees will learn how to recognize and avoid phishing attempts that are able to circumvent spam filters. SafeTitan is a comprehensive security awareness training and phishing simulation platform that user data shows can improve resilience to phishing by up to 80%.

The increase in the use of MFA-bypassing PhaaS platforms means businesses can no longer rely on standard MFA controls to protect their accounts. While any form of MFA is better than none, businesses should transition to the most secure MFA methods that are resistant to these phishing attacks, such as FIDO2 security keys and certificate-based authentication.

Sophisticated Ransomware Campaign Uses Business Email Compromise Tactics

Companies in Spain are being targeted by a ransomware group that uses phishing emails to distribute LockBit Locker ransomware. According to a recent warning issued by the Central Cybercrime Unit of the Policía Nacional, the campaign has a very high level of sophistication and has so far targeted architecture companies; however, the campaign may be expanded to target other sectors.

LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct ransomware attacks in exchange for a cut of any ransoms they generate. LockBit is one of the most active ransomware groups and was the most deployed ransomware variant in 2022. The LockBit Locker group conducting this campaign claims to be affiliated with the notorious LockBit group; however, those claims have yet to be verified. What is known is that this is a highly capable group that conducts sophisticated attacks targeting specific industry sectors. The lures and communications used in these attacks are very difficult to distinguish from genuine communications from legitimate companies.

The group appears to have adopted tactics used by business email compromise (BEC) threat actors who build trust with the victim over several emails. An initial communication is sent to a company and the threat actor then engages in conversations over several emails to make it appear that the firm is engaging with a legitimate company that is seeking their services.

The Policía Nacional described one of the attacks, which saw the initial email sent from the non-existent domain, The threat actor claimed to be a photography company looking for a quote from architecture firms for a renovation of their premises. The targeted company responded to the initial email, then the threat actor exchanged several more messages before proposing a date to hold a meeting to finalize the budget. As a prerequisite, documents were sent via email that contained specifications for the proposed renovation to allow the architecture form to provide an accurate quote. The archive file attached to the email contained a shortcut file that executes a malicious Python script, which establishes persistence and executes the LockBit Locker payload to encrypt files. A ransom demand is then dropped on the encrypted device, payment of which is required to recover files.

Ransomware groups are constantly changing their tactics, techniques, and procedures (TTPs) which is why it is so important to provide ongoing security awareness training to the workforce. This campaign is especially concerning because of the effort the threat actor is putting into the impersonation of a potential customer. Ransomware groups often copy each other’s tactics, and if this campaign proves to be successful, the same TTPs are likely to be used by other groups.

It is therefore recommended to incorporate these TTPs into your security awareness training and make sure that employees are made aware of this new method of attack. Companies that use TitanHQ’s SpamTitan solution can easily provide training to the workforce on specific tactics through short training modules and incorporate new tactics in their phishing simulations. Phishing simulations can be quickly and easily spun up through the platform in response to changing TTPs and administrators will be able to get instant feedback on the likelihood of employees falling for a campaign. A phishing simulation failure will immediately trigger a training module specific to the threat, ensuring employees are provided with the additional training they need to avoid similar threats in the future.

Call TitanHQ today for more information on the SafeTitan security awareness training and phishing simulation platform and find out how it can significantly improve your company’s security posture.

Chinese Hackers Compromising Patched Barracuda Email Security Appliances

The Federal Bureau of Investigation (FBI) has issued a warning that Chinese hackers are continuing to gain access to Barracuda email security appliances, even those that have been patched against a recently disclosed zero day vulnerability, and has urged organizations to immediately remove the appliances.

The vulnerability, tracked as CVE-2023-2868, affects Barracuda Network’s Email Security Gateway (ESG) appliances and occurs when the appliance screens email attachments. The vulnerability is a remote command injection vulnerability that allows the unauthorized execution of system commands with administrator privileges on the ESG appliance. Barracuda issued a patch to fix the flaw on May 20, 2023, after identifying hacks on May 19.

The vulnerability can be exploited via maliciously formatted TAR file attachments that are sent to an email address affiliated with a domain that has an ESG appliance connected to it. When the attachments are scanned it results in a command injection into the ESG, and system commands are executed with the privileges of the ESG. No user interaction is required to exploit the vulnerability.

According to the FBI, Chinese hackers have been exploiting the vulnerability since October 2022 as part of a state-run cyberespionage operation and have compromised hundreds of appliances. Mandiant assisted with investigating the hacks and said this is the broadest cyber espionage campaign conducted by Chinese state-sponsored hackers since the mass exploitation of a Microsoft Exchange vulnerability in 2021.

In a Flash Alert issued on Wednesday, the FBI recommended all affected devices be immediately replaced. “The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately,” and said the patches released by Barracuda to address the flaw were ineffective.

The advice follows that of Barracuda, which said in June that all hacked Email Security Gateway appliances should be immediately replaced, regardless of whether patches had been applied. Even after the patches had been applied, continued malicious activity was observed on the previously compromised devices. A new form of malware, dubbed Submarine, was deployed on compromised appliances, which resides in a structured query language (SQL) database on the appliance and is a backdoor that provides persistent access.

Vulnerabilities can exist in any software solution, even those that are meant to provide protection. This is why it is important to have multiple layers of protection. If one layer fails, others are there to detect and block threats. Many threats start with a malicious email, which is why email security is so important. Having SpamTitan Plus in place will provide a high degree of protection and will stop malware from reaching its intended recipient. SpamTitan Plus is a leading-edge, AI-driven anti-phishing and anti-malware solution with the newest “zero-day” threat protection and intelligence. The solution includes 100% coverage of all current market-leading anti-phishing feeds and provides 1.6x faster detection of threats than the current market leaders. SpamTitan Plus provides unrivaled protection against malicious links in emails and includes signature-based malware detection and behavioral detection through sandboxing. For more information on SpamTitan Plus, give the TiotanHQ team a call.

Simple, Yet Effective Phishing Campaign Targets Zimbra Collaboration Credentials

Phishing campaigns do not need to be especially sophisticated to be effective, as a recently identified campaign that targets Zimbra Collaboration credentials clearly demonstrates. Zimbra Collaboration, previously known as Zimbra Collaboration Suite, is a software suite that includes an email server and web client. Zimbra Collaboration email servers are targeted by a range of different threat actors, including state-sponsored hackers and cybercriminals for espionage, conducting phishing attacks, and gaining a foothold that can be used for a more extensive compromise of an organization.

This global campaign targets users’ credentials and does not appear to be targeted on any specific sector and the threat actor behind the campaign and their motives are not known. The highest number of attacks have occurred in Poland, Ecuador, and Italy. Like many phishing campaigns, the emails warn users about a security update, security issue, or pending account deactivation, and the emails appear to have been sent from an email server administrator.

The emails include an HTML attachment, which is opened as a locally hosted page in the user’s browser. The HTML file displays a Zimbra login prompt that is tailored for each organization and includes their logo and name, and the targeted user’s username is prefilled. If the user enters their password, the credentials are transmitted to the attacker’s server via an HTTPS POST request.

The campaign was identified by security researchers at ESET, who observed waves of phishing emails being sent from companies that had previously been targeted, which suggests that some of the attacks have allowed the threat actor to compromise administrator credentials and set up new mailboxes to target other organizations.

Despite the simplicity of the campaign, it has proven to be very effective, even though the login prompt in the HTTP file differs considerably from the genuine Zimbra login prompt, and the page is opened locally, which suggests a lack of security awareness training due to the failure to identify the red flags in the emails. The emails are also likely to have a low detection rate by email security solutions, as the only malicious element is a single link to a malicious host, which is within the HTML file rather than the email body,

Phishing remains one of the most effective ways for hackers to gain initial access to networks. Combatting phishing attacks requires a combination of measures. A spam filter such as SpamTitan should be used to block the emails and prevent them from reaching their intended targets. SpamTitan incorporates signature-based and behavioral detection mechanisms for identifying malware, link scanning, and reputational checks to ensure a high catch rate and low false positive rate.

No spam filtering solution will be able to block all malicious emails without also having an unacceptably high false positive rate, so it is important to also provide regular security awareness training to employees to teach them how to recognize and avoid malicious emails. Security awareness training should also incorporate phishing simulations to give employees practice at identifying threats. If a threat is not detected, it can be turned into a training opportunity. TitanHQ’s security awareness training platform – SafeTitan – delivers instant training in response to a failed phishing simulation, and also delivers training in response to other security mistakes, ensuring training is provided when it has the greatest impact. Training data shows that SafeTitan reduces employee susceptibility to phishing attacks by up to 80%, and combined with SpamTitan email security, ensures that businesses are well protected from phishing attacks and other cyber threats.

SpamTitan and SafeTitan, like all TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.

New Backdoor Malware Variants Deployed on Barracuda ESG Appliances

A zero-day vulnerability in Barracuda email security gateway (ESG) appliances was exploited to deliver three malware variants onto the devices. These previously unknown malware variants have been dubbed SeaSide, Saltwater, and Seaspy, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently reporting that an additional malware backdoor dubbed Submarine was also deployed. In the attacks.

Initially, Saltwater malware – a trojanized Barracuda SMTP daemon – was used and allowed the threat actor to perform several actions such as steal files, run shell commands remotely, and proxy traffic to evade intrusion detection systems. SeaSpy malware was deployed to provide persistence and monitor SMTP traffic, and SeaSide malware was used to establish reverse shells and connect with the attacker’s command-and-control server, which allowed remote code execution via SMTP HELO/EHLO messages and provided the attacker with complete control of the appliances, allowing additional malware payloads to be delivered.

According to CISA, “SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.”

The zero-day vulnerability in the Barracuda ESG is tracked as CVE-2023-2868 and is a remote command injection vulnerability, a patch for which has now been released. The vulnerability could be exploited remotely by a threat actor with a malicious email message – an email with a specially crafted .tar file attachment that masqueraded as a harmless .jpeg or .dat file. The attachment was used to exploit the vulnerability and gain access to ESG appliances.

The exploits of the vulnerability have been linked with a pro-China hacking group tracked as UNC4841, which was discovered to have conducted a series of attacks in May, although CISA reports that the threat actor may have been exploiting the vulnerability undetected since as early as October 2022 to gain access to ESG appliances and steal data.

With access to ESG appliances, the threat actor was free to remotely execute code for months. The ESG appliances are used across the public and private sectors, including government organizations, so the compromising of the appliances since October 2022 is of particular concern, as the threat actor may have been able to steal sensitive data for several months undetected. Many large companies also use Barracuda’s ESG appliances including Delta Airlines, Kraft Heinz, Samsung, and Mitsubishi, all of which were affected.

While the vulnerability has been patched, UNC4841 has proven to be very persistent, switching its persistence mechanisms when the attacks were detected. Indicators of Compromise and MD5 hashes were issued by Barracuda to help clients determine if their ESG devices had been compromised and Barracuda even offered its customers a new appliance, regardless of their patch status.

These attacks involved the discovery and exploitation of a previously unknown vulnerability in the ESG appliances and were the work of highly skilled hackers, although, like many attacks, the vulnerability was exploited via a malicious email. An extra layer of protection can be provided by SpamTitan Plus, which specifically combats phishing emails and incorporates signature-based and AI-based behavioral detection mechanisms to improve protection against zero-day threats, including novel malware variants.  Using SpamTitan Plus in addition to other security solutions will greatly improve the probability of detecting and blocking malicious emails and zero-day threats. These attacks demonstrate why it is important to have multiple layers of security, and not to rely on a single cybersecurity solution.

LokiBot Malware Distributed Email Campaign Exploiting Known Vulnerabilities

Cybercriminals are exploiting unpatched remote code execution vulnerabilities to distribute an information-stealing malware called LokiBot. LokiBot, also known as LokiPWS, primarily targets Windows systems and collects sensitive information from infected devices including usernames and passwords. The malware can also log keystrokes, capture screenshots, steal information from web browsers, and empty cryptocurrency wallets. LokiBot was discovered in 2016 and has been active since at least 2015, and is primarily spread via email, most commonly through malicious email attachments.

One of the latest campaigns exploits the Microsoft Office vulnerability, CVE-2021-40444, and the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability, CVE-2022-30190, to embed malicious macros in Office documents that deliver LokiBot. The campaign was detected by security researchers at FortiGuard Labs in May 2023, and the campaign is still active.

The infection process is different depending on which vulnerability is exploited. The Word document that exploits the CVE-2021-40444 vulnerability includes a GoFile link embedded in an XML file, which will download an HTML file that exploits the CVE-2022-30190 vulnerability, which will deliver a Visual Basic payload that delivers LokiBot. Alternatively, a Word file is used that contains a VBA macro that drops an INF file, through which a connection will be made to the command-and-control server and LokiBot will be loaded.

LokiBot may be an old malware variant, but it is regularly updated, and the methods used to distribute the malware regularly change. This campaign takes advantage of businesses that are slow to implement patches. Ensuring patches for known vulnerabilities or workarounds are implemented quickly is vital. Email filtering solutions will also protect against attacks such as these. It is important to use an email security solution that does not rely on signature-based detection methods. Malware variants are constantly updated and changed to evade signature-based detection methods, so AI-based solutions should be used that can detect novel malware variants by their behavior.

SpamTitan includes both detection methods and will scan for known malware variants and subject attachments to in-depth analysis in a sandbox to identify malicious actions, such as command-and-control center callbacks. SpamTitan also performs a barrage of front-end and advanced checks on all emails, including machine-based detection methods that can identify emails that deviate from those typically received by a business, ensuring security teams are rapidly alerted about potential threats. Security awareness training is also strongly recommended to educate end users about email-based threats and teach security best practices, such as always exercising caution with emails, email attachments, and messages containing external links.

If you want to improve your defenses against malware and other cyber threats, give the TitanHQ team a call. SpamTitan, along with other TitanHQ cybersecurity solutions, is available on a free trial to allow you to test the product in your own environment before deciding if it is right for your business.

TitanHQ Feature Updates Announced for SafeTitan, WebTitan, and SpamTitan

TitanHQ has made several enhancements to its suite of cybersecurity solutions this month, including an update to the SafeTitan security awareness training and phishing simulation platform to better meet the needs of Managed Service Providers (MSPs) and the release of a new version of the WebTitan DNS-based web filtering solution – Version 5.03, which is now being rolled out for all customers. SpamTitan users are also due to get an upgrade, with version 9.01 of the platform due to be released.

The SafeTitan update added a new Auto Campaigns feature for MSPs to better meet the needs of their SMB clients and protect them against increasingly sophisticated phishing threats. While it is vital to have an email security solution such as SpamTitan in place to block email-based threats, workforces also need to be provided with security awareness training to ensure they have the skills to recognize and avoid the full range of cyber threats.

The SafeTitan platform can be used by SMBs for training their workforces and giving them practice at identifying threats and also by MSPs to meet the training needs of their clients. The new Auto Campaigns feature is an automation tool that allows MSPs to reduce the time spent planning and managing security awareness and phishing simulation campaigns for their SMB clients. The AI-driven feature helps MSPs streamline the security training process and improve efficiency while saving time and resources. The Auto Campaigns feature allows MSPs to create an annual set of phishing simulation campaigns for all clients within minutes.

WebTitan is an award-winning web filtering solution that is used by thousands of SMBs, enterprises, and MSPs for controlling access to the Internet and blocking web-based cyber threats. The latest version of the platform includes several new features and bug fixes.

Users now benefit from a new summary report page, the custom block page has a new layout, and several new features have been added. These include support for the customization of the global default policy on the MSP level, which allows the application of a custom default policy on the creation of a customer account. Support has been added for the customization of the default policy on the customer level, it is now possible to inherit the allowed & blocked domains from the customer default policy, and support has been added for allowing/blocking a top-level domain (TLD) on a customer policy and global domains.

SpamTitan is due for an imminent upgrade which will include several new, advanced MSP features. Version 9.01 will have a new history/quarantine feature for MSPs, that will allow them to quickly act on customer emails at the MSP level. Link Lock inheritance has been added at the MSP level to avoid having to drill down to individual domains to make changes, and a new pattern filtering feature has been added which simplifies SpamTitan administration for MSPs and allows them to secure all customers from one place. There is also a simplified mail view, which improves the user experience and makes email analysis simpler.

MSPs also have an Other Products option, which allows them to easily offer other products in the TitanSecure bundle to customers – ArcTitan email archiving, WebTitan web filtering, and SafeTitan security awareness training – and provide a comprehensive, multi-layered security defense system to customers.

New Mystic Stealer Malware Proves Popular with Cybercriminal Community

A new information stealing malware variant called Mystic Stealer is proving extremely popular with hackers. The malware is currently being promoted on hacking forums and darknet marketplaces under the malware-as-a-service model, where hackers can rent access to the malware by paying a subscription fee, which ranges from $150 for a month to $390 for three months.

Adverts for the malware first started appearing on hacking sites in April 2023 and the combination of low pricing, advanced capabilities, and regular updates to the malware to incorporate requested features has seen it grow in popularity and become a firm favorite with cybercriminals. The team selling access to the malware operates a Telegram channel and seeks feedback from users on new features they would like to be added, shares development news, and discusses various related topics.

Mystic Stealer has many capabilities with more expected to be added. The first update to the malware occurred just a month after the initial release, demonstrating it is under active development and indicating the developers are trying to make Mystic Stealer the malware of choice for a wide range of malicious actors. Mystic Stealer targets 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications (including LastPass Free, Dashlane, Roboform, and NortPass), and 55 cryptocurrency browser extensions. The malware can also inject ads into browser sessions, redirect searches to malicious websites, and steal Steam and Telegram credentials and other sensitive data. The most recent version is also able to download additional payloads from its command-and-control server. The malware targets all Windows versions, does not need any dependencies, and operates in the memory, allowing it to evade antivirus solutions. The malware is believed to be of Russian origin since it cannot be used in the Commonwealth of Independent States.

Mystic Stealer has recently been analyzed by researchers at InQuest, ZScaler, and Cyfirma, who report that the malware communicates with its C2 server via a custom binary protocol over TCP, and currently has at least 50 C2 servers. When the malware identifies data of interest, it compresses it, encrypts it, then transmits it to its C2 server, where users can access the data through their control panel.

The main methods of distribution have yet to be determined, but as more threat actors start using the malware, distribution methods are likely to become more diverse. The best protection is to follow cybersecurity best practices and adopt a defense-in-depth approach, with multiple overlapping layers of security to protect against all of the main attack vectors: email delivery (phishing), web delivery (pirated software, drive-by downloads, malvertising), and the exploitation of vulnerabilities.

Email security solutions should be used that have signature and behavioral-based detection capabilities and machine learning techniques for detecting phishing emails (SpamTitan). Antivirus software should be used, ideally, a solution that can scan the memory, along with advanced intrusion detection systems. To protect against web-based attacks, a web filter (WebTitan) should be used to block malicious file downloads and prevent access to the websites where malware is often downloaded (known malicious sites/warez/torrent). IT teams should ensure that software updates and patches are applied promptly, prioritizing critical vulnerabilities and known exploited vulnerabilities. In the event of infection, damage can be severely limited by having a tested incident response plan in place.

Finally, it is important to train the workforce on the most common threats and how to avoid them. Employees should be trained on how to identify phishing attempts, be told never to download unauthorized software from the Internet, and be taught security best practices. The SafeTitan security awareness training and phishing simulation platform provides comprehensive training and testing to improve human defenses against malware infections and other cyber threats.

Free OnlyFans Content Used as a Lure in DcRAT Malware Campaign

Malicious actors are distributing malware under the guise of free access to paywall-protected OnlyFans content. OnlyFans is a popular Internet content subscription platform, where visitors can pay to receive premium content from a range of different content creators such as social media personalities, musicians, and celebrities, although the 18+ subscription platform is most commonly associated with X-rated content. The malware campaign targets individuals looking to access the latter for free.

The campaign uses fake OnlyFans content and X-rated lures promising access to private photos, videos, and posts without having to pay for the content. Users are tricked into downloading an executable file, that installs a remote access Trojan. A VBScript loader is contained in a ZIP file, and if executed, will deliver a variant of the AsynchRAT called DCRAT (aka DarkCrystal) -– a remote access Trojan that provides access to the user’s device. DcRAT allows remote access, but can also access the webcam, log keystrokes, manipulate files, steal credentials, cookies, and Discord tokens, and encrypt files for extortion.

Researchers at eSentire identified the campaign after a user attempted to execute the VBscript loader, although it is currently unclear how the ZIP file containing the VBScript loader is being distributed. As such, a defense-in-depth approach is recommended to block the most likely attack vectors. Phishing emails are commonly used for distributing malware. Any email that claims to offer free access to OnlyFans is a major red flag since the site requires paid subscriptions to access content. SEO poisoning may be used to get malicious websites to appear high in the search engine results for key search terms, and malvertising – malicious adverts – may be displayed on legitimate websites through third-party ad networks that direct users to URLs where free content is offered. Compromised social media accounts may be used to post offers of free access to OnlyFans content, and SMS and instant messaging service messages may advertise the offers and include links to malicious websites.

All of these ways of making contact with users can be combatted through phishing and security awareness training using the SafeTitan platform. SafeTitan includes an extensive library of training content for creating security awareness training programs to improve awareness of threats, teach security best practices, and train users how to identify phishing attempts. The platform also includes a phishing simulator for testing responses to phishing attacks, including phishing attempts with OnlyFans-related lures.

Email security solutions should be implemented to block any phishing attempts. SpamTitan incorporates signature and behavior-based detection mechanisms for identifying malicious attachments, link scanning, and machine learning capabilities to identify zero-day phishing attacks. WebTitan Cloud can be used to improve protection against web-based attacks, such as malicious file downloads from malicious and compromised websites and to prevent access to risky categories of websites and websites that serve no work purpose. IT admins should also consider implementing restrictions for script files, such as blocking VBScript and JavaScript from launching downloaded executable content or using Group Policy Management Console to create open with parameters for script files to ensure they are opened with notepad.exe. These measures will not only be effective at blocking this OnlyFans campaign but also for blocking attempts by other malicious actors to install malware and ransomware.

New SafeTitan Release Includes New Automated Campaign Feature for MSPs

TitanHQ has updated its SafeTitan security awareness training platform to better meet the needs of Managed Service Providers (MSPs) by adding a new feature – Automatic Security Campaigns. The new feature allows MSPs to create an annual set of phishing simulations for their clients to streamline security campaign planning.

All companies should be providing security awareness training to the workforce to improve awareness of the types of threats each employee is likely to face, and security awareness training programs should incorporate ongoing phishing simulations to give employees practice at identifying potential threats outside of a training setting. While the percentage of businesses providing security awareness training is increasing, many have yet to create a program, and those that have often find it is not as effective as they expected. This is an area where MSPs can help and ensure companies get the maximum return on their investment in training.

By signing up with TitanHQ, MSPs can provide security awareness training through the SafeTitan platform. SafeTitan includes an extensive library of training content that allows MSPs to create training programs to meet the needs of each company and tailor the training for different employee groups within the company to ensure it is relevant. The training content is proven to improve understanding of threats and reduce susceptibility to phishing and other social engineering attacks. Training courses can be created quickly and the provision of training automated, with employee progress tracked and client reports scheduled to keep them up to date on how training is progressing.

Conducting phishing simulations is also straightforward, but thanks to the new Automatic Security Campaigns feature, MSPs can create and run phishing simulations more efficiently, spend less time managing the campaigns, and boost the profitability of their security awareness and phishing simulation service. MSPs can use this feature to schedule phishing simulations using messages of varying types, at the desired required frequency, over the course of the year – a process that takes just a few minutes.

“By introducing automated campaign scheduling to SafeTitan, we are empowering our MSP partners to optimize their security training efforts, boost productivity, and deliver exceptional results to their clients,” said Ronan Kavanagh, CEO, TitanHQ. “This new feature aligns perfectly with our MSP First Strategy and provides innovative solutions that simplify the complexities of managing a client’s security awareness training.”

Phishing Remains the Most Common Method Used in Cyberattacks on Businesses

Phishing is still the most common method used by cybercriminals in attacks on businesses, as has been confirmed by a new survey of IT security and identity professionals. The Identity Defined Security Alliance recently conducted a survey on 529 IT security professionals and identity professionals at organizations with more than 1,000 employees and found 62% had experienced an identity-related incident in 2022, and out of those, 93% said they had experienced an email phishing incident.

Phishing is popular with cybercriminals as it is easy to conduct campaigns, which can be largely automated and require little skill. These campaigns are low cost and they are effective, as people can easily be fooled into disclosing their credentials or downloading malicious files. Email remains the most common vector used for phishing, with emails usually including a web-based component. Users are directed to malicious websites where malware is downloaded, or their credentials are harvested.

Phishing campaigns can be made even more effective if the emails are targeted. General phishing emails that are sent in massive spamming campaigns will attract a low number of responses but certainly enough to make these campaigns worthwhile; however, by targeting small numbers of individuals the response rate increases dramatically. Spear phishing involves tailoring emails for a specific group of people or researching individuals and sending personalized phishing emails. The survey revealed 49% of respondents had experienced spear phishing attacks in the past year.

Phishing is no longer solely conducted via email, and attacks involving other attack vectors have been steadily increasing. SMS and instant messaging platforms are commonly used for phishing. These phishing attacks are referred to as smishing attacks and phishing can occur over the phone – termed vishing. 27% of respondents said they experienced smishing or vishing attacks in the past year.

Phishing attacks can be extremely costly for businesses. These attacks are conducted to gain initial access to business networks to steal sensitive data, which can be used in a wide variety of ways. Once access to networks is gained and all valuable data has been stolen, access to those networks is often sold to other threat actors such as ransomware gangs for follow-on attacks. Businesses are also increasingly being sued for data breaches by employees and customers, the attacks take time to remediate causing business disruption and often result in significant reputational damage.

Phishing attacks are increasing in sophistication as well as number. While it was once sufficient to implement a spam filtering solution and antivirus software to block attacks, defenses have had to become more comprehensive and sophisticated and provide multiple layers of protection.

TitanHQ solutions can form the basis of a robust defense against phishing. TitanHQ offers three cybersecurity solutions that work seamlessly together that can be used by businesses to mount a formidable defense against phishing attacks, with each solution tackling the threat of phishing from a different angle.

The first layer of defense comes from SpamTitan Email Security – An advanced email security solution for blocking phishing and spam emails, including attacks seeking credentials and those delivering malware. SpamTitan incorporates anti-virus software (dual AV engines) for detecting known malware variants, and behavioral analysis through sandboxing for detecting zero-day (unknown) malware threats.

Protection against the web-based element of phishing comes from the WebTitan DNS filter, which is used to prevent employees from visiting malicious websites and for controlling access to the Internet through category and keyboard-based web filtering. WebTitan blocks downloads of malicious files and risky file types, and secures the DNS to block command-control callbacks. WebTitan not only blocks phishing attacks via email but also phishing and other malicious websites encountered through web browsing, such as via redirects to malicious websites from online adverts (malvertising).

The third layer of protection is concerned with improving human defenses, which is vital considering that more than 80% of data breaches involve the human element (Verizon Data Breach Investigations Report). SafeTitan is used to create effective security awareness training, tailored to meet the needs of each business and individual. The platform includes a huge library of training content that can be tailored for user groups and individuals which covers all aspects of security. Through SafeTitan training, businesses can raise awareness of threats and eradicate bad security practices. The solution also includes a phishing simulator for testing employees, which delivers on-the-spot training in real-time in response to security mistakes.

Cybercriminals are unlikely to stop conducting attacks and they are only likely to increase in number and sophistication. Businesses therefore need to make sure their defenses are up to scratch. For more information on these TitanHQ solutions, contact the sales team today. You can also take advantage of free trials of these solutions to test them before deciding on a purchase.

RPMSG Attachments Used in Sophisticated Phishing Attacks to Steal M365 Credentials

A new phishing technique has been identified by security researchers that uses compromised Microsoft 365 accounts to send phishing emails that contain .RPMSG attachments, which are used in a sophisticated attack to gain access to Microsoft 365 accounts.

RPMSG files are used to deliver e-mails with the Rights-Managed Email Object Protocol enabled. In contrast to regular emails that are sent in plain text and can be read by anyone or any security solution, these files are encrypted and are stored as an encrypted file attachment. The files can also be used to limit the ability of users to forward or copy emails. The intended recipient can read the encrypted messages after they have been authenticated, either by using their Microsoft 365 credentials or a one-time passcode.

Phishing attacks using these files give the impression that the messages are protected and secured, as access is restricted to authorized users. If a user is unfamiliar with RPMSG files and they perform a Google search, they will quickly discover that these files are used for secure emails, giving the impression that the emails are genuine.

The use of RPMSG files in phishing attacks was discovered by researchers at Trustwave. In this scam, an email is sent from a compromised account, and since these accounts are at legitimate businesses, the emails appear genuine. For example, one of the scams used a compromised account at the payment processing company Talus Pay.

The emails are sent to targeted individuals, such as employees in the billing department of a company. The emails are encrypted, and credentials need to be entered before the content of the email can be viewed. In this campaign, the emails tell the recipient that Talus Pay has sent them a protected message, and the email body includes a “Read the message” button that users are prompted to click. The emails also contain a link that the user can click to learn about messages protected by Microsoft Purview Message Encryption.

If the recipient clicks the link to read the message, they are directed to a legitimate Office 365 webpage where they are required to authenticate with their Microsoft 365 credentials. After authentication, the user is redirected to a fake SharePoint document, which is hosted on the Adobe InDesign service. If they try to open the file, they are directed to the final destination URL that shows a “Loading… Wait” message, and while on that URL, a malicious script runs and collects system information. When that process is completed, a cloned Microsoft 365 login form is displayed, which sends the username and password to the attacker’s command and control server if entered. The script collects information such as visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture.

The problem with phishing attempts involving encrypted content is email security solutions are unable to decrypt the content. In this scam, the only URL in the email directs the user to a legitimate Microsoft service which is not malicious, making these phishing attempts difficult to block without also blocking legitimate Microsoft encrypted emails. The key to preventing this type of sophisticated phishing attack is education. Through security awareness training, employees should be warned never to open unsolicited encrypted messages, even if the messages appear to have been sent by a legitimate user. They should also be conditioned to report any such messages to their IT security team for further investigation.

The SafeTitan security awareness training program can be used by businesses to create training courses for employees, tailored to each individual’s role and the threats they are likely to encounter. The training content is engaging to improve knowledge retention and can be easily updated to include information on the latest threats, such as phishing attacks involving RPMSG files. The platform also includes a phishing simulator that can be used to automate phishing simulations on the workforce, and RPMSG phishing emails can easily be incorporated into the simulator to check whether employees are fooled by these sophisticated attacks. If a user fails a phishing simulation, they are automatically provided with training content in real-time relevant to the simulation they failed. This on-the-spot training is the most effective way of re-educating the workforce and ensures training is provided at the point when it is most likely to be effective.

For more information on SafeTitan Security awareness training and phishing protection, call the TitanHQ team today.

Business Email Compromise: The Biggest Cause of Losses to Cybercrime

Business email compromise (BEC) is big business. For several years, BEC attacks have been the leading cause of losses to cybercrime according to the Federal Bureau of Investigation (FBI). Over the past 5 years, BEC incidents have resulted in more than $43 billion in losses globally, with $83,883,493 in reported losses to BEC scams in 2022.

BEC, also known as email account compromise (EAC), is a sophisticated scamming technique that targets employees and the businesses they work for. These attacks can be conducted to obtain sensitive information such as W-2 forms, which can be used for large-scale tax fraud, but most commonly attempt fraudulent payments, where an employee is tricked into changing payment details for an upcoming payment.

BEC attacks usually start with phishing emails. These can be general phishing emails to gain access to any employee email account, which is then used to send further phishing emails within a company and to vendors to get the high-value email credentials that the attackers seek. Alternatively, spear phishing emails are crafted on well-researched targets, such as employees in the finance department of a company who are likely to have responsibility for making wire transfers or employees at vendors who handle customer accounts. Social engineering techniques are used in the phishing emails to trick the targets into disclosing their credentials.

When access is gained to a targeted email account, the attacker can learn a great deal about the company and can identify vendors/clients, view invoices, and learn about upcoming payments. The style of the target’s emails can be identified, so emails can be carefully crafted using a similar writing style and language to prevent the scam from being detected. A request is then made via email to change banking details for an upcoming payment to attacker-controlled accounts. These accounts are commonly created at overseas banks in Thailand, Hong Kong, China, Mexico, and Singapore.

When the payment is made, funds are rapidly transferred to other accounts or are withdrawn, often before the fraudulent payment is detected. The payments are often large – tens of thousands, hundreds of thousands, or millions of dollars. One common tactic used in BEC attacks is to impersonate construction companies. Research is conducted online to identify a company’s current work projects, and company email accounts are targeted.  When access to accounts is gained, the scammers identify contact information, bid information, and project costs.

Construction projects often involve regular payments during construction, so the attackers change bank account information for an upcoming sizable payment. The client of the construction company expects to make a payment, so a simple change of bank account information is unlikely to arouse suspicion, especially since the request comes from a genuine company domain and email account with the correct logos and footers. Oftentimes, the victim has been communicating with the construction company through the same email account. Email communications between the victim and the scammer can span several emails, with the attackers taking their time before making the request. Reports of losses to the FBI between 2018 and 2020 show the fraudulent payments range from around $10,000 to $4 million.

Defending against BEC attacks requires a combination of measures that aim to block the initial account compromise, detect any compromises, identify suspicious requests, and monitor accounts for any irregularities. Advanced phishing defenses are required to block the initial phishing attacks where account credentials are obtained.  SpamTitan performs a barrage of tests to identify and block phishing and spear phishing emails. These attacks can involve spoofing rather than email account compromise, and SpamTitan solutions can detect and block emails from fake accounts as well as malware, which is often used to gain initial access to networks before pivoting to email accounts.

SpamTitan also incorporates machine-learning detection mechanisms to identify deviations from the standard emails that a business usually receives, which can identify and block the initial phishing emails and fraudulent emails sent from compromised accounts, since checks are performed on inbound and outbound emails. 2-factor or multi-factor authentication should also be enabled for all company email accounts.

2-factor authentication processes should also be established for any changes to account information. Any request to change account information or change upcoming payments should be verified using a second authentication mechanism such as a telephone call to a verified contact number.  Staff should also be provided with security awareness training to alert them to phishing and BEC attacks. SafeTitan security awareness training has extensive training content on phishing and BEC attacks and allows training courses to be easily developed and automated for the specific employees who are likely to be targeted in these scams to provide them with advanced training on how to detect BEC attacks.

For more information on improving email security and security awareness training, contact TitanHQ. TitanHQ solutions are available on a free trial, with full access to customer support for the duration of the trial to help you get the most out of the products.

PDF File Attachments Used for Distributing QBot Malware

When Microsoft started blocking macros in Internet-delivered Office files, threat actors had to come up with new ways of distributing malware via email. Since then, there has been a rise in the use of OneNote files in phishing attacks. OneNote files allow scripts to be embedded and serve as an ideal replacement for Office files and macros; however, Microsoft has responded with security updates for OneNote to prevent this technique from being used for malware distribution. There has also been an increase in the use of container files to bypass protections, which include compressed files such as .rar and .zip, and .iso files.

Another method of bypassing these protections has been adopted to distribute QBot malware. QBot is used to gain initial access to business networks and is often used to drop malware payloads for other threat actors. QBot used to be delivered via phishing emails using malicious macros in Office file attachments, but that technique is no longer viable due to Microsoft’s updates. Instead, the threat actor is now using a combination of .pdf files and Windows Script Files. The phishing emails have a .pdf attachment, which downloads a .wsf file, which is used to deliver QBot.

The emails used in this campaign are reply chain emails, which makes it appear that the emails have been sent as a reply to a previous conversation. That increases the chances of the email being opened as employees are usually trained to be suspicious of unsolicited emails from unknown senders. If the attachment is opened, the PDF file states that the document is protected, and the user is required to click an ‘open’ link, which will trigger a download of a .zip file that includes a Windows Script file.

If the user double clicks that file, the script will be executed, which will run a PowerShell script that will deliver QBot from a hardcoded URL and execute the malware. QBot will be injected into the Windows Error Manager program and will run silently in the background. QBot will steal sensitive data and can move laterally and compromise other devices on the network. Once data has been stolen, access to QBot-infected devices is sold to ransomware gangs. A single device infected with QBot can easily end with large-scale data theft and a network-wide ransomware attack.

The latest campaign involves PDF file attachments, but the methods used for distributing malware such as QBot often change and will continue to do so. The key to improving security is to adopt a defense-in-depth approach, where there are multiple overlapping layers of security in place. If any one measure fails, others will be in place to continue to provide protection.

An email security solution such as SpamTitan is a good place to start. SpamTitan Email Security adds multiple layers of security to your defenses by performing extensive checks on all inbound and outbound emails. Message headers are checked, as is the reputation of the sender, and machine learning techniques are used to identify messages that deviate from the normal messages a user receives. Multiple scans are conducted on email attachments looking for malware and malicious scripts, including signature-based and behavior-based detection through dual antivirus engines and a Bitdefender-powered sandbox. Links are checked and followed to block phishing and malware downloads.

A web filtering solution is an important security measure for blocking the web-based component of these attacks. All attempts to connect with a URL – including automated attempts and clicks by users – will be assessed in real time and blocked if an attempt is made to connect to a known malicious URL. WebTitan can be configured to block downloads of executable files, such as .wsf files, and controls can be implemented to restrict access to websites to confirmed benign URLs.

Email-based attacks attempt to exploit human weaknesses so it is also important to improve your human defenses through security awareness training. The SafeTitan security awareness training platform can be used to automate workforce training and teach security best practices and eliminate risky behaviors, and make employees aware of the threats they are likely to encounter. The platform also includes a phishing simulator with hundreds of phishing templates to test employees to see how they respond to real-world threats, and automatically assigns further training modules if they fail a phishing simulation. These three solutions can be adopted by businesses to greatly improve their security posture against current and evolving threats. Speak with TitanHQ today to find out more.

Effective Workforce Training to Improve Cybersecurity in Healthcare

On March 30, 2022, the U.S. Senate Homeland Security Committee cleared the Healthcare Cybersecurity Act – new legislation that promises to strengthen the cybersecurity posture of the U.S. healthcare and public health sectors. The U.S. healthcare sector has taken a battering in recent years as cybercriminals have stepped up attacks on the sector. Healthcare organizations are an attractive target due to the vast quantities of sensitive data they store. The data can easily be monetized and used for identity theft and medical fraud, and preventing access to that data puts patients at risk, which increases the probability that extortion attempts will be successful. Cyberattacks on the healthcare sector have proven to be lucrative, with healthcare providers often forced into paying huge ransom demands to decrypt their files, prevent the exposure of stolen data, and get critical systems back up and running quickly to improve patient safety.

In 2020, healthcare cyberattacks increased by 55% breaking the record set the previous year. More than 26 million medical records were compromised that year, which increased to over 40 million records in 2021 and 2022. 2023 looks like it will see similar numbers of records compromised. Healthcare is a critical industry and healthcare cybersecurity is a patient safety issue. Action is desperately at the federal level to improve resilience to cyberattacks and the Healthcare Cybersecurity Act is a step in the right direction. The Healthcare Cybersecurity Act calls for the U.S. Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to collaborate and come up with a plan for improving the security posture of the sector. Within a year of the legislation being passed, CISA is required to complete a detailed analysis of the risks to healthcare assets and data, identify the information security challenges faced by organizations in the sector and come up with a plan to address the shortage of cybersecurity staff, including making recommendations for cybersecurity training for the workforce and enhancing incident response. The legislation also calls for the creation of a Cyber Security Operations Center specifically for the healthcare sector to share real-time threat intelligence to help defend against and respond to cyberattacks.

In the meantime, the cyberattacks continue. While hospitals and health systems are investing heavily in cybersecurity and are improving their technical defenses, hackers are developing new methods to attack the sector, often by exploiting human weaknesses. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health plans, and other covered entities to develop a security awareness training program for employees, but the legislation was signed into law two decades ago and provides little in the way of detail as to what such a program should include or how often training should be conducted. Follow the letter of the law and you will be compliant but will do little to improve your security posture. What is required is a comprehensive training program that can be easily tailored to all members of the workforce and training them on how to recognize the specific threats they are likely to encounter.

The ultimate goal of security awareness training is to develop a security culture, and that simply isn’t possible with an annual training session. Security awareness training needs to be ongoing, with employees up to date on the latest threats, and training needs to be reinforced. This is an area where TitanHQ can help. TitanHQ offers healthcare organizations an easy-to-use platform for developing healthcare-specific training courses covering a broad range of security topics. The platform includes training content on hundreds of topics, delivered through computer-based training courses, videos, and quizzes. The content is engaging and gamified and has been developed to be easy to fit into busy healthcare workflows, with the training content taking no more than 10 minutes per module.

Administrators can easily develop training courses for individual employees, roles, and departments to ensure it is relevant, and the platform is behavior-driven, with training content automatically generated based on specific employee behaviors such as failed phishing simulations and security errors, such as saving sensitive data in an insecure location. Since the training is generated instantly, it ensures employees receive the training when it is likely to have the maximum impact – immediately after a security mistake is made.

The platform also has enterprise-level reporting, which provides executives with a 360 view of the entire organization and the return on investment, with the data provided in an easily digestible format for management, and detailed reports for the compliance team to demonstrate full compliance with the training requirements of the HIPAA Security Rule.

If you want to improve your organization’s security posture, training the workforce to be more security aware is a great place to start. For more information on SafeTitan, to sign up for a free trial, get in touch with the TitanHQ U.S. team today.

Top Malware Threats and How to Prevent Infections

QBot, Emotet, and Formbook are currently the most prevalent malware threats according to new data from Check Point, all of which are mostly distributed using spam emails. Email is still one of the most common methods of malware distribution, and even Microsoft’s efforts to prevent the malicious use of macros have not changed that.

Last year, Microsoft disabled macros by default in Internet-delivered documents, and while this was a blow to cybercriminals who have relived on macros for their infection process, they simply changed tactics and used other methods for malware delivery. Macros were easy to abuse, as victims just needed to be tricked into enabling macros in documents and ignoring security warnings. Now that macros are disabled, cybercriminals have had to adopt new tactics for distributing malware via email, such as sending malicious links or using alternative attachments, such as OneNote files. The latter have been used to distribute Emotet, which has helped the malware return to the top of Check Point’s most wanted malware list.

OneNote files have proven popular for malware distribution as they allow scripts to be embedded and masked with overlays. The user is instructed to double-click a button in the OneNote file as they are told that the document is protected, when what they are actually doing is double-clicking an executable file embedded under the overlay, thus executing the script and triggering the downloading of a malicious payload. Microsoft has announced that this security issue is being tackled by May, but until then OneNote will continue to be used for malware delivery.

The top three malware variants share some of the same functionality but offer specialized features. QBot, also known as QakBot, was primarily a banking Trojan used to steal banking credentials but is now capable of stealing other credentials due to its keylogging capabilities. It has been in use since 2008 and is one of the oldest malware families currently in use.

Emotet has long been at the top of the most common malware variants and has survived a recent law enforcement takedown. Emotet started life as a banking Trojan but has evolved over the years and is now primarily used as a distributor of other malicious payloads under the malware-as-a-service model. Like QBot, Emotet is also extensively distributed via email, helped by its self-propagating capabilities, which allow it to hijack message threads and send copies of itself to the victims’ contacts.

FormBook has been used since at least 2016 and is an information stealer that is also marketed under the malware-as-a-service model. FormBook primarily harvests credentials from web browsers, but also logs keystrokes, collects screenshots, and can deliver additional files to infected devices. It is one of the most widely distributed malware due to its capabilities, relatively low cost, and strong evasion techniques.

These three malware variants have had a huge impact globally, with QBot infections detected at 10% of organizations worldwide and Emotet and FormBook each affecting 4% of organizations worldwide. Preventing infections requires a defense in-depth approach involving multiple layers of protection, with one of the most important layers provided by a spam filter.

All three of these malware families are extensively spread via spam email, so blocking the initial attack vector is by far the best defense. SpamTitan incorporates several layers of protection against malicious emails, including emails with malicious attachments such as OneNote files and malicious links. SpamTitan performs a multitude of front-line checks including message headers and reputation checks and has dual anti-virus engines for detecting malware and sandboxing for behavioral analysis of attachments. SpamTitan also scans links and uses machine learning algorithms to identify emails that deviate from the genuine emails typically received by businesses.

While a spam filter and endpoint protection solutions such as antivirus software were once sufficient, the speed at which new malware variants are being released and the evasion methods they use mean additional layers of protection are now required. TitanHQ recommends also deploying a web filter to block Internet-based threats. A web filter such as WebTitan augments the spam filter by blocking malware delivery via the Internet and improves protection against non-email-based threats, such as malicious links in text messages and instant messaging platforms.

Threats will occasionally bypass these protections, so it is important to provide security awareness training to the workforce. By educating the workforce on cyber threats, if one is encountered it can be recognized and avoided. Security awareness training allows businesses to train employees on security best practices and eradicate the risky behaviors that are often exploited by cybercriminals. SafeTitan is a comprehensive training platform covering all aspects of security and includes a phishing simulation platform for testing how employees respond to phishing threats and providing targeted training where it is needed.

For more information on these solutions and improving your security posture in the most cost-effective way, give the TitanHQ team a call today.

New Business Email Compromise Tactics Identified

Business email compromise tactics commonly change, so businesses need to ensure that they provide regular security awareness training to their workforce. Businesses that implement an ongoing security awareness training program can ensure that all employees are made aware of the emerging tactics so that when a threat is received, they will be able to identify it as such and report it to their security team.

BEC attacks typically involve spoofing an individual or company to get an individual to make a fraudulent wire transfer to an attacker-controlled account. The FBI has recently reported that tactics are becoming more sophisticated, and telephone numbers are also being spoofed. When the targeted individual calls to verify the authenticity of the emailed request, they speak with the scammer. It is vital to ensure that employees are told to verify the authenticity of any out-of-band requests for payments, changes to account details, requests for gift cards, and other common scam tactics but to ensure that verified contact information is used, and never the contact information supplied in the email.

Another BEC tactic that is becoming increasingly common attempts to obtain goods under false pretenses, instead of tricking people into making wire transfers. This tactic is often adopted by less advanced threat actors, as they do not have to recruit the money mules to accept the payments. According to the FBI, scammers are impersonating the email domains of U.S. companies and are spoofing emails with the real names of company employees, so if checks are performed, they will be passed.

The scammers trick vendors into believing they are conducting legitimate business transactions and fulfilling purchase orders for distribution to new customers. Scams identified by the FBI include the targeting of vendors of agricultural equipment, construction materials, computer hardware, solar energy products, and more. The goods are distributed and by the time the scam is identified, they have been moved on and cannot be traced or recovered. Since these purchase orders are often for bulk goods, thousands or hundreds of thousands of dollars can be lost.

Businesses often provide new customers with credit repayment terms such as net-30 or net-60, where they are not required to pay for the goods for 30 or 60 days. That means by the time the scam is identified the goods have long since been moved and sold. Businesses naturally conduct credit checks before offering those terms, but the attackers are supplying fake credit references and fraudulent W-9 forms to vendors to get the payment terms to allow them to purchase goods without any upfront payment.

The best way to protect against these scams is to ensure that you have an advanced email security solution in place – Such as SpamTitan – to block the initial contact via email. However, it is also important to provide security awareness training to the workforce.

SafeTitan is a modular training platform that allows businesses to develop custom training courses for different individuals, roles, and departments, and to ensure that the training provided is relevant. The platform includes hundreds of training modules and can be tailored to meet the needs of all organizations. The training content is regularly updated to include the latest tactics that are being used, allowing businesses to keep all members of the workforce 100% up to date on the latest threats.

Administrators can trigger training modules for all members of the workforce when new threats are identified. The modules are easy to fit into busy workflows and take no longer than 10 minutes. Through SafeTitan security awareness training, businesses can develop a security culture and greatly reduce susceptibility to phishing and BEC attacks. Data from the SafeTitan phishing simulation platform shows businesses can reduce susceptibility to email scams by up to 80% over time through email attack simulations.

For more information on SafeTitan Security awareness training and phishing simulations contact TitanHQ today.

BEC is Still A Leading Cause of Losses to Cybercrime and Attacks Continue to Increase

Business email compromise (BEC) may not be the most prevalent form of cybercrime, but it is one of the costliest. Over the last few years, BEC attacks have seen the greatest losses out of any form of cybercrime, and BEC attacks have been increasing. According to the Federal Bureau of Investigation (FBI), between July 2019 and December 2021, losses to BEC attacks increased by 65%, and between June 2016 and July 2019 there were 241,206 complaints about BEC attacks and $43,312,749,946 was lost to the scams. In 2022, there were almost 22,000 victims of BEC attacks and adjusted losses to these scams were more than $2.7 billion.

In a typical BEC scam, a criminal sends an email message to a targeted individual that appears to have come from a known source making a legitimate request. Commonly, a company that the victim regularly deals with sends an invoice with an updated bank account or mailing address. A scam may be conducted where the victim is asked to purchase gift cards and email the serial numbers. Scams often target homebuyers, where the message appears to come from the title company with instructions on how to wire the payment. An executive may be impersonated and the tax information of all employees may be requested. There are many variations of these scams, and they often result in thousands, hundreds of thousands, or even millions of dollars in losses.

BEC scammers often spoof an email account or a website, or they may compromise a legitimate email account through a phishing or spear phishing email. With access to email accounts, a scammer can search the accounts to find out more about the company and gain the information they need to conduct realistic scams. Malware may be sent via email that gives the attacker access to email accounts, which allows them to hijack message threads.

One of the most common types of BEC attacks involves the impersonation of an individual or company and a request to send fraudulent wire payments to attacker-controlled bank accounts. Historically, these scams have involved compromised vendor email accounts and a request to change bank account information for upcoming payments for goods and services. In its latest Internet Crime Report, the FBI said BEC scammers are increasingly targeting investment accounts, and utilizing custodial accounts held at financial institutions for cryptocurrency exchanges or requesting victims send funds directly to cryptocurrency platforms.

In the past, scammers have relied on their spoofing tactics but the scam fails if the targeted individual verifies the legitimacy of the request by phone. However, it is now becoming increasingly common for scammers to spoof legitimate business phone numbers and use these to confirm fraudulent banking details with victims. There have been many cases where the victims report they have called a title company or realtor using a known phone number, only to find out later that the phone number has been spoofed.

Defending against BEC attacks requires a combination of measures. First, since these attacks often start with a phishing email, a spam filtering solution is essential. A spam filter will block the emails that allow credentials to be stolen and email accounts compromised. Spam filters can also detect and block spoofing and are the primary defense against these attacks. TitanHQ has developed SpamTitan Email Security to help businesses defend against BEC attacks, phishing, and other email-based attacks.

Unfortunately, email filtering alone is not sufficient. A spam filter will block the majority of email threats but additional measures need to be implemented. The key to defending against BEC attacks is defense-in-depth. These attacks target human weaknesses, so it is important to train the workforce to be aware of these scams and the changing tactics of BEC scammers. Employees need to be taught the red flags they need to look for in emails and the security best practices that can thwart these scams.

TitanHQ offers the SafeTitan security awareness platform to businesses which can be used to train employees to be more vigilant and tell them what they need to look for. The platform can be used to teach security best practices, such as carefully examining the email address, URL, and spelling used in any correspondence, and the importance of not clicking on anything in an unsolicited email or text message that asks them to update or verify account information.

The increase in spoofing means it is now essential to implement two-factor or multi-factor authentication, to add an extra level of security to protect accounts from unauthorized access. It is also vital to implement policies that require requests to be independently verified using confirmed contact numbers, not those provided via email.

Adopting such a defense-in-depth approach will help you protect against these financially damaging scams. Contact TitanHQ today to find out more about how you can cost-effectively improve email security and train your workforce.

Emotet Botnet Back and Sending Malicious Emails with Malicious OneNote Attachments

The Emotet botnet has resumed activity after a break of around 3 months as the threat group attempts to build up the number of infected devices. The Emotet botnet consists of an army of devices that have been infected with Emotet malware, which gives the operators of the botnet access to those devices. That allows data to be stolen from the infected devices and for access to be sold to other threat actors to allow them to conduct attacks, such as by delivering additional malware payloads such as Cobalt Strike, banking Trojans, information stealers, and ransomware. Infected devices are also used to grow the botnet. Emotet malware can hijack email accounts, steal message threads, and send copies of itself to the victim’s contacts. Since the emails come from a trusted email account they are more likely to be opened.

Emotet campaigns do not run constantly throughout the year. The threat actor tends to have several months of downtime with the last campaign coming to an end in November 2022. The botnet is now active once again and is sending emails, which means businesses need to be on high alert. The activity commenced at the end of the first week of the month and now high volumes of emails are being sent.

While Emotet is well known for hijacking email threads and using reply-chain emails, this time around a campaign is being conducted that includes ZIP file attachments purporting to contain invoices. Some of the emails intercepted include compressed Word documents that are over 500 MB in size when they are extracted. The large file size is used to defeat antivirus software. If the documents are opened, the user is presented with a warning that the document is protected and they are told that they need to ‘enable editing’ and ‘enable content’ to preview the document. These security warnings are in place to prevent macros from running and enabling the content will see the macros run and Emotet malware be downloaded onto the device from a compromised website. The downloaded file – a DLL file – is similarly inflated to more than 500 MB to prevent scanning by AV solutions. The payloads often change to prevent detection, and detection rates are usually very low for each payload.

One of the campaigns detected in the past few days targets U.S. taxpayers. In this campaign, the Internal Revenue Service (IRS) and legitimate businesses are impersonated using fake W-9 tax forms. These W-9 tax forms are also included in a ZIP file attachment and the files are also inflated to more than 500 MB. In this campaign, the Emotet gang returns to using reply-chain emails so it appears that the emails have been sent from a trusted entity that has emailed in the past.

Fortunately, email-based attacks using macros to deliver malicious payloads are becoming much less effective due to a 2022 update from Microsoft that disables macros automatically in Internet-delivered Office files. In response, like other threat actors, the Emotet gang has changed tactics and is now sending emails with OneNote attachments, which do not support macros and therefore bypass Microsoft’s anti-macro controls. OneNote files allow embedded content, which in this case is a VBS attachment that is hidden under a view button. The user is told to double-click on the view button, but what they are really doing is double-clicking on the VBS attachment under the fake view button, which executes the script and delivers Emotet malware from a compromised website.

With Emotet back up and running it is a good idea to ensure that employees are trained to recognize these malicious emails and the SafeTitan security awareness training platform from TitanHQ allows you to easily do that and keep employees up to date on the latest Emotet tactics. SafeTitan also includes a phishing simulator that allows you to simulate Emotet emails in phishing tests to see which employees click. Those individuals can then be provided with additional training to ensure that if a real Emotet email is received, they will be able to recognize it as such.

For more information on SafeTitan Security Awareness Training, contact the TitanHQ team today.

SpamTitan Named Leader in 5 Categories in G2 Winter 2023 Grid Report

G2 (formerly G2 Crowd) has recently published its G2 Crowd Grid® Winter 2023 Report, which highlights the leading IT security products for businesses. G2 Grid Reports are based on satisfaction scores from genuine business users of IT solutions and are plotted into a quadrant along with market presence data, with each solution positioned in one of four quadrants: Leader, High Performer, Contender, and Niche. The Leader quadrant indicates products have high satisfaction scores from users and a strong market presence.

TitanHQ is happy to announce that SpamTitan Email Security has been placed in the Leader quadrant in five categories: Cloud Email Security, Small Business Email Security, Email Anti-Spam SMB, Email Protection, and Email Security, and was also given a top five position in 12 other categories.

G2 is a trusted source of reviews of technology for business and is used by thousands of businesses to help them with their purchasing decisions. G2 includes more than 2,072,000 reviews of business software from genuine users of the solutions, and those data are combined with social media reviews and other trusted online sources of data for its quarterly Grid reports. The G2 platform and Grid Reports are relied upon by more than 5 million buyers every month.

TitanHQ is a Galway, Ireland-based provider of cloud-based cybersecurity solutions. Those solutions include email security, DNS filtering, email archiving, email encryption, security awareness training, and phishing simulations. The products consistently attract high satisfaction scores from users on G2 and other business software review platforms such as Capterra, Gartner, GetApp, and Software Advice. Across those platforms, SpamTitan has attracted more than 500 5-star ratings based on customer reviews, and SpamTitan is also the category leader for email security on PeerSpot and Expert Insights, two other highly trusted review platforms.

The high scores show how much users love using SpamTitan products – SpamTitan Cloud, SpamTitan Gateway, and SpamTitan Plus – and how effective they are at blocking email-based threats. SpamTitan Plus is the latest addition to the SpamTitan family of products and was launched last year to provide leading-edge protection against phishing attacks, in particular, real-time phishing threats by utilizing AI and machine learning and extensive threat intelligence data – more than any other anti-phishing solution on the market. The result is 1.5x faster detection of malicious emails than the leading industry anti-phishing solutions from Barracuda, Proofpoint, and Mimecast. In addition to providing excellent protection, SpamTitan is easy-to-implement, easy to use, and far more affordable for businesses than many similar solutions. Users also benefit from exceptional front-line support. If any problems are experienced, help is rapidly provided.

The naming of SpamTitan as a leader in so many categories is a testament to the hard work of everyone at TitanHQ, and the considerable investment in the product. “The overwhelmingly positive feedback from SpamTitan users on independent review sites is a return for the massive investment we made into our products and threat intel,” said Ronan Kavanagh, CEO, TitanHQ.

If you want to save money on email security without sacrificing protection, why not give SpamTitan a try by taking advantage of the free trial of the solution today and see for yourself why SpamTitan products are consistently rated so highly by users.

Use Cyren for Email and Web Security? – You Need to Change Provider Immediately!

The cybersecurity company Cyren has collapsed, leaving its customers at risk. If you use Cyren for email and web security, you should change provider immediately!

It is sad news when any company is forced to significantly reduce its workforce, which for Cyren recently involved laying off 121 employees “in response to current market conditions and associated challenges with raising additional capital.” Cyren issued a press release saying that such extensive layoffs represent a significant reduction in all of the company’s workforce, and that “in the absence of additional sources of liquidity, management anticipates that the Company’s existing cash and projected cash flows from operations will not be sufficient to meet the Company’s working capital needs in the near term.”

So what does that mean for close to 1 billion users that rely on the company’s cybersecurity solutions? TitanHQ contacted the company’s CISO in relation to the news and received a response. “The SDK will work for as long as the systems in the cloud will continue running. Unfortunately, we have no personnel left to watch after the systems, so it is hard to predict how long they will run for.”

As a provider of email and web security solutions, TitanHQ can confirm that without constant updates to anti-spam signatures, the ability of a solution to block new phishing attacks will rapidly diminish, which means that customers will be exposed to threats. While it is possible that Cyren will be able to attract further investment, in the short term customers should be very concerned. Unfortunately, a mass exodus of customers is the last thing Cyren needs, but those customers need to ensure that they continue to be protected against email and web-based threats, which means switching to another solution provider.

TitanHQ has already received many calls from Cyren customers following the company’s February 1, 2023, press release announcing the financial difficulties the company is facing and has offered those customers a special deal that can provide short-term protection while they decide on the best next step, and that is to extend the free trial of SpamTitan Email Security and the WebTitan DNS Filter to 30 days.

Both solutions can be implemented in a matter of minutes and will ensure Cyren customers remain protected against email and web-based threats. The TitanHQ team has been busy helping Cyren customers get up and running with the two solutions over the past 2 weeks since the announcement was made.

Naturally, TitanHQ would love to continue to provide these solutions to Cyren customers past the 30-day free trial and hopes they continue to use the solutions, but this is a no-obligation free use of the platform aimed at helping Cyren customers stay protected. If after the end of the 30 days they decide to go elsewhere, that is no problem at all. This is a totally free offer with no obligation to continue and with no strings attached.

The TitanHQ team will be monitoring capacity – which is already hugely overprovisioned – to ensure that there is no impact on current users, and response times to queries are constantly monitored to ensure that customers are not impacted. TitanHQ’s infrastructure can also be rapidly scaled up to meet demand should the need arise.

Cyren customers wishing to take advantage of the offer should contact TitanHQ to speak to the migration team, and assistance will be provided to get you up and running quickly.

Smishing Campaign Targets Coinbase Users

SMS-based phishing attacks are becoming more common, and these attacks can be particularly effective. SMS phishing – commonly referred to as smishing – is the use of SMS messages for delivering malicious URLs. There are several advantages of smishing over phishing. Most companies have email security solutions in place such as spam filters that can easily detect malicious emails, so many phishing emails will not reach end users. Smartphones tend to have fewer cybersecurity controls than computers, so malicious SMS messages are more likely to be delivered. Another reason why smishing attacks have a high success rate is employees tend to be aware of the risk of email attacks but are more trusting about SMS messages as security awareness training tends to focus on email phishing. Further, since smartphones are often accessed on the go, people can be distracted and click links without stopping to think.

Businesses are often targeted with smishing attacks as it is an easy way of getting phishing URLs in front of employees. One recent attack targeted Coinbase employees. Coinbase is one of the world’s largest cryptocurrency exchanges with more than 1,200 employees and more than 103 million users, which makes the company a big target for cybercriminals (although smishing attacks are conducted on companies of all sizes!).

In this attack, SMS messages were sent to employees using a common ruse – They were told they needed to log in urgently about a security issue. Virtually all Coinbase employees ignored the message, but one employee responded and entered their username and password on the phishing page. Smishing campaigns do not need to fool a lot of employees. They only need to fool one person. Coinbase was protected against smishing attacks to a certain degree, as the company had implemented 2-factor authentication, so while the attackers obtained a username and password, those credentials alone would not allow access to be gained to the user’s account.

However, smishing can be combined with voice phishing to get around 2FA and MFA protections. The attackers then called the employee and pretended to be from the Coinbase IT department, and provided the employee with instructions, which were followed, allowing the attackers to bypass the 2FA protection and log in to the employee’s workstation. In this attack, unauthorized access was rapidly detected by the IT team, as the remote access generated a security alert. Fortunately, the attack was thwarted before the threat actor was able to achieve very much, although, in the short time that access was possible, the attacker was able to steal some employee data, including names, email addresses, and phone numbers. Similar attacks have been conducted on companies that did not have 2FA protection, and many attacks have not been detected rapidly by security teams, allowing much more damage to be caused.

With smishing attacks increasing, businesses need to prepare and ensure they have appropriate defenses in place, which should include 2FA or MFA protection on all accounts. As the Coinbase attack demonstrated, 2FA/MFA alone is not sufficient. Whitelisting IP addresses is recommended, and security alerts should be set up and immediately followed up on by security teams.

Web filtering can provide some protection by restricting access to the websites that employees can access, thus preventing them from accessing the phishing URLs where credentials are harvested. Another important measure is to provide security awareness training to the workforce to ensure that employees are aware of smishing and voice phishing attacks. By raising awareness, employers can greatly improve protection against these attacks.

Give TitanHQ a call today to find out how web filter and security awareness training can improve your defenses against smishing, vishing, and other types of cyberattacks targeting employees.

Namecheap Customers Targeted in Sophisticated Phishing Scam

Phishing emails often spoof a company and include its logos and branding, but one of the red flags that allow these emails to be identified by users is the email address used in the campaign is set up on a domain unrelated to the brand being spoofed. For instance, a phishing email spoofing FedEx is sent from a Gmail account. Oftentimes, a display name is created that makes the email appear to come from a genuine account used by the spoofed company – FedEx customer service for instance – but a quick check will reveal the actual email address used, allowing users to identify the phishing attack.

However, these checks sometimes fail, as highlighted by a recent phishing campaign that impersonated the logistics company DHL and the software cryptocurrency wallet provider, MetaMask that targeted customers of the domain registrar Namecheap. The emails originated from the legitimate customer communication platform SendGrid, which Namecheap uses for sending marketing communications and renewal notices to customers. Namecheap responded quickly when the attack was identified and disabled the accounts, but not in time to prevent many phishing emails from being sent.

The emails spoofing DHL included the DHL Express logo and warned recipients that their parcel was not able to be delivered because the sender did not pay the necessary delivery fees, as such, the parcel has been retained at the delivery depot and will not be released until the delivery fees are paid.

The MetaMask emails purported to be a Know Your Customer verification request, which required the recipient to verify their identity to prevent their account from being suspended. If the verification is not completed, the emails claimed, users would be unable to withdraw or transfer funds without interruption.

In both cases, the emails included a link that the users were required to click to complete the request – a marketing link that redirected users to a phishing page on an unrelated domain. This was not a data breach at Namecheap, but at the third-party system the company uses for sending emails – SendGrid. It is currently unclear how SendGrid was hijacked to send the phishing emails.

Phishing emails may be sent from legitimate company email accounts, either an account at the actual company being spoofed or other well-known services such as SendGrid. In the summer of 2022, a phishing campaign was conducted targeting customers of the hardware cryptocurrency wallet Trezor, following a hack at the email marketing platform MailChimp.

Phishing attacks such as these can sneak past email defenses and are harder for employees to identify, which is why businesses need to adopt a defense-in-depth approach. Email security solutions will block the majority of spam and phishing emails, but no email security solution will block all malicious messages. In addition to an advanced email security solution such as SpamTitan – which incorporates multiple layers of protection and machine learning mechanisms to block novel phishing attacks – businesses should invest in security awareness training for employees and should provide the training continually throughout the year. Through comprehensive training, employees can be taught more than just the basics and can learn how to recognize and avoid sophisticated phishing attacks.

A web filter is also recommended for blocking access to the malicious URLs that are used to harvest sensitive information. A web filter augments the spam filter by providing time-of-click protection against malicious links in emails and also protects against non-email methods used to drive traffic to phishing sites, such as malvertising, smishing, and vishing attacks.

If you want to improve protection against phishing, call TitanHQ to find out more about improving the depth of your security protections through spam filtering, security awareness training, and web filtering.

Improve Your Security Posture in 2023 with Effective Workforce Security Awareness Training

Cyberattacks on businesses increased during the pandemic and have continued at high levels since. Fortunately, businesses have responded and are taking cybersecurity seriously and have increased investment in cybersecurity. Data from ESG research suggests 65% of organizations are planning to increase investment in cybersecurity in 2023. While there is room for improving technical defenses to block more attacks and identify and address vulnerabilities faster before they can be exploited, it is important not to neglect the human element, which according to Verizon’s 2022 Data Breach Investigations Report, is a factor in 82% of data breaches.

While simple errors can easily lead to data breaches, many are the result of a lack of understanding of security. There is also a common view among employees that cybersecurity is the sole responsibility of the IT department. It is true that one of the roles of the IT department is to ensure that technical measures are implemented to block cyber threats and that vulnerabilities are identified and addressed promptly, but even companies that invest heavily in IT security still suffer data breaches, and that is because even sophisticated defenses can be bypassed.

Technology and hardware will block the majority of threats, but employees are still likely to encounter phishing, social engineering scams, business email compromise, and malware, and need to be provided with proper education to improve awareness of those threats and be taught the skills to allow them to identify and avoid cyber threats. The workforce needs to be educated on all aspects of security, not just how to identify a phishing email. Take password security for example. Password policies can be implemented, and employees provided with password managers, but as the recent credential stuffing attack on NortonLifeLock users revealed, many users of that password manager set a master password for their password vault that had been used elsewhere on the internet, which allowed the hackers to access their accounts.

By providing security awareness training, businesses can improve the baseline knowledge of the workforce, make sure everyone is aware of the threats they are likely to encounter, and security best practices can be taught, along with the importance of always following those best practices. The ultimate aim of security awareness training is to develop a security culture, where everyone in the organization understands that they have a role to play in the cybersecurity of the organization and that cybersecurity is not just a matter for the IT department.

Unfortunately, it is not possible to get to that point overnight. Providing a one-time security awareness training session is not enough and even conducting annual training sessions is unlikely to result in behavioral change. For training to be effective and to change employee behavior, training needs to be provided continuously, with short training sessions conducted regularly throughout the year. Training also needs to be individualized. There is no point in providing a single training course to every employee, as training needs to be role-specific and cover the specific threats each employee is likely to encounter.

The training also needs to be engaging to get employees to take the information on board, and training needs to be regularly reinforced. One of the best ways to do this is through phishing simulations, which test whether employees have understood the training and if they are applying that training day in, day out. Employees should also be empowered to help with cybersecurity by providing a phishing reporting button as an email client add-on, so they can alert the IT department when a suspicious email is encountered. Organizations that provide their workforce with training using the SafeTitan platform and conduct regular phishing simulations through the platform report significant improvements in security. Phishing simulation data also shows improvements in employee susceptibility to phishing attacks, with organizations seeing reductions of up to 92% in click rates by employees.

With 2023 looking like it will be another year with high levels of cyberattacks, January is the ideal time to review your security awareness training programs, make improvements, and implement a training program if you are not yet providing training to your employees. TitanHQ is here to help. Give the team a call today to find out more about how SafeTitan can benefit your business.

OneNote Attachments and Blank Images Used in Phishing Attacks

Phishers are constantly coming up with new ways to evade security solutions, steal credentials, and distribute malware. In January, two new tactics were observed in separate phishing campaigns, one hides malicious URLs from security solutions in a credential-stealing campaign, and the other uses OneNote attachments for distributing malware.

Blank Image Phishing Attacks

The blank image phishing attack involves hiding a Scalable Vector Graphics (SVG) image file within an HTML document sent via email. In this campaign, the email claims to include a DocuSign document, which office workers are likely to be familiar with. The email claims the document includes remittance advice. The user is required to click to view the document and will be directed to the legitimate DocuSign webpage if they do.

However, the attack starts when the user clicks to view the HTML document. The document contains a Base64 blank image file, which has embedded JavaScript that will redirect the victim to a malicious URL. The image itself contains no graphics, so does not render anything on the screen. It is just used as a placeholder for the malicious script. The URL that the user is directed to will prompt them to enter sensitive information. A similar technique using SVG files has previously been used to distribute QBot malware. Many email security solutions ignore HTML files, which increases the chance of the malicious email landing in inboxes. Security teams should consider blocking or quarantining HTML emails to protect against these types of attacks.

OneNote Attachments Used to Distribute Malware

Another campaign has been detected that uses OneNote attachments in phishing emails for distributing remote access malware, which can provide initial access to a victim’s system allowing further malicious payloads to be delivered, such as information stealers and ransomware. For many years, Office documents were the preferred attachment for distributing malware. These files can include macros that download a malicious payload, but Microsoft now blocks macros by default in Office files delivered via the internet, which has forced hackers to look for new ways to distribute their malware.

One new tactic is the use of OneNote attachments. OneNote is installed by default with Microsoft Office and Microsoft 365, which means OneNote files can be opened on most devices even if the user does not use the OneNote application. The lures used in these emails vary, although some of the intercepted emails claimed to be shipping notifications, with the details of the shipment included in the OneNote file.

OneNote files cannot contain macros, but it is possible to insert VBS attachments into a NoteBook. When opening the file, the user is told they must double-click to view the file. Doing so will launch the VBS script, which will download and install malware from a remote site. If the user does click, they will be warned that opening attachments can harm their computer. If that warning is ignored and the user chooses to open the attachment, the script will download a decoy OneNote file – a genuine file – so the user is unlikely to realize that anything untoward has happened, but the script will execute a batch file in the background and will install the second downloaded file, which is malware.

How to Defend Against Phishing Attacks

Cybercriminals are constantly developing new methods for distributing malware and stealing credentials, and phishing is the most common way to do this. Defending against these attacks requires a defense-in-depth approach, involving multiple overlapping layers of protection. If anyone measure fails to detect a threat, others are in place to detect and block the threat.

In addition to a secure email gateway or spam filter, businesses should consider a web filter for blocking the web-based component of the attack, multifactor authentication for all accounts, antivirus software/endpoint security solutions, and security awareness training for employees to help them identify and avoid phishing threats. For assistance improving your defenses against phishing, contact TitanHQ.

ChatGPT Used to Create Convincing Phishing Lures and New Malware

Toward the end of 2022, a new AI-based chatbot was made available to the public which has proven popular for creating written content. Concern is now growing about the potential for the tool to be used by cybercriminals for creating new phishing lures and for rapidly coding new malware.

ChatGPT was developed by OpenAI and was released on 30 November 2022 to the public as part of the testing process. Just a few days after its release, the chatbot had reached a million users, who were using the tool to write emails, articles, essays, wedding speeches, poems, songs, and all manner of written content. The chatbot is based on the GPT-3 natural language model and can create human-like written content. The language model was trained using a massive dataset of written content from the Internet and can generate content in response to questions or prompts that users enter into the web-based interface.

While articles written using the chatbot would be unlikely to win any awards, the content is grammatically correct, contains no spelling mistakes, and in many cases is far better than you could expect from an average high school student. One of the problems is that while the content may superficially appear to be correct, it is biased by the data it was trained on and may include errors. That said, the generated content is reasonable and sufficiently accurate to pass the Bar exam for U.S. lawyers and the US Medical Licensing exam, although only just. It is no surprise that many school districts have already implemented bans on students using ChatGPT.

To get ChatGPT to generate content, you just need to tell it what you want to create. It is no surprise that it has proven to be so popular, considering it is capable of writing content better than many humans could. While there are many benefits from using AI for chatbots that can create human-like text, there is growing concern that these natural language AI tools could be used for malicious purposes, such as creating social engineering scams and phishing and business email compromise attacks.

The potential for misuse has prompted many security researchers to put ChatGPT to the test, to see whether it is capable of generating malicious emails. The developer has put certain controls in place to prevent misuse, but those controls can be bypassed. For instance, asking ChatGPT to write a phishing email will generate a message saying the request violates the terms and conditions, but by experimenting with the queries it is possible to get the chatbot to generate the required content.

Further, it is possible to write a phishing email and spin up many different combinations that are all unique, grammatically correct, and free from spelling errors. The text is human-like, and far better than many of the phishing emails that are used in real phishing campaigns. The rapid generation of content has allowed security researchers to spin up an entire email chain for a convincing spear phishing attack. It has also been demonstrated that the technology can be rapidly trained to mimic a specific style of writing, highlighting the potential for use in convincing BEC attacks. These tests were conducted by WithSecure prior to public release and before additional controls were implemented to prevent misuse, but they continued their research after restrictions were added to the tool, clearly demonstrating the potential for misuse.

The potential for misuse does not stop there. The technology underlying the chatbot can also be used to generate code and researchers have demonstrated ChatGPT and its underlying codex technology are capable of generating functional malware. Researchers at CyberArk were able to bypass the restrictions and generated a new strand of polymorphic malware, then were able to rapidly generate many different unique variations of the code. Researchers at Check Point similarly generated malicious code, in fact, they generated the full infection process from spear phishing email to malicious Excel document for downloading a payload, and the malicious payload itself – a reverse shell.

At present, it is only possible to generate working malicious code with good textual prompts, which requires a certain level of knowledge, but even in its current form, the technology could help to rapidly accelerate malware coding and improve the quality of phishing emails. There are already signs that the tool is already being misused, with posts on hacking forums including samples of malware allegedly written using the technology, such as a new information stealer and an encryptor for ransomware.

With malicious emails likely to be generated using these tools, and the potential for new malware to be rapidly coded and released, it has never been more important to ensure that email security defenses are up to scratch. Email security solutions should be put in place that are capable of detecting computer-generated malware. SpamTitan includes signature-based detection mechanisms for identifying known malware but also sandboxing to identify new malware based on behavior, as well as machine learning mechanisms for detecting zero-day phishing threats. TitanHQ also recommends implementing multifactor authentication, web filtering for blocking access to malicious websites, and security awareness training for employees. The quality of phishing emails may get better, but there will still be red flags that employees can be trained to recognize.

HR Departments Spoofed in Phishing Campaigns Targeting Professionals

This month has seen an increase in phishing campaigns targeting professionals purporting to be messages from Human Resources advising them about salary increases, promotions, updates to policies and procedures, and other annual updates. The start of the year typically sees the HR department issue updates to employees, including notifications about changes to employee benefits, proposed pay rises, and annual updates to policies and procedures. It is therefore no surprise that cybercriminals are taking advantage of the increase in HR communications and have adopted lures related to these start-of-year messages. Several campaigns have been detected this month that have targeted employees and used HR-related lures.

The emails have realistic subject lines, appear to have been sent internally, and have lures that are likely to prompt a quick response. Messages about changes to employee benefits, pay rises, and promotions are likely to be opened by employees quickly without thinking, as are other notifications from the HR department such as updates to internal policies. Phishing simulation data shows that these types of emails have some of the highest click rates.

These emails include a combination of attachments and hyperlinks. One campaign claimed to include important information about a new benefits package and required employees to open an attached .shtml file. The email claimed employees needed to review and digitally sign the document to acknowledge receipt. In this case, opening the attached file would load a local copy of a phishing page, which generated a fake Microsoft 365 login prompt in the user’s browser. The user’s email address is populated as the username, and they are required to enter their password. The user is told that their password must be entered as they are accessing sensitive internal information.

These phishing emails may be sent from external email addresses and spoof the HR department, but internal email accounts compromised in previous phishing attacks are often used, adding to the realism of the campaign and making it harder for email security solutions to detect the emails as malicious. It is common for these campaigns to include malicious hyperlinks rather than attachments, where the user is directed to a phishing page that mimics the domain of the organization or a well-known, unrelated company. In one campaign, a healthcare organization was impersonated in an email purporting to provide details of updated medical benefits for employees. One campaign involved notifications about changes to the employee security awareness training program for the new year.

Phishing is one of the most common tactics used by cybercriminals to gain initial access to business networks. The campaigns are easy to conduct, requiring little effort by the attackers, and they are often effective. Simply opening a malicious attachment and enabling the content to view the document is all that is needed to install malware, and if a user can be convinced to disclose their Microsoft credentials, the attacker can gain access to all associated Microsoft applications, including Email, OneDrive, Teams, and SharePoint, giving them the foothold they need for conducting a more extensive attack and access to a considerable amount of sensitive company data.

Cybercriminals mimic the types of emails that employees are likely to receive at different times of the year. Over the next few weeks, it is likely that there will be an increase in phishing campaigns targeting tax professionals, and phishing campaigns targeting individuals that use tax-related lures, such as notifications about tax returns, tax rebates, and unpaid tax as tax season gets into full swing.

Businesses need to take steps to block these attacks. While antivirus software and a spam filter were once effective and could block the vast majority of email-based attacks, phishing is becoming increasingly sophisticated and the speed at which new, previously unseen malware variants can be created and released means these defenses are no longer as effective as they used to be.

To block more phishing attempts, businesses need to adopt a defense in-depth approach. In addition to antivirus/endpoint detection software and an advanced spam filter, they should consider adding a web filter to block access to the web-based component of phishing attacks and block malware downloads from the Internet. Multi-factor authentication should be implemented for accounts, although phishing kits are now being used that can bypass MFA. While any form of MFA is better than nothing, phishing-resistance MFA is ideal and should be implemented, which is based on FIDO standards and provides a much greater level of protection.

While it is the responsibility of organizations to block malicious emails and prevent them from reaching employees, it is inevitable that some will be delivered. It is therefore important to also provide security awareness training to employees to train them how to identify and avoid phishing attempts. Security awareness training combined with phishing simulations, such as those provided by TitanHQ through the SafeTitan platform, are proven to reduce susceptibility to phishing attacks.

Failure to Block Phishing Attack Results in HIPAA Fine

Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). PHI is individually identifiable information that relates to the past, present, or future health of an individual or payment for healthcare. The security safeguards are detailed in the HIPAA Security Rule and compliance is enforced by the Department of Health and Human Services’ Office for Civil Rights and state Attorneys General. When there is a data breach involving PHI, OCR investigates. Investigations are also commonly conducted by state attorneys general to determine if a data breach was the result of a failure to comply with HIPAA.

OCR and state attorneys general understand that it is not always possible to prevent data breaches. Many data breaches are reported each year that are investigated, and the cases are closed because the covered entities have implemented appropriate security measures, only for them to be bypassed. However, when insufficient measures are put in place to safeguard PHI, financial penalties are typically imposed.

The HIPAA Security Rule does not provide a list of security measures that must be implemented to block phishing attacks, as HIPAA was developed to be flexible. HIPAA-covered entities should conduct a risk analysis and reduce risks to a low and acceptable level using a range of measures and by adopting recognized security practices. HIPAA specifies access controls as a security safeguard, which involves the use of strong passwords and ideally multifactor authentication. HIPAA-covered entities must also stay abreast of recently disclosed vulnerabilities and make sure that patches are applied and software is updated to the latest version. The HIPAA Security Rule also calls for security awareness training to be provided to the workforce, and while the frequency of training is not specified, OCR has explained in its cybersecurity newsletters that the program should cover new and current threats and that the training program should be continuous, rather than providing a once-a-year training session.

Recently, Avalon Healthcare, a provider of skilled nursing and assisted living facilities, discovered that the failure to implement appropriate defenses to block phishing attacks is grounds for a financial penalty for non-compliance with the HIPAA Security Rule. After being notified by Avalon Healthcare that email accounts containing the PHI of 14,500 individuals had been accessed by unauthorized individuals, the Oregon and Utah Attorneys General launched an investigation to determine whether non-compliance with the requirements of HIPAA was a factor. The investigation was triggered by a very late breach report, which was 10 months after the phishing attack was detected when data breaches must be reported within 60 days. In addition to determining that the delay violated HIPAA and state laws, the investigation revealed a lack of security safeguards for combatting phishing.

Avalon Healthcare chose to settle the case and paid a $200,000 financial penalty and agreed to adopt a comprehensive information security program that includes email filtering and training for all members of the workforce on phishing and social engineering identification and avoidance, including conducting phishing simulations on the workforce. Had a comprehensive training program been in place, it is possible that the phishing attack would have been detected and avoided.

TitanHQ understands the importance of providing training to the workforce which is why a security awareness training solution has been added to the product portfolio. SafeTitan is a comprehensive training solution for businesses of all sizes that covers all aspects of security, including training employees to recognize phishing, social engineering, and other cyber threats. The platform also includes a phishing simulator for creating and automating phishing simulations on the workforce. SafeTitan security awareness training and phishing simulations have been shown to reduce the susceptibility of the workforce to phishing attacks by up to 80%, and will help to ensure that HIPAA-regulated entities comply with the security awareness training requirements of the HIPAA Security Rule.

If you do not currently provide ongoing security awareness training to your workforce, contact TitanHQ to find out more about the difference this will make to your security posture and how easy it is to provide training through the SafeTitan platform. Like all TitanHQ cybersecurity solutions, SafeTitan is available on a free trial to allow businesses to see for themselves how easy the platform is to use.

Cybercriminals Use Facebook Posts to Bypass Phishing Defenses

Cybercriminals are constantly coming up with new tactics for stealing credentials and other sensitive information. Phishing is one of the main ways that this is achieved, but most businesses have spam filters that block these malicious messages. If a phishing email is developed that can bypass email security measures and land in the inboxes of a business, there is a good chance that the emails will be clicked and at least some accounts can be compromised.

Spam filters such as SpamTitan incorporate a range of advanced measures for detecting phishing emails, including reputation checks of IP addresses, analyses of the message headers and bodies, and machine learning algorithms are used to determine the probability that an email is malicious. Dual anti-virus engines are used for detecting known malware, sandboxing is used to detect zero-day malware threats by analyzing the behavior of files, and hyperlinks in emails are scanned to determine if they are malicious.

To bypass email security solutions, threat actors may link a legitimate website in an email, such as providing a URL for SharePoint, Google Drive, Dropbox, or another legitimate platform. These URLs are more difficult to identify as malicious as these websites pass reputation checks. Malicious URLs on these platforms are often reported and are then blocked by email security solutions, but the URLs often change and are never used for long.

A campaign has recently been detected that uses this tactic and attempts to direct users to the genuine site, with the phishing emails containing a link to a Facebook post. The phishing email comes from a legitimate-looking domain – – and warns the user that some of the features of their Facebook account have been deactivated due to copyright-infringing material. Like many phishing emails, the user is told they must take urgent action to prevent the deletion of their account. In this case, they are threatened with the deletion of their account if there is no response within 48 hours.

A link is supplied to a post on that the user is required to click to appeal the decision. The post masquerades as a support page from Facebook Page Support, which provides a link to an external webpage that the user is required to click to “Appeal a Page Copyright Violation”. The URL includes the name of Facebook’s parent company, Meta, although the domain is actually – A domain that is not owned by Meta or Facebook. URL shortening services are used in these campaigns to hide the true URL.

If the user clicks the link they will be directed to a page that closely resembles the genuine Facebook copyright appeal page. In order to appeal the decision, the user must complete a form that asks for their full name, email address, phone number, and Facebook username. If that information is submitted through the form, geolocation information is also collected along with the user’s IP address, and the information is sent to the scammer’s Telegram account.

The next stage of the scam sees the user redirected to another page where they are asked to provide a 6-digit one-time password, which they are told is required when a user attempts to sign into their account from a new device or browser. This is a fake 2-factor authentication box, and if the user enters any 6-digit code it will produce an error, but the code entered will be captured by the attacker. The user will be directed to the genuine Facebook site if they click the “need another way to authenticate?” option on the page.

Campaigns such as this highlight the importance of layered defenses. Spam filters are effective at blocking the majority of spam and phishing emails, but some messages will bypass spam filters and will be delivered to inboxes. One of the best ways to augment your phishing defenses is to provide security awareness training to your workforce, and this is key to combatting new phishing tactics such as this Facebook phishing scam.

Employees should be taught how to identify phishing attempts and what to do if a potentially malicious email is received. In addition to providing training, phishing simulations should be conducted on the workforce to give employees practice at identifying phishing threats while they are completing their usual work duties. If a simulation is failed, the employee can be told what went wrong and how they could identify similar threats in the future.

TitanHQ offers businesses a comprehensive security awareness training and phishing simulation platform called SafeTitan. The platform includes an extensive range of training content on all aspects of security, and a phishing simulation platform with hundreds of phishing templates taken from real-world phishing attacks. SafeTitan automates the provision of training and is the only behavior-driven security awareness training platform that delivers intervention training in real-time in response to security mistakes by employees, ensuring training is provided at the time when it is likely to be most effective at changing employee behavior.

Godfather Malware Targets More Than 400 Financial Institutions

A new variant of the Android banking Trojan, Godfather, has been detected with the latest version of the malware being used to target more than 400 financial institutions worldwide, including 215 international banks, 110 cryptocurrency exchanges, and 94 cryptocurrency wallets in at least 16 countries including the United States, Canada, United Kingdom, Spain, France, and Germany.

Godfather malware is thought to have evolved from the Anubis banking Trojan, and while it was first detected 18 months ago, it has been rarely used until recently. The malware was only distributed in low volume during its first year, then it disappeared entirely in June 2022, suggesting the developers were working on a new version. That new version was released in September 2022.

While banking Trojans can have quite extensive functionality, their primary purpose is to steal the login credentials for financial institutions, which they usually obtain by generating fake login pages for the institutions that they target. What makes Godfather malware stand out is the number of financial institutions that are targeted. When installed on a device, Godfather malware will generate a fake login page when a user attempts to use the app of a targeted bank or cryptocurrency exchange. These fake login pages are overlays, that are displayed on top of the legitimate targeted app. The fake login page created by the malware will capture the user’s credentials when they are entered.

Most financial institutions have additional authentication requirements and no longer rely on a username and password for granting access. Banking Trojans therefore need to have the capability to bypass these additional authentication measures if they are to be successful. Godfather malware achieves this by masquerading as Google Play Protect and attempts to get the user to grant it accessibility rights, which allows the app to log keystrokes and also read SMS messages and perform screen captures. Those rights will allow the malware to capture the necessary information to bypass multi-factor authentication and other security features. Once credentials and other login information are harvested, accounts are accessed and emptied.

The new version of the malware was detected and analyzed by security researchers at Group-IB, who believe the malware was developed by Russian speakers, as the malware has a kill switch that will deactivate it if it detects any of the languages in former Soviet states, apart from Ukraine. The researchers believe that Godfather malware has been created for use under the malware-as-a-service model, where the developers offer the malware to a range of threat actors for a fee, allowing them to steal login credentials for financial accounts without having to develop their own malware.

Since multiple threat actors will likely be using the malware, the vectors used to distribute the banking Trojan will likely be diverse. As was the case with Anubis, one of the distribution methods is via decoy applications in the Google Play store. Godfather malware is more advanced than its predecessor and it is thought that it will grow into a major threat and will likely be modified further to target even more financial institutions.

UK Cyber Security Agency Makes Recommendations for Businesses to Combat Phishing

Phishing is one of the most common ways that cybercriminals attack businesses. Phishing is used to install malware and steal credentials, both of which will provide them with initial access to the network. Since phishing targets individuals, one of the most important steps to take to prevent phishing attacks is to provide security awareness training to the workforce.

Employees should be warned about the risk of phishing attacks and taught what to look for to help them identify, avoid, and report phishing threats. Training alone is not the answer though, as employees need practice at identifying phishing. Phishing simulations should therefore be conducted. These are realistic but fake phishing emails that are sent to all members of the workforce, the responses to which are tracked. When a user fails a phishing simulation, they can be provided with relevant training to help them identify similar threats in the future and to correct any risky behaviors. The combination of security awareness training and phishing simulations – both of which are provided through SafeTitan – can reduce susceptibility to phishing attacks by up to 80%.

Security awareness training should teach employees the red flags that indicate a phishing attempt. Employees should also be encouraged to report phishing attempts to their security team, as there is a good chance that the phishing email will not be the only such threat in the email system. When these threats are reported, security teams can remove all other copies of that message from the email system, thus preventing other users from being exposed to the threat. It is also important to encourage users to report phishing threats that they have responded to, as the faster the security team is made aware of a clicked link or file download, the faster mitigations can be implemented to reduce the harm that can be caused.

One problem for businesses is employees are often fearful of reporting responses to phishing emails due to the potential for negative repercussions, such as disciplinary action. If reporting is delayed, then mitigations are also delayed, which can potentially have serious consequences. The UK’s National Cyber Security Centre (NCSC) has recently suggested that in order to address this issue, businesses need to change their mindset. At many businesses, employees are made to feel that it is their responsibility to identify and avoid phishing attempts when the reality is it is the responsibility of the employer to block threats by implementing a range of technical controls. Employees should be trained on how to identify phishing attempts of course, but in order to develop a strong reporting culture, employees must not be made to think that a failure to avoid a phishing threat is their fault. The NCSC also takes issue with the commonly provided advice that employees should not click hyperlinks in unsolicited emails as, in many cases, that is actually a requirement of their job.

Technical Recommendations for Protecting Against Phishing Attacks

So how should businesses combat phishing? What technical measures should be implemented to improve defenses and make it much harder for phishing attacks to succeed? TitanHQ has long recommended what the NCSC suggests, and that is phishing prevention requires a defense-in-depth approach, where multiple overlapping layers of protection are implemented. This is vital, as no single anti-phishing measure will be 100% effective, 100% of the time.

The NCSC recommends multiple technical measures, the most important of which are a spam filtering solution that scans all inbound emails for phishing signatures and the setting of DMARC and SPF policies, as these are effective at blocking the majority of phishing threats. TitanHQ’s SpamTitan solution incorporates DMARC, DKIM, and SPF for blocking phishing threats, machine learning for identifying zero-day threats, as has constantly updated blacklists of malicious IP addresses and domains. SpamTitan also has a sandbox for deep behavioral inspection of attachments, in addition to dual anti-virus engines.

The NCSC also recommends implementing web proxies or web filters to prevent employees from accessing malicious websites linked in phishing emails. SpamTitan Plus rewrites URLs in phishing emails and follows them, providing protection against these malicious links. The WebTitan DNS filter will block access to known malicious websites and will also prevent downloads of malicious or risky files from the Internet, such as executable files – another recommendation of NCSC.

While not often considered by businesses as a phishing prevention measure, a password manager does provide a degree of protection against phishing attacks that harvest credentials, so businesses should provide one for their employees to use and they should encourage employees to use it. Password managers suggest strong passwords and then autofill them when they are required. Since the password is tied to a specific URL or domain, if a user lands on a phishing site that spoofs a brand, the password manager will not auto-fill the password, since the URL/domain is not associated with that password. It is also important to ensure that multi-factor authentication is enabled.  Ideally,  businesses should opt for passwordless authentication with a FIDO token.

Additional safeguards that should be considered include allow-listing to prevent executable files from running from any directories that users can write them and configuring the Registry to ensure that dangerous scripting or file types are opened in Notepad and are not executed.  NCSC also recommends using PowerShell in constrained mode, script signing, disabling the mounting of .iso files on endpoints, locking down the macro settings, and only allowing users to enable macros if they need to do so for their job. Businesses should also stay up to date on the latest threats and ensure that mitigations are implemented against those threats and that they are incorporated into security awareness training programs, as TitanHQ does with SafeTitan.

By implementing all of these mitigations and adopting a defense-in-depth approach it becomes less important that employees can recognize and avoid threats, although training is still important because one or more of the above measures may fail. Businesses should also avoid punishing employees for failing to identify phishing attempts, as that is likely to create a culture of fear rather than a culture of reporting threats.

TitanHQ can help businesses significantly improve their defenses and implement many of the NCSC recommendations for combatting phishing. For more information on TitanHQ solutions, give the team a call today, or take advantage of the free trials on all TitanHQ products.

Essential Security Layers for Preventing Phishing Attacks

Phishing is one of the most effective ways of gaining initial access to business networks, either by stealing credentials or installing malware. Phishing exploits human weaknesses and involves tricking individuals using social engineering into taking a certain action, such as visiting a website where they are asked for sensitive information or opening a file that contains malicious code.

One of the best defenses against phishing attacks is a spam filter. A spam filter will scan all incoming (and often outbound) emails looking for the signatures of spam and phishing. Suspect messages are quarantined pending a manual review and rules can be set for confirmed phishing emails, which is often to delete the messages or quarantine them for further investigation. Spam filters will prevent the majority of malicious emails from reaching inboxes, but crucially, not all. Some malicious messages will bypass the spam filter and will land in inboxes, no matter what spam filtering solution you use.

Advanced spam filters such as SpamTitan provide several layers of protection against spam, phishing, and malware but even advanced spam filters are not sufficient on their own to combat phishing. Cybercriminals are now conducting highly sophisticated attacks, so further layers need to be added to your defenses. A web filter is recommended for blocking access to the URLs linked in phishing emails. Spam filters may check links in emails, but these may be made malicious after emails are delivered. A web filter provides time-of-click protection against malicious links. Web filters can also be configured to block certain file downloads from the Internet.

To protect against credential theft, businesses should consider providing a password manager to their employees. Phishing attacks that seek credentials usually direct users to a spoofed website, such as a site with a fake Microsoft login prompt for stealing Microsoft 365 credentials. Employees are often fooled by these scams as the phishing sites look exactly the same as the brands they spoof. Password managers provide some protection. When a password is added to the password vault, it is associated with a specific URL or domain. If the user lands on that URL or domain, the password manager will autofill the password. If the user lands on an unrelated domain, the password will not be filled as the URL or domain is not associated with that password. That serves as a warning that the URL has not been visited before.

Sometimes, employees will be fooled and will disclose their login credentials. This is where multi-factor authentication helps. With multi-factor authentication enabled, compromised passwords will not grant access to accounts unless an additional factor is provided. Since phishing kits are in use that are capable of intercepting MFA codes, the choice of MFA is important. For the best protection use phishing-resistant MFA, which is based on FIDO authentication.

By implementing all of the above technical measures, businesses will be well protected against phishing attacks, but that does not mean it is not necessary to provide security awareness training to the workforce. Security awareness training forms the final layer of protection and prepares employees for the threats they are likely to encounter. Security awareness training teaches employees about phishing, malware, business email compromise, and other cyber threats, and explains best practices and why they are essential for security. The goal of security awareness training is to create a security culture where all employees are aware that they play a role in the security of their organization and to develop a reporting culture where the IT department is made aware of any threats that bypass defenses. That allows the IT department to tweak security solutions to make sure similar threats are blocked in the future.

Security awareness training should be accompanied by phishing simulations. These simulated phishing attacks identify weaknesses that can be addressed. That may be a gap in the training content or an individual who has not understood the training. Simulations allow gaps to be proactively addressed before they are exploited in real cyberattacks. Simulations also help to keep training fresh in the mind and give employees practice at identifying cyber threats.

TitanHQ can help your business to improve defenses against phishing and cyberattacks through layered defenses provided by SpamTitan email security, WebTitan web filtering, and SafeTitan security awareness training. For more information on improving your phishing defenses, give the TitanHQ team a call.

Use International Computer Security Day to Improve the Security Awareness of your Workforce

Today is International Computer Security Day – A day when the focus is on improving cybersecurity and ensuring all computers and electronic devices are appropriately secured against the increasing number of cyber threats. It has only been 30 days since the end of Cybersecurity Awareness Month, but International Computer Security Day serves as a reminder of the importance of cybersecurity.

International Computer Security Day was the brainchild of the Association for Computer Machinery (ACM), which created this national day of recognition to raise public awareness of the importance of computer security. The first International Computer Security Day was in 1988 when computers were first starting to become widely used by businesses and governments, although were yet to become popular in homes, and a year before the world wide web came into existence. Fast forward 45 years, and not only are computers used extensively in homes, but devices are also now carried in pockets that are around 1,000 times faster than the Cray-2 supercomputer of the mid-80s!

The purpose of International Computer Security Day is to raise awareness of the need to secure all computers, whether they are PCs, laptops, smartphones, or IoT devices, and to empower users of these devices to secure their digital presence. International Computer Security Day is also an ideal time for businesses to take stock of their cybersecurity defenses and assess areas where improvements can be made, and to take the day to improve the awareness of employees and reemphasize the importance of cybersecurity in the workplace.

International Computer Security Day and Cybersecurity Awareness Month are concerned with raising awareness of cybersecurity and its importance for all individuals whenever they use their computer or access the Internet, not just during these national days and months of recognition, but throughout the year. Businesses can raise awareness at these times, but cybersecurity needs to be an ongoing conversation. Security awareness training programs should be running continuously throughout the year if they are to be truly effective.

Running a once-a-year training session for the workforce on computer security is useful, but these classroom-based training sessions have their limitations. A more effective strategy for security awareness training is to run computer-based training courses continuously, with training modules completed regularly throughout the year. If you choose a training platform that delivers training in short modules lasting no more than 10 minutes, these can easily be completed by employees without disrupting workflows. 2-3 three modules completed by each employee every month will only take up 20-30 minutes of their time, but this is likely to be far more effective than a 2-hour training session once a year at helping you to develop a security culture in the workplace, where employees stop and think about security before taking any action on a computer.

An even more effective way of training is to use a training platform that provides intervention training. The most effective training is provided instantly when a mistake is made, such as when an employee responds to a phishing email, saves sensitive data in an insecure location, or engages in any other risky cyber behavior. With the right training platform in place, when employees engage in these behaviors, the platform instantly sends them the relevant snippet of the company policy, along with a short training module relevant to that behavior or threat. This is important for correcting that behavior, as in many cases, the employee in question will not be aware that they have made a mistake. Don’t provide intervention training and that risky behavior is likely to be repeated.

SafeTitan from TitanHQ is a comprehensive security awareness training platform for businesses that has been proven to improve the security awareness of employees and reduce risky cyber behaviors and susceptibility to all common cyber threats. The platform is the only behavior-driven training platform to provide intervention training to employees in real time in response to risky behaviors and security mistakes. The platform automates the provision of that training to reduce admin time and ensures consistent and repeatable training is delivered.

The SafeTitan platform also includes a phishing simulator, for sending realistic dummy phishing emails to the workforce. These are proven to reinforce training by giving employees experience at recognizing and responding correctly to phishing threats. Through SafeTitan security awareness training, intervention training, and phishing simulations, staff susceptibility to phishing threats, ransomware, malware, BEC attacks, CEO spoofing is reduced by up to 92%.

If you want to make a real difference and greatly improve your human defenses, this International Computer Security Day take advantage of the free trial of SafeTitan and sample the training content and see for yourself how easy the platform is to use. Start using SafeTitan and Next International Computer Security Day your company will have a much stronger security posture and will be significantly more resilient to cyber threats.

TitanHQ Ranks 45th in the 2022 Deloitte Technology Fast 50 Awards

Growth at TitanHQ has been tremendous over the past two years thanks to a sizable investment from the UK private equity firm, Livingbridge, in 2020, and the release of new cybersecurity solutions to better meet the needs of SMBs, enterprises, and the MSPs that serve them. TitanHQ has released SpamTitan Plus, which builds on the strong performance of SpamTitan Cloud and delivers industry-leading protection from phishing along with the security awareness training and phishing simulation platform SafeTitan – The only behavior-driven security awareness training platform that delivers security awareness training in real-time in response to security mistakes by employees.

For many years, TitanHQ has been enjoying strong organic year-on-year growth, and over the past couple of years has significantly expanded its footprint in the United States, helped by several strategic new hires and a new office in Shelton, Connecticut, staffed by a highly experienced team. That growth has recently been recognized by Deloitte, which has ranked TitanHQ as the 45th fastest-growing company in Ireland at the 2022 Deloitte Technology Fast 50 Awards. This is the second year in a row that TitanHQ has made the Top 50. The 2022 Deloitte Technology Fast 50 Awards is one of the most prestigious award programs for technology companies in Ireland and has been running for 23 years. The positions calculated by Deloitte are based on the previous four years of revenue growth.

“As the business environment becomes more complex, the Irish technology sector has shown great resilience and tenacity. This year’s ranking shows growth across a broad range of sectors with companies coming up with innovative solutions to address changing consumer and business demands while faced with adversity,” said David Shanahan, Partner, Deloitte. “It’s also encouraging to see so many new entrants, including seven in the top ten. Despite the challenges of late, the Irish indigenous tech sector continues to succeed.”

Combined, the top 50 companies in the list have generated more than €500 million in revenue, averaging €10 million per company, and in 2021 employed more than 5,500 people. The average growth rate for all companies was 594%. This year there were 17 companies that made it into the top 50 for the first time, with 7 of those companies ranking in the top 10. 8 Irish counties and all four provinces are represented in the list, and this year has seen an increase in the number of companies with female CEOs. 7 of the 50 companies are led by women.

“Organic year-on-year growth and recent significant investment have turbocharged TitanHQs growth. This has allowed TitanHQ to accelerate ambitious growth plans through increased investment in product development – and in people,” TitanHQ’s CEO, Ronan Kavanagh.


The Emotet Botnet is Back with a Large-Scale Phishing Campaign

This month has seen a return of the Emotet botnet after a 4-month period of inactivity, with a high-volume email campaign identified that is increasing the size of the botnet. Emotet started life as a banking Trojan but has been updated over the years to add new functionality. Devices infected with Emotet are added to the botnet and can be used for a variety of purposes, but one of the main functions of Emotet is as a malware dropper, delivering additional malicious payloads on devices once the botnet operator has achieved their own goals. Currently, Emotet is being used to drop a new variant of the IcedID loader. IcedID is a banking Trojan that is similarly used to drop other malware variants.

Emotet is primarily spread via phishing emails, with the campaigns typically consisting of hundreds of thousands of emails a day. The lures used in these messages are often changed, but the threat actor behind Emotet tends to opt for traditional lures such as IRS notifications and business-themed emails. The Emotet Trojan is able to hijack message threats from infected devices and reply, including a copy of itself in the emails. Since the emails come from a genuine email account and appear to be a response to a past conversation, the probability of the recipient opening the email and attachment is all the greater.

The emails in the latest campaign still use XLS attachments with Auto_Open macros to deliver the malicious payload, despite Microsoft disabling macros in files delivered via the Internet. In some of the emails, the .xls file is directly attached to the email, although it is commonly included in a .zip file. The zip files are often password-protected to prevent them from being scanned by email security solutions, with the password – and often little else other than the file name and a signature – included in the message body.

To get around Microsoft’s macro protections, the user is advised when they open to the .xls file to copy the file to a whitelisted directory and reopen it. The user is told this is a necessary requirement of their security policy to be able to view the contents of the file, with instructions provided for different Microsoft Office versions. By copying the file to the suggested location and then reopening it, Microsoft’s protections will not be applied, and the macro will be able to run. The latest campaign is predominantly targeting the United States, although it is likely that the campaign will be expanded to target other geographical regions.

Defending against Emotet requires a combination of measures. While email security solutions such as SpamTitan can detect and block Emotet phishing emails, a defense-in-depth approach is recommended that includes comprehensive security awareness training for the workforce and more advanced endpoint detection solutions than standard antivirus software.

TitanHQ offers security awareness training and phishing simulations through the SafeTitan platform which trains employees how to recognize the phishing emails that are being used to deliver Emotet. The phishing simulator includes real-world examples of the types of emails that the gang uses to trick employees into installing Emotet.

For further information on improving your defenses against Emotet and other email threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are available on a free trial to allow you to test them for effectiveness and usability before making a decision about a purchase.

StrelaStealer Malware Distributed via Email and Targets Outlook and Thunderbird Credentials

A new malware variant called StrelaStealer has been identified that is being distributed via email that targets credentials for two of the most popular email clients: Outlook and Thunderbird. This previously unknown malware was first identified earlier this month, and so far, has been used to target Spanish speakers.

The campaign was identified by security researchers at DCSO CyTec. The intercepted emails have an ISO (optical disc image) file attachment. These files contain all the data that would normally be written to an optical such as a CD, DVD, or Blu-ray disc, sector by sector, with the content bundled into a single file.

One of the files analyzed by the researchers contained an executable file that sideloads the malware contained in the ISO file via DLL order hijacking. The ISO file also contains a .lnk file and polyglot file. A polyglot file can be treated as several different file formats depending on the application that opens it. In this case, the polyglot file is an x.html file, which is both an x.html file and a DLL program that loads StrelaStealer malware. Execution sees the malware loaded in the memory and simultaneously a decoy document is displayed in the web browser while the malware is executed.

Interestingly the malware does not target browser data, cryptocurrency wallets, and other data commonly obtained by information-stealing malware. Instead, it searches for the %APPDATA%\Thunderbird\Profiles directory looking for login.json and key4.db. The former contains the account and password, and the latter is the password database. Both are then exfiltrated to the attacker’s command and control server.

The malware also searches the Windows Registry and retrieves the Outlook software key, and locates the IMAP User, IMAP Server, and IMAP password values. The passwords for Outlook are encrypted, but the malware uses the CryptUnprotectData function of Windows to decrypt the data before exfiltrating the decrypted data to the C2 server

Cybercriminals are constantly developing new techniques for distributing malware. Security awareness training typically focuses on raising awareness of the most common methods of malware delivery, such as Office files containing malicious macros. Since employees are likely to be much less familiar with ISO files, they may not identify these emails as malicious, or may not report them to their security teams due to the decoy document that is displayed, in the belief that nothing untoward has happened.

To improve protection against campaigns such as this, businesses should consider configuring their email security solution to quarantine emails containing risky file attachments such as executable files, and also configure their web filter to block downloads of these file types from the Internet. That is a simple process with SpamTitan Email Security and the WebTitan web filter.

IceXLoader Malware Phishing Campaign Targets Corporate Devices

A new phishing campaign has been detected that is being used to distribute a relatively new malware threat called IceXLoader. The malware was first identified in the summer and is being actively developed, with version 3.3 of the malware being distributed in the latest campaign. The malware appears to be a work in progress, with the latest version of the malware having enhanced functionality and a new method of installation is now being used. While it has only been distributed for a few months, it already represents a significant threat.

As the name suggests, IceXLoader is a malware dropper that is designed to deploy additional malicious payloads on infected devices. This could include additional tools to help the operators of the malware achieve their aims or it could be offered to a range of threat actors under the malware-as-a-service model for delivering information stealers, ransomware, and other malicious payloads. The malware was first identified by researchers at Fortinet, who named the malware IceXLoader due to the presence of ICE_X strings in samples of the malware code.

The malware is delivered via phishing emails with a .zip compressed file attachment, which contains the first stage extractor. If allowed to run, this will create a new hidden folder in C:\Users\<username>\AppData\Local\Temp, and will then drop and execute the second stage executable file, which creates a new registry key and deletes the temporary folder. The second stage executable downloads a PNG file from a hardcoded URL, and converts it into an obfuscated DLL file, which is IceXLoader. The dropper will perform checks to see if it is running in a virtual environment and will wait 35 seconds before executing IceXLoader to avoid sandbox detection. IceXLoader will collect a variety of information about its host, will connect to its command-and-control server and exfiltrate that information, and will then drop additional malicious payloads.

The malware is capable of evading Windows Defender and other anti-malware programs to prevent scanning of the folder where IceXLoader resides. Researchers at Minerva Labs note that the exfiltrated data is freely accessible on the C2 server, so the threat actors are currently not interested in securing the stolen data.

Due to the ability of the malware to evade traditional antivirus software solutions, the key to blocking this threat is implement next-generation endpoint detection solutions that are able to identify malware by their behavior, and ensure that strong, multi-layered anti phishing defenses are implemented to block the initial phishing emails, including an advanced spam filter for blocking the email and web filtering technology to prevent downloads of malicious files from the Internet.

It is also important not to neglect the human element of defenses. Security awareness training for the workforce will go a long way toward preventing these and other email-based attacks from succeeding, by teaching employees email security best practices.

DHL is the Most Spoofed Brand in Phishing Attacks

Phishing attempts are often very convincing as the emails mimic trusted brands, include their logos and color schemes, and the message format is often copied from genuine company messages. The most commonly spoofed brands are well-known companies that have millions of customers, which increases the chances of the message landing in the inbox of a person who has, at least at some point in the past, used that company’s products or services.

Every quarter, Check Point releases its Brand Phishing Report, which highlights the latest phishing trends and the brands being impersonated most often. LinkedIn, Microsoft, Google, and Netflix are regulars in the top 10 List, with LinkedIn being the most commonly spoofed brand in phishing attacks in the first half of the year; however, the top spot has now gone to the German logistics and package delivery firm, DHL.

DHL accounted for 22% of all worldwide phishing attempts in Q3, 2022. DHL itself issued a warning to customers in July after the company became aware that it was being spoofed in a massive phishing campaign that was being conducted globally. It is probable that DHL will remain in the top spot in Q4 due to the increase in online purchases in the run-up to Christmas.

While there is some variation in the phishing emails impersonating DHL, one of the most common appears to have been sent by DHL Express and alerts the recipient about an undelivered package. The message warns that it will not be possible to attempt redelivery of the package unless delivery information is confirmed. The phishing emails include a link to a website to allow that information to be provided; however, the link directs the user to a website where they are required to log in and provide their name, username, password, and other sensitive information, such as payment details.

While email phishing is the most common form, DHL has been spoofed in SMS messages that achieve the same purpose. Of course, SMS messages are not subject to spam filtering controls and mobile devices are less likely to be protected by web filters, which can detect and block attempts to visit malicious websites. SMS phishing – termed smishing – has been growing in popularity in recent years.

Unsurprisingly, given the number of users, Microsoft achieved second place, accounting for 16% of phishing emails in the quarter. The phishing emails spoofing Microsoft are more varied due to the extensive product range, although OneDrive phishing emails were common. These emails claim to be collaboration requests and target businesses and ask the recipient to click on a button to view a shared document. Like many phishing emails, the messages warn the recipient that urgent action is required, as the document will be deleted in 48 hours. The user is directed to a malicious website where they are asked to enter credentials for their Microsoft account.

It is unclear why LinkedIn has fallen out of favor slightly, although it still achieved 3rd spot and accounted for 11% of phishing attempts in the quarter. The rest of the top ten consists of Google (6%), Netflix (5%), We Transfer (5%), Walmart (5%), WhatsApp (4%), HSBC (4%), and Instagram (3%).

Phishing is one of the main ways that cybercriminals gain access to business networks. The attacks are easy to conduct, low cost, and do not require extensive technical knowledge. Businesses can block the majority of these malicious messages by implementing an advanced spam filter such as SpamTitan Cloud. They should also consider adding an extra layer to their defenses – A web filter such as WebTitan Cloud.

Technical defenses such as these are vital for protecting against phishing attempts, but it is also important for businesses to ensure that they provide regular security awareness training to their employees to make them aware of the threat of phishing and to teach them how to identify phishing emails. In addition to training, phishing simulations should be conducted on the workforce. These have been proven to reduce susceptibility to phishing attempts, as they give employees practice at identifying phishing and any failures are turned into a training opportunity.

With the SafeTitan security awareness training and phishing simulation platform, training is automatically triggered in real-time in response to phishing simulation failures and other security errors, when the training is likely to have the greatest effect.

If you run a business and want to improve your defenses against phishing, give TitanHQ a call. TitanHQ products are available on a free trial to allow you to put them to the test before making a decision about a purchase. MSPs that have yet to add spam filtering, web filtering, and security awareness training to their service stacks should give the TitanHQ channel team a call to find out more about these opportunities to improve their clients’ defenses against phishing and other cyberattacks.

Failure to Stop Phishing Attack Results in £4.4 Million Financial Penalty

The construction firm Interserve has been slapped with a £4.4 million GDPR fine for failing to prevent a phishing attack and the theft of the personal and financial information of up to 113,000 employees.

Interserve is a construction and outsourcing group, which, at the time of the cyberattack in 2020, was a strategic supplier to the UK government, including the Ministry of Defense. An employee received a phishing email and forwarded it to a colleague, who opened the email and downloaded the malicious content, which saw malware installed on its network. What happened next is all too common in cyberattacks. The threat actors had a foothold in the network, then moved laterally, and compromised 283 Interserve systems and 16 accounts.

Interserve’s anti-virus software was then uninstalled by the threat actors, and ransomware was deployed to encrypt files on the network. The information accessed, encrypted, and stolen by the attackers included highly sensitive employee information such as contact information, national insurance numbers, and bank account details. Data classed as special category data under the GDPR was also compromised, including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

The Information Commissioner’s Office (ICO) investigated the cyberattack and data breach and determined Interserve had failed to put appropriate security measures in place to prevent cyberattacks such as this, and the lack of appropriate safeguards left Interserve vulnerable to cyberattacks from March 2019 to December 2020.

The ICO identified several areas where the attack could have been identified and blocked. The initial phishing email was not blocked, nor was the malicious email detected when it was forwarded internally. The company had anti-virus software installed, which quarantined the malware and generated a security alert, yet Interserve failed to investigate the suspicious activity. Had it been investigated Interserve should have been able to determine that the attacker still had access to its network. The ICO also found outdated software systems and protocols in use, there was a lack of staff training, and insufficient risk assessments had been performed.

The failure to implement appropriate safeguards violated information privacy laws, resulting in a £4.4 million fine being proposed. The response of Interserve to that notice of intent to fine did nothing to warrant any reduction in the penalty.

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” said UK Information Commissioner, John Edwards.

These cybersecurity failures are all too common at businesses and they leave the door wide open for hackers, yet malware and ransomware attacks such as this can easily be prevented. In this case, following cybersecurity best practices, ensuring employees practice good cyber hygiene, and responding to security alerts quickly could have prevented or certainly reduced the severity of the data breach.

An effective email security solution should have been in place for detecting malicious emails, first when the initial email was received and again when it was forwarded. The email should have been quarantined and checked by the IT security team. Had appropriate end-user training been provided, both employees should have been aware of the threat of email-based attacks and known how to identify phishing emails. The IT security team should also have investigated the alert and suspicious network activity.

It is not possible to prevent all cyberattacks but implementing an advanced spam filter and providing security awareness training to employees will go a long way toward improving an organization’s security posture. Those are areas where TitanHQ can help. TitanHQ has developed a suite of cybersecurity solutions including SpamTitan Email Security, the SafeTitan Security Awareness and Phishing Simulation Platform, and the WebTitan DNS Filter for blocking web-based attacks.

For more information on improving your security posture to block cyberattacks, prevent data breaches, and protect against financial penalties from regulators, give the TitanHQ team a call.

TitanHQ Launches New MSP Security Awareness Training and Phishing Simulation Platform

One of the fastest areas of growth for Managed Service Providers (MSPs) is managed security services. The number of cyberattacks on businesses continues to increase and there is a major shortage of skilled cybersecurity staff. Further, the cost of hiring new talent can be prohibitively expensive for many small- and medium-sized businesses, who are turning to their MSPs to provide those services. Many MSPs have developed a technology stack to meet the demand and are offering managed security services such as identity protection and access management, endpoint security, spam filtering/email security, web security, data protection, network security, and mobile security, but one area that is often lacking in managed services is security awareness training. Currently, only 60% of MSPs offer security awareness training as part of their managed security services.

Technological solutions are implemented by MSPs to protect against hackers, malware, ransomware, and phishing attacks, and these solutions will detect and block the majority of threats, but it is not possible to prevent employees from encountering all threats. The workforce, therefore, needs to be prepared and be taught how to recognize the signs of phishing and other types of attacks, so that when these threats are encountered, they can be identified as such and avoided.

Studies conducted on companies that have conducted benchmarking phishing tests on employees prior to commencing security awareness training have shown that susceptibility to phishing attacks can be reduced considerably. Across all industry sectors, the average click rate for phishing is 37.9%. TitanHQ’s data shows that with regular security awareness training through the SafeTitan platform, susceptibility reduces to under 3%. Such a major reduction will significantly improve an organization’s security posture, yet as important as security awareness training is, a recent survey has shown that 57% of SMBs provide no security awareness training to their workforce whatsoever.

MSPs that do not offer security awareness training are missing out on easy, regular recurring revenue, and their clients are likely to be at risk of falling victim to phishing and other attacks that target employees. It is also worth noting that 69% of SMBs say they would hold their MSP accountable for a phishing attack!

TitanHQ Launches Security Awareness Training & Phishing Simulation Platform for MSPs

It has been a few months now since TitanHQ launched its new security awareness training and phishing simulation platform – SafeTitan.  The initial launch was aimed at SMBs and enterprises to help them create an effective, ongoing security awareness training program for the workforce, and conduct phishing simulations to reinforce training, identify weak links, and track improvements over time.

The platform includes an extensive library of training content on a wide range of topics including security best practices, cyber hygiene, phishing, vishing, and smishing, to allow businesses to easily create training programs to match their needs and risk profiles. The training is gamified, engaging, and delivered in short (max 10-minute) modules, which makes security awareness training enjoyable, while allowing it to be easily fit into busy workflows.

While the platform is well suited to businesses of all sizes, from the smallest of businesses to large enterprises, the platform had to be developed further to meet the needs of MSPs. To make a truly MSP-friendly solution, TitanHQ worked closely with the MSP advisory council and TitanHQ’s extensive MSP customer base to discover exactly what MSPs need to be able to start delivering security awareness training and phishing simulations as a managed service, which lead to the addition of several important new features.

TitanHQ is now happy to announce that SafeTitan for MSPs has now officially been launched. The new product incorporates an intuitive MSP dashboard, through which campaigns can be easily managed. The dashboard gives MSPs real-time live analytics and allows quick actions to be performed.

The phishing simulation platform includes more than 1.8K phishing templates, taken from real-world phishing attempts, with the campaigns easy to schedule for a group of customers, to be run at set intervals every week, month, or year. The platform allows mass training campaigns to be developed, along with mass phishing simulations. The addition of the direct email injection (Graph API) feature allows MSPs to deliver their phishing simulations directly to user inboxes, without having to spend time and effort configuring allowed lists and firewalls.

MSPs also benefit from dynamic user management, so changes can be made quickly and easily to existing campaigns if new users need to be added.  If any user fails a phishing simulation, they can be automatically enrolled in relevant training content to provide targeted training on the aspect of security relevant to the failure.

MSP clients will want to be provided with feedback on how their campaigns are progressing and the impact the training is having on phishing susceptibility, and to make this as easy as possible, the platform now includes scheduled reporting. Reports are automated and are sent to clients at regular intervals with no MSP interaction once configured.

Contact TitanHQ Today

If you have yet to add security awareness training and phishing simulations to your managed security services, contact TitanHQ today to find out more about SafeTitan for MSPs on +1 813 519 4430 (US) or +353 91 545555 (IRL).

5-Award Haul for TitanHQ in Expert Insights Fall 2022 ‘Best-Of’ Awards

TitanHQ has collected 5 awards for its cybersecurity solutions in the Expert Insights Fall 2022 ‘Best-Of’ Awards across 5 product categories.

Expert Insights is an online platform for businesses that provides independent advice on business software solutions to help businesses make informed purchasing decisions about software solutions. The advice provided on the website is honest and objective, and the site features helpful guides to help businesses purchase with confidence. The site is used by more than 85,000 businesses each month, with the website helping more than 1 million readers each year.

Twice yearly, Best-of awards are given to the top ten solutions in each of the 41 product categories. The awards showcase the best quality solutions that are helping businesses to achieve their goals and defend against the barrage of increasingly sophisticated cyberattacks. The awards are based on several factors, such as the features of products, market presence, ease of use, and customer satisfaction scores, with the award winners chosen by the in-house team of editors. The editorial team conducts research into each solution to assess its performance, functionality, and usability, and assesses the reviews from genuine business users of the solutions.

TitanHQ collected five awards for its products in the Spring 2022 Best-of awards, and this has been followed up with another 5 Fall 2022 Best-of awards. TitanHQ was given a Best-of award for SafeTitan in the Phishing Simulation and Security Awareness Training categories, SpamTitan Cloud received an award in the Email Security category, WebTitan Cloud got an award in the Web Security category, and ArcTitan won in the Email Archiving category. Further, ArcTitan Email Archiving was rated the top solution in the Email Archiving category and SpamTitan was rated the top solution in the Email Security category.

There were several big winners at the Fall 2022 Expert Insights Best-of awards, with TitanHQ joining companies such as ESET, CrowdStrike, and Connectwise in winning big.

“We are honored that TitanHQ was named as a Fall 2022 winner of Expert Insights Best-Of award for phishing simulation, email security, security awareness training, web security and email archiving” said TitanHQ CEO, Ronan Kavanagh.  “Our cloud-based platform allows partners and MSPs to take advantage of TitanHQ’s proven technology so they can sell, implement and deliver our advanced network security solutions directly to their client base”.

TitanHQ Adds Several New Features and Enhancements to the WebTitan DNS Filter

WebTitan Cloud is an award-winning DNS filter that prevents access to malicious websites and allows businesses to control the web content users can access with precision. This week, TitanHQ has announced the release of a new version of WebTitan Cloud, that includes new features to improve usability, security, protection for remote workers, and provides greater insights into DNS requests. These new features now form part of an industry-leading feature set that is in a cloud-delivered solution that is easy to set up, use, and maintain.

New UI with Advanced Reporting Features

If you are a current WebTitan Cloud user, the first change you will notice is the new user interface which provides easy access to all WebTitan Cloud features. The enhancements provide intuitive, advanced, relevant, and easy-to-digest data, through new interactive reports and data visualization tools, which are embedded into the UI to improve the user experience.

The advanced security reports show malware-infected clients, malware-infected domains, malware-infected users, blocked phishing sites, blocked phishing domains, and blocked phishing sites by user, and the view can be customized by date and client IP. New reports show behavior, blocked sites, and trends to provide insights into network use and threats. These reports have been added based on the feedback received by WebTitan Cloud users.

Interactive Threat Intelligence with DNS Data Offload

The latest version of WebTitan Cloud provides users with easier access to valuable threat intelligence to aid IT decision-making, network troubleshooting, and security planning. Users can now list DNS request history on screen, download DNS request logs, view all DNS data to gain valuable insights into activity, and easily extract DNS query data for sophisticated integrations and advanced data analysis.

DNSSEC Security Enhancements

WebTitan Cloud now benefits from security enhancements to protect against DNS attacks by strengthening authentication using Domain Name System Security Extensions (DNSSEC). DNSSEC uses digital cryptographic signatures to verify the origin and integrity of data during the DNS resolution process to protect against malicious DNS poisoning attacks. Users of WebTitan Cloud can implement DNSSEC through a simple and straightforward process to improve security.

WebTitan OTG Improvements for Protecting Off Network Users

The WebTitan On-the-Go (OTG) agent allows users to extend the protection of WebTitan Cloud to off-network users, no matter where they connect to the Internet. WebTitan OTG was introduced some time ago; however, the latest release includes several enhancements. The JSON Config filters have been replaced for OTG devices, and the agent used to protect, manage, and monitor off-network users has been significantly improved. It is also much easier to add and update exceptions to OTG devices through an easy-to-use interface.

“This WebTitan release is hitting so many key pillars of success for TitanHQ. The data offload feature has been requested by many customers and creates real differentiation for our solution in the market. This coupled with our new advanced reporting were major requests from our MSP customers,” said Ronan Kavanagh, CEO of TitanHQ. “Finally, security is at the heart of what we do and are, the addition of DNSSEC just continues to add to our credentials.”

New Reverse Proxy Phishing-as-a-Service Helps Low-Skilled Hackers Bypass MFA

When multifactor authentication is set up on accounts, attempts to access those accounts using stolen credentials will be prevented, as in addition to a correct username and password, another factor must be provided to authenticate users. Phishing attacks may allow credentials to be stolen, but that does not guarantee accounts can be accessed. More companies are implementing multifactor authentication which means phishing attacks need to be more sophisticated to bypass the protection provided by multifactor authentication.

One of the ways that multifactor authentication can be bypassed is by using a reverse proxy. In a phishing attack, an email is sent to a target and a link is provided to a malicious website hosting a phishing form that spoofs the service of the credentials being targeted – Microsoft 365 for example. Instead of just collecting the login credentials and using them to try to remotely access the user’s account, a reverse proxy is used.

The reverse proxy sits between the phishing site and the genuine service that the attacker is attempting to access and displays the login form on that service. When the credentials are entered, they are relayed in real-time to the legitimate service, and requests are returned from that service, such as MFA requests. When the login process is successfully completed, a session cookie is returned which allows the threat actor to access the genuine service as the victim. The session cookie can also contain the authentication token. In these attacks, once the session cookie has been obtained, the victim is usually presented with a notification telling them the login attempt has failed or they are directed to another site and will likely be unaware that their credentials have been stolen and their account is being accessed.

These attacks allow the victim’s account to be accessed for as long as the session cookie remains valid. If it expires or is revoked, the attacker will lose access to the account. To get around this and gain persistent access, account details may be changed or other authentication methods will be set up.

These types of phishing attacks are much more sophisticated than standard phishing attacks, but the extra effort is worth the investment of time, money, and resources. Many advanced persistent threat actors use reverse proxies in their phishing campaigns and have developed their own custom reverse proxies and tools.  There are, however, publicly available kits that can be used in phishing campaigns such as Modlishka, Necrobrowser, and Evilginx2. These kits can be used at a cost and allow MFA to be bypassed, although they can be complicated to set up and use.

Now a new phishing-as-a-Service (PaaS) platform has been identified – EvilProxy – that is being pushed on hacking forums. EvilProxy allows authentication tokens to be stolen from a range of vendors including Microsoft, Apple, Twitter, Facebook, Google, and more, according to Resecurity which recently reported on the phishing kit.

EvilProxy lowers the bar considerably and makes conducting reverse proxy phishing attacks far simpler. The service includes instructional videos, provides a user-friendly graphical interface, and even supplies templates of cloned phishing pages for stealing credentials and auth tokens. Through the graphical interface, threat actors can set up and manage their phishing campaigns with ease. EvilProxy comes at a cost, starting at $150 for 10 days up to $400 for a month. While the service is not cheap, the potential rewards can be considerable. EvilProxy allows low-skill threat actors to gain access to valuable accounts, which could be used or sold on to other threat actors such as ransomware gangs.

Multifactor authentication is strongly recommended as it will block the majority of attacks on accounts; however, it can be bypassed by using reverse proxies. Protecting against reverse proxy phishing attacks requires a defense-in-depth approach. An email security solution – SpamTitan for example – should be implemented to block the initial phishing email. A web filter – WebTitan – should be used to block attempts to visit the malicious websites used in these man-in-the-middle attacks. Security awareness training is important for training employees on how to recognize and avoid phishing threats, and employers should conduct phishing simulation tests as part of the training process. TitanHQ’s SafeTitan platform allows businesses to conduct regular training and phishing simulations with ease.

Vote for SpamTitan in the PeerSpot 2022 User Choice Awards!

For more than 10 years, PeerSpot (formerly IT Central Station) has been helping tech pros make intelligent decisions on the best information technology solutions to implement to ensure they get the solutions that perfectly address the needs of their businesses. The PeerSpot Buying Intelligence Platform is powered by the world’s largest community of enterprise tech buyers and bridges the gap between vendors and buyers. Vendors are helped through the voice of their customers, and enterprise tech buyers receive relevant and practical advice to help them make better purchasing decisions. The platform provides in-depth reviews of products, online forums, and tech buyers have access to direct Q&A support.

This year sees PeerSpot launch its first Annual User’s Choice Award program to recognize the products that are helping businesses to achieve their goals. Customers of enterprise technology vendors are invited to vote for their favorite B2B Enterprise Technology products across 11 product categories.

In 2022, those product categories are:

  • Endpoint Protection for Business
  • Firewalls
  • Backup and Recovery Software
  • Network Monitoring Software
  • HCI
  • All-Flash Storage Arrays
  • Email Security
  • Ethernet Switches
  • Application Security Tools
  • Functional Testing Tools
  • Rapid Application Development Software

In order for a solution to be included in the relevant category, it must be amongst the highest-rated products on the PeerSpot Buying Intelligence Platform. That requires a product to have generated significant user engagement on the platform and to have been rated highly by verified users of the solutions.

The winners in each category will be decided by popular vote.

TitanHQ is proud to have had its SpamTitan solution included as one of the top spam filtering, anti-phishing, and anti-malware solutions in the email security category. SpamTitan provides layered protection for enterprises, SMBs, and managed service providers and blocks email-based threats such as phishing, malware, spam, viruses, and botnets. The solution incorporates signature- and behavior-based detection to block malware threats and predictive technologies to anticipate zero-minute threats.  SpamTitan is much loved by users not just for its performance, but also ease of set up, use, maintenance, price, and the industry-leading customer support provided by TitanHQ. SpamTitan has an overall star rating of 4.6/5 on the platform.

If you love using SpamTitan and it has helped your business block more threats, cut down on the resources you have had to devote to email security, or saved you money, TitanHQ encourages you to vote for SpamTitan. Voting will take around a minute of your time. Votes are being accepted until September 16th, 2022, and the winners in each category will be announced by PeerSpot on October 25, 2022.

Vote for SpamTitan Email Security Here

Common Security Awareness Training Mistakes to Avoid

Technology is vital for defending against cyberattacks, but it is important not to neglect employee training. Training the workforce on how to recognize and avoid threats should be a key part of your security strategy, but if you want to get the best return on your investment it is important to avoid these common security awareness training mistakes.

Why Security Awareness Training is Essential

Data from the ransomware remediation firm, Coveware, shows phishing is the main way that ransomware gangs gain initial access to business networks, and IBM reports that phishing is the main way that data breaches occur. In 2021, 40% of all data breaches started with a phishing email. Businesses should implement technologies to block these attacks, such as a spam filter, antivirus software, and a web filter; however, even with these defenses in place, threats will arrive in inboxes, they can be encountered over the Internet, or via instant messaging services, SMS, or over the phone. Unless you totally isolate your business from the outside world, employees will encounter threats.

It is therefore important to provide security awareness training to teach employees how to recognize and avoid threats and to educate them on cybersecurity best practices that they should always follow. Security awareness training is concerned with equipping employees with the skills they need to play their part in the overall security of the organization, to give them practice at detecting threats, and build confidence. Through training, you can create a human firewall to add an extra layer to your cybersecurity defenses.

Security Awareness Training Mistakes to Avoid

It is important to avoid these common security awareness training mistakes, as they can seriously reduce the effectiveness of your training.

Infrequent training

Creating a training course that covers all security best practices and threats to educate the workforce is important, but if you want to change employee behavior and get the best return on your investment, it is important to ensure that your training is effective. If you provide a once-a-year training session, after a few weeks the training may be forgotten. One of the most common mistakes with security awareness training is not providing training often enough. Training should be an ongoing process, provided regularly. You should therefore be providing training regularly in small chunks. A 10-minute training session once a month is much more likely to change behavior than a once-a-year training session.

Not making training fun and engaging

Cybersecurity is a serious subject, but that does not mean that training cannot be enjoyable. If your training course is dull and boring, your employees are likely to switch off, and if they are not paying attention, they will not take the training on board. Use a third-party security awareness training course that includes interactive, gamified, and fun content that will engage employees, and use a variety of training materials, as not everyone learns in the same way.

Using the same training course for all employees

Don’t develop a training course and give the same course to everyone. Use a modular training course that teaches the important aspects of security, but tailor it to user groups, departments, and roles. Training should be relevant. There is no point in training everyone how to recognize specific threats that they will never encounter.

Not conducting phishing simulations

Training and then testing is important to make sure that the training content has been understood, but that is unlikely to change employee behavior sufficiently. The best way to reinforce training and change employee behavior is by conducting phishing simulations. These simulations should be relevant, reflect real-world threats, and should be conducted regularly. Phishing simulations will show you how employees respond to threats when they are completing their work duties and are not in a training setting. If a phishing simulation is failed, it is a training opportunity. Provide targeted training to employees who fail, specific to the mistake they made.

Not providing training in real-time

Intervention training is the most effective. When an employee makes a security mistake, training should be automatically triggered, such as when an employee fails a phishing simulation or takes a security shortcut. If the employee is immediately notified of the error and is told where they went wrong, that will be much more effective at changing behavior than waiting until the next scheduled training session.

Speak with TitanHQ About Security Awareness Training

TitanHQ offers a security awareness training and phishing simulation platform for businesses – SafeTitan – that makes workforce training simple. The platform includes an extensive library of gamified, fun, and engaging content on all aspects of security to allow businesses to create customized training for all members of the workforce and automate phishing simulations.

The platform is easy to set up, use, and customize, and the platform is the only security awareness training solution that provides intervention training in real-time in response to employees’ security errors. For more information contact TitanHQ and take the first step toward creating a human firewall.

What is Callback Phishing?

Phishing attacks are mostly conducted via email but there has been a major increase in hybrid phishing attacks over the past 12 months, especially callback phishing. Here we explain what callback phishing is, why it poses such a threat to businesses, and why threat actors are favoring this new approach.

What is Callback Phishing?

Email phishing is used for credential theft and malware distribution, but one of the problems with this type of phishing is most businesses have email security solutions that scan inbound emails for malicious content. Phishing emails and malicious files distributed via email are often identified as such and are rejected or quarantined. Some threat actors conduct voice phishing, where an individual is contacted by telephone, and attempts are made to trick them into taking an action that benefits the scammer using a variety of social engineering tactics.

Callback phishing is a type of hybrid phishing where these two methods of phishing are combined. Initially, an email is sent to a targeted individual or company that alerts the recipient to a potential problem. This could be an outstanding invoice, an upcoming payment or charge, a fictitious malware infection or security issue, or any of a long list of phishing lures. Instead of further information being provided in an attachment or on a website linked in the email, a telephone number is provided. The recipient must call the number for more information and to address the issue detailed in the email.

The phone number is manned by the threat actor who uses social engineering techniques to trick the caller into taking an action. That action is usually to disclose credentials, download a malicious file, or open a remote desktop session. In the case of the latter, the remote desktop session is used to deliver malware that serves as a backdoor into the victim’s computer and network.

This hybrid approach to phishing allows threat actors to get around email security solutions. The only malicious element in the initial email is a phone number, which is difficult for email security solutions to identify as malicious and block. That means the emails are likely to reach their targets.

Major Increase in Callback Phishing Attacks

Callback phishing was adopted by the Ryuk ransomware threat group in 2019 to trick people into installing BazarBackdoor malware, in a campaign that was dubbed BazarCall/BazaCall. Typically, the lure used in these attacks was to advise the user about an upcoming payment for a subscription or the end of a free trial, with a payment due to be automatically taken unless the trial/subscription is canceled by phone.

The Ryuk ransomware operation is no more. The threat actors rebranded as Conti, and the Conti ransomware operation has also now shut down; however, three threat groups have been formed by members of the Conti ransomware operation – Silent Ransom, Quantum, and Zeon – and all have adopted callback phishing as one of the main methods for gaining initial access to victims’ networks for conducting ransomware attacks. These three groups impersonate a variety of companies in their initial emails and trick people into believing they are communicating with a genuine company. The aim is to get the user to establish a remote desktop session. While the user is distracted by the call, a second member of the team uses that connection to install a backdoor or probe for ways to attack the company, without the user being aware what is happening.

Callback phishing is also used by other threat groups for credentials theft and malware distribution, often by impersonating a cybersecurity firm and alerting the user to a security threat that needs to be resolved quickly. These attacks see the user tricked into installing malware or disclosing their credentials. According to cybersecurity firm Agari, phishing attacks increased by 6% from Q1, 2022 to Q2, 2022, and over that same time frame hybrid phishing attacks increased by an incredible 625%.

How to Protect Against Callback Phishing Attacks

As is the case with other forms of phishing, the key to defending against attacks is to implement layered defenses. Email security solutions should be implemented that perform a range of checks of inbound emails to identify malicious IP addresses. Email security solutions such as SpamTitan incorporate machine learning mechanisms that can detect emails that deviate from those normally received by an organization. Multi-factor authentication should be implemented on accounts to block attempts to use stolen credentials.

The best defense against callback phishing is to provide security awareness training to the workforce. Employees should be told about the social engineering tactics used in these attacks, the checks everyone should perform before responding to any email, and the signs of callback phishing to look out for. Callback phishing simulations should also be conducted to gauge how susceptible the workforce is to callback phishing. A failed simulation can be turned into a training opportunity to proactively address the lack of understanding.

TitanHQ offers a comprehensive security awareness training platform for businesses – SafeTitan – that covers all forms of phishing and the platform included a phishing simulator for conducting phishing tests on employees. For more information, give the TitanHQ team a call today.

BEC Attacks on Businesses are Increasing: How To Improve Your Defenses Against These Damaging Attacks

Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is one of the most financially damaging types of cyberattacks, and attacks have been increasing. These attacks involve gaining access to business email accounts, often the email account of the CEO or CFO, and using those accounts to send emails to staff that has responsibility for making payments and tricking them into wiring funds to an attacker-controlled account. The attacks can also be conducted to make changes to payroll information to get employees’ salaries deposited to attacker-controlled accounts.

BEC scams have resulted in losses in excess of $43 billion over the past 5 years according to the Federal Bureau of Investigation (FBI), and that is just complaints submitted to its Internet Crime Complaint Center (IC3). In 2021 alone, almost $2.4 billion in losses to BEC attacks were reported to IC3.

Anatomy of a BEC Attack

BEC attacks require considerable effort by threat actors, but the rewards from a successful attack are high. BEC attacks often see fraudulent transfers made for hundreds of thousands of dollars and in some cases several million. Companies are researched, individuals to target are identified, and attempts are made to compromise their accounts. Accounts can be compromised through phishing or brute force attempts to guess weak passwords.

With access to the right email accounts, the attacker can study the emails in the account. The usual communication channels can be identified along with the style of emails that are usually sent. The attacker will identify contracts that are about to be renewed, invoices that will soon be due, and other regular payments to try to divert. Timely and convincing emails can then be sent to divert payments and give the attacker sufficient time to move the funds before the scam is uncovered.

A recent report from Accenture suggests the rise in ransomware attacks is helping to fuel the rise in BEC attacks. Ransomware gangs steal data before encrypting files and publish the data on their data leak sites. The stolen data can be used to identify businesses and employees that can be targeted, and often includes contract information, invoices, and other documents that can cut down on the time spent researching targets and identifying payments to divert. Some ransomware gangs are offering indexed, searchable data, which makes life even easier for BEC scammers.

How to Improve Your Defenses Against BEC Attacks

Defending against BEC attacks can be a challenge for businesses. Once an email account has been compromised, the emails sent from the account to the finance department to make wire transfers can be difficult to distinguish from genuine communications.

Use an Email Security Solution with Outbound Scanning

An email security solution such as SpamTitan can help in this regard, as all outbound emails are scanned in addition to inbound emails. However, the key to blocking attacks is to prevent the email accounts from being compromised in the first place, which is where SpamTitan will really help. SpamTitan protects against phishing emails using multiple layers of protection. Known malicious email accounts and IP addresses are blocked, other checks are performed on message headers looking for the signs of phishing, and the content of the emails is checked, including attachments and embedded hyperlinks. Emails are checked using heuristics and Bayesian analysis to identify irregularities, and machine learning helps to identify messages that deviate from the normal emails received by a business.

Implement Robust Password Policies and MFA

Unfortunately, it is not only phishing that is used to compromise email accounts. Brute force tactics are used to guess weak passwords or credentials stuffing attacks are performed to guess passwords that have been used to secure users’ other accounts. To block this attack vector, businesses need to implement robust password policies and enforce the use of strong passwords. Remembering complex passwords is difficult for employees, so a password manager solution should be used so they don’t need to. Password managers suggest complex, unique passwords, and store them securely in a vault. They autofill the passwords when they are needed so employees don’t need to remember them. If email account credentials are compromised, they can be used to remotely access accounts. Multifactor authentication can stop this, as in addition to a password, another form of authentication must be provided.

Provide Security Awareness Training to the Workforce

Providing security awareness training to the workforce is a must. Employees need to be taught how to recognize phishing emails and should be trained on cybersecurity best practices. If employees are unaware of the threats they are likely to encounter, when the threats land in their inboxes or are encountered on the web, they may not be able to recognize them as malicious. Training should be tailored for different users, and training on BEC attacks should be provided to the individuals who are likely to be targeted: the board, finance department, payroll, etc.

Security awareness should be accompanied by phishing simulations – fake, but realistic, phishing emails sent to the workforce to test how they respond. BEC attacks can be simulated to see whether the scams can be recognized. If a simulation is failed it can be turned into a training opportunity. These campaigns can be created, and automated, with the SafeTitan Security Awareness Training and Phishing Simulation Platform.

Set Up Communication Channels for Verifying Transfer Requests

Employees responsible for making wire transfers or changing payroll information should have a communication channel they can use to verify transfers and bank account changes. Providing them with a list of verified phone numbers will allow them to make a quick call to verify changes. A quick phone call to verify a request can be the difference between an avoided scam and a major financial loss.

Speak to TitanHQ about Improving Your Defenses Against BEC Attacks

TitanHQ offers a range of cybersecurity solutions for blocking email and web-based cyber threats. For more information on SpamTitan Email Security, WebTitan Web Filtering, and SafeTitan Security Awareness Training, give the TitanHQ team a call. All solutions are quick and easy to set up and use, and all have been developed to make it easy for MSPs to offer these cybersecurity solutions to their clients. With TitanHQ solutions in place, you will be well protected from phishing, malware, ransomware, botnets, social engineering, and BEC attacks.

Twilio SMS Phishing Attack Highlights Importance of Security Awareness Training on all Forms of Phishing

Phishing is mostly conducted via email; however, a recent data breach at the cloud communication company Twilio demonstrates that phishing can be highly effective when conducted using other popular communication methods, such as SMS messages.

An SMS phishing attack – known as SMiShing – involves sending SMS messages with a link to a malicious website with some kind of lure to get people to click. Once a click occurs, the scam progresses as an email phishing attack does, with the user being prompted to disclose their credentials on a website that is usually a spoofed site to make it appear genuine. The credentials are then captured and used by the attacker to remotely access the victims’ accounts.

Twillio provides programmable voice, text, chat, video, and email APIs, which are used by more than 10 million developers and 150,000 businesses to create customer engagement platforms. In this smishing attack, Twilio employees were sent SMS messages that appeared to have been sent by the Twilio IT department that directed them to a cloned website that had the Twilio sign-in page. Due to the small screen size on mobile devices, the full URL is not displayed, but certain keywords are added to the URLs that will be displayed to add realism to the scam. The URLs in this campaign included keywords such as SSO, Okta, and Twilio.

According to Twilio EMEA Communications director, Katherine James, the company detected suspicious account activity on August 4, 2022, and the investigation confirmed that several employee accounts had been accessed by unauthorized individuals following responses to the SMS messages. The attackers were able to access certain customer data through the Twilio accounts, although James declined to say how many employees were tricked by the scam and how many customers had been affected.

Twilio was transparent about the data breach and shared the text of one of the phishing emails, which read:

Notice! [redacted] login has expired. Please tap twilio-sso-com to update your password!

The text messages were sent from U.S. carrier networks. Twilio contacted those companies and the hosting providers to shut down the operation and take down the malicious URLs. Twilio said they were not the only company to be targeted in this SMS phishing campaign, and the company worked in conjunction with those other companies to try to shut the operation down; however, as is common in these campaigns, the threat actors simply switch mobile carriers and hosting providers to continue their attacks.

The smishing attack and data breach should serve as a reminder to all businesses of the risk of smishing. Blocking these types of phishing attacks can be a challenge for businesses. The best starting point for improving your defenses is to provide security awareness training for the workforce. Security awareness training for employees usually has a strong emphasis on email phishing, since this type of phishing is far more common, but it is important to also ensure that employees are trained on how to recognize phishing in all its forms, including smishing, social media phishing, and voice phishing – vishing – which takes place over the telephone.

The easiest way to do this is to work with a security vendor such as TitanHQ. TitanHQ offers a comprehensive security awareness training platform – SafeTitan – with an extensive range of training content on all aspects of security, including smishing and voice phishing. The training content is engaging, interactive, and effective at improving cybersecurity understanding, and SafeTitan is the only security awareness training platform that delivers training in real-time in response to the behavior of employees. The platform also includes a phishing simulator for automating simulated phishing tests on employees.

For more information about improving security awareness in your organization, contact TitanHQ today.

Predictive Threat Detection Capabilities Enhanced in SpamTitan Plus

TitanHQ has announced an update has been made to its flagship anti-phishing solution, SpamTitan Plus. The new enhancements have been added to the predictive phishing detection capabilities of SpamTitan Plus to help users block personalized URL attacks.

Phishing attacks on businesses have become much more sophisticated and new tactics are constantly being developed to evade standard email security solutions. While commercial email security solutions perform well at identifying and blocking spam emails, achieving detection rates in excess of 99%, blocking phishing emails is more of a challenge and many phishing threats sneak past email security solutions and are delivered to inboxes.

One of the ways that cyber threat actors bypass email security solutions is by creating personalized URLs for their phishing emails. One of the methods used by email security solutions for blocking phishing URLs is a real-time blacklist of known malicious URLs and IP addresses. If an email is sent from an IP address that has previously been used to send spam or phishing emails, the IP address is added to a blacklist and all emails from that IP address will be blocked. The URLs in phishing campaigns are set up and massive email runs are performed. When those URLs are detected as malicious, they are also added to a blacklist and will be blocked by email security solutions.

However, it is becoming increasingly common for personalized URLs to be used. These URLs can be personalized for the targeted organizations at the path and parameter level, and since a unique URL is used in each attack, standard anti-phishing measures such as blacklists are ineffective at detecting these URLs as malicious. That means the emails containing these malicious URLs are likely to be delivered to inboxes and can only be blocked after they have been delivered. That typically means an employee needs to report the email to their security team, and the security team must then act quickly to remove all phishing emails in that campaign from the email system. That process takes time and there is a risk that the links in the emails could be clicked, resulting in credential theft or malware infections. Most of the phishing detection feeds that are used by email security solutions do not gather the necessary intelligence to be able to inform customers of the level at which a phishing campaign should be blocked. SpamTitan Plus, however, does have that capability.

“With predictive phishing detection, SpamTitan Plus can now combat automated bot phishing,” said Ronan Kavanagh, CEO of TitanHQ. “At TitanHQ we always strive to innovate and develop solutions that solve real-security problems and provide tangible value to our customers. The end goal is to have our partners and customers two or three steps ahead of the phishers and cybercriminals.”

SpamTitan Plus

SpamTitan Plus is an AI-driven anti-phishing solution that is capable of blocking even the newest zero-day phishing threats. The solution has better coverage than any of the current market leaders and provides unparalleled time-of-click protection against malicious hyperlinks in phishing emails, with the lowest false positive rate of any product. SpamTitan Plus benefits from massive clickstream traffic from 600+ million users and endpoints worldwide, which sees the solution block 10 million new, never-before-seen phishing and malicious URLs a day.

The solution protects against URL-based email threats including malware and phishing, performs predictive analyses to identify suspicious URLs, URLs are rewritten to protect users, real-time checks are performed on every click, and the solution includes 100% of all current market-leading anti-phishing feeds. That translates into a 1.5x increase in unique phishing URL detections, 1.6x faster phishing detections than the current market leaders, and 5 minutes from initial detection of a malicious URL to protecting all end user mailboxes.

For more information about the best phishing solution for businesses, give the TitanHQ team a call today. Current users of SpamTitan Plus already have these new capabilities added, at no additional cost.

Cybersecurity Companies Impersonated in Convincing Callback Phishing Campaign

A new phishing campaign is being conducted that abuses trust in cybersecurity companies. The campaign uses scare tactics to get company employers to pick up the phone and speak to the cybersecurity vendor about a recently detected data breach and potential workstation compromise.

It is becoming increasingly common for phishing scams to involve initial contact via email with requests to make a call. This tactic is often used in tech support scams, where victims are convinced they have a malware infection or another serious security issue on their device, and they are tricked into downloading malicious software such as Remote Access Trojans (RATs).

RATs give the attackers access to the user’s computer, and that access can be abused by the attacker or the access can be sold to other threat groups such as ransomware gangs. Affiliates of ransomware-as-a-service operations may use this technique to conduct attacks and are then paid a percentage of any ransom payments they generate.

In this campaign, the impersonated companies are very well-known providers of enterprise security solutions, such as CrowdStrike, and the emails are very well written and convincing. They claim that a data breach has been detected that affected the part of the cybersecurity provider’s network associated with the customer’s workstation and warns that all workstations on the network may have been compromised. As such, the cybersecurity company is conducting an audit.

The emails claim that the cybersecurity vendor has reached out to the IT department, which has instructed the vendor to contain individual users directly. The emails claim that the audit is necessary for compliance with the Consumer Privacy Act of 2018 (CCPA) and other regulations and that the agreement between the targeted individual’s company and the cybersecurity vendor allows it to conduct regular audits and security checks. A phone number is provided for the individual to make contact, and the email includes the correct corporate logo and genuine address of the cybersecurity vendor.

CrowdStrike reports that a similar scam has been conducted by the Wizard Spider threat group, which was responsible for Ryuk ransomware attacks. That campaign delivered BazarLoader malware, which was used to deliver the ransomware payload.

This type of phishing attempt is known as callback phishing. This technique can be effective at bypassing email security solutions since the emails contain no malicious content – There are no hyperlinks and no file attachments. This scam highlights the importance of conducting security awareness training on the workforce to help employees identify and avoid phishing scams.

How TitanHQ Can Help

TitanHQ provides a range of security solutions for blocking phishing attacks, including SpamTitan Email Security, WebTitan DNS Filtering, and the SafeTitan Security Awareness and Phishing Simulation Platform.

SafeTitan has an extensive library of interactive, gamified, and engaging training content for improving security awareness of the workforce, including phishing and the full range of cyberattacks that employees are likely to encounter. The training is delivered in easily assimilated modules of no more than 8 to 10 minutes, and training can be delivered in real-time in response to risky user behaviors to nip bad security practices in the bud. The platform also includes hundreds of phishing templates for conducting and automating phishing simulations on the workforce, to gain insights into the individuals who are susceptible to phishing attacks and any knowledge gaps.

For more information on improving your defenses against phishing attacks, review our solutions in the links at the top of this page or give the team a call. Products are available on a free trial and demonstrations can be arranged on request.

Social Media Phishing Attacks are on the Rise

Phishing can take many forms and while email is the most common vector used in these scams, other types of phishing such as voice phishing (vishing), SMS phishing (Smishing), and social media phishing increasing. In particular, there has been a recent spike in social media phishing attempts.

The threat from email phishing can be greatly reduced with an email security solution; however, these solutions will do nothing to block vishing, smishing, and social media phishing attempts. Businesses can improve their defenses by also using a DNS filtering solution. DNS filters block attempts to visit malicious websites and work in tandem with email security solutions to block email phishing and can also block the web-based component of smishing attacks and social media phishing to a certain extent. Unfortunately, since the social media networks where phishing takes place are not malicious websites, it will not prevent people from encountering phishing attempts.

This is why security awareness training is so important. Security awareness training gives employees the skills they need to recognize and avoid phishing attempts, no matter where the phishing attack is conducted. By training the workforce on security threats, risky behaviors can be eradicated, and employees can be taught the signs of phishing to look out for. The SafeTitan Security Awareness Training platform also delivers training in real-time, in response to risky behaviors by employees. This ensures training is delivered instantly when risky behavior is detected and training is likely to have the greatest benefit.

Social Media Phishing

Two social media phishing campaigns have recently been identified by researchers at Malwarebytes, the goal of which is to obtain the credentials for social media accounts. If the credentials are disclosed, the attacker can access the victim’s account and use it to conduct further attacks on the victim’s followers. If the credentials for a corporate social media account are stolen, attacks could be conducted on all the company’s followers. These attacks abuse the trust customers have in the company. The two campaigns have been conducted on Twitter and Discord users. Both use social engineering to trick people into disclosing their account credentials.

Twitter Phishing Campaign

In the Twitter campaign, the scammer sends a direct message to the user informing them that their account has been flagged for hate speech and threatens an immediate suspension of the account unless action is taken. The user is told that they must authenticate the account via the Twitter Help Center, a link for which is provided in the message. The link directs the user to a phishing page that spoofs Twitter where they are asked to log in. If they do, their credentials will be captured.

Discord Phishing Campaign

The Discord campaign sees a message sent from either a contact of the victim using a compromised Discord account or from strangers. The account owner is accused of disseminating explicit photographs and the sender says they are going to block the account until an explanation is provided. A link is provided to a server where the recipient has allegedly been named and shamed. If the message recipient tries to respond to the message, their message will not be sent as they will have been blocked, increasing the likelihood of their clicking the link to the server.

Victims are required to log in via a QR code and once they have attempted that they are locked out of their accounts, which are then under the full control of the scammer. The scammer is then free to use the legitimate account to continue their scam on all the victims’ contacts. Social media scams such as these try to scare or shame users into responding. This tactic can be very effective, even if the user has never said a bad word on Twitter or sent an explicit photograph to anyone on Discord.

Other Social Media Phishing Campaigns

Phishing can – and does – occur on all social media platforms. One scam that has proven successful targets Instagram users and offers them the verified Instagram badge. In order to receive the badge, they are required to log in to verify their identity, naturally via a malicious link. Doing so will allow the scammer to take full control of the user’s Instagram account.

It is a similar story on LinkedIn. One of the most common scams involves impersonating a company and sending a message to an individual about a job offer, or a message suggesting they have been headhunted. Fake connection requests are also common. In this scam, the user is provided with a link to a scam site that spoofs LinkedIn and again is conducted to harvest credentials.

On Facebook, phishing scams are rife but often they seem innocuous. If you use Facebook, you will no doubt have seen countless posts asking site users to determine their band name, porn star name, pirate name, etc., by providing information such as the month and year of birth.  Posts asking what was your first car? Where did you grow up? What was your favorite teacher’s name? and many more do not seek credentials, but the information disclosed can be used to answer security questions that are asked in order to recover accounts. These scams also make brute force attacks to guess passwords so much easier.

Dangers of Social Media Phishing

The loss of access to a social media account may not be the end of the world and is likely far better than having a bank account emptied, but the damage caused can be considerable. Many small businesses rely on social media for publicity and generating sales, and the loss of an account or scamming of customers can be devastating. The passwords used for social media accounts are often reused across multiple platforms. Scammers often conduct credential stuffing attacks on other platforms and accounts using the same password. Fall victim to a social media phishing scam and many other accounts could be compromised.

Blocking social media phishing attacks can be a challenge. You should also ensure that two-factor authentication is enabled on social media accounts, consider restricting who can send direct messages to your account, and who can view your profiles. If you encounter a scam, be sure to report it.

For businesses, employees with access to corporate social media accounts should be given specific training on social media phishing to ensure they can recognize and avoid phishing scams. The SafeTitan Security Awareness Training platform makes this simple and helps businesses instantly correct risky behaviors through the automated delivery of a relevant training course in real-time. The platform has a wealth of engaging, gamified training content and a phishing simulation platform for testing resilience to phishing attacks.

For more information on SafeTitan and improving your phishing defenses through the use of an email security solution and DNS filtering, give the TitanHQ team a call today.

Microsoft’s Automatic Blocking of Macros Has Been Temporarily Rolled Back

Microsoft previously announced a new security feature that would see VBA macros automatically blocked by default, but there has been a rollback in response to negative feedback from users.

Phishing emails are commonly used for malware delivery which contain links to websites where the malware is hosted or by using malicious email attachments. Word, Excel, Access, PowerPoint, and Visio files are commonly attached to emails that include VBA macros. While there are legitimate uses for VBA macros, they are often used for malware delivery. When the documents are opened, the macros would run and deliver a malware loader or sometimes the malware payload directly.

Office macros have been used to deliver some of the most dangerous malware variants, including Emotet, TrickBot, Qakbot, Dridex. To improve security, in February 2022, Microsoft announced that it would be blocking VBA macros by default. If macros are blocked automatically, it makes it much harder for this method of malware delivery to succeed.

With autoblocking of macros, users are presented with a security alert if a file is opened that includes a VBA macro. When opening a file with a VBA macro, the following message is displayed in red:

“SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted.”

The user would not be able to click the warning to override the blocking, instead, they would be directed to a resource that provides further information on the risk of enabling macros. They would have the option of ignoring the warning but would be strongly advised not to. Previously, a security warning was displayed in a yellow warning box that says, “Security Warning: Macros have been disabled.” The user would be presented with a prompt to Enable Content, and thus ignore the warning.

Microsoft had rolled out this new security feature, but recently Windows users started to notice that the new security warning was no longer being displayed, instead, Microsoft appeared to have rolled back to its previous system without announcing it was doing so.

Microsoft did confirm that it is rolling back this security feature and that an update announcing that has been planned; however, it had not been announced before the rollback started. The process has been heavily criticized, not for the rollback itself (although there has been criticism of that), but for starting the rollback without first making an announcement.

Microsoft said the rollback was due to negative feedback it had received, but it is not known at this stage which users had complained. It is suspected that the change posed a problem for individuals who commonly use VBA macros, and the automatic blocking made the process of running macros cumbersome. Most SMB users, however, do not deal with macros frequently, so the rollback means a reduction in security.

It took several days for Microsoft to confirm that the rollback is temporary and that it was necessary to make changes to improve usability. Microsoft said it is still committed to blocking macros by default for users. So, while this is a U-turn, it is just a temporary one.

While automatically blocking macros is important to improve security, it is still strongly recommended to implement a robust email security solution, as macros are not the only way that malware is delivered via email. Also, blocking macros will do nothing to stop phishing emails from being delivered.

With SpamTitan Email Security, phishing and malware threats can be easily blocked. For more information, give the TitanHQ team a call.

Copyright Infringement Notices used in Phishing Emails for Delivering Lockbit 2.0 Ransomware

Cybercriminals are constantly changing tactics and lures in their phishing campaigns, so it is no surprise to see a new technique being used by affiliates of the Lockbit ransomware-as-a-service operation. A campaign has been identified by researchers at AhnLab in Korea that attempts to deliver a malware loader named Bumblebee, which in turn is used to deliver the LockBit 2.0 ransomware payload.

Various lures are used in phishing campaigns for delivering malware loaders, with this campaign using a warning about a copyright violation due to the unauthorized use of images on the company’s website. As is common in phishing emails, the emails contain a threat should no action be taken – legal action. Emails that deliver malware loaders either use attached files or contain links to files hosted online. The problem with attaching files to emails is they can be detected by email security solutions. To get around this, links are often included. In this case, the campaign uses the latter, and to further evade detection, the linked file is a password-protected archive. This is a common trick used in malware delivery via email to prevent the file from being detected as malicious by security solutions, which are unable to open the file and examine the contents. The recipient of the message is provided with the password to open the file in the message body.

The password-protected zip file contains a file that masquerades as a PDF file, which the user is required to open to obtain further information about the copyright violation. However, a double file extension is used, and the attached file is actually an executable file, which will deliver the Bumblebee loader, and thereafter, LockBit 2.0 ransomware.

These types of phishing attacks are all too common. Believable lures are used to trick people into taking the requested action, a threat is included should no action be taken, and multiple measures are used to evade security solutions. Any warning about a copyright violation must be taken seriously but as with most phishing emails, there are red flags in this email that suggest this is a scam. Security-aware employees should be able to recognize the red flags and while they may not be able to confirm the malicious nature of the email, they should report such messages to their IT department or security team for further investigation. However, in order to be able to identify those red flags, employees should be provided with security awareness training.

Through regular training employees will learn the signs of phishing emails, can be conditioned to always report the emails to their security team, and can be kept abreast of the latest tactics used in phishing emails for malware delivery. It is also recommended to conduct phishing simulations to test whether employees are being fooled by phishing attempts. If employees fail phishing simulations it could indicate issues with the training course that need to be addressed, or that certain employees need to be provided with additional training. Through regular security awareness training and phishing simulations, businesses can create a human firewall capable of detecting phishing attempts that bypass the organization’s email and web security defenses.

TitanHQ can provide assistance in this regard through the SafeTitan Security Awareness Training and Phishing Simulation Platform – Further information on the solution can be found here.

How to Run Effective Phishing Simulations in the Workplace

If you want to create a culture of security in your organization, you need to provide comprehensive security awareness training to teach employees the skills they will need to be able to identify and avoid cyber threats. It is also important to conduct phishing simulations on all members of the workforce.

Phishing simulations are realistic but fake phishing emails that are sent to employees to determine the level of security awareness of the organization, assess whether employee security awareness training has been effective, identify any gaps in knowledge that need to be addressed, and to identify any individuals who require further training.

If phishing simulations are not used, organizations will be unaware whether their training has worked and has reduced the susceptibility of the workforce to phishing attacks, and gaps in knowledge could exist that could easily be exploited in real world phishing attacks.

Sending phishing emails to employees to see if they click links or open potentially malicious attachments is important, but to get the full benefits of phishing simulation exercises you need to create a structured phishing simulation program. To help you get started we have provided some tips on how to run effective phishing simulations in the workplace, and highlight some areas where businesses go wrong.

How to Run Effective Phishing Simulations at Work

One of most common assumptions made about phishing simulations is that in order to determine whether employees will respond to genuine phishing emails, employees should not be aware that you will be conducting phishing simulations. That is a mistake. When employers conduct phishing simulations on an unsuspecting workforce, it has the potential to backfire.

Employees often feel like they are being targeted and it can create friction between employees and the IT department, and that is best avoided. You should warn employees when you provide training that part of the training process will involve phishing simulations and that the simulations are not being conducted to catch employees out but to assess how effective training has been. Do not provide specific notice when you are conducting campaigns, just make the workforce aware that you do periodically run phishing simulations.

When you conduct phishing simulations, the emails you send need to be realistic. You should use templates that are based on real-world phishing attacks, after all, the aim of the simulations is to determine if employees will fall for real phishing emails.  You should use a variety of lures and send different types of phishing emails, including emails with links, attachments, and Word documents with macros. You should also vary the difficulty of the simulations and include targeted spear-phishing attacks.

Before sending simulated phishing emails to the workforce, test out the emails in small numbers, as this will allow you to correct any problems. Do not send the same email to everyone at the same time, as this often results in employees tipping each other off and will not give you accurate data. Vary the emails you send in any one campaign, and this can be avoided. Each email should include at least two red flags that will allow it to be identified as a phishing attempt. Be careful about the lures you choose. If you send an email offering a pay rise – there are genuine phishing campaigns that do this – be prepared for a backlash, as such a campaign is likely to cause upset. These types of phishing simulations are best avoided.

The first phishing campaigns you send should serve as a baseline against which you can measure how awareness improves over time, so use a moderately difficult phishing attempt, not an incredibly difficult spear phishing email. Anyone can be fooled by a phishing email so ensure that everyone is part of the program, including board members. They too need to be taught how to recognize phishing emails and be tested to see how security aware they are. The C-suite is the top target for phishers.

It is important not to name and shame employees that fail phishing simulations. A failed phishing simulation should be seen as an opportunity for further training, not a reason for punishing an employee. If you opt for positive rather than negative reinforcement, you are likely to get much better results.

Security Awareness Training and Phishing Simulations from TitanHQ

SafeTitan from TitanHQ is a comprehensive security awareness training platform with an extensive library of training courses, videos & quizzes. The content is highly interactive and fun, with short and efficient testing and a phishing simulation platform with hundreds of real-world phishing templates to use. SafeTitan is also the only behavior-driven security awareness solution that delivers security training in real-time. Phishing simulations have shown that SafeTitan reduces staff susceptibility to phishing by up to 92%.

For more information and to arrange a product demonstration, give the TitanHQ team a call.

TitanHQ Finalist in the 2022 CompTIA UK Spotlight Awards

Following on from being included in the Expert Insights’ list of the Top 100 Most Innovative Cybersecurity Companies of 2022, TitanHQ has been named a finalist in the 2022 CompTIA UK Spotlight Awards in the Innovative Vendor Award Category.

The Computing Technology Industry Association (CompTIA) is an advocate for the $5 trillion global information technology ecosystem and the estimated 75 million professionals who design, implement, manage, and safeguard the technology that powers the world’s economy.

CompTIA provides education, training, certifications, philanthropy, and market research and promotes industry growth, the development of a highly-skilled workforce, and the creation of an environment where innovation happens and opportunities are made possible through technology that is available to all.

Every year, CompTIA recognizes individual and organizational excellence in the UK tech industry through the CompTIA UK Spotlight Awards, which took place on June 16 at the CompTIA UK Business Technology Community Meeting, in Bristol.

TitanHQ is delighted to have been named a finalist at this year’s awards and to be recognized for its innovative cybersecurity solutions that are helping SMBs and Managed Service Providers defend against increasingly sophisticated cyber threats.

Over the past 12 months, TitanHQ has enjoyed excellent growth, has brought in a wealth of new talent, and has released two innovative new cybersecurity solutions to its product portfolio: SpamTitan Plus and the SafeTitan Security Awareness and Phishing Simulation Platform.

SpamTitan Plus provides cutting-edge, industry-leading protection against zero-day phishing threats. The AI-driven anti-phishing solution has better coverage, a significant uplift in phishing link detections, and faster detection speeds, with the lowest false positive rate of any product. The solution includes updates from massive clickstream traffic of 600+ million users and endpoints worldwide, which protects against 10 million+ new, never-before-seen phishing and malicious URLs each day.

According to research, 97% of users fail to identify all phishing emails, so advanced phishing protection is essential. So too is security awareness training, to teach employees how to identify phishing and other threats and increase threat reporting rates to security teams.

TitanHQ now offers a comprehensive platform that businesses can use to train their employees to be security titans and create a human firewall to complement their technical anti-phishing safeguards. SafeTitan includes an extensive library of interactive, fun, and engaging training content, a phishing simulator, and is the only behavior-driven security awareness training platform that delivers security awareness training in real-time.

If you want to benefit from these new solutions and any of TitanHQ’s other innovative cybersecurity protects – DNS filtering, email encryption, and email archiving- contact TitanHQ today.

TitanHQ Named in Top 100 List of the Most Innovative Companies in Cybersecurity

TitanHQ has collected several accolades already in 2022 for the full range of cloud-delivered solutions. The 2022 tally now includes recognition as one of the top 100 most innovative cybersecurity companies.

The Expert Insights’ Top 100 Most Innovative Cybersecurity Companies list was created to recognize the most innovative companies in cybersecurity – companies that develop highly innovative solutions to better protect businesses and consumers from increasingly sophisticated cyber threats. The Top 100 list is broken down into 12 different categories, with TitanHQ included in the Email and Messaging Security Category.

It is vital for businesses of all sizes to implement robust defenses to block email-based attacks. Email is the leading vector for malware delivery and phishing attacks are increasing in number and sophistication. As TitanHQ CEO, Ronan Kavanagh, pointed out, “The overwhelming feedback from our users and customer base has been that phishing attacks are becoming more advanced, proficient and dangerous. Phishing is the number one problem to solve in the email security community.”

TitanHQ’s SpamTitan suite of products provides cutting-edge, robust, and rapid protection against phishing attacks, malware threats, and other email-borne cyberattacks. In addition to the SpamTitan Gateway and SpamTitan Cloud solutions, TitanHQ recently released SpamTitan Plus, which provides best-in-class protection against phishing attacks, with the most comprehensive coverage of any solution, incorporating 100% of current market-leading anti-phishing feeds. That translates into 1.5x faster URL threat detection, 1.6x faster phishing detection than the current market leaders, and just 5 minutes from initial detection of malicious URLs to protecting all mailboxes.

“Over the past year, TitanHQ has significantly grown its global presence, strengthened its executive leadership team, and added to its product and services portfolio, all of which have contributed to our impressive placement on the 2022 Expert Insights’ Top 100 Most Innovative Cybersecurity Companies list,” said Kavanagh.

The latest accolade follows on from TitanHQ collecting no fewer than five Expert Insights’ ‘Best of’ Awards in the spring for SpamTitan Email Security, WebTitan DNS Filter, ArcTitan Email Archiving, with two awards for SafeTitan Security Awareness Training.

Webinar: June 7, 2022: Employee Cyber Risks in a Growing Organization: Balancing Safety and Agility

On June 7, TitanHQ, in partnership with the Oxford Cyber Academy, will be hosting a webinar to discuss employee cyber risks in growing organizations, and how to balance safety and agility.

Organizations are facing an increasing number of threats when trying to stay agile, competitive, and innovative in a digital world, and for small- and medium-sized businesses, those threats have significant potential to threaten growth. Businesses of all sizes are being targeted by cyber threat actors, and successful attacks can cause significant damage to a business’s hard-won market reputation and operations. Those threat actors target a common weak point in security defenses – employees. Digital security needs to be front and center of your continued innovation, but it can be a challenge to stay competitive whilst sustaining a cyber-savvy workforce. Help is at hand, however.

During this webinar, attendees will be provided with valuable information on the changing nature of the cyber threats facing small- and mid-sized businesses and will discover what they need to protect, what they have to lose if they fail to protect it, how to balance technology and human cyber risks, and how to improve employee security awareness and achieve measurable changes in employee behavior through easy, intuitive, personalized and targeted training that is delivered where it’s needed the most.

Join TitanHQ on June 7th where Nick Wilding, Neil Sinclair, Cyber Programme Lead, UK Police Crime Prevention Initiatives, and Richard Knowlton, Director of Security Studies at the Oxford Cyber Academy will discuss:

If you can’t make the event, register anyway and you will receive the webinar to watch on-demand at any time.

Register for the Webinar Today

Tom Watson Appointed as New TitanHQ Channel Chief

TitanHQ has recruited the popular channel veteran Tom Watson, who will serve as the company’s new Channel Chief to help bring profitable growth to all TitanHQ Managed Service Provider (MSP) partners.

TitanHQ is committed to serving the MSP community and channel and offers a wide range of cybersecurity solutions that have been developed from the ground up to meet the needs of MSPs. The TitanHQ product portfolio now includes best-in-class email security, DNS filtering, email archiving, email encryption, and security awareness training and phishing simulation solutions, that are easy to implement, manage, and fit seamlessly into MSP’s service stacks. The solutions are delivered through an MSP-centric platform to allow MSPs to provide defense-in-depth security solutions to their SMB and enterprise clients.

Demand from MSPs in North America for TitanHQ solutions has prompted a major expansion of US operations. TitanHQ is well aware that such tremendous growth must be supported by locally sourced experienced advisors such as Tom Watson. Tom brings considerable experience to TitanHQ, having previously owned an MSP business and served as Channel Chief at top-level vendors such as NinjaOne and Axcient. Tom will be based at TitanHQ’s new North American base in Shelton, Connecticut, where he will be working alongside locally sourced talent such as TitanHQ VP of Sales, Jeff Benedetti, and his North American team.

Tom has been tasked with managing TitanHQ’s MSP tradeshows, roadshows, and webinars, and will oversee the creation of a brand-new MSP partner program. “I see my role as being more of a liaison than anything,” said Tom, regarding his new position at TitanHQ. “TitanHQ already has a fantastic offering. You’ll be hearing me talk about that in the future. For now, I think it’s more important to highlight the commitments TitanHQ has made to the channel. This is a company that is 100% dedicated to making sure they serve the MSP community.”

Tom went on to explain the reason why he chose to join the TitanHQ team. “I’ve wanted to work for a rising cybersecurity company for quite a while now. Here I know I can use my skills and understanding of MSP operations, sales, and marketing to help MSPs succeed. Working together with TitanHQ we can give MSPs everything they need to provide quality cyber services to their clients.”

Everyone at TitanHQ is excited about Tom joining the company and the role he will play in ensuring TitanHQ remains the leading provider of cloud-based cybersecurity solutions to MSPs serving the SMB market by supporting growth in the North American market.

“As we continue to further expand into the North American market, introducing industry experts like Tom to our team is vital to allow us to continue to partner with MSPs looking for best in class cybersecurity solutions,” said TitanHQ CEO, Ronan Kavanagh. “We are thrilled to welcome Tom to the team, his wealth of experience working with the MSP sector will serve us well as we continue on our growth journey.”

New ‘Eternity Project’ Malware-as-a-Service Operation Offers Extensive Attack Capabilities

A new malware-as-a-service operation has been identified named Eternity Project which is offering a modular malware with extensive capabilities, allowing threat actors to conduct a range of malicious activities based on the modules they pay for. The capabilities of the malware are being enhanced to include further modules. Currently, the threat group is offering an information stealer, clipper, miner, dropper, worm, and ransomware, with distributed-denial-of-service (DDoS) bots to be provided in an upcoming module.

The threat actors claim the stealer module will allow users to obtain passwords stored in multiple browsers, data from email clients, instant messaging services, password managers, VPN clients, gaming software, system credentials, cryptocurrency wallets, and more. The miner allows victim devices to become cryptocurrency mining slaves, the clipper allows data to be stolen from the clipboard, which specifically targets cryptocurrency wallets and replaces them with the threat actors’ crypto-wallet addresses, with the ransomware allowing data encryption, although no data exfiltration. The worm module allows the user to infect other devices on the network, with the dropper used to drop the payload of choice onto infected devices. The Eternity Project malware was analyzed by researchers at Cyble, who report that the malware is being offered via a Telegram channel which, at the time of publication, had over 500 subscribers, as well as on the threat group’s TOR website.

Malware-as-a-service operations such as the Eternity Project give unskilled hackers the capability to conduct a range of attacks that they would otherwise not be able to perform. According to Cyble, the malware modules are being offered from as little as $90 up to $490 for the most expensive module – ransomware. Those costs could easily be recovered from the capabilities provided. The methods used to distribute Eternity malware will depend on the capabilities of the threat actors that pay for the modules. Since multiple methods of distribution could be used, defending against Eternity malware and other malware-as-a-service offerings requires a defense-in-depth approach and for security best practices to be followed.

Email Security

Phishing remains the number one vector for delivering malware. Campaigns are easy and cheap to conduct, and phishing campaigns can be very effective. Email security solutions are fed threat intelligence and have anti-virus components, but many solutions rely on signature-based detection and are only effective at detecting known malware. Behavior-based detection methods are needed for detecting heavily obfuscated malware and zero-day threats. SpamTitan combines signature-based threat detection using dual AV engines and a Bitdefender-powered sandbox for identifying zero-day malware threats and allows the blocking of specified attachments such as zip files and executable files. SpamTitan protects against malicious links in emails and scans all inbound emails in real-time, using advanced threat protection methods such as Bayesian analysis, machine learning, greylisting, and heuristics which provide a market-leading 99.99% spam catch rate with a 0.003% false-positive rate

DNS Filtering

Defense-in-depth against phishing is critical for blocking malware threats. Protection can be significantly improved using DNS filtering. DNS filtering is used to block the web-based component of phishing attacks by providing time-of-click protection to prevent users from visiting malicious web pages linked in phishing emails. DNS filtering is used to filter out malicious websites by preventing users from visiting those sites when web browsing, blocking redirects to malicious sites, and category and keyword-based filters to control the content that users can access, preventing access to risky websites. DNS filters can also be used to block downloads of certain file types from the Internet, such as those associated with malware.

The WebTitan DNS Filter provides these capabilities without latency, and protections can be applied for users on or off the network, no matter where they access the Internet. WebTitan is fed threat intelligence from more than 500 million endpoints worldwide and provides AI-based protection against active and emerging phishing URLs and zero-minute threats.

Security Awareness Training & Phishing Simulations

Technical measures to block email and web-based threats are essential, but it is also important to provide security awareness training to the workforce on security best practices and to teach employees how to recognize and avoid threats such as phishing. Security awareness training should be provided regularly, and phishing simulations conducted to identify gaps in knowledge to allow them to be addressed before they can be exploited.

SafeTitan is the only behavior-driven security awareness solution that delivers security awareness training in real-time in response to specific user behaviors and includes an extensive library of training content that is delivered in easy-to-digest chunks for creating a human firewall to augment your technical cybersecurity measures.

Enforce Multifactor Authentication

Multifactor authentication should be implemented on all accounts and services to prevent compromised, stolen, or leaked credentials from being used to gain access to accounts. It is especially important to apply multifactor authentication to administrator accounts and for remote access services. Multifactor authentication requires an additional factor to be provided before access is granted, in addition to a password.

Backup Regularly

To protect against destructive malware attacks involving wipers and ransomware, it is essential to back up data regularly and to test backups to ensure that file recovery is possible. A good approach to take is the 3-2-1 method for backing up – make three copies, stored on at least two different media, and ensure that one copy is stored securely off-site. Backup files should also be encrypted.

Patch Promptly

You should ensure that updates for software and operating systems are applied promptly, with patching prioritized to address the most critical vulnerabilities first.

Change Default Credentials and Set Strong Passwords

Default credentials should be changed, as should the default configurations of off-the-shelf software and strong, unique passwords should be set to protect against brute force attacks. Threat actors can easily gain initial access to the network through brute force attempts to steal passwords, such as password spraying – using passwords compromised in previous data breaches.

How Phishing Emails Led to The Theft of $23.5 Million from the U.S. Department of Defense

Phishing is commonly used to gain access to credentials to hijack email accounts for use in business email compromise (BEC) attacks. Once credentials have been obtained, the email account can be used to send phishing emails internally, with a view to obtaining the credentials of the main target. Alternatively, by spear phishing the target account, those steps can be eliminated.

If the credentials are obtained for the CEO or CFO, emails can be crafted and sent to individuals responsible for wire transfers, requesting payments be made to an attacker-controlled account. A common alternative is to target vendors, in an attack referred to as vendor email compromise (VEC). Once access is gained to a vendor’s account, the information contained in the email accounts provides detailed information on customers that can be targeted.

When a payment is due to be made, the vendor’s email account is used to request a change to the account for the upcoming payment. When the payment is made to the attacker-controlled account, it usually takes a few days before the non-payment is identified by the vendor, by which time it may be too late to recover the fraudulently transferred funds. While BEC and VEC attacks are nowhere near as common as phishing attacks, they are the leading cause of losses to cybercrime due to the large amounts of money obtained through fraudulent wire transfers. One attack in 2018 resulted in the theft of $23.5 million dollars from the U.S. Department of Defense.

In this case, two individuals involved in the scam were identified, including a Californian man who has just pleaded guilty to six counts related to the attack. He now faces up to 107 years in jail for the scam, although these scams are commonly conducted by threat actors in overseas countries, and the perpetrators often escape justice. The scam was conducted like many others. The BEC gang targeted DoD vendors between June 2018 and September 2018 and used phishing emails to obtain credentials for email accounts. An employee at a DoD vendor that had a contract to supply Aviation JA1 Turbine fuel to troops in southeast Asia for the DoD received an email that spoofed the U.S. government and included a hyperlink to a malicious website that had been created to support the scam.

The website used for the scam had the domain, which mimicked the official website, and email accounts were set up on that domain to closely resemble official email accounts. The phishing emails directed the employee to a cloned version of the government website,, which harvested the employee’s credentials. The credentials allowed the scammer to change bank account information in the SAM (System for Award Management) database to the account credentials of the shell company set up for the scam. When the payment of $23,453,350 for the jet fuel was made, it went to the scammers rather than the vendor.

Security systems were in place to identify fraudulent changes to bank account information, but despite those measures, the payment was made. The SAM database is scanned every 24 hours and any bank account changes are flagged and checked. The scammers learned of this and made calls to the Defense Logistics Agency and provided a reason why the change was made and succeeded in getting the change manually approved, although flags were still raised as the payment was made to a company that was not an official government contractor. That allowed the transfer to be reverted. Many similar scams are not detected in time and the recovery of funds is not possible. By the time the scam is identified, the scammers’ account has been emptied or closed.

The key to preventing BEC and VEC attacks is to deal with the issue at its source to prevent phishing emails from reaching inboxes and teach employees how to identify and avoid phishing scams. TitanHQ can help in both areas through SpamTitan Email Security and the SafeTitan security awareness training and phishing simulation platform. Businesses should also implement multifactor authentication to stop stolen credentials from being used to access accounts.

Tips for Effective Security Awareness Training

Providing security awareness training to the workforce is necessary for compliance and is often a requirement for getting cybersecurity insurance, but the real purpose of security awareness training is to reduce risk and avoid costly cyberattacks and data breaches.

To get the full benefits you need an effective security awareness training program, where susceptibility to phishing attacks is reduced and your resilience to cyberattacks targeting employees is significantly improved. To help you, we offer some top tips for creating an effective security awareness training program.

Security Awareness Training Must be a Continuous Process

Security awareness training should not be seen as a checkbox item for compliance. To be effective, training needs to be an ongoing process, where the training is reinforced over time. That if unlikely to happen with a once-a-year training session. Another reason for providing ongoing training is cyber threat actors are constantly changing their tactics and regularly come up with new scams. It would be unreasonable to expect employees to be able to recognize these new threats if they have not been covered in training sessions. Through regular training, provided in bite-sized chunks, you can make your employees are made aware of the latest threats which will help them to recognize them when they are encountered.

Make Sure Your Training Content is Interesting

Different employees will respond to different training methods. A classroom-based training session may be good for some employees, but others will respond better to computer-based training, infographics, videos, and quizzes. Keep your training varied to make sure it appeals to a wide audience and try to make the training interesting and engaging to improve knowledge retention, such as using storytelling to trigger emotions and the imagination, and don’t be afraid to use humor. Cybersecurity can be a pretty dry topic for many people and if they can enjoy it, they are more likely to retain the information and apply the training on a day-to-day basis.

Get Buy-in from the C-Suite

If you want to create a security culture in your organization, you will need to get buy in from the C-suite.  Any change in culture in an organization needs to start at the top. The C-Suite must be made aware of the importance of security awareness training and cybersecurity, and using data is usually the best approach. Using a security awareness training company that can provide data on the effectiveness of training at reducing risk will help. You will be able to prove the return on investment you are likely to achieve.

Conduct Phishing Simulations After Providing Training

Providing security awareness training is only one step toward developing a security culture and reducing risk. You also need to conduct tests to determine whether your training is being applied on a day-to-day basis, and the best way to test that is with phishing simulations. Conduct realistic simulations to determine whether the training has been effective. If employees fail simulations, provide extra training.

Do Not Punish Employees for Failing Phishing Simulations

Many companies operate a three strikes and you’re out policy for failing phishing simulations or penalize employees in other ways for falling for phishing emails. Around 40% of organizations take disciplinary action against employees for cybersecurity errors such as phishing simulation failures. Punishing employees for failing to identify phishing simulations often does not have the desired effect.

If you want to encourage employees to be more security-aware and create a security culture, creating a culture of fear is unlikely to help. This approach is likely to cause stress and anxiety, which can lead to the creation of a hostile working environment, and that does not help employees become more security aware. Further, when mistakes are made, employees will be much less likely to report their mistakes to the security team out of fear of negative consequences.

Conduct Real-Time Security Awareness Training

Training is likely to be most effective immediately after employees have made a mistake. By using a security awareness training solution such as SafeTitan, the only behavior-driven security training solution that delivers contextual training in real-time, you can deliver relevant training immediately and explain how a mistake was made and how similar errors can be avoided in the future. For instance, if an employee is discovered to be downloading free software from the Internet, an immediate alert can be delivered explaining why it is not allowed and the risks of installing software without approval from the IT department. If a phishing simulation is failed, employees can be alerted immediately, and it can be turned into a relevant training session.

Benchmark to Learn the Effectiveness of Security Awareness Training

Businesses conduct security awareness training to reduce susceptibility to phishing attacks and other cyber threats, but to gauge the effectiveness of the training there must be a benchmark to measure against. Conducting phishing simulations prior to providing training will allow you to measure how effective the training has been. You can use pre-training simulations to determine how many employees are falling for scams and the percentage of simulated phishing emails that are being reported. You can then reassess after providing training and can determine exactly how effective the training has been.

Security Awareness Training and Phishing Simulations are Not Enough

Providing regular security awareness training and conducting phishing simulations are important for improving resilience to cyber threats and will allow you to prove training has been provided for compliance or insurance purposes, but you also need to make sure that training has been absorbed by employees. Don’t just provide training – use quizzes to assess whether the training has been absorbed. You should also analyze the results of phishing simulations to identify any knowledge gaps that need to be addressed with future training courses. If employees are still falling for a certain type of scam, it could be your training that is the issue.

For more information about security awareness training, conducting phishing simulations, and to discover the benefits of real-time security awareness training, contact TitanHQ today for more information about SafeTitan. You can also take advantage of a free trial of the solution before deciding on a purchase.


Have You Created a Human Firewall?

It is important for security to implement an advanced spam filtering solution to block email threats such as phishing and malware, but security awareness training for the workforce is still necessary. The reason why phishing attacks are successful is that they target a weak point: employees. Humans make mistakes and are one of the biggest vulnerabilities as far as security is concerned. All it takes is for one phishing email to sneak through your defenses and land in an inbox and for the recipient to click a link in the email or open a malicious attachment for a threat actor to get the foothold they need in your network.

The easiest way to target employees is with phishing emails. The majority of phishing emails will be blocked by your spam filter, but some emails will be delivered. It doesn’t matter how advanced and effective your spam filter is, it will not block every single phishing email without also blocking an unacceptable number of genuine emails.

Phishing emails are used to achieve one of three aims: To trick individuals into disclosing credentials, to trick them into emailing sensitive data, or to trick them into installing malware. There are many tactics, techniques, and procedures (TTPs) employed in phishing attacks to make the emails realistic, convincing, and to get employees to act quickly. The emails may closely match standard business emails related to deliveries, job applications, invoices, or requests for collaboration. Spoofing is used to make the messages appear to have come from a trusted sender. Emails can spoof brands and often include the correct corporate logos, formats, and color schemes. While phishing emails include red flags that indicate all is not what it seems, busy employees may not notice those flags. Further, sophisticated, targeted phishing attacks contain very few red flags and are very difficult to identify. Even system administrators can be fooled by these attacks.

Businesses cannot expect every employee to be an expert at identifying phishing emails and other email threats, nor should they assume that employees have a good understanding of security practices that need to be employed. The only way to ensure employees know about security practices and how to recognize a phishing email is to provide security awareness training.

Security Awareness Training Improves Resilience to Phishing Attacks

The purpose of security awareness training is to make the workforce aware of the threats they are likely to encounter and to provide them with the tools they need to recognize and avoid those threats. Security awareness training is not a checkbox item that needs to be completed for compliance, it is one of the most important steps to take to improve your organization’s security posture and it needs to be an ongoing process. You could provide a classroom-based training session or computer-based training session once a year, but the TTPs of cyber threat actors are constantly changing, so that is not going to be sufficient. More frequent training, coupled with security reminders, newsletters, and updates on the latest threats to be wary of will ensure that security is always fresh in the mind, and it will help you to develop a security culture in your organization.

One of the most effective strategies is to augment training with phishing simulations. Phishing simulations involve sending fake but realistic phishing emails to employees to see how they respond. If you do not conduct these tests, you will not know if your training has been effective. The simulations will identify employees that require further training and the simulations will give employees practice at recognizing malicious emails. Reports from these simulations allow security teams to assess how resilient they are to phishing attacks and other email threats and will allow them to take action and focus their efforts to make immediate improvements.

SafeTitan Security Awareness Training & Phishing Simulations

TitanHQ can now help businesses create a human firewall through SafeTitan Security Awareness Training. SafeTitan is the only behavior-driven security awareness platform that delivers training in real-time and will greatly improve resilience to social engineering and advanced phishing attacks.

If you want to improve your resilience to cyberattacks, prevent more data breaches, and avoid the costs and reputation damage caused by those incidents, you need to be training your workforce and running phishing simulations. Get in touch with TitanHQ today for more information and get started creating your human firewall.

New TTPs Help Emotet Regain its Place as the Top Malware Threat

It took 10 months for the operators of the Emotet botnet to return after their botnet infrastructure was shut down in an international law enforcement operation, and then just a further 3 months for Emotet malware to regain its position as the most widely deployed malware.

According to Check Point, in March 2022, Emotet reestablished itself as the most widely distributed malware. Emotet has emerged like a phoenix from the flames, and infections have been soaring, with March seeing an astonishing increase in infections. Check Point says as many as 10% of all organizations globally were infected with Emotet in March, which is twice the number of infections the firm recorded in February.

Emotet first appeared in 2014 and was initially a banking Trojan; however, the malware has evolved considerably. Like many other banking Trojans, modules have been added to give the malware new functionality and today the malware is operated under the malware-as-a-service model, with access to Emotet-infected devices sold to other cybercriminal operations, which in the past has included the TrickBot operators and ransomware gangs.

In November 2021, 10 months after the botnet’s infrastructure was taken down, security researchers started reporting the resurrection of Emotet. The TrickBot operators helped to rebuild the Emotet botnet by using their malware to download Emotet as a secondary payload, and in the past couple of months, massive spamming campaigns have been launched to distribute Emotet which have proven to be highly successful. Emotet is also a self-propagating malware and the emails used to distribute it are convincing. One of the Emotet spam email campaigns being tracked by Kaspersky has been scaled up considerably, increasing 10-fold in just one month. That campaign is being used to distribute Emotet and the linked malware QBot. In February, Kaspersky intercepted 3,000 emails. In March, 30,000 emails were intercepted.

Like previous campaigns distributing Emotet, business email threads are hijacked and replies are sent to those messages that contain malicious hyperlinks or attachments. Since the messages come from trusted senders and appear to be responses to genuine messages, the chance of them attracting a click is high. This campaign highlights the importance of having an email security solution than conducts scans of outbound as well as inbound mail. Security Awareness training is also important to condition the workforce to constantly be on the lookout for potential threats, even when emails appear to have been sent internally from corporate accounts or other trusted senders.

Some of the spam email campaigns have revealed new tactics, techniques, and procedures (TTPs) are being tested to distribute the malware. This April, Microsoft started blocking macros in Office files downloaded from the Internet by default. This is a problem for threat actors that have previously relied on macros in Excel spreadsheets and Word documents to download their malware, so it is no surprise to see the Emotet operators changing their tactics to get around this.

One campaign has been identified that uses XLL files – a type of dynamic link library (DLL) file – rather than Excel and Word files. XLL files increase the functionality of Excel, and using these files gets around the problem of VBA macros being blocked. Emotet is known for large spamming campaigns; however, this campaign was conducted on a small scale, possibly to test its effectiveness. Should the campaign prove successful, it will likely be scaled up. In this campaign, the emails are linked to OneDrive, and if the link in the email is clicked, the XLL file is downloaded in a password-protected .zip file. The password to unlock the .zip file is provided in the message body.

Emotet is also being distributed via Windows shortcut files (.LNK). The Emotet operators have used this tactic in the past in combination with VBS code; however, this campaign does away with the VBS code, and instead, the .LNK files are used to directly execute PowerShell commands that download the Emotet payload.

Is likely that the operators will switch to new variants that have lower detection rates by AV engines, as has been done many times in the past, which is why it is important to have an email security solution that is not reliant on signature-based detection mechanisms. Behavioral analysis is vital for detecting these new variants. An email security solution with email sandboxing will help to protect against new malware variants that have not had their Signatures uploaded into AV engines.

TitanHQ Collects Five Expert Insights Spring 2022 Best-Of Awards

This month, TitanHQ has collected five prestigious awards for its cloud-based security solutions from Expert Insights. Expert Insights is an online publication with editorial and technical teams in the UK and US, that provide insights into cybersecurity and cloud-based technologies to help businesses make the right purchasing decisions.

Hundreds of B2B solutions are covered on the website, along with editorial buyers’ guides, blog articles, and industry analyses, with interviews and technical product reviews written by industry experts. More than 80,000 business owners, IT admins, and users visit the website every month to research products ahead of making a purchase.

Expert Insights issues ‘Best-Of’ awards to recognize companies that have developed products that provide essential services to businesses, help drive business growth, improve efficiency, and secure their IT environments against an ever-increasing range of cyber threats. The Expert Insights’ Spring 2022 Best-Of awards are issued across a range of categories, including cloud software, security, and storage, with up to 11 vendors chosen in each category. Vendors and their products are selected based on extensive research into the solutions by industry experts, and from feedback from genuine business users of the solutions. “These awards recognize the continued excellence of the providers in these categories,” said Joel Witts, Expert Insights’ Content Director.

TitanHQ collected awards for SpamTitan Email Protection, WebTitan DNS Filter, ArcTitan Email Archiving, and SafeTitan Security Awareness Training, with each product being awarded Best-in-Class in their respective categories.

SpamTitan was named as the Best Email Security Gateway and was ranked the number 1 solution. WebTitan ranked best in the Web Security Solution category, ArcTitan was ranked number 1 in the Email Archiving Solution for Business category, and SafeTitan collected two best-of awards, one in the Security Awareness Training Category and another in the Phishing Simulation category.

“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said TitanHQ CEO Ronan Kavanagh. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure, and reliable experience to their customers.”

LinkedIn is Now the Most Impersonated Brand in Phishing Attacks

LinkedIn has jumped to the top of the list of the most impersonated brands in phishing attacks, now accounting for 52% of all phishing attacks involving brand impersonation – a 550% increase from the 8% in the previous quarter, according to Check Point.

LinkedIn phishing scams take various forms, although one of the most common is a fake request from an individual to connect on the platform. The phishing emails include the official LinkedIn logo and are indistinguishable from the genuine LinkedIn communications that they spoof. If the user clicks on the Accept button, they are directed to a phishing webpage that is a carbon copy of the genuine LinkedIn page aside from the domain.

The increase in LinkedIn phishing attacks is part of a trend in attacks targeting social media credentials. While these credentials do not provide an immediate financial return, social media account credentials are valuable to cybercriminals as they allow them to conduct highly effective spear phishing attacks. If a corporate social media account is compromised, trust in the company can be abused to distribute malware and links can be added to direct followers to malicious websites.

Failed delivery and shipping notifications are still a common theme in phishing emails targeting businesses and consumers. Around 22% of phishing attacks in Q1, 2022 involved the impersonation of shipping and delivery companies. The package delivery firm DHL is the second most spoofed brand accounting for 14% of brand impersonation attacks. Many of these shipping and delivery phishing emails are conducted to distribute malware, usually through the downloading of fake documents that include malicious code that installs malware such as remote access Trojans.

Phishing is the number one threat faced by businesses. Most successful cyberattacks start with a phishing email, with stolen credentials or malware providing cybercriminals with the foothold they need in a corporate network to launch an extensive attack. Phishing attacks are cheap and easy to conduct and they target employees, who can easily be fooled into installing malware or disclosing their credentials.

This month, a healthcare data breach was reported by Christie Clinic in the United States that involved a hacker gaining access to a single email account. That account was used in a business email compromise attack to divert a large vendor payment. Business email compromise attacks are the main cause of losses to cybercrime according to the Federal Bureau of Investigation. In this breach, the compromised email account contained the personal data of more than half a million patients. Cyberattacks such as this only require one employee to respond to a phishing email for a costly data breach to occur.

Also this month, a new malware distribution campaign has been identified that attempts to install the Meta information stealer, which is capable of stealing passwords stored in browsers and cryptocurrency wallets. The malware is delivered via phishing emails with Excel spreadsheet attachments, which include malicious macros that download and install malware via HTTPS from GitHub. In this campaign, the lure used to trick recipients into opening the file claims to be a notification about an approved transfer of funds to Home Depot, the details of which are detailed in the attached spreadsheet. In order to view the contents of the spreadsheet, the user is told they must enable content to remove DocuSign protection. Enabling content allows the macros to run.

An advanced spam filtering solution such as SpamTitan will help to ensure that inboxes are kept free of phishing emails and any emails containing malicious scripts or attachments are not delivered. SpamTitan includes dual antivirus engines to ensure malware is identified and sandboxing to catch malware variants that bypass signature-based detection mechanisms.

While a spam filter used to be sufficient for blocking phishing emails, the sophisticated nature of phishing attacks today and the sheer volume of phishing emails being sent, mean some phishing emails will inevitably arrive in inboxes. For this reason it is also important to provide regular security awareness training to the workforce. TitanHQ can help in this regard through SafeTitan security awareness training and phishing simulations. SafeTitan is the only behavior-driven security awareness solution that delivers security awareness training in real-time. The solution is proven to significantly improve resilience to phishing attacks.

Scary Browser-in-the-Browser Phishing Attack Steals Credentials Using Realistic SSO Popups

Phishing remains the top cybersecurity threat to businesses. Phishing scams can be realistic and difficult for people to identify for the scams that they are. The sender field is often spoofed to make it appear that the emails have been sent by known individuals or trusted companies, the body of the messages often contains well-known branding, and templates are used for messages that are carbon copies of the genuine emails they impersonate.

The emails may contain malicious attachments if the aim is to install malware, and malicious hyperlinks if credential harvesting is the goal. The hyperlinks direct users to a website where they are asked to enter their credentials – a web page that is difficult to distinguish from the genuine web page being spoofed. As if those messages were not convincing enough, there is now a new Chrome phishing toolkit that makes credential theft even easier.

Most Internet users will be familiar with websites that use Single Sign-on popups to authenticate users. Rather than requiring website users to register an account, they can authenticate using an existing Google, Apple, or Facebook account. This way of logging in is popular, as users do not need to create and remember another set of login credentials. There is, however, a problem with this approach, and that is that single sign-on popups are easy to spoof in Chrome.

As previously mentioned, phishing scams can be convincing, but there are often red flags and the biggest flag is the URL of the website used for phishing. If you are expecting to sign in to Facebook for example, and you are directed to what is clearly not a Facebook-owned domain, the phishing scam can be easily identified.

The latest toolkit does not produce this red flag. The single sign-on popup generated on the webpage looks exactly the same as the genuine popup being spoofed, including the URL. If an individual is directed to one of these fake phishing forms, it is highly unlikely that they would be able to identify it as malicious and their credentials will be stolen.

A phishing email could be sent advising the recipient that a file has been shared with them, inviting them to log in to Dropbox for instance. The link is clicked, and the user will be directed to the website and will be presented with the login box which includes the address bar with the URL of the login form. For example, if you attempt to log in with your Google account, the URL will start with The phishing toolkit uses pre-made templates that are fake, but incredibly realistic. These Chrome popup windows allow a custom address URL and title to be displayed.

This toolkit was created by the security researcher dr. d0x, who made them available on GitHub. They allow any would-be hacker to quickly and easily create a highly convincing SSO pop-up window, which could be added to any website and be used for a browser-in-the-browser phishing attack. This attack method is nothing new, as fake SSO pop-up windows have been created in the past, but previous attempts have not been particularly convincing, as they do not exactly replicate the genuine pop-ups. The popups have previously been used on fake gaming websites to harvest credentials from the unwary. This kit is different as it is so convincing, and could easily be used to steal credentials and even 2FA codes.

Critical Infrastructure Organizations Targeted by Ransomware Gangs

2019 was a particularly bad year for ransomware attacks, and while there was a reduction in the use of ransomware in 2020, attacks increased sharply in 2021, with the education sector and government organizations the most attacked sectors, although no industry sector is immune to attacks.

There is growing concern about the increase in attacks on critical infrastructure organizations, which are an attractive target for ransomware gangs. According to the data from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), 14 of the 16 critical infrastructure sectors in the United States reported ransomware attacks in 2021, including the defense industrial base, emergency services, healthcare, food and agriculture, information technology, and government facilities. Cybersecurity agencies in the United Kingdom and Australia have also said critical infrastructure has been targeted.

Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks

This week, a warning has been issued by the Federal Bureau of Investigation (FBI), the U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN) about ransomware attacks using AvosLocker ransomware.

AvosLocker was first identified as a threat in late June 2021 and despite being a relatively new threat, poses a significant risk. Attacks using the ransomware increased in the latter half of 2021, with spikes in attacks occurring in November and December. Variants of AvosLocker ransomware have now been developed to attack Linux as well as Windows systems.

As is now common, the attackers engage in double extortion and demand payment for the keys to decrypt files and to prevent the release of stolen data. The gang operates a data leak site where a sample of stolen data is uploaded and made accessible to the public. The gang says it then sells the stolen data to cybercriminals if payment is not made. AvosLocker is one of a handful of ransomware operations that also makes contact with victims by phone to encourage them to pay the ransom. The gang is known to issue threats of Distributed Denial of Service (DDoS) to further pressure victims into paying the ransom.

AvosLocker is a ransomware-as-a-service operation where affiliates are recruited to conduct attacks for a percentage of any ransom payments they generate. Consequently, the attack vectors used in attacks depend on the skillsets of the affiliates. Common vulnerabilities are known to be exploited to gain initial access to networks, including vulnerabilities associated with Proxy Shell and unpatched vulnerabilities in on-premises Microsoft Exchange Servers. However, over the past year, spam email campaigns have been a primary attack vector.

Email Filtering Vital for Defending Against Ransomware Attacks

Spam email is a common attack vector used by ransomware gangs. Spam email campaigns are effective and provide low-cost access to victim networks. Phishing and spam campaigns either use malicious attachments or embedded hyperlinks in emails, along with social engineering techniques to convince end users to open the attachments or click the links.

The primary defense against these attacks is email filters. Email filters scan all inbound emails and attachments and prevent malicious messages from being delivered to inboxes. Since cyber actors are constantly changing their lures, social engineering methods, and strategies to bypass email security solutions, it is vital to have an email security solution in place that can respond to changing tactics.

Email security solutions that use artificial intelligence and machine learning to identify and block threats outperform solutions that rely on antivirus engines and blacklists of known malicious IP addresses. SpamTitan incorporates artificial intelligence in addition to blacklists, dual antivirus engines, and sandboxing to identify malicious emails, and has comprehensive threat intelligence feeds to identify new threats rapidly. SpamTitan also provides time-of-click protection against malicious hyperlinks in emails to ensure users are well protected against phishing, malware, ransomware, and other email threats.

Don’t Neglect Security Awareness Training for the Workforce

It is also important to provide security awareness training to all members of the workforce from the CEO down. The FBI and the U.S. Treasury Department recommended in the latest alert to “Focus on cyber security awareness and training,” and “Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).” TitanHQ can help in this regard with SafeTitan – “The only behavior-driven security awareness solution that delivers security training in real-time.”

For more information on improving your defenses against ransomware and other cyber threats, give the TitanHQ team a call to inquire about email filtering, web filtering, and security awareness training for your workforce.

TitanHQ Recruits 12 New High Profile Staff Members in Response to Blistering U.S. Growth

Less than two months after hiring channel chief Jeff Benedetti, TitanHQ has announced 12 further strategic new hires who will form a new North American team to service the US and Canadian Managed Service Provider (MSP) market.

The new team members have extensive channel experience, having previously held positions at the likes of Datto, Skout Cybersecurity, Agile Blue, and Barracuda and are based in TitanHQ’s new North American base in Shelton, Connecticut, headed up by Channel Chief Benedetti.

The new team includes Eric Morano, who has been appointed Director of Channel Development. Eric has 15 years of sales leadership and GTM experience at Datto, Skout Cybersecurity (BarracudaMSP), AgileBlue XDR, CDW, and Verizon. Moreno will be responsible for optimizing TitanHQ’s partner engagement and growth.

New Channel Account Managers include Craig Somma, who has 25 years of technology sales GTM leadership that was gained at Tech Dept, Micro Warehouse, and Gov Connection, Joseph Rende who has 10+ years of channel sales experience at Gartner and Datto, Pat DeAngelis who has 10+ years of MSP technology experience at Datto, Threatlocker and Armor Cybersecurity, and Jeff Brown has 10+ years of sales experience at Datto, SKOUT Cybersecurity, Agile Blue. New Account Executives include Alex De Los Santos, who has 8 years of sales experience at Datto and ADP, Alex Nankervis, who has 8 years of sales experience at Datto and Indeed, Kyle Leyerzapf, who has 5 years of sales experience at Datto, Patrick Barry who has 6 years of sales and accounts experience with Accu-Tech Corporation and Maxim Healthcare, and Jamal Ibrahim, who has 4 years account management experience with Altium and RCG. Marc Bonnaci has also joined the Sales Development team and has 7 years of sales and professional experience most recently at Agile Blue.

The new TitanHQ North American Team

The past three months have seen significant activity at TitanHQ. In addition to bringing in Benedetti to head the channel team, TitanHQ launched its SpamTitan Plus Anti Phishing solution in December 2021 and announced the acquisition of Cyber Risk Aware in February, and launched SafeTitan Security Awareness Training.

SpamTitan Plus is a cutting-edge, AI-driven anti-phishing solution with more comprehensive “zero-day” threat protection and intelligence than all of the current market leaders, with significant uplifts in phishing link detections and much faster detection speeds. This new addition to the SpamTitan product family has been very well received.

Cyber Risk Aware is a global leader in security awareness training to mitigate human cyber risk, and the platform is used by many companies to train their workforces to improve threat awareness. The platform, which has been re-launched as SafeTitan, is an intuitive, real-time security awareness training platform that improves awareness and human resilience to ransomware, malware, BEC attacks, and phishing. Demand for the new SafeTitan security awareness training and phishing simulation platform has been exceptional, with huge interest coming from MSPs and IT departments globally.

On top of these major launches, TitanHQ recorded record-breaking growth in January and February 2022 and has generated the highest revenue and new MSP partner figures in its 20-year history. More than 2,200 MSPs now use TitanHQ’s best-in-class SaaS Cybersecurity Platform daily, with the numbers continuing to grow at an incredible rate, especially in the United States and Canada, hence the need to open a new U.S. office and bring in a wealth of new talent.

Lapsus Ransomware Gang Ups the Ante with Impresa and NVIDIA Attacks

The Lapsus ransomware gang has arrived on the scene and has already claimed several high-profile targets, with victims including Impresa – the largest media conglomerate in Portugal, Brazil’s Ministry of Health (MoH), the Brazilian telecommunications operator Claro, and most recently, the Santa Clara, CA-based GPU vendor NVIDIA.

The Lapsus ransomware gang – also referred to as Lapsus$ – is a relatively new threat actor and is making a reputation for itself in an already crowded ransomware market. Most ransomware gangs now practice double extortion, where prior to encrypting files they exfiltrate sensitive data and threaten to publish the data if the ransom is not paid. Triple extortion tactics are now becoming common, where threats are also issued to notify shareholders, partners, and customers about attacks. The Lapsus gang has taken things a step further still and is boasting about its attacks and causing major embarrassment for victims.

In January, the Lapsus ransomware gang attacked the Brazilian car rental firm Localiza, which is one of the largest car rental firms in South America. In addition to stealing data and encrypting files, the gang redirected the company’s website to an adult website and publicly announced that the company is now a porn site. The redirection was only in place for a few hours, but it was enough to damage the company’s reputation.

Also in January, Impresa was targeted. Impresa is the owner of SIC and Expresso, the largest TV channel and weekly newspaper in Portugal. The attack targeted Impresa’s online IT servers resulting in company websites being taken offline and the temporary loss of Internet streaming services. The gang defaced the company’s websites by adding their ransom note and claimed they had taken control of Impresa’s Amazon Web Services account. The gang then used the hijacked Expresso Twitter account and sent a tweet stating, “Lapsus$ is officially the new president of Portugal.” The gang also gained access to its newsletter and sent phishing emails to subscribers informing them in the emails that the President of Portugal had been murdered.

On February 25, NVIDIA experienced a cyberattack that saw parts of its IT infrastructure taken offline for a couple of days. NVIDIA announced that it was investigating a security incident, and then the Lapsus gang said it was behind the attack and issued a threat to leak around 1TB of data. The gang published screenshots indicating they had leaked password hashes for NVIDIA employees, source code, and highly sensitive proprietary company information.

There was some good news – the Lapsus gang then experienced its own ‘ransomware’ attack. There have been reports in the media that NVIDIA hacked back and gained access to the attackers’ virtual machine and encrypted its data, although security research Marcus Hutchins offered an alternative view, suggesting this could have been due to the gang installing Nvidia’s corporate agent on their virtual machine and then triggering a data loss prevention policy.

In addition to demanding a ransom, the Lapsus ransomware gang also demanded NVIDIA remove its lite hast rate (LHR) limitations on its GeForce 30 series firmware – which halve the hash rate when it detects the GPUs are being used for mining Ethereum – and also requested NVIDIA commits to completely open source their GPU drivers forever. If the demands are not met, the gang said it will release the complete silicon, graphics, and computer chipset files for its most recent GPUs.

While many ransomware gangs are focused purely on extortion, the Lapsus gang appears to like the limelight and brags about their attacks, which makes attacks by the gang even more serious for victims due to the brand and reputation damage they cause.

The extent of the attack vectors used by the gang is not known, but they appear to have used phishing emails to gain access to some victims’ networks, including the attack on Impresa. Phishing is a popular attack vector in ransomware attacks. Around half of all ransomware attacks start with a phishing email, according to a recent Statista survey. Employees respond to phishing emails and disclose their credentials, which give the attackers the foothold in the network they need for a deeper compromise.

Businesses could be lulled into a false sense of security with the disbanding of major ransomware operations and arrests of key gang members. The REvil ransomware gang may be no more, and DarkSide has been shut down, but other ransomware gangs are more than happy to plug the gap. Lapsus only announced its presence on the scene at the start of the year but is already growing into a major threat.

The best defense against Lapsus ransomware attacks and other cyberattacks is to adopt a defense-in-depth strategy. That should include an advanced spam filtering solution to block email phishing attacks, content filtering to prevent employees from visiting malicious websites, multi-factor authentication on all email accounts and local/cloud apps, ensuring patches and software updates are applied promptly, and providing ongoing security awareness training to the workforce to help employees identify and avoid phishing and social engineering attempts.

TitanHQ can help organizations improve their defenses against the full range of cyberattacks by providing advanced cybersecurity solutions for SMBs, enterprises, and Managed Service Providers, including spam filtering, DNS filtering, email encryption, email archiving, and security awareness training.

LinkedIn Phishing Attacks Soar as Scammers Take Advantage of “The Great Resignation”

Microsoft may be the most impersonated brand in phishing attacks, but the impersonation of LinkedIn is also common and there has been a massive increase in phishing attacks spoofing the professional networking platform in recent weeks.

LinkedIn is an ideal brand to impersonate in phishing attacks and now is the perfect time to be running phishing campaigns due to the Great Resignation. For those unaware of the term, the Great Resignation is a phenomenon where record numbers of employees quit their jobs. The term was coined in May 2021 by Professor Anthony Klotz of Texas A&M University, who predicted that when the pandemic ends there will be a mass exodus of people leaving their jobs.

While there were mass layoffs as a result of the pandemic, many workers who retained their jobs chose not to leave due to the uncertainty of the job market, but now many workers who are not living from paycheck to paycheck are reconsidering their positions. There has certainly been an upward trend in workers voluntarily leaving their jobs since the start of 2021, indicating the great resignation has begun.

LinkedIn is used by job seekers to identify contacts, network, research companies, and find new employment opportunities. A phishing email that spoofs LinkedIn and indicates a potential employer has been reading a user’s profile, shows a message has been sent through the platform, or advises the user about a new job opportunity is likely to be clicked.

LinkedIn phishing campaigns are helped by the regular email communications from LinkedIn advising users of the platform of the number of searches they appeared in, new messages, and alerts about jobs. That means that users of the platform are used to receiving regular communications from the platform, so if a phishing email is received that looks exactly like a LinkedIn communication, there is likely to be less scrutiny of the email that there would be of an email from a platform that rarely communicates with users via email.

The latest LinkedIn phishing campaign uses HTML templates that include the LinkedIn logo and the color scheme used in official LinkedIn communications. The emails also have the same footer as genuine email communications from the platform, including the correct address and unsubscribe option. The display name is spoofed to make it appear as if the emails are official communications; however, closer inspection will reveal the emails have been sent from webmail addresses.

The phishing emails include subject lines such as “Who’s searching for you online”, “You Have 1 New Message,” and “You appeared in 4 searches this week,” exactly mirroring official LinkedIn emails and they also reference well-known companies such as American Express and Tesla to make it appear that the user is being headhunted by a major corporation. The emails have an HTML button to click that will direct the user to a website where LinkedIn credentials are harvested.

LinkedIn phishing campaigns can be highly effective, but as with all phishing scams, there are ways of blocking the attacks. The first is to ensure that an advanced email security solution is deployed to block the phishing emails at the gateway to prevent them from being delivered to inboxes. SpamTitan Plus uses machine learning techniques and predictive analysis to identify suspicious URLs in emails and provides time-of-click protection. If a link is found to be unsafe, a user will be presented with a block page containing additional information and further options.

SpamTitan Plus has 100% coverage of all current market-leading anti-phishing feeds, a 1.5X increase in unique phishing URL detections, and 1.6X faster phishing detections than the current market leaders, with 10 million net new, previously undiscovered phishing URLs added to the solution every single day.

It is also important to provide security awareness training to the workforce to teach employees how to identify phishing emails and to encourage following email security best practices. TitanHQ has created SafeTitan security awareness training to help train the workforce to be security titans. SafeTitan provides behavior-driven security awareness training tailored for the behaviors of individual employees, includes an extensive library of training courses, videos, and quizzes, and provides real-time intervention training combined with simulated phishing attacks. The solution is proven to reduce employee susceptibility to phishing attacks by up to 92%.

For more information on SpamTitan Plus and SafeTitan security awareness training, give the TitanHQ team a call and take the first step toward improving your defenses against phishing attacks.

BEC Scammers Use Virtual Meeting Platforms to Trick Employees into Making Fraudulent Wire Transfers

Business Email Compromise (BEC) is the leading cause of financial losses to cybercrime. The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 19,369 complaints about BEC scams in 2020, resulting in adjusted losses of $1.87 billion. While BEC crime ranked number 10 based on victim count, it topped the list in terms of the losses sustained by victims, with three times as much lost to the scams as the second-biggest loss to cybercrime – Confidence/romance fraud.

Business Email Compromise scams usually start with a phishing attack to gain access to email credentials. The attackers seek the credentials of the CEO, CFO, or another executive, and either target those individuals directly with spear phishing emails or compromise the email accounts of lower-level employees and use their email accounts to send phishing emails to the targeted individuals. Once the right credentials have been obtained, the executive’s email account is used to send messages to individuals responsible for wire transfers to trick them into making substantial wire transfers to attacker-controlled bank accounts. While these scams require planning and research, the time spent setting up the scams is well spent, as BEC attacks are often successful.

While BEC scams are usually conducted via email, BEC scammers are increasingly using virtual meeting platforms such as Microsoft Teams and Zoom in their scams. The scammers have taken advantage of the increase in remote working due to the pandemic and the popularity of virtual meeting platforms for communication and collaboration.

Once the scammers have access to the CEO’s email account, they identify their next target and send a request for a virtual meeting. When the target connects to the meeting, the scammer explains that they are having problems with their audio and video, so the meeting proceeds with the scammer on text chat. Oftentimes they will insert a picture of the CEO for added realism. The scammer then provides a reason for the out-of-band request, then asks the employee to make a wire transfer, either in the meeting or after the meeting via email.

The FBI has recently issued a warning to businesses about the increase in the use of virtual meetings for BEC scams, having observed an increase in the use of these platforms for BEC scams between 2019 and 2021. Scammers are also compromising employee email accounts and are inserting themselves into work meetings to gather information about the day-to-day processes at businesses. Since the scammers use genuine email accounts to connect, and audio/visual problems are relatively common, they are able to gather information and steal funds without being detected. The scammers also use compromised CEO email accounts to send emails to employees claiming they are stuck in a virtual meeting and unable to arrange an important wire transfer and ask an employee to initiate the transfer on their behalf.

There are several steps that businesses can take to improve their defenses against BEC attacks. Defending against these attacks should start with an advanced email security solution to block the phishing attacks that allow scammers to gain access to email accounts. SpamTitan has industry-leading detection of phishing URLs in emails and can prevent employees from visiting the web pages where credentials are harvested.

Security awareness training is important as some malicious emails bypass all spam filters. Employees need to be trained on how to identify scam emails. Security awareness training is concerned with creating a ‘human firewall’ to augment technical defenses and should make employees aware of BEC scams and how to identify scam emails from internal email accounts. TitanHQ has recently launched a new security awareness platform called SafeTitan to help businesses with training. SafeTitan is the only behavior-driven security awareness platform that provides real-time training to deal with threats targeting employees.

It is also recommended to implement policies and procedures that require secondary channels or two-factor authentication to verify requests for any changes to account information or atypical requests for bank transfers.

TitanHQ Completes Acquisition of Cyber Risk Aware

TitanHQ, the leading cybersecurity SaaS business, today announced its acquisition of Cyber Risk Aware. Established in 2016, Cyber Risk Aware is a global leader in security awareness and mitigation of human cyber risk, providing assistance to companies to train the workforce on how to protect the company network.

Cyber Risk Aware delivers real-time cyber security awareness training to staff in response to actual staff network behavior. This intuitive and real-time security awareness training reduces the likelihood users will be impacted by the latest threats such as ransomware, BEC attacks, and data breaches, whilst also enabling organizations to meet compliance obligations. Leading global businesses that trust Cyber Risk Aware include Standard Charter, Glen Dimplex, and Invesco.

The acquisition will further bolster TitanHQ’s already extensive cybersecurity offering. The combination of intelligent security awareness training with phishing simulations and TitanHQ’s advanced email protection and DNS security solutions creates a powerful, multi-layered cybersecurity platform that secures end users from compromise. This is the go-to cybersecurity platform for IT Managed Service Providers and internal IT teams.

“This is a fantastic addition to the TitanHQ team and solution portfolio. It allows us to add a human protection layer to our MSP Security platform, with a fantastic feature-rich solution as demonstrated by the high caliber customers using it. Stephen and his team have built a great company over the years, and we are delighted to have them join the exciting TitanHQ journey.” said TitanHQ CEO Ronan Kavanagh.

The solution is available to both new and existing customers and MSP partners at and has been re-branded as SafeTitan, Security Awareness Training. Cyber Risk Aware existing clients are unaffected and will benefit from improvements in the platform in terms of phishing simulation content and an exciting, innovative product roadmap.

Stephen Burke, CEO of Cyber Risk Aware, commented: “I am incredibly proud that Cyber Risk Aware has been acquired by TitanHQ, cybersecurity business that I have greatly admired for a long time. Today’s announcement is fantastic news for both our clients and partners. We will jointly bring together a platform of innovative security solutions that address the #1 threat vector used by bad actors that cause 99% of security breaches, “End User Compromise”. When I first started Cyber Risk Aware, my aim was to be the global security awareness leader in delivering the right message, to the right user at the right time. Now as part of TitanHQ, I am more excited than ever about the unique value proposition we bring to market”.

For more information on TitanHQ’s new Security Awareness Solution, visit

Phishing Campaign Uses CSV Email Attachments to Deliver BazarBackdoor Malware

If you provide security awareness training to the workforce, you will no doubt have highlighted the risk of opening Microsoft Office email attachments, especially when sent from unknown individuals. Microsoft Office files can include macros, which if allowed to run, can silently deliver malicious payloads. Comma-separated values (CSV) files are often not viewed as malicious, as they are simple text files, but a campaign has been identified by security researcher Chris Campbell that uses CSV files to deliver BazarBackdoor malware.

BazarBackdoor is a fileless malware that is believed to have been created by the threat actors behind the TrickBot banking Trojan. BazarBackdoor is used as the first stage of an attack that provides threat actors with remote access to an infected device, which can be leveraged to conduct more extensive compromises and deliver other malicious payloads. BazarBackdoor is fileless malware, which makes it difficult to detect. It resides in the memory, does not touch the hard drive, and does not leave a footprint.

Throughout the pandemic, BazarBackdoor has been delivered using COVID-19-themed and business-related lures via embedded hyperlinks in emails. The links direct users to a web page where they are tricked into downloading and running an executable file. The landing pages often claim to be web-hosted PDF, Word, or Excel files. When the file is downloaded and executed, it delivers BazarBackdoor malware. The latest campaign is a departure from the typical method of malware delivery and is one that could easily fool users as CSV files are often viewed as benign.

CSV files are often used to transfer data between different applications, such as databases and spreadsheets. A CSV file contains text separated by commas, with each comma denoting a new column and each line denoting a new row. Since a CSV file is a text file, it cannot contain any macros and cannot, by itself, execute any malicious code; however, that does not mean CSV files are entirely benign, as this latest campaign demonstrates.

The issue is not the CSV file itself, but a feature of Microsoft Excel that allows CSV files to be used in a malicious way. Excel supports Dynamic Data Exchange (DDE), which is a message-based protocol for sharing data between applications running under Windows systems. DDE can be used to execute commands that have their output inputted into an open spreadsheet, including CSV files.

The CSV files used in this campaign are like any other, with data separated by commas; however, the file includes a WMIC call that launches a PowerShell command. If the CSV file is opened using Excel – on most devices CSV files are associated with Excel – DDE uses WMIC to create a PowerShell process, which opens a remote URL that uses PowerShell to download a .jpg file, which is saved as a DLL file and executed using rundll32.exe. The DLL file installs BazarLoader, which in turn downloads and executes BazarBackdoor. If the CSV file is opened in Excel, two warnings will be generated, but users may ignore those warnings, and it would appear many have done so.

Since BazarBackdoor and other fileless malware are difficult to detect, the key to protecting against campaigns such as this is to block the threat before the malware can be delivered, which requires a combination of technical measures and end user training.

The lures and techniques used to deliver malware via phishing emails are diverse and new methods are constantly being developed to fool end users and email security solutions. While the use of Office files for delivering malware is common, other files can also be used so it is important to teach employees to be wary of any email file attachment and to never ignore any security warnings. An advanced email security solution is required to identify malicious email attachments, but antivirus engines alone will not block threats such as this. Email security solutions that include sandboxing are important. Suspicious email attachments are opened in the sandbox and are subjected to in-depth analysis. It is also recommended to also use a web filter to block access to malicious websites and control the files that can be downloaded to users’ devices.

If you want to improve your defenses against email- and web-based cyber threats, give the TitanHQ team a call. TitanHQ has developed advanced, effective, and easy-to-use cloud-based cybersecurity solutions for SMBs, enterprises, and managed service providers to protect against all email- and web-delivered threats. You may be surprised to discover how little it costs to implement these solutions and ensure malware and phishing threats never trouble your business.

Jeff Benedetti Joins TitanHQ as New VP of Sales – North America

TitanHQ has appointed channel veteran Jeff Benedetti as the company’s new Vice President of Sales – North America.

Jeff Benedetti – TitanHQ VP of Sales, North America

TitanHQ is the leading web filtering, email filtering, and email archiving Software-as-a-Service (SaaS) business and already has a strong presence in North America, with the North American operations run from TitanHQ’s U.S. base in Tampa, Florida. TitanHQ has been enjoying strong growth in the region and the new appointment will help to ensure the growth continues over the long term.

Jeff Benedetti has nearly two decades of experience in sales and go-to-market leadership in the technology and security markets. Benedetti joins the TitanHQ Go-to-Market leadership team from SKOUT Cybersecurity, where he led the Sales and Marketing teams. The firm was acquired by Barracuda Networks last summer. Prior to the position at SKOUT Cybersecurity, Benedetti served as the Director of US Sales at Datto where he played a key role in improving partner growth and expansion in the U.S. while Datto achieved unicorn status and an acquisition by Vista Private Equity. Benedetti has also held leadership roles at Apple Inc. and Tech Depot.

“End-user compromise is the #1 threat vector for bad actors and causes 99% of security breaches. As the cyber problem compounds, MSPs continue to be a single resource to secure their customers’ users, networks, and infrastructure,” said Benedetti. “The opportunity to enable our partners with a best-in-class security platform and partner program built for growth is massive.”

TitanHQ has been providing security solutions to business and managed service providers (MSPs) for more than 20 years and now provides email security, DNS security, email archiving, and email encryption services to more than 8,500 businesses worldwide. Among TitanHQ’s customers are more than 2,500 MSPs, which use TitanHQ solutions to protect themselves and their clients from malware, ransomware, botnets, viruses, phishing attacks, and other cyber threats.

TitanHQ has developed its solutions to meet the needs of MSPs, with MSP needs factored into the products at the development stage. The company has grown to become the leading provider of cloud-based email and web cybersecurity solutions for MSPs serving the SMB market, and the company is enjoying continued, strong growth. TitanHQ is looking to continue to build long-term growth and as the IT service provider of choice for MSPs.

“We are thrilled Jeff has joined TitanHQ to further expand our already strong growth in the U.S. market. As a well-respected International sales executive within cybersecurity, Jeff is an important addition to TitanHQ. His decades of expertise will be pivotal in driving growth and will benefit partners and customers as TitanHQ continues to innovate and grow,” said TitanHQ CEO Ronan Kavanagh.

Meet the TitanHQ Team at Zero Trust World 2022

This coming February, some of the world’s brightest cybersecurity professionals will be converging at Threatlocker’s Zero Trust World 2022 in Orlando, Florida. Over the course of the two-and-a-half-day event which runs February 21-23, attendees will be treated to live hacking demonstrations, will be able to take part in hands-on exercises in workshops, and there will be training opportunities and certification labs. The event is very much focused on providing valuable insights into how to become an even more successful MSP and IT professional.

This year, attendees will hear from some of the world’s leading cybersecurity professionals who will be discussing the importance of zero trust in today’s cyber threat landscape and other important cybersecurity topics. They will provide expert advice that can be actioned when attendees return to their jobs to better defend against the full range of cyber threats.

This year, TitanHQ is excited to be attending the event and will be exhibiting and showcasing SpamTitan Email Security, WebTitan DNS filtering, ArcTitan email archiving, and EncryptTitan email encryption.

For the past 20 years, TitanHQ has been providing cloud-based security solutions to SMBs and managed service providers serving the SMB market. Today, more than 12,000 businesses rely on TitanHQ’s security solutions, including more than 2,500 MSPs in 150 countries.

If you are attending the event, be sure to visit the TitanHQ stand to find out more about TitanHQ solutions and to discover how they can make your life easier, protect against cyber threats, and improve the profitability of your business.

If you have not yet booked your place at the event, you can register here.

Interpol Operation Targeting Nigerian Cybercrime Gang Sheds Light on Extensive BEC Operation

A recent law enforcement operation led by Interpol has seen 11 members of a Nigerian cybercrime gang arrested for their role in a massive campaign of business email compromise (BEC) attacks. The operation has shed light on how the gangs operate and defraud their victims.

According to the FBI, business email compromise (BEC) is the costliest type of computer fraud. While the number of BEC attacks is relatively low compared to phishing, the attacks result in the largest losses of any type of cybercrime, even ransomware attacks. In 2020, $1.8 billion was lost to BEC scams and $5 billion has been lost to the scams between 2018 and 2020.

BEC attacks often involve the impersonation of a vendor. A vendor email account is compromised, and an email is sent to a customer requesting a change to payment details for an upcoming invoice. The victim is tricked into sending the payment to an attacker-controlled account, and by the time the scam is detected, the money has usually been withdrawn from the account and is unrecoverable. The transfers are often for tens of thousands, hundreds of thousands, or even millions of dollars.

These scams usually start with phishing emails. A spear phishing email is sent to the targeted company with a view to compromising the email account of the CEO, CFO, or another individual high up in the organization. With access to the account, the attacker is able to monitor communications and forward emails of interest to their own account – messages containing payment, invoice, transfer, and those containing payment information. The emails are redirected to the attacker’s account before they can be viewed by the account holder or are hidden in service directories. The attacker can then send their version of a message with altered payment details. In some of the scams, both parties – the victim and a business partner – believe they are communicating with each other, when they are each communicating with the scammer.

Another version of the scam involves the use of a compromised company email account to send messages to employees with responsibilities for making SWIFT transfers asking for payments to be made. Since the emails are sent from the CEO or CFO’s email account and the attackers copy the writing style of the account holder, these requests are often not questioned and the payments are made per the requests.

The Nigerian gang is tracked as Silver Terrier by Palo Alto Networks, which assisted Interpol in the investigation. Around 500 individuals in Nigeria are believed to be involved in the attacks. In this operation, rather than targeting the money mules, the law enforcement operation targeted the individuals involved in the technical infrastructure of the operation such as malware development, phishing attacks, and the domain infrastructure.

One suspect’s computer was found to contain th800,000 usernames and passwords that could potentially be used to hack into corporate email accounts. Another suspect’s computer showed he was monitoring conversations between 16 companies and their clients with a view to diverting legitimate payments as they were about to be made.

Once BEC scammers have access to corporate email accounts, it can be difficult to identify their scam emails. While policies can be introduced that require all requests for bank account changes or changes to the method of payment be verified by telephone, that is often impractical for every single transaction.

The best method of avoiding becoming a victim of these scams is to implement robust email security measures to block the initial phishing emails, ensure strong credentials are set for email accounts, and multi-factor authentication is implemented. The Nigerian gangs are prolific malware developers and use their malware to provide access to victims’ computers to steal credentials. It is essential for antimalware solutions to be deployed on all endpoints, and to have an email security solution with strong antimalware controls.

TitanHQ’s SpamTitan suite of email security solutions provides protection against phishing and malware attacks that are used to obtain credentials to access email accounts. SpamTitan Plus has faster and more comprehensive detection of links in phishing emails than any of the current market-leading email security solutions and the entire suite of products has excellent protection against malware, thanks to dual antivirus engines and sandboxing.

If you want to improve your defenses against phishing, malware, and BEC attacks, give the TitanHQ team a call today.

How to Protect Against Redline Malware and Other Email Malware Threats

Cyberattacks are now being reported at an incredible rate, with many of those attacks having devastating consequences for small- and medium-sized businesses. According to Cybersecurity Ventures, around 60% of small- to medium-sized companies go out of business within 6 months of suffering a data breach. Cyberattacks are becoming much more sophisticated, but oftentimes these incredibly damaging attacks are not conducted by highly skilled hackers. The bar for conducting these attacks can be incredibly low, which means anyone with a modicum of skill can conduct attacks and profit. One of the ways that would-be hackers can start conducting attacks is by taking advantage of the many ransomware-as-a-service and malware-as-a-service offerings on hacking forums and darknet marketplaces. Take Redline malware for example.

Redline malware is a commodity information stealer that is easily obtained on hacking and cybercrime forums. The malware costs between $100-$200, and payment can be made anonymously using cryptocurrencies. At such a low price it is available to virtually anyone, and conducting attacks requires little effort or skill.

The Redline stealer was first identified in March 2020 and soon became one of the most prevalent malware threats with the number of attacks continuing to grow. Redline malware has been used in attacks on a wide range of businesses, with the manufacturing and healthcare sectors two of the most commonly attacked sectors.

Redline malware has been updated several times since it first emerged, with new features added such as the ability to exfiltrate credentials, steal cryptocurrency wallets, FTP authentication data, passwords stored in browsers, and gather information about the infected system. It is also capable of loading remote payloads and uses a SOAP API for C2 communication. One successful attack could see the attacker recover the purchase cost many times over.

Like many other malware variants, the most common method of delivery is email. Emails are broadcast using huge mailing lists, which can also be purchased at a low cost on cybercrime forums.  Alternatively, more targeted campaigns can be conducted on specific businesses, with the emails often having a much higher chance of success due to the personalization of the emails.

The emails usually contain a malicious hyperlink and use social engineering techniques to trick employees into clicking. When the link is clicked, the binary file is downloaded and installed on the user’s device. While antivirus software should identify and block the malware threat, there have been many cases where AV engines have failed to detect the malware.

Redline malware will obtain a list of processes running on an infected device, including the security solutions in place. Attackers can interact with the malware remotely and view information about the infected system, can create and download remote files, silently run commands on an infected machine, and steal highly sensitive information. One of the biggest threats is the ability to steal data from browsers, including passwords stored in the Chrome, Edge, and opera browsers.  Most browsers encrypt stored passwords, but Redline malware can programmatically decrypt the password store in Chromium-based browsers, provided they are logged in as the same user. Redline malware runs as the user that infected the device and can steal that user’s passwords from their password file.

Not everyone stores their passwords in their browser, but there is still a threat. When the browser suggests storing a password and the request is refused, a record is kept about that refusal so a further request will not be suggested next time the user visits that particular website. That record can be stolen from the browser, so the attacker will discover what accounts the user has and can then conduct phishing campaigns to obtain the passwords or use credential stuffing attacks. Much of the data stolen in redline malware attacks can easily be monetized on cybercrime forums.

Malware-as-a-service has opened up cyberattacks to a much broader range of individuals, but ultimately the attacks depend on employees being tricked into clicking links in emails or opening infected email attachments. Blocking those emails is the best approach to blocking the malware threats, which is where SpamTitan is invaluable.

SpamTitan Plus includes 100% of all current market-leading anti-phishing feeds. That translates into a 1.5x increase in phishing URL detections and 1.6x faster phishing detections than the current market leaders. 10 million net new, previously undiscovered phishing URLs are identified every day, and it takes just 5 minutes from a phishing URL being detected to all end users’ inboxes being protected. Time-of-click verification of links in emails involves multiple dynamic checks of redirects and there are dual anti-virus engines and a Bitdefender-powered sandbox to identify any malicious files attached to emails.

If you want to protect against malware and phishing attacks and ensure your company does not suffer an incredibly damaging cyberattack and data breach, give the TitanHQ team a call for more information on SpamTitan.

Join TitanHQ at the Free Channel Pitch Exclusive MSP Livestream Event on January 21, 2022

Managed Service Providers have a great opportunity on January 21, 2022, to discover some of the key products they can incorporate into their service stacks to help grow their business and provide even better value to their clients.

The Channel Pitch Livestream Event is totally free of charge for MSPs, MSSPs, ISPs, VARs, IT solution providers, and consultants and will introduce attendees to products from 7 innovative technology vendors that have been specifically curated for the Chanel Pitch event. The technology vendors have had their solutions adopted by some of the most successful MSPs and are being used to better protect their clients, improve efficiency, and significantly improve their bottom lines.

The event is being hosted by Serial Tech Entrepreneur Kevin Lancaster and Channel Evangelist Matt Solomon, both of whom are highly esteemed MSP industry professionals. They will be introducing 7 emerging technology vendors, each of which will give a 7-minute presentation on a key product for MSPs and other service providers.

TitanHQ is happy to announce that Conor Madden, Director of Sales, will be hosting one of the 7-minute presentations to introduce MSPs to TitanHQ’s award-winning cybersecurity solutions that have been proven to help MSPs significantly improve their profits while also ensuring downstream businesses are well protected from cyber threats.

The LiveStream Event will take place on January 21, 2022, at 4.00 p.m. GMT, 11 a.m. EST, 8 a.m. PST and attendees will be able to see presentations from the following vendors:

  • TitanHQ – Email and Web Security
  • Hook Security – Security Awareness Training
  • Nerdio – Azure
  • Nuvolex – XaaS Management
  • Speartip – SOC
  • Threatlocker – Application Whitelisting
  • Zomentum – Sales Automation

Attendees will be able to engage directly with vendors or provide 100% anonymous feedback.

Register Your FREE Place Here!


Study Sheds Light the Employees Most Likely to Fall for Phishing Scams

Phishing is the attack vector of choice for many cybercriminals. Attacks are easy to perform, they are often successful, and they provide the foothold in business networks that is required for more extensive compromises. The best defense against phishing is to implement a technological solution – a spam filter – to prevent phishing emails from reaching inboxes. If phishing emails are blocked at the email gateway, they will not arrive in inboxes where they can fool employees.

End-user training is also important, as no spam filter will block all malicious emails. A recent large-scale study has been conducted to determine whether end-user training and phishing warnings are effective, how vulnerability to phishing attacks evolves over time, which employees are most likely to fall for a phishing scam, and whether employees can actually play an important role in phishing email detection, The results of the survey are interesting and provide insights into susceptibility to phishing attacks that can be used by businesses to develop effective employee training programs.

The study was conducted on 14,733 participants by researchers at ETH Zurich and over a period of 15 months and involved another company sending phishing email simulations to see who opened the messages and who clicked on links in the emails. The employees that were tested had no knowledge that simulations were being conducted to make the simulations closely mirror real-world phishing attacks.

Book a free SafeTitan Security Awareness Training demonstration with an expert.
Book Free Demo

There were notable differences in susceptibility to phishing attacks with different age groups, with younger employees more likely to respond to the phishing emails than all other age groups. 18- and 19-year-olds were by far the most likely age group to fall for phishing emails, with the over 60s the least likely. From ages 20 to 59, the percentage of dangerous actions taken in response to phishing emails increased for each age group, with 20- to 29-year olds the least likely to take dangerous actions.

Individuals who are not required to use computers for their day-to-day jobs might be considered to be most at risk of falling for a phishing scam, but that was not the case. Infrequent computer users were the least likely to fall for the scams followed by frequent users, with individuals who use specialized software for repetitive tasks the most susceptible to phishing emails.

In this study, men and women were found to be equally susceptible to phishing emails across the entire study. This contrasts with several other studies that suggest there is a gender bias, with women less likely to fall for phishing scams than men. However, there were differences between the genders when combined with the frequency of computer use data. Men who use specialist software to automate tasks were the most likely to fall for phishing emails, followed by women who used specialist software, then women who are frequent users of computers, and men who are infrequent users. Female infrequent users were the least likely to fall for phishing scams.

The study confirmed the findings of several others in that some individuals are prone to respond to phishing emails. After responding to one simulated phishing email they would go on to respond to more. 30.62% of individuals who clicked on one phishing email were repeated clickers, and 23.91% of individuals who took dangerous actions such as enabling macros in email attachments did it on more than one occasion. These findings show the importance of conducting phishing email simulations to identify weak links who can receive additional training.

Behaviour driven security awareness platform that delivers security training in real-time.
Book Free Demo

Phishing simulations are often conducted by businesses to test the effectiveness of their training programs, but one notable finding was that voluntary training when a simulated phishing email attracted a response was not effective. In fact, not only was this not effective, it appeared to make employees even more susceptible to phishing emails.

Another interesting finding related to adding warnings to emails. When warnings about potential phishing emails, such as emails coming from an external email address, were included in emails, employees were less likely to be duped. However, the lengthier the warning, the less effective it is. Detailed warnings were less likely to be read and acted upon.

When a phishing email reporting option was added to the mail client, employees often reported phishing emails. This feature involved a phishing email button that sent a warning to the IT team. There did not appear to be any waning of reporting over time, with employees not appearing to suffer from reporting fatigue. A few reports would be submitted within 5 minutes of an email arriving, around 30% of reports were within 30 minutes, and over 50% came within 4 hours. The reports could give IT security teams time to take action to remove all instances of phishing emails from the mail system or send warnings to employees.

Free SafeTitan Security Awareness Training demonstration with an expert. Ask any questions.
Book Free Demo

What the study clearly demonstrated is that even employees who are adept at identifying phishing emails are likely to fall for one eventually, so while security awareness training is important, having an effective spam filtering solution is vital. Even individuals who were regularly exposed to phishing emails were eventually duped into clicking a phishing link or taking a dangerous action. Across the entire study, 32.1% of employees clicked on at least one dangerous link or opened a potentially dangerous email attachment.

Personal and Health Information of 398K Patients Exposed in Mon Health Phishing Attack

Healthcare data carries a high value on the black market as it can be monetized in a variety of ways. One of the main methods used to gain access to the healthcare networks where patient data are stored is phishing emails. Phishing emails are also a leading vector for malware delivery, and initial access brokers often target healthcare providers with phishing emails to steal credentials, then provide access to healthcare networks to ransomware gangs.

This month, a major phishing attack was reported by Morgantown, WV-based Monongalia Health System (Mon Health) which affected two of its hospitals. Hackers sent phishing emails to Mon Health employees, with the responses to those messages providing the hackers with the credentials they needed to access corporate email accounts. Those email accounts contained the personal and protected health information of patients and employee information. Notification letters have recently been sent to 398,000 individuals affected by the attack.

While healthcare data is valuable, this phishing attack was conducted for another reason, although it is possible healthcare data were stolen by the attackers. This attack was what is commonly referred to as a business email compromise (BEC) attack.

SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now.
Book Free Demo

BEC attacks can involve the theft of sensitive data but they are most commonly conducted to trick individuals responsible for making wire transfers into making fraudulent transfers to attacker-controlled accounts or to change payroll details to get direct deposits of salaries paid into the attacker’s account.

BEC attacks often start with a phishing email. Once access is gained to an employee’s account, phishing emails are sent to other employees to compromise more accounts. When the required accounts are compromised, the account owner is impersonated and an email is sent to an individual responsible for wire transfers that requests a change to bank account information on file.

In this attack, the attackers gained access to a contractor’s email account that was used to change payment details. Since the email requesting the payment details change came from a legitimate and trusted email account, the change was made and the attack went undetected. The BEC attack was detected when a payment issue was reported, and it was confirmed that the payment had left Mon Health’s account.

Mon Health is far from the only U.S. healthcare organization to suffer an attack such as this. Also this month, Florida Digestive Health Specialists started notifying 212,000 patients about an email breach that occurred in December 2020. Again, the attack was conducted to try to divert payments to an attacker-controlled account. In this case, the process of checking every email and attachment for sensitive patient data took 11 months.

These attacks risk the loss of funds through fraudulent transfers, but even if patient data are not stolen, the Health Insurance Portability and Accountability Act (HIPAA) requires patients to be notified, and usually, it is necessary to offer complimentary credit monitoring and identity theft protection services to affected patients. Those costs, in addition to the investigation and mitigation measures, can be substantial.

Once an employee email account has been compromised it can be difficult to detect and block an attack, and recovering funds after they have been transferred may not be possible unless the fraudulent wire transfer is detected quickly. The key to blocking these attacks and preventing losses is to prevent the phishing emails from reaching employee inboxes, to provide training to the workforce to help employees identify phishing emails that are delivered, and to implement multifactor authentication on email accounts to make it harder for stolen credentials to be used to access accounts.

With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links.
Book Free Demo

SpamTitan Gateway and SpamTitan Cloud are two excellent choices for businesses looking to improve their defenses against phishing attacks. The solutions block more than 99.97% of spam and phishing emails from reaching inboxes, and also include outbound scanning to help identify compromised mailboxes. SpamTitan Plus, a new phishing solution released this month, takes protection to another level. SpamTitan Plus includes all major phishing feeds and has faster and better detection of malicious URLs in emails than any of the current market-leading anti-phishing solutions.

If you want to improve your defenses against phishing and BEC attacks, give the TitanHQ team a call for further information on the SpamTitan suite of products.

TitanHQ Placed 33 in 2021 Deloitte Technology Fast 50 List

TitanHQ has been included in the 2021 Deloitte Technology Fast 50 List of the fastest-growing tech companies in Ireland. The Award program has now been running for 22 years and celebrates innovation and entrepreneurship in Ireland’s indigenous technology sector.

Deloitte compiles the list based on percentage revenue growth over the past 4 years, with TitanHQ ranking in position 33 in the list after a long period of sustained growth. That growth continued throughout the COVID-19 pandemic when many businesses have struggled. Not only has the company significantly increased its customer base over the past 4 years, the workforce has also had a major expansion. Between September 2020 and April 2021, TitanHQ’s workforce doubled in size.

As well as impressive organic growth, TitanHQ has benefitted from investment from Livingbridge Investor Group which has allowed the company to continue to recruit the best talent to support its business and invest in product development. As well as making improvements to its existing product portfolio, the company released a new product this month – SpamTitan Plus.

SpamTitan Plus builds on the protection provided by SpamTitan Gateway and SpamTitan Cloud but significantly improves detection of the malicious URLs in emails that are used for phishing and malware distribution. SpamTitan Plus has coverage of all major phishing feeds and has the fastest and best detection rates of malicious URLs than any of the market-leading anti-spam solutions.

“As a result of increased demand globally for our solutions, we have invested heavily in product development and embarked on a recruitment campaign to double our workforce in a program that will allow that growth to continue,” said TitanHQ CEO, Ronan Kavanagh. “The quick move to remote working last year has made us all aware of how important it is to be adaptable and have the right security solutions in place to protect users, customers, company data, and systems.”

TitanHQ’s customer base has now increased to more than 12,000 businesses, including over 2,500 managed service providers in 150 countries, with much of TitanHQ’s growth over the past 4 years due to the increase in overseas customers. That growth was also recognized by Deloitte, which awarded TitanHQ runner-up spot in the Scale Up Award. The Scale Up Award recognizes companies that have enjoyed significant overseas growth over the past 4 years.

“Congratulations to all of the companies that ranked this year. This is the first year we have seen the impact the pandemic has had on revenues of Irish tech companies,” said David Shanahan, Partner, Deloitte “It will come as no surprise that many of this year’s winners have achieved accelerated growth and scale as a result of the pandemic and being able to capitalize on the global move to a digital way of life.”

Hijacked Email Threads with Malicious Links to Fake PDF Files Used to Distribute the Emotet Trojan

The Emotet botnet was one of the largest ever seen and certainly one of the most dangerous. Phishing emails were used to infect devices with Emotet malware, which added the devices to the botnet. The operators of Emotet then sold access to other threat actors such as ransomware gangs. The botnet was shut down by an international law enforcement effort and the cleanup operation saw the malware removed from all infected devices. While that severely disrupted the Emotet operation for several months, the botnet is now back with a vengeance.

The TrickBot Trojan was one of the malware variants downloaded by Emotet, but it was used in the early stages of rebuilding the Emotet botnet, with the two malware operations completely reversing roles. The Emotet botnet has been rapidly rebuilt and is being used once again to infect victims’ devices with malware Qbot. Emotet is no longer relying on TrickBot to infect devices.

Emotet is once again being distributed by hijacking email threads and sending messages that appear to a reply to a previous conversation. While this method has previously seen malicious attachments added to those threads, according to Bleeping Computer a new tactic is now being used. A malicious hyperlink is inserted into the message threads that appears to be a link to a PDF file hosted on a remote server. In one example, “Please see attached and thanks” was inserted along with a hyperlink in response to a previous conversation.

If the link is clicked, the user is directed to what appears to be a shared document on Google Drive, where the user is asked to click the link to preview the PDF file. However, clicking the link attempts to open an appinstaller file hosted on Microsoft Azure. The user is required to accept the appinstaller prompt, which appears to be attempting to install an Adobe PDF component with permissions to use all system resources.

The package has a valid certificate and includes the Adobe PDF logo, but it will install a malicious appxbundle that will infect the user’s device with the Emotet Trojan. Emotet will then download other malicious payloads, which often lead to a ransomware attack. The Cryptolaemus group, which tracks and reports on Emotet activity, says the new URL-based lures are being used in addition to the standard Emotet tactics of distributing the malware using .zip and .docx email attachments.

The Emotet botnet has been rebuilt at a tremendous pace and there has been a massive increase in Emotet activity in the past few days. Malwarebytes detected a major spike in activity on November 26 and reported an even bigger spike on December 1, when 447% more malicious sites were being used to distribute the malware than in early November. Emotet has once again grown into a significant threat and its infrastructure has been upgraded to make it even more resilient and prevent any further takedown attempts by law enforcement. It is looking like the Emotet botnet is back and stronger than it was before the takedown.

So how can businesses protect against Emotet? End user training is important, but the tactics used by the Emotet gang are effective and fool many users into starting the infection process. The key to protection is to block the phishing emails that are the initial attack vector and that requires an advanced spam filtering solution.

TitanHQ has recently launched a new product – SpamTitan Plus – with significantly improved protection against malicious links which, coupled with dual antivirus protection and sandboxing, can protect against phishing and malware threats delivered by email.

To find out more about how TitanHQ solutions can protect your business against malware, phishing, and ransomware attacks, give the TitanHQ team a call.

UK Omicron Phishing Campaign Takes Advantage of New WHO Variant of Concern

A new Omicron phishing scam has been detected in the UK that spoofs the NHS and attempts to steal personal and financial information using a free COVID Omicron PCR test as a lure. The campaign is likely to be one of many taking advantage of fears about the latest SARS-CoV-2 variant of concern.

COVID-19 phishing scams have been a regular feature of the pandemic, so it is no surprise that the latest turn of events has triggered a wave of new phishing emails. The emergence of Omicron, a variant of concern that has the potential to escape the protections provided by COVID-19 vaccines, has naturally alarmed scientists and the general public alike and has created an opportunity for phishers.

Phishers use fear and urgency in their phishing scams to convince people to take an action that they would otherwise not do. The emergence of the Omicron variant has already generated fear, and the phishers are providing a solution. The Omicron phishing campaign was detected in the United Kingdom and impersonates the National Health Service (NHS). The emails offer a newly developed COVID-19 PCR test that is able to detect infection with the Omicron variant. The campaign is being conducted via email and text message, but this approach could easily be conducted by telephone.

SpamTitan Plus provides leading edge anti-phishing protection with “zero-day” threat protection and intelligence.
Book Free Demo

One of the intercepted phishing emails tells the recipient that “NHS scientists have warned that the new Covid variant omicron spreads rapidly, can be transmitted between fully vaccinated people, and makes jabs less effective,” echoing the current fears of scientists. The email goes on to say, “However, as the new covid variant (Omicron) has quickly become apparent, we have had to make new test kits as the new variant appears dormant in the original tests.”

In order to receive the new test, the victim must click on a hyperlink in the email and will be directed to a webpage that spoofs the NHS patient portal. They are asked to enter their personal information, including their name, address, date of birth, contact telephone numbers, and email address. The NHS is a free healthcare service; however, the scammers request payment to cover postage costs. In order to pay the £1.24 delivery charge, the phishing page asks for bank account/credit card information and mother’s maiden name.

As is common in phishing campaigns, emails also include a threat. In a section titled, “What happens if you decline a COVID-19 Omicron test?”, victims are told that they will be required to isolate. While the emails contain red flags, such as multiple spelling and grammatical errors, the NHS branding and email address used to send the messages – contact-nhs[@] – may be enough to convince people that the request is legitimate.

The success of this Omicron phishing scam depends on people taking action without carefully considering what they are being asked to do. While Omicron is a genuine cause of concern, always stop and think about any request for sensitive information via email, text message, social media messages, or phone calls. Official messages from the NHS will be free of spelling mistakes and the NHS will never ask for payment for sending COVID-19 tests.

While this Omicron phishing scam targets individuals, many COVID-19 phishing campaigns have targeted businesses and attempt to either obtain credentials or deliver malware. Businesses need to ensure they implement an anti-phishing solution that is capable of identifying and blocking phishing emails.

Even greater protection against phishing attacks. Book a free SpamTitan Plus demo.
Book Free Demo

TitanHQ has developed a suite of cybersecurity solutions to protect businesses from cyberattacks such as phishing, with the latest solution – SpamTitan Plus – providing even greater protection against phishing attacks. SpamTitan Plus includes additional measures to improve malicious URL detection along with time-of-click protection to prevent employees from visiting the malicious websites linked in phishing emails.

If you want to improve protection against phishing attacks and the full range of email threats, contact TitanHQ today for more information on the best phishing solution to meet the needs of your business.

SpamTitan Plus Launched by TitanHQ to Combat Zero-Day Phishing Attacks

Phishing is the number one cybersecurity threat faced by businesses and attacks are becoming highly sophisticated. Phishing is used to obtain sensitive information such as login credentials and for distributing malware and ransomware. 91% of all cyberattacks start with phishing emails.

Many businesses now provide security awareness training for the workforce to raise awareness of the threat from phishing and to teach employees the skills that will allow them to identify and avoid phishing emails, but the click rates in phishing emails remain high. According to Security Affairs, 97% of users fail to identify phishing emails. The reason is phishing emails are now being created that are virtually indistinguishable from genuine communications from trusted sources and phishers are experts at social engineering.

The best defense against phishing is a spam filter – A technical solution that scans all inbound (and outbound) emails and performs a wide range of checks and analyses, all of which must be passed in order for an email to be sent to an inbox. Spam filters scan the message headers and message body for signs of spam and phishing, and attachments are scanned using anti-virus engines that identify known malware variants. Hyperlinks in messages are also checked; however, phishers are constantly developing new techniques for hiding malicious URLs from email security solutions.

TitanHQ’s spam and phishing protection solution – SpamTitan – already provides excellent protection from spam and phishing emails; however, a new product – SpamTitan Plus – has now been launched that significantly improves detection rates. SpamTitan Plus provides advanced phishing protection with better coverage, better phishing link detections, faster detection speed, and also has the lowest false positive rate of any product.

“The overwhelming feedback from our users and customer base has been that phishing attacks are becoming more advanced, proficient, and dangerous. Phishing is the number one problem to solve in the email security community,” said TitanHQ CEO Ronan Kavanagh. “With that in mind, we allocated resources and investment to develop a solution with new, cutting-edge, robust, fast phishing threat intelligence driven by a team of security specialists. We’re very happy with the result – SpamTitan Plus”.

SpamTitan Plus includes leading-edge, AI-driven anti-phishing prevention and incorporates the newest “zero-day” threat intelligence, providing better protection than current market-leading email security solution providers at neutralizing malicious links in emails.

All URLs in emails are inspected to determine if they are malicious and are rewritten, and a time-of-click analysis is performed. This is important as the URLs in phishing emails may not be malicious at the time of delivery and may be weaponized with malware after they have passed email security checks. The time-of-click protection involves several dynamic checks, including a page evaluation to identify spoofed websites and login pages and the following of any redirects. If a user clicks on a malicious URL, instead of being directed to the website they will be sent to a local block page that provides further information.

Independent tests of SpamTitan Plus show:

  • 100% coverage of phishing threats from the current market-leading anti-phishing feeds
  • 5X increase in unique phishing URL threat detection than the current market leaders
  • 6X faster and more rapid phishing detection than the current market leaders

10 million new, previously undiscovered phishing URLs are detected every single day and there is only a 5-minute delay from the initial detection of a malicious URL to protect an end user’s mailbox.

SpamTitan is relied upon by 12,000 customers and 3,000 Managed Service Providers for protecting against spam and phishing emails. They can now choose to significantly improve protection with SpamTitan Plus. For more information about SpamTitan Plus, Give the TitanHQ team a call today.

Warning Issued About Brand Phishing Attacks and the Widespread Availability of Scampage Tools

The Federal Bureau of Investigation (FBI) has issued a warning about an increase in spear phishing campaigns impersonating big name brands. Brand phishing is incredibly common and is an effective way of getting individuals to disclose sensitive information such as login credentials or install malware.

Brand phishing abuses trust in a brand. When individuals receive an email from a brand they know and trust, they are more likely to take the action requested in the email. Brand phishing emails usually include the logo of the targeted brand, and the emails use the same message formats as genuine communications from those brands. Links are usually included to malicious web pages that are often hidden in buttons to hide the true destination URL.

If a user clicks the link, they are directed to an attacker-controlled domain that similarly uses branding to fool the victim and make them think they are on the genuine website of the spoofed brand. These webpages include forms that harvest sensitive data. Alternatively, malicious files may be downloaded, with social engineering techniques used to trick victims into opening the files and installing malware.

SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now.
Book Free Demo

Cyber threat actors are offering scampage tools on underground marketplaces to help other cybercriminals conduct more effective phishing campaigns. These scampage tools are offered under the product-as-a-service model and allow individuals to conduct convincing phishing campaigns, even people who do not possess the skills to conduct phishing campaigns. With phishing opened up to would-be cybercriminals, the threat to individuals and businesses increases.

The FBI says the scampage tools now being offered can recognize when individuals use their email address as their login ID for a website. Websites require a unique username to be provided when creating an account, and many use an individual’s email address as their username by default.

The scampage tools can identify when a user has set their email address as their username, and when that is detected, they will be directed to a scampage for the same email domain. The user is required to enter their password to log in, which will allow the threat actor to obtain the password and access the victim’s email. With access to the email account, attackers can intercept 2-factor authentication codes, thus bypassing this important control mechanism. With 2FA codes, the attacker will be able to gain access to accounts and make changes, including updating passwords to lock users out of their accounts or change security rules before the owner of the account can be notified.

“Much like the threat with ransomware-as-a-service, this type of product-as-a-service distribution of scampage and credential harvesting tools presents an increased nationwide risk to private sector businesses and their consumers,” said the FBI in its public service announcement. “Brand-phishing email campaigns and scampage tools that help bypass 2FA security measures represent another aspect to this emerging cyber threat.”

With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links.
Book Free Demo

To counter the threat, businesses should implement an advanced spam filtering solution to block phishing emails and prevent them from being delivered to employee inboxes. Password policies should be created that require strong passwords to be set, and checks performed to ensure commonly used or weak passwords cannot be set on accounts. Employees should be told to never reuse passwords on multiple accounts and to ensure that all business accounts have unique passwords. Security awareness training should be provided to the workforce to teach email security best practices and train employees on how to identify phishing emails and other scams.

Given the increase in the use of scampage tools, if there is the option, users should set a unique username for an account that is not associated with their primary email address. 2-factor authentication should be configured, and where possible, a software-based authenticator program should be used or a USB security key as the second factor. Alternatively, provide a mobile number for a 2FA code and avoid using a primary email address to receive 2FA codes. If an email address is required, it is best to use an alternative email account.

LinkedIn Phishing Attacks on the Rise

There has been an increase in LinkedIn phishing scams of late that attempt to trick professionals into installing malware, disclosing their login credentials, or providing sensitive information that can be used to create convincing spear phishing emails.

Watch Out for LinkedIn Phishing Attacks!

Many professionals rely on LinkedIn for getting new business and finding employment. The professional networking platform has proven to be incredibly popular and, being business-related, notifications from the platform are less likely to be turned off, as they often are with social media networks such as Facebook.

A notification from LinkedIn could be a prospective client, a potential job opportunity, or an opportunity to grow your network but LinkedIn notifications may not be what they seem.

With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links.
Book Free Demo

Common LinkedIn Phishing Scams

LinkedIn phishing attacks can take many forms and are conducted to achieve a variety of objectives. One common denominator in LinkedIn phishing emails is the use of LinkedIn logos and color schemes to make it appear that the notifications are genuine.

One of the most common scams involves messages that appear to have been sent via the professional networking platform from an individual looking to do business with a company. The emails include buttons that appear at face value to direct a user to LinkedIn, yet the destination URL is different. The landing page displays the LinkedIn login box, which has been scraped from the genuine website. The scam aims to steal LinkedIn credentials, which can be used to hijack accounts and conduct scams on the user’s connections. These scams can be identified quite easily by checking the destination URL in the message before clicking. If a link is clicked, always check the URL in the address bar before attempting to log in to ensure you are on the genuine LinkedIn website.

There has been an uptick in another type of LinkedIn phishing scam of late. Standard LinkedIn email templates, such as information about the number of profile views a user has received and the number of searches they have appeared in are common. As with the previous scam, while the messages look genuine, the hyperlinks in the messages do not direct the user to the LinkedIn website, instead they direct them to URLs hosting phishing kits. The landing pages use a variety of ruses to get the user to disclose sensitive information. One common scam is an online survey that asks a series of questions to obtain information that can be used to create convincing spear phishing emails.

Scammers often create fake profiles in an attempt to trick platform users into thinking they are conversing with a genuine user. These profiles tend to be used in targeted attacks for cyberespionage purposes. These attacks often see the scammer engage in conversations with the targets to build trust, before tricking them into visiting a malicious website or opening an emailed document that installs malware. These scams can be more difficult to identify than the previous two scams, although there are clues that this is a scam. Always check the profile of any potential connection. Fake profiles often have incomplete or inconsistent information, suspiciously low numbers of connections, and odd connections given the individual’s claimed job. Even if the profile appears genuine, you should always be wary of any links or documents that are shared.

See how SpamTitan Plus inspects all URLs to identify links to malicious websites. Book a free demo.
Book Free Demo

A Spam Filtering Solution Could be Your Savior!

Some of the scams are easy to identify, but many are very realistic and have convincing lures that can be difficult to distinguish from genuine emails. These scams fool many people into disclosing sensitive information or installing malware, even individuals who believe they are security-aware and would not be fooled by phishing scams. Vigilance is the key to identifying the scams but an advanced spam filtering solution will ensure that you are not troubled by these scam emails and phishing attempts.

Businesses that rely on the basic spam protections provided with the Microsoft 365 license should consider investing in a more advanced spam filtering solution, as many phishing emails bypass the Exchange Online Protection (EOP) mechanisms provided free with Microsoft 365 accounts.  For greater protection, consider a spam filtering solution such as SpamTitan, which augments Microsoft 365 defenses and will better protect you against phishing attacks.

For more information about SpamTitan and how it can protect you and your employees from phishing attacks, botnets, viruses, malware, and ransomware attacks, give the TitanHQ team a call or sign up for the free trial and find out for yourself the different SpamTitan makes.

TrickBot Infrastructure Being Used to Rebuild the Emotet Botnet

At the start of 2021, a Europol and Eurojust-led operation involving law enforcement agencies in 8 countries successfully took down the infamous Emotet botnet. The botnet consisted of an estimated 1.6 million devices worldwide that had been infected with the Emotet Trojan.

The Emotet Trojan first appeared in 2014 and was originally a banking trojan, although it evolved into a malware downloader that was rented out to cybercrime gangs under the malware-as-a-service model. The botnet was used to give those threat actors a foothold in victims’ environments and allowed them to install malware such as IcedID, QakBot, and TrickBot. Those malware variants were then used to deliver ransomware such as Conti and Ryuk.

Emotet posed a massive threat to businesses worldwide prior to its takedown. In addition to being a malware distribution tool, the botnet was used to launch Distributed Denial of Service (DDoS) attacks and largescale spamming campaigns against high-profile targets around the world.

The Emotet botnet was controlled by a network of hundreds of servers worldwide. The takedown, which occurred on January 27, 2021, saw its infrastructure taken over by law enforcement. On April 25, 2021, law enforcement in Germany launched a cleanup operation that added a module that removed the Emotet Trojan from victims’ systems. 2 individuals were arrested who were suspected of involvement in maintaining the botnet, and in the weeks and months that followed no Emotet activity was detected. However, that has now changed.

The Emotet Botnet is Back

Law enforcement took control of the command-and-control infrastructure of Emotet and removed the Emotet Trojan from all infected devices, and while that was sufficient to kill the botnet, it was not enough to prevent its return. Researchers at GData, Advanced Intel, and Cryptolaemus have all discovered instances where the TrickBot Trojan has delivered an Emotet loader.

The Emotet botnet operators have previously worked with the threat actors behind the Trickbot Trojan, using their botnet to grow the TrickBot botnet. That process is now happening in reverse. A new version of the loader and Emotet Trojan have been created and it appears that the Emotet botnet is being reconstructed from scratch.

At this stage, there are relatively few devices infected with Emotet but that is not likely to remain the case for long. Around 246 devices are known to have had the Emotet Trojan installed, and they are being used as its command-and-control infrastructure at present.

Emotet was known for conducting malspam campaigns to grow the botnet, and spamming campaigns have already been detected using several different lures and a variety of attachments. Spam emails spreading Emotet have used Word files and Excel spreadsheets with malicious macros, and to prevent analysis by email security solutions, some emails have used password-protected zip files. Some of the lures detected by security researchers in the first campaigns include notifications about canceled dental insurance, Cyber Monday and Black Friday sales, notifications about canceled meetings, and requests for political party donations.

How to Protect Against Infection with Emotet

Protecting against Emotet involves implementing measures that also protect against TrickBot infections. Since both Emotet and TrickBot are extensively delivered via malspam emails, implementing an advanced email security solution is a good place to start.

One of the most effective tactics used by the Emotet gang was hijacking message threads. This involves sending replies to previous message conversations and adding a malicious hyperlink or infected email attachment. Since the messages were sent from email accounts known to the recipient, links were often clicked, and attachments opened.

Security awareness training often teaches employees to be suspicious of unsolicited messages from unknown individuals. It is important to make employees aware that malicious emails may also come from known individuals and to warn employees that hijacked message threads are used to deliver malware. Security awareness training can be effective, but it is nowhere near as effective as technical solutions that block malicious messages.

Security can be improved by choosing an email security solution with outbound email scanning. This feature will scan outgoing messages to detect compromised email accounts, allowing security teams to take prompt action to isolate infected devices. You should also ensure that your email security solution includes sandboxing in addition to antivirus engines, as the latter can only detect known malware variants. Attachments that pass standard AV scans are sent to a sandbox where they are subjected to in-depth analysis to identify malicious actions.

These features and many more are included in SpamTitan from TitanHQ. SpamTitan is effective at blocking the full range of email-based threats and is easy to implement and use. If you want to improve your defenses against dangerous email threats such as TrickBot, IcedID, QakBot, and Emotet without breaking the bank, give the TitanHQ team a call for more information about SpamTitan.

SpamTitan is available on a free trial and product demonstrations can be arranged on request.

Ransomware Attacks Increased by 900% in 1H 2021

There has been an alarming surge in ransomware attacks in 2021. Attacks have been conducted on businesses of all sizes, from large international enterprises with multi-million-dollar cybersecurity budgets to small businesses with just a handful of employees. The attacks have shown that no business is to large or small to be targeted.

Ransomware is a form of malware that is used to encrypt files to prevent them from being accessed. The attacker holds the keys to allow data to be decrypted, and those keys will only be provided if a ransom is paid. Ransom demands can range from a few thousand dollars for individual devices up to tens of millions of dollars for large companies.

900% Increase in Ransomware Attacks in 2021

This year has seen ransomware attacks conducted at an alarming level. CybSafe‘s data has revealed a 900% increase in ransomware attacks in the first 6 months of 2021 compared to the corresponding period last year. In addition to the increase in number, the cost of mitigating the attacks has increased and the ransom demands have been growing. This week, for example, Europe’s largest consumer electronics retailer – MediaMarkt – confirmed it was the victim of a Hive ransomware attack. The attackers reportedly demanded a payment of $240 million for the keys to decrypt files.

2021 has shown no company is off limits with multiple attacks conducted on critical infrastructure firms. One attack on Colonial Pipeline in the United States resulted in the shutdown of a fuel pipeline serving the Eastern Seaboard of the United States for a week. A ransom payment of $4.4 million was paid to the attackers to recover data.

The U.S. software company Kaseya, which provides a range of software solutions to businesses and managed service providers, suffered a major ransomware attack involving REvil ransomware. The REvil gang demanded a payment of $70 million for the keys to decrypt files. The attack affected around 40 managed service providers and an estimated 1,500 downstream businesses.

Attacks have also been conducted on many healthcare providers, with those attacks disrupting healthcare services and putting patient safety at risk. In May 2021, Ireland’s Health Service Executive (HSE) suffered a ransomware attack which is believed to have started with a phishing email. The response gave the Conti ransomware gang the access needed to encrypt files. A $20 million ransom demand was issued, although the attackers provided the keys free of charge in the end. Even so, the HSE took months to recover from the attack at considerable cost.

Ransomware Gangs Targeted by Law Enforcement

The above attacks represent just a tiny percentage of the ransomware attacks that have been publicly disclosed this year and it is clear that the threat of attack is unlikely to wane any time soon.

There has been some good news, however. The attacks on critical infrastructure firms have forced the U.S. government to step up its efforts to target ransomware-related crime. Following the attacks, ransomware attacks were elevated to a level akin to terrorist attacks, and with that comes additional resources.

Already the United States and law enforcement partners around the worked have succeeded in disrupting the activities of several ransomware gangs. The REvil ransomware infrastructure taken down and arrests have been made, the Darkside operation shut down and its suspected successor BlackMatter also. Suspected members of the Clop ransomware operation have been arrested, and Europol has arrested 12 individuals in connection with LockerGoga, MegaCortex, and Dharma ransomware attacks.

While the arrests and infrastructure takedowns will have a short-term effect, ransomware threat actors are likely to regroup, set up new operations, and recommence their attacks as they have done in the past.

An Easy Step to Take to Improve Ransomware Defenses

Businesses need to take steps to combat the ransomware threat, but since many different methods are used to gain access to networks, this can be a challenge. The best place to start is to make sure defenses against phishing emails are put in place. Most ransomware attacks start with a phishing email, which either delivers malware or gives attackers credentials that provide them with the foothold in networks that they need to conduct their attacks.

Email security solutions such as SpamTitan filter out malicious messages and prevent them from reaching inboxes where they can fool employees. Technical solutions such as email security gateways are far more effective than end user training at blocking threats, although it is also important to make sure employees are aware of cybersecurity best practices and are taught how to identify a phishing email.

Email filtering solutions such as SpamTitan perform an in-depth analysis of all email content and can detect malicious links and email attachments. When emails fail the checks, they are sent to the quarantine folder where they can be reviewed. This allows security teams to gain a better understanding of the threats that are targeting their organization and also allows false positives to be identified so filtering rules can be updated.

SpamTitan incorporates dual antivirus engines, sandboxing that allows suspicious attachments to be analyzed to identify new malware variants, and machine learning technology to ensure that spam filtering improves over time.

A huge array of checks and controls ensure malicious messages are blocked, but that all happens behind the scenes. Administrators benefit from a clean, easy-to-use interface that requires no technical skills to navigate and use. All information and controls are intuitive.

If you would like to find out more about improving your defenses against ransomware, malware, phishing, and other email and web-based threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are available on a free trial, allowing you to put them to the test in your own environment before making a decision about a purchase.

Warning of Phishing Attacks on Users of Robinhood Trading Platform

The stock trading platform Robinhood has announced a major breach of the personal data of 7 million of its customers, who now face an elevated risk of phishing attacks.

Phishing attacks on businesses are incredibly common. While phishing can take many forms, the most common method involves sending emails to company employees and using social engineering tactics to get them to take a specific action. That action is often to click on a malicious hyperlink in the email that directs them to a website where they are asked to provide sensitive information such as their login credentials.

Phishing can also occur via SMS messages, instant messaging platforms, or social media networks. While it is less common for phishing to occur over the telephone – termed vishing – this method actually predates email phishing attacks. Vishing attacks are more labor-intensive and are a form of spear phishing, where a small number of individuals are targeted.

See how SpamTitan Plus inspects all URLs to identify links to malicious websites. Book a free demo.
Book Free Demo

Vishing Attack Allowed Attacker to Obtain 5 Million Email Addresses

It was a vishing attack that allowed a threat actor to obtain the personal data of Robinhood customers. The threat actor called a Robinhood customer service employee and used social engineering techniques over the phone to get the employee to disclose sensitive information. The information obtained allowed the threat actor to access its customer service system, through which it was possible to obtain a limited amount of data of a portion of its customer base.

It is unclear what tactics the threat actor used, although, in these types of attacks, tech support scams are common. This is where a threat actor impersonates the IT department and tricks an employee into disclosing credentials under the guise of a software update or a fix for a malware infection.

Regardless of the lure, the threat actor was able to access its system and stole a list of 5 million customer email addresses, a list of the full names of 2 million individuals, and the names, dates of birth, and zip codes of 310 individuals.

No financial information or Social Security numbers are believed to have been obtained in the attack, but the Robinhood data breach is still serious for affected individuals who now face an elevated risk of phishing attacks.

Robinhood said after the customer lists were exfiltrated, a ransom demand was received. Robinhood did not say whether the ransom was paid, only that the cybersecurity firm Mandiant was investigating, and the incident has been reported to law enforcement.

SpamTitan Plus provides leading edge anti-phishing protection with “zero-day” threat protection and intelligence.
Book Free Demo

Risk of Phishing Attacks in Wake of Robinhood Data Breach

Attacks such as this where an attempt is made to extort money from a company after sensitive data are stolen are commonplace. If a company refuses to pay, the attack is monetized by selling the stolen data. Even if a ransom is paid, there is no guarantee that data will not be sold. A list of the email addresses of users of a trading platform would be highly sought after by cybercriminals, who could craft convincing phishing emails to obtain sensitive data to allow users’ accounts to be accessed.

There have been many cases where email addresses have been used in phishing campaigns that reference the breach itself, spoofing the company that was attacked although all manner of lures could be used. There is a fair probability that phishing campaigns will be conducted using the stolen data, so users of the Robinhood platform should be on high alert.

Robinhood has advised customers to be wary of any emails that claim to be from the company and said it would never send a hyperlink in an email to access an account, instead users should only trust Robinhood messages that are sent within the app. For further protection, 2-factor authentication should be enabled, and users of the app should be cautious when opening any email messages, and to be particularly wary about any message that requests sensitive information or includes a hyperlink or email attachment, especially if it is an unsolicited email from an unknown sender.

TitanHQ Recognized as Leading Irish Cybersecurity Company

With the number of cyber threats increasing, it has never been more important for business leaders to ensure their networks and systems are well defended. Throughout the pandemic, companies have been reporting data breaches at an alarming rate, with many of those cyberattacks having a devastating impact on victims.

Look no further than the ransomware attacks on the Irish Department of Health and the Health Service Executive in May 2021. Those attacks saw highly sensitive data stolen, files encrypted, and doctors and nurses were prevented from accessing patient records. The attacks resulted in almost all systems being taken offline, all core services were affected, and many outpatient services had to be canceled. The effects of the cyberattacks were still being felt several months later.

In light of the increased threat of attack and the seriousness of the consequences should an attack succeed, Think Business, Ireland has raised awareness to the importance of improving cybersecurity defenses. To help Irish businesses find the cybersecurity solutions they need, Think Business, Ireland has recently compiled a list of the top 26 Irish-owned businesses that are leading the charge in the fight against cybercrime.

Ireland punches well above its weight when it comes to cybersecurity. Ireland is a top investment location for global cybersecurity players, but there are many homegrown Irish companies that provide truly world-class cybersecurity solutions on the global stage, including software-as-a-service offerings and cloud-based security solutions.

One of those companies is Salthill, Galway-based TitanHQ, which has been included in the list of the country’s top cybersecurity firms. TitanHQ has been in business for 25 years and has won multiple awards for its email security, web filtering, and email archiving solutions and the company has been enjoying impressive growth at a time when many businesses were under incredible strain due to the COVID-19 pandemic.

The company has ambitious growth plans and has been heavily investing in product development and people, with that investment expected to significantly improve on the 12,000 businesses and 2,500 managed service providers that rely on its solutions to keep cyber threats at bay.

Helped by significant investment from Livingbridge investor group, the company’s growth has been turbocharged. Over the past 18 months, TitanHQ has more than doubled its workforce, which now consists of a rock-solid team of 90+ people. The company has certainly earned its place in Think Business, Ireland’s list of the top 26 Irish cybersecurity companies to watch out for.

“We are delighted to be listed next to some of the biggest names in the Irish Cybersecurity space. As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers,” said TitanHQ CEO, Ronan Kavanah.

Left to Right: Ronan Kavanagh, CEO, Diane Wright, people operations manager, Sean Morris, chief technical officer, Gina Mc Grath, digital marketing executive, and Dryden Geary, marketing director.

Left to Right: Ronan Kavanagh, CEO, Diane Wright, people operations manager, Sean Morris, chief technical officer, Gina Mc Grath, digital marketing executive, and Dryden Geary, marketing director.

TodayZoo Phishing Kit Being Used in Extensive Phishing Campaigns Targeting Microsoft 365 Credentials

Phishing involves sending emails that try to trick the recipients into taking a specific action, which could be to send sensitive data via email, open an infected email attachment, or click a link to a malicious website.

Phishing campaigns require little effort or skill to conduct. Lists of email addresses can easily be purchased on hacking forums or can be scraped from websites using widely available programs. Malware does not need to be developed, as this can be purchased through many malware-as-a-service operations. Phishing campaigns that direct individuals to a malicious website where credentials are harvested require those websites to be set up to trick users and capture credentials, but even that process is made simple with phishing kits.

Phishing kits can easily be purchased on hacking forums. These kits contain files that can be uploaded to compromised or owned websites that will collect and transmit credentials when they are entered. Phishing kits are usually sold on hacking forums for a one-time payment and typically contain everything required to start conducting phishing campaigns, including scripts, HTML pages, images, and often phishing email templates. Phishing kits allow individuals without much knowledge of how to conduct a phishing campaign to easily start running their own campaigns.

New Phishing Kit Being Used in Extensive Series of Phishing Campaigns

There are many phishing kits currently available on hacking forums, but a new one has recently been discovered that appears to have been developed using at least six other phishing kits. The new phishing kit, which Microsoft calls TodayZoo, combines the best features of other available phishing kits and is believed to have been developed by an individual who has decided to get into the phishing kit market by plagiarizing others.

The TodayZoo kit has been active since at least December 2020 and is known to have been used in an extensive series of phishing campaigns to steal Microsoft 365 credentials. The TodayZoo phishing campaigns detected so far impersonate Microsoft, with the emails using lures such as password resets, and fake notifications about faxes and shared scanned documents.

The messages direct the recipients to a webpage hosting the phishing kit that similarly impersonates Microsoft, with victims told they must log in with their Microsoft 365 credentials to either reset their password or view the fake faxes or documents. If credentials are entered, the phishing kit captures the information and transmits it to the person running the campaign.

A large part of the TodayZoo phishing kit has been taken from the DanceVida kit, with Microsoft’s analysis revealing it also includes code from the Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo phishing kits.

So not only are phishing kits purchased for conducting campaigns, but those also kits themselves can be copied and customized and used by individuals to launch their own phishing-as-a-service operations.

Phishing Prevention Requires a Defense in Depth Approach

Phishing kits lower the bar for conducting phishing campaigns, and along with malware-as-a-service and ransomware-as-a-service offerings, allow low-level threat actors to start conducting their own campaigns with ease. These services are fueling the increase in cyberattacks on businesses. Fortunately, there are low-cost cybersecurity solutions that businesses can use to block these phishing and malware campaigns.

Unfortunately, there is no silver bullet. It is no longer sufficient given the level of the threat to rely on one method of blocking attacks. A defense-in-depth approach is required, which means implementing multiple layers of protection. If one of those layers fails to block a threat, others are there to provide protection.

Phishing protection should start with a spam filter. Spam filters conduct a range of checks on all incoming emails and will block more than 99% of spam and phishing emails. TitanHQ’s email security solution, SpamTitan, has been independently tested and shown to block in excess of 99.9% of spam and phishing emails. SpamTitan also includes dual anti-virus engines to detect malicious attachments, and a sandbox to subject attachments that pass AV controls to an in-depth analysis. SpamTitan uses blacklists of malicious IP addresses, performs a range of checks on the message body and headers, and incorporates machine learning technology to detect messages that deviate from standard messages ensuring the spam filter improves over time.

A web filter is another important security measure that should be included in a defense-in-depth strategy to block phishing and malware attacks. A web filter works in tandem with a spam filter but blocks the web component of the attacks. When a user clicks a link in an email that directs them to a phishing website, that attempt is blocked. A web filter also allows users to block certain file downloads from the Internet, such as those commonly associated with malware.

Antivirus software should be installed on all endpoints as additional protection against malicious file downloads, and security awareness training should be regularly provided to the workforce. In the event of credentials being obtained in a phishing attack, multifactor authentication can prevent those credentials from being used to gain access to accounts. With these measures in place, businesses will be well protected.

For further information on spam filtering, web filtering, and to find out more about SpamTitan and WebTitan, give the TitanHQ team a call today. Both solutions are available on a 100% free trial to allow you to evaluate the products in your own environment to see how effective they are and how easy they are to use before committing to a purchase.

Squirrelwaffle Malware Loader Being Distributed in Spam Emails

A new malware variant dubbed Squirrelwaffle has been identified which is being distributed via spam emails. Squirrelwaffle was first identified in September 2021, with the number of spam emails distributing the malware increasing throughout the month and peaking at the end of September.

The takedown of the Emotet botnet in January 2021 left a gap in the malware-as-a-service market, and several new malware variants have since emerged to fill that gap. Emotet was a banking Trojan that was used to distribute other malware variants to Emotet-infected machines, with Squirrelwaffle having similar capabilities. Squirrelwaffle allows the threat group to gain a foothold in compromised devices and networks, which allows other malware variants to be delivered.

Investigations of the malspam campaign have revealed it is currently being used to distribute Qakbot and Cobalt Strike, although the malware could be used to download any malware variant. The spam emails that deliver Squirrelwaffle include a hyperlink to a malicious website which is used to deliver a .zip file that contains either a .doc or .xls file. The Office files have a malicious script that will deliver the Squirrelwaffle payload.

The Word documents use the DocuSign signing platform to lure users to activate macros, claiming the document was created using a previous version of Microsoft Office Word which requires the user to “enable editing” then click “enable content” to view the contents of the file. Doing so will execute code that will deliver and execute a Visual Basic script, which retrieves the Squirrelwaffle payload from one of 5 hardcoded URLs. Squirrelwaffle is delivered as a DLL which is then executed when downloaded and will silently download Qakbot or Cobalt Strike, which both provide persistent access to compromised devices.

As was the case with the Emotet Trojan, Squirrelwaffle can hijack message threads and send malspam emails from infected devices. Since replies to genuine messages are sent from a legitimate email account, a response to the message is more likely. This tactic proved to be highly effective at distributing the Emotet Trojan. The campaign is mostly conducted in English, although security researchers have identified emails in other languages including French, German, Dutch, and Polish.

The similarities with Emotet could indicate some individuals involved in that operation are attempting a return after the law enforcement takedown, although it could simply be an attempt by unrelated threat actors to fill the gap left by Emotet. Currently, the malware is not being distributed in anywhere near the volume of Emotet but it is still early days. Squirrelwaffle may turn out to be the malware distribution vehicle of choice in the weeks and months to come.

To counter the threat, it is vital for email security measures to be implemented to block the malspam at source and ensure the malicious messages are not delivered to inboxes. Since message threads are hijacked, a spam filtering solution that also scans outbound emails– SpamTitan for example – should be used. Outbound scanning will help to identify compromised devices and prevent attacks on other individuals in the organization and address book contacts. SpamTitan also incorporates sandboxing, which works in conjunction with antivirus engines. Suspicious attachments that bypass the AV engines are sent to the sandbox for in-depth analysis.

As part of a defense-in-depth strategy, other measures should also be deployed. A web filter is a useful tool for blocking C2 communications, endpoint security solutions will help to protect against Squirrelwaffle downloads, and regular security awareness training for the workforce is recommended to teach cybersecurity best practices and train employees how to identify malicious emails.  Employees should be told to never click links or open attachments in unsolicited emails or messages and to be wary of messages from unknown accounts. It is also important to explain that some malware variants can hijack message threads, so malicious emails may come from colleagues and other address book contacts.

TA505 is Conducting Large Scale Phishing Campaigns that Deliver a RAT via Weaponized Excel Files

The threat group known as TA505 (aka Hive0065) is known for conducting large-scale phishing campaigns but has not been active since 2020. Now phishing campaigns have been detected that indicate the threat group is conducting attacks once again, with the first mass-phishing campaigns by the group detected in September 2021.

The initial campaigns were small and consisted of a few thousand phishing emails, but as the month progressed larger and larger campaigns were conducted, with phishing campaigns conducted by the group now consisting of tens of thousands of messages. The geographic range has also been increased beyond North American where the gang was initially concentrating its attacks.

Social engineering techniques are used to convince victims to open email attachments or visit links and view shared files, with a variety of lures used by the gang in its phishing attacks. Emails intercepted from the latest campaigns claim to provide insurance claims paperwork, situation reports, media release requests, health claims, and legal requests. Many of the campaigns so far have targeted employees in financial services.

One of the hallmarks of the group is using Excel file attachments in emails that contain malicious macros which deliver a Remote Access Trojan (RAT), the downloading and execution of which gives the group control over victims’ devices. The group is also known to use HTML files that link to malicious websites where the malicious Excel files are downloaded.

While the attacks often start with a file attachment, later in the attack process a Google feedproxy URL is used with a SharePoint and OneDrive lure that appears to be a file share request, which delivers the weaponized Excel file.

The initial infection stage involves the downloading of a Microsoft installer package, which delivers either a KiXtart or REBOL malware loader, which pulls a different MSI package from the C2 server, which then installs and executes the malware. TA505 is known to use the FlawedGrace RAT, which first appeared in 2017, and the latest campaign delivers a new variant of this malware using a malware loader dubbed MirrorBlast. According to an analysis of MirrorBlast by Morphisec labs, the malware will only run in 32-bit versions of Microsoft Office as there are compatibility issues with ActiveX objects.

Macros are disabled by default in Microsoft Excel as a security measure, so social engineering techniques are used in the attacks to convince victims to enable macros. Macros are more commonly used in Excel files than Word files, and end users may not be as suspicious of Excel macros as Word macros.

Email security solutions are capable of detecting files containing Excel macros, especially email security solutions with sandboxing. In an attempt to bypass those measures and ensure the emails are delivered, TA505 uses lightweight, legacy Excel 4.0 XLM macros rather than the newer VBA macros, which has seen many of the messages bypass email security gateways.

TA505 is a highly creative threat group that regularly changes its attack techniques to achieve its goals, with the gang known to have conducted campaigns to deliver the Dridex banking Trojan, Locky and Jaff ransomware, and the Trick banking Trojan.

The group is known for conducting high-volume phishing campaigns that have targeted a range of different industry sectors and geographical areas.

TA505’s tactics, techniques, and procedures are expected to continue to evolve so it is vital for organizations to ensure email security defenses are implemented to block the emails. Security awareness training should also be provided to the workforce and employees should be made aware of the latest tricks and tactics used by the gang, including raising awareness of the use of Excel files with macros in phishing emails.

TitanHQ Achieves Clean Sweep at Expert Insights Annual Awards

Expert Insights has announced its Fall 2021 Best-of Cybersecurity Awards and each of TitanHQ’s products was ranked No1 in their respective categories. This is the second successive year where TitanHQ has had a clean sweep and topped the list for Best Email Security Gateway, Best Web Security Solution, and Best Email Archiving Solution for Business. In addition, SpamTitan ranked top in the Best Email Security Solution for Office 365 category.

Expert Insights is a recognized online cybersecurity publication and industry analyst, that has technical and editorial teams in both the United States and United Kingdom. The publication covers cybersecurity and cloud-based technologies, and its website is used by more than 80,000 business owners, IT admins, and others each month to research B2B solutions. Expert Insights produces editorial buyers’ guides, blog posts, conducts interviews, and publishes industry analyses and technical product reviews from industry experts.

The annual awards are intended to recognize the leading cybersecurity companies and their products, with the winners selected based on industry recognition, customer feedback, and research conducted by its editorial team and independent technical analysts.

SpamTitan Email Security and WebTitan Web Security were both recognized for their powerful threat protection, and along with ArcTitan Email Archiving, were praised for ease-of-use, cost-effectiveness, and industry-leading technical and customer support.

“TitanHQ are proud to have received continued recognition for all three of our advanced cybersecurity solutions. As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers,” said Ronan Kavanagh, TitanHQ CEO.

The advanced threat protection, ease-of-use, and cost-effectiveness of the solutions are part of the reason why TitanHQ is the leading provider of cloud-based security solutions for managed service providers serving the SMB market. These factors have helped to make the solutions the gold standard for SMBs looking to improve security and ensure compliance.

5 Ways to Protect Against Healthcare Phishing Attacks

The healthcare industry has long been targeted by cybercriminals looking to gain access to sensitive patient data, which is easy to sell on the black market to fraudsters such as identity thieves. In recent years hackers have turned to ransomware. They gain access to healthcare networks and encrypt data to prevent patient information being accessed and issue a ransom demand to the keys to decrypt files. Since the start of 2020, these two goals have been combined. Hackers have been gaining access to healthcare networks, then exfiltrate data prior to deploying ransomware. If the ransom is not paid, the data is leaked online or sold on. Patient data may even be sold even if the ransom is paid.

Both of these attack types can be achieved using phishing. Phishing allows threat actors to steal credentials and raid email accounts and use the credentials for more extensive attacks on the organization. Phishing emails can also trick healthcare employees into downloading malware that gives attackers persistent access to the network.

Protecting against phishing attacks is one of the most important ways to prevent data breaches and stop ransomware attacks, but there is no single measure that can be implemented that will provide total protection. Here we explain 5 steps that healthcare organizations should take to protect against healthcare phishing attacks. These include measures required by the HIPAA Security Rule so can help to ensure you achieve and maintain compliance.

SpamTitan Plus provides leading edge anti-phishing protection with “zero-day” threat protection and intelligence.
Book Free Demo

5 Measures to Protect Against Healthcare Phishing Attacks

Each of the measures we have listed below is important and will work with the others to significantly improve your security posture; however, the first measure is the most important of all as it will stop the majority of phishing emails from being delivered to employee inboxes.

Spam Filtering

To achieve Security Rule compliance, HIPAA regulated entities must implement technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. A spam filter is one of the most important technical safeguards to protect against email-based attacks such as phishing. Spam filters will generally block in excess of 99% of spam and phishing emails and 100% of known malware.

Any inbound email must pass through the spam filter where it will be subjected to a variety of checks. These include antivirus scanning to block malware, checks against blacklists of known malicious IP and email addresses, and frameworks such as SPF, DKIM, and DMARC to identify and block email impersonation attacks. Advanced spam filters such as SpamTitan include additional malware protection through the use of a sandbox. Email attachments are executed in this safe environment and are checked for potentially malicious actions. This measure helps to identify previously unknown malware and ransomware variants.

SpamTitan also uses techniques such as Bayesian analysis to determine the probability of an email being spam or malicious. Greylisting is also used, which involves the initial rejection of a message with a request to resend. Spam servers do not tend to respond to these requests, so the lack of response or delay is a good indicator of spam.

SpamTitan also incorporates machine learning techniques, ensuring spam filtering improves over times. Thresholds can also be set for individual users, user groups, departments, and organization-wide, to give the greatest protection to accounts that are most likely to be targeted.

With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links.
Book Free Demo

2-Factor or Multi-Factor Authentication

2-factor or multi-factor authentication is another technical safeguard to protect against phishing attacks. 2FA/MFA blocks the next stage of a phishing attack, where credentials for an account have already been obtained by an attacker, either through phishing, brute force attacks or other methods.

In addition to a password, a second factor must be provided before an individual is authenticated. This is often a token on a verified device. When an attempt is made to use a password to access the account from an unfamiliar device, location, or IP address, another factor must be provided before access is granted. This is typically a code sent to a mobile phone. 2-factor authentication will block more than 99.9% of automated attempts to gain access to an account according to Microsoft.

Security Awareness Training

Security awareness training is concerned with educating the workforce about threats such as phishing and teaching them how to recognize and avoid those threats. In security awareness training, employees are taught how to identify phishing emails and social engineering scams and are taught cybersecurity best practices to eradicate risky behaviors. Employees are targeted by phishers and not all phishing emails will be blocked by a spam filter. By training the workforce, and providing regular refresher training sessions, employees will get better at identifying and avoiding threats.

The HHS’ Office for Civil Rights explained in guidance for the healthcare industry that teaching employees how to recognize phishing is part of the requirements for HIPAA compliance. Financial penalties have been imposed for organizations that have not provided security awareness training to the workforce.

Conduct Phishing Email Simulations

Training for the workforce will raise awareness of threats, but it is important to test whether training has been assimilated and if it is being applied in real world situations. By setting up a phishing simulation program, security teams will be able to gauge how effective training has been. A failed phishing simulation can be turned into a training opportunity, and employees who regularly fail phishing email simulations can be provided with further training.

Phishing email simulation programs use real-world phishing examples on employees to see how good they are at identifying phishing emails. They can be used to gain an understanding of the types of phishing emails that are being opened and which links are being clicked. This information can be used to improve security awareness training programs.

SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now.
Book Free Demo

Sign Up to Receive Threat Intelligence

Another important step to take to protect against phishing attacks is to stay up to date on the latest threats. The tactics, techniques, and procedures (TTP) of hackers and phishers is constantly evolving, and being aware of the latest TTPs will help healthcare organizations mitigate the threats.

Stay up to date by reading the threat alerts published by agencies such as CISA, the FBI, NSA, and HC3, and consider signing up an information sharing and analysis center to receive timely cyber threat intelligence updates. Knowing about new phishing campaigns targeting the sector will allow steps to be taken to block those threats, whether that is a cybersecurity newsletter for staff, implementing new spam filter rules, or other proactive steps to reduce risk.

Common Phishing Threats You Should be Aware of

Phishing is one of the most common ways that cybercriminals gain access to networks to steal credentials and sensitive data, deploy malware, and conduct ransomware attacks. Phishing is most commonly conducted via email and uses deception and ‘social engineering’ to trick people into disclosing sensitive information or running code that downloads malicious software.

Phishing emails often impersonate trusted individuals or companies. The email addresses used to send these messages can appear legitimate, and the messages often include the logos and layouts of the genuine communications they spoof. The emails often include a hyperlink to a website where credentials are harvested. The online component of the phishing scam similarly spoofs a trusted entity and, in many campaigns, it is difficult to distinguish the phishing website from the genuine site being spoofed.

Phishing attacks are increasing and for one very simple reason. They work. Not only do these messages fool huge numbers of people, they are also easy to conduct and there is little risk of phishers being caught. Even the Italian mafia and other organized crime operations have adopted phishing in addition to the standard protection rackets as a way to rake in money. This week, Europol announced it broke up an organized crime gang with links to the Italian mafia which had raked in €10 million in revenue from phishing and other online fraud scams in the past year.

Phishing Lures are Constantly Changing

The lures used in phishing scams are constantly evolving. While standard phishing campaigns involving fake invoices and resumes, missed deliveries, and fake account charge notifications are regularly used, topical lures related to news stories and COVID-19 are also thrown in into the mix. The lures may change, but there are commonalities with these phishing scams that individuals should be able to recognize.

Phishing scams attempt to get the recipient to take a specific action, such as visit a link in the email or open an email attachment. There is usually a sense of urgency to get recipients to take prompt action, such as a threat of account closure or potential legal action. While suspicions may be raised by these messages, many people still take the requested action, either through fear of missing out or fear of negative repercussions if no action is taken.

It is best to adopt a mindset where every email received is potentially a phishing scam, and any request suggested in an email could well be a scam. Any email received that threatens account closure if no action is taken can easily be checked for legitimacy by logging in to the account via a web browser (never use the links in the email). If there is an unauthorized charge or a problem with the account, this will be clear when you login.

If you receive a message from a company stating there is an unpaid invoice or an order has been made that is not recognized, search for the company online and use trusted contact information to verify the legitimacy of the email.

If you receive an email from your IT team telling you to install a program or take another action that seems suspicious, give the support desk a call to verify the legitimacy of the request.

Links in emails are the most common way to direct people to phishing webpages. You should always hover your mouse arrow over the link to check the true destination, and if the URL is not on an official domain, do not click.

Common Phishing Lures You Should be Aware Of

  • An email about a charge that has been applied to your account that has been flagged as suspicious and requires you to login to block the charge
  • An email threatening imminent account closure or loss of service if you do not take immediate action to correct the issue
  • An email from law enforcement threatening arrest or legal action for a crime you are alleged to have committed
  • An email from the IRS or another tax authority offering a refund as you have overpaid tax, or legal action over nonpayment of tax
  • An email with an invoice for a product or service you have not purchased
  • An email telling you malware has been detected on your computer that requires a software download to remove it
  • An email with a link that requires you to provide credentials to view content or confirm your identify by verifying your credit/debit card number.

If you receive any message, the important thing is to stop and think before taking any action and to carefully assess the legitimacy of the request.

Spam Software will Block the Majority of Phishing Emails

One of the best ways that businesses can improve email security is to implement an advanced spam filtering solution. SpamTitan provides protection against phishing and other malicious emails using a wide range of tools that include machine-learning to identify suspicious messages, sandboxing, dual anti-virus engines, greylisting, and malicious link detection mechanisms. SpamTitan will ensure that malicious messages are not delivered to end users where they can be clicked. When combined with security awareness training to teach cybersecurity best practices, businesses can mount a formidable defense against phishers.

To find out more about how you can protect against phishing and other malicious emails, give the TitanHQ team a call. SpamTitan is available on a free trial, product demonstrations can be arranged on request, and you may be surprised to discover how little it costs to improve protection against all types of email attacks.

SpamTitan 7.11 Release Includes New Geo-blocking Email Security Feature

TitanHQ has released a new version of its award-winning email security solution that includes a new security feature – Geo-blocking email filtering, as well as several other security updates and fixes to improve usability.

Geo-blocking is a feature that has been requested by customers and has now been included in the product at no additional cost to users. Geo-blocking, as the name suggests, allows SpamTitan users to block or allow emails originating from certain geographical locations, based on either IP address or country. This feature allows businesses to add an extra layer of protection to block geographic threat vectors and stop malware, ransomware, and phishing emails from reaching inboxes.

The new feature allows businesses and organizations to block emails coming from any country. This extra control is important, as most malware-containing emails come from a handful of overseas countries – Countries that most small- to medium-sized businesses do not normally work with. Blocking emails from those countries eliminates threats, without negatively impacting the business.

Activating the geo-blocking feature could not be any easier. SpamTitan users can click to restrict emails from any country in the SpamTitan Country IP Database and all emails coming from those countries will be blocked. There will naturally be instances where things are not so cut and dry, but that is not a problem. Geo-blocking can be activated for a specific country, and IP addresses, domains, or email addresses of trusted senders within those countries can simply be whitelisted to ensure their messages are delivered.

“Geoblocking has been a much-requested feature and as always we listen to our customers and provide what they need to implement the very best email security they can,” said TitanHQ CEO Ronan Kavanagh. “After experiencing 30% growth in 2021, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

Several other security enhancements have been made to further improve the already excellent threat detection and blocking mechanisms within SpamTitan. SpamTitan 7.11 includes an upgraded sandboxing feature to provide even greater protection against malware, ransomware, phishing, spear-phishing, Advanced Persistent Threats, and malicious URLs embedded in emails. These enhancements also provide more detailed information into new threats to help SpamTitan users mitigate risk.

As always with a new release, recently reported bugs have been fixed, and SpamTitan has been further improved with enhanced email rendering in Mail Viewer. Users also now have the ability to remove quarantine report token expiry and improve domain verification, to name but a few of the enhancements.

SpamTitan is delivered either as a 100% cloud-based solution or as an anti-spam gateway, which is run as a virtual appliance on existing hardware. Existing SpamTitan Cloud customers need do nothing to upgrade to the new version of the solution, released on September 14, 2021. SpamTitan Cloud is automatically updated to the latest version.

Users of SpamTitan Gateway will need to manually upgrade to the latest version via System Setup > System Updates.

A full description of the latest updates in SpamTitan 7.11 is available here.

New Hampshire Town Loses $2.3 Million to BEC Scammers

Ransomware attacks are being conducted at alarming rates, but even though the cost of these attacks is considerable, they are not the leading cause of losses to cybercrime. According to figures from the Federal Bureau of Investigation (FBI), business email compromise attacks are the costliest type of cyber fraud. In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 complaints about business email compromise scams. $1.8 billion was lost to these sophisticated email scams in 2020 and many of these scams are never reported.

Business email compromise (BEC) scams, also known as email account compromise (EAC) scams, involve business email accounts being compromised by attackers and then used to send messages to individuals in the company responsible for making wire transfers. The goal of the attacks is to compromise the email account of the chief executive officer (CEO) or the chief financial officer (CFO), and to use that account to send messages to others in the company asking them to make a wire transfer to an attacker-controlled account.

Attacks are also conducted on vendors and their accounts are used to send requests to change payment methods or the destination account for an upcoming payments. In addition to requesting wire transfers, the scammers are also known to request sensitive data such as W2 forms, the information on which can be used to submit fraudulent tax returns to claim tax refunds. BEC scammers are also known to request gift cards or request changes to payroll direct deposit information.

BEC scams can result in major losses. Recently, a town in New Hampshire (Peterborough) was targeted by BEC scammers who successfully redirected multiple bank transfers before the scam was uncovered. The attackers sent forged documents to staff members in the Finance Department of the town to make changes to account information for various payments. The scam was sophisticated, and the scammers participated in multiple email exchanges between staff members. The attackers had conducted extensive research to find out about the most valuable transactions to redirect.

The scam was uncovered when the ConVal School District notified the town when they failed to receive a $1.2 million transfer of funds. Peterborough officials confirmed that the transfer had been made, with the investigation revealing the bank account details had been changed. Further investigation revealed two large bank transfers to the contractor used for the Main Street Bridge Project had also been redirected to attacker-controlled accounts. In total, $2.3 million was lost to the scammers and there is little hope of any of the funds being recovered.

BEC attacks are sophisticated, the attackers are skilled at what they do, and it is all too easy for employees in the finance department to be fooled into thinking they are conversing with the CEO, CFO, or a vendor via email, since the genuine email account is being used. The attackers also study the style of emails sent by the owner of the account and copy that style so as not to arouse suspicion.

There are steps that organizations can take to block the initial attack vector and to identify scams in time to stop any fraudulent transfers of funds. The primary defense against BEC attacks is a spam filtering solution, which will block the initial phishing emails used to obtain the credentials for internal email accounts. SpamTitan incorporates a range of features to detect and block these phishing emails, including machine learning technology that can identify email messages that deviate from the normal messages usually received by individuals. Outbound scanning is also incorporated, which can detect phishing attempts as the attackers try to use employee email accounts to compromise the accounts of their final target – the CFO or CEO. Rules can also be set to flag attempts to send sensitive data – such as W-2 forms – via email.

In addition to spam filtering, it is important for organizations to raise awareness of the threat of BEC attacks with the workforce, especially employees in the finance department. Policies and procedures should also be put in place that require any change to payment details to be verified by telephone using previously confirmed contact information. Implementing these simple measures can be the difference between blocking an attack and transferring millions of dollars directly to the attackers’ accounts.

If you want to improve your defenses against BEC and phishing attacks, give the TitanHQ team a call. Demonstrations of SpamTitan can be booked on request, and the full product – including full technical and customer support – is available on a free trial to allow you to see the solution in action and test it within your own environment before making a decision about a purchase.