Blog

Warning Issued About Brand Phishing Attacks and the Widespread Availability of Scampage Tools

The Federal Bureau of Investigation (FBI) has issued a warning about an increase in spear phishing campaigns impersonating big name brands. Brand phishing is incredibly common and is an effective way of getting individuals to disclose sensitive information such as login credentials or install malware.

Brand phishing abuses trust in a brand. When individuals receive an email from a brand they know and trust, they are more likely to take the action requested in the email. Brand phishing emails usually include the logo of the targeted brand, and the emails use the same message formats as genuine communications from those brands. Links are usually included to malicious web pages that are often hidden in buttons to hide the true destination URL.

If a user clicks the link, they are directed to an attacker-controlled domain that similarly uses branding to fool the victim and make them think they are on the genuine website of the spoofed brand. These webpages include forms that harvest sensitive data. Alternatively, malicious files may be downloaded, with social engineering techniques used to trick victims into opening the files and installing malware.

Cyber threat actors are offering scampage tools on underground marketplaces to help other cybercriminals conduct more effective phishing campaigns. These scampage tools are offered under the product-as-a-service model and allow individuals to conduct convincing phishing campaigns, even people who do not possess the skills to conduct phishing campaigns. With phishing opened up to would-be cybercriminals, the threat to individuals and businesses increases.

The FBI says the scampage tools now being offered can recognize when individuals use their email address as their login ID for a website. Websites require a unique username to be provided when creating an account, and many use an individual’s email address as their username by default.

The scampage tools can identify when a user has set their email address as their username, and when that is detected, they will be directed to a scampage for the same email domain. The user is required to enter their password to log in, which will allow the threat actor to obtain the password and access the victim’s email. With access to the email account, attackers can intercept 2-factor authentication codes, thus bypassing this important control mechanism. With 2FA codes, the attacker will be able to gain access to accounts and make changes, including updating passwords to lock users out of their accounts or change security rules before the owner of the account can be notified.

“Much like the threat with ransomware-as-a-service, this type of product-as-a-service distribution of scampage and credential harvesting tools presents an increased nationwide risk to private sector businesses and their consumers,” said the FBI in its public service announcement. “Brand-phishing email campaigns and scampage tools that help bypass 2FA security measures represent another aspect to this emerging cyber threat.”

To counter the threat, businesses should implement an advanced spam filtering solution to block phishing emails and prevent them from being delivered to employee inboxes. Password policies should be created that require strong passwords to be set, and checks performed to ensure commonly used or weak passwords cannot be set on accounts. Employees should be told to never reuse passwords on multiple accounts and to ensure that all business accounts have unique passwords. Security awareness training should be provided to the workforce to teach email security best practices and train employees on how to identify phishing emails and other scams.

Given the increase in the use of scampage tools, if there is the option, users should set a unique username for an account that is not associated with their primary email address. 2-factor authentication should be configured, and where possible, a software-based authenticator program should be used or a USB security key as the second factor. Alternatively, provide a mobile number for a 2FA code and avoid using a primary email address to receive 2FA codes. If an email address is required, it is best to use an alternative email account.

LinkedIn Phishing Attacks on the Rise

There has been an increase in LinkedIn phishing scams of late that attempt to trick professionals into installing malware, disclosing their login credentials, or providing sensitive information that can be used to create convincing spear phishing emails.

Watch Out for LinkedIn Phishing Attacks!

Many professionals rely on LinkedIn for getting new business and finding employment. The professional networking platform has proven to be incredibly popular and, being business-related, notifications from the platform are less likely to be turned off, as they often are with social media networks such as Facebook.

A notification from LinkedIn could be a prospective client, a potential job opportunity, or an opportunity to grow your network but LinkedIn notifications may not be what they seem.

Common LinkedIn Phishing Scams

LinkedIn phishing attacks can take many forms and are conducted to achieve a variety of objectives. One common denominator in LinkedIn phishing emails is the use of LinkedIn logos and color schemes to make it appear that the notifications are genuine.

One of the most common scams involves messages that appear to have been sent via the professional networking platform from an individual looking to do business with a company. The emails include buttons that appear at face value to direct a user to LinkedIn, yet the destination URL is different. The landing page displays the LinkedIn login box, which has been scraped from the genuine website. The scam aims to steal LinkedIn credentials, which can be used to hijack accounts and conduct scams on the user’s connections. These scams can be identified quite easily by checking the destination URL in the message before clicking. If a link is clicked, always check the URL in the address bar before attempting to log in to ensure you are on the genuine LinkedIn website.

There has been an uptick in another type of LinkedIn phishing scam of late. Standard LinkedIn email templates, such as information about the number of profile views a user has received and the number of searches they have appeared in are common. As with the previous scam, while the messages look genuine, the hyperlinks in the messages do not direct the user to the LinkedIn website, instead they direct them to URLs hosting phishing kits. The landing pages use a variety of ruses to get the user to disclose sensitive information. One common scam is an online survey that asks a series of questions to obtain information that can be used to create convincing spear phishing emails.

Scammers often create fake profiles in an attempt to trick platform users into thinking they are conversing with a genuine user. These profiles tend to be used in targeted attacks for cyberespionage purposes. These attacks often see the scammer engage in conversations with the targets to build trust, before tricking them into visiting a malicious website or opening an emailed document that installs malware. These scams can be more difficult to identify than the previous two scams, although there are clues that this is a scam. Always check the profile of any potential connection. Fake profiles often have incomplete or inconsistent information, suspiciously low numbers of connections, and odd connections given the individual’s claimed job. Even if the profile appears genuine, you should always be wary of any links or documents that are shared.

A Spam Filtering Solution Could be Your Savior!

Some of the scams are easy to identify, but many are very realistic and have convincing lures that can be difficult to distinguish from genuine emails. These scams fool many people into disclosing sensitive information or installing malware, even individuals who believe they are security-aware and would not be fooled by phishing scams. Vigilance is the key to identifying the scams but an advanced spam filtering solution will ensure that you are not troubled by these scam emails and phishing attempts.

Businesses that rely on the basic spam protections provided with the Microsoft 365 license should consider investing in a more advanced spam filtering solution, as many phishing emails bypass the Exchange Online Protection (EOP) mechanisms provided free with Microsoft 365 accounts.  For greater protection, consider a spam filtering solution such as SpamTitan, which augments Microsoft 365 defenses and will better protect you against phishing attacks.

For more information about SpamTitan and how it can protect you and your employees from phishing attacks, botnets, viruses, malware, and ransomware attacks, give the TitanHQ team a call or sign up for the free trial and find out for yourself the different SpamTitan makes.

TrickBot Infrastructure Being Used to Rebuild the Emotet Botnet

At the start of 2021, a Europol and Eurojust-led operation involving law enforcement agencies in 8 countries successfully took down the infamous Emotet botnet. The botnet consisted of an estimated 1.6 million devices worldwide that had been infected with the Emotet Trojan.

The Emotet Trojan first appeared in 2014 and was originally a banking trojan, although it evolved into a malware downloader that was rented out to cybercrime gangs under the malware-as-a-service model. The botnet was used to give those threat actors a foothold in victims’ environments and allowed them to install malware such as IcedID, QakBot, and TrickBot. Those malware variants were then used to deliver ransomware such as Conti and Ryuk.

Emotet posed a massive threat to businesses worldwide prior to its takedown. In addition to being a malware distribution tool, the botnet was used to launch Distributed Denial of Service (DDoS) attacks and largescale spamming campaigns against high-profile targets around the world.

The Emotet botnet was controlled by a network of hundreds of servers worldwide. The takedown, which occurred on January 27, 2021, saw its infrastructure taken over by law enforcement. On April 25, 2021, law enforcement in Germany launched a cleanup operation that added a module that removed the Emotet Trojan from victims’ systems. 2 individuals were arrested who were suspected of involvement in maintaining the botnet, and in the weeks and months that followed no Emotet activity was detected. However, that has now changed.

The Emotet Botnet is Back

Law enforcement took control of the command-and-control infrastructure of Emotet and removed the Emotet Trojan from all infected devices, and while that was sufficient to kill the botnet, it was not enough to prevent its return. Researchers at GData, Advanced Intel, and Cryptolaemus have all discovered instances where the TrickBot Trojan has delivered an Emotet loader.

The Emotet botnet operators have previously worked with the threat actors behind the Trickbot Trojan, using their botnet to grow the TrickBot botnet. That process is now happening in reverse. A new version of the loader and Emotet Trojan have been created and it appears that the Emotet botnet is being reconstructed from scratch.

At this stage, there are relatively few devices infected with Emotet but that is not likely to remain the case for long. Around 246 devices are known to have had the Emotet Trojan installed, and they are being used as its command-and-control infrastructure at present.

Emotet was known for conducting malspam campaigns to grow the botnet, and spamming campaigns have already been detected using several different lures and a variety of attachments. Spam emails spreading Emotet have used Word files and Excel spreadsheets with malicious macros, and to prevent analysis by email security solutions, some emails have used password-protected zip files. Some of the lures detected by security researchers in the first campaigns include notifications about canceled dental insurance, Cyber Monday and Black Friday sales, notifications about canceled meetings, and requests for political party donations.

How to Protect Against Infection with Emotet

Protecting against Emotet involves implementing measures that also protect against TrickBot infections. Since both Emotet and TrickBot are extensively delivered via malspam emails, implementing an advanced email security solution is a good place to start.

One of the most effective tactics used by the Emotet gang was hijacking message threads. This involves sending replies to previous message conversations and adding a malicious hyperlink or infected email attachment. Since the messages were sent from email accounts known to the recipient, links were often clicked, and attachments opened.

Security awareness training often teaches employees to be suspicious of unsolicited messages from unknown individuals. It is important to make employees aware that malicious emails may also come from known individuals and to warn employees that hijacked message threads are used to deliver malware. Security awareness training can be effective, but it is nowhere near as effective as technical solutions that block malicious messages.

Security can be improved by choosing an email security solution with outbound email scanning. This feature will scan outgoing messages to detect compromised email accounts, allowing security teams to take prompt action to isolate infected devices. You should also ensure that your email security solution includes sandboxing in addition to antivirus engines, as the latter can only detect known malware variants. Attachments that pass standard AV scans are sent to a sandbox where they are subjected to in-depth analysis to identify malicious actions.

These features and many more are included in SpamTitan from TitanHQ. SpamTitan is effective at blocking the full range of email-based threats and is easy to implement and use. If you want to improve your defenses against dangerous email threats such as TrickBot, IcedID, QakBot, and Emotet without breaking the bank, give the TitanHQ team a call for more information about SpamTitan.

SpamTitan is available on a free trial and product demonstrations can be arranged on request.

Ransomware Attacks Increased by 900% in 1H 2021

There has been an alarming surge in ransomware attacks in 2021. Attacks have been conducted on businesses of all sizes, from large international enterprises with multi-million-dollar cybersecurity budgets to small businesses with just a handful of employees. The attacks have shown that no business is to large or small to be targeted.

Ransomware is a form of malware that is used to encrypt files to prevent them from being accessed. The attacker holds the keys to allow data to be decrypted, and those keys will only be provided if a ransom is paid. Ransom demands can range from a few thousand dollars for individual devices up to tens of millions of dollars for large companies.

900% Increase in Ransomware Attacks in 2021

This year has seen ransomware attacks conducted at an alarming level. CybSafe‘s data has revealed a 900% increase in ransomware attacks in the first 6 months of 2021 compared to the corresponding period last year. In addition to the increase in number, the cost of mitigating the attacks has increased and the ransom demands have been growing. This week, for example, Europe’s largest consumer electronics retailer – MediaMarkt – confirmed it was the victim of a Hive ransomware attack. The attackers reportedly demanded a payment of $240 million for the keys to decrypt files.

2021 has shown no company is off limits with multiple attacks conducted on critical infrastructure firms. One attack on Colonial Pipeline in the United States resulted in the shutdown of a fuel pipeline serving the Eastern Seaboard of the United States for a week. A ransom payment of $4.4 million was paid to the attackers to recover data.

The U.S. software company Kaseya, which provides a range of software solutions to businesses and managed service providers, suffered a major ransomware attack involving REvil ransomware. The REvil gang demanded a payment of $70 million for the keys to decrypt files. The attack affected around 40 managed service providers and an estimated 1,500 downstream businesses.

Attacks have also been conducted on many healthcare providers, with those attacks disrupting healthcare services and putting patient safety at risk. In May 2021, Ireland’s Health Service Executive (HSE) suffered a ransomware attack which is believed to have started with a phishing email. The response gave the Conti ransomware gang the access needed to encrypt files. A $20 million ransom demand was issued, although the attackers provided the keys free of charge in the end. Even so, the HSE took months to recover from the attack at considerable cost.

Ransomware Gangs Targeted by Law Enforcement

The above attacks represent just a tiny percentage of the ransomware attacks that have been publicly disclosed this year and it is clear that the threat of attack is unlikely to wane any time soon.

There has been some good news, however. The attacks on critical infrastructure firms have forced the U.S. government to step up its efforts to target ransomware-related crime. Following the attacks, ransomware attacks were elevated to a level akin to terrorist attacks, and with that comes additional resources.

Already the United States and law enforcement partners around the worked have succeeded in disrupting the activities of several ransomware gangs. The REvil ransomware infrastructure taken down and arrests have been made, the Darkside operation shut down and its suspected successor BlackMatter also. Suspected members of the Clop ransomware operation have been arrested, and Europol has arrested 12 individuals in connection with LockerGoga, MegaCortex, and Dharma ransomware attacks.

While the arrests and infrastructure takedowns will have a short-term effect, ransomware threat actors are likely to regroup, set up new operations, and recommence their attacks as they have done in the past.

An Easy Step to Take to Improve Ransomware Defenses

Businesses need to take steps to combat the ransomware threat, but since many different methods are used to gain access to networks, this can be a challenge. The best place to start is to make sure defenses against phishing emails are put in place. Most ransomware attacks start with a phishing email, which either delivers malware or gives attackers credentials that provide them with the foothold in networks that they need to conduct their attacks.

Email security solutions such as SpamTitan filter out malicious messages and prevent them from reaching inboxes where they can fool employees. Technical solutions such as email security gateways are far more effective than end user training at blocking threats, although it is also important to make sure employees are aware of cybersecurity best practices and are taught how to identify a phishing email.

Email filtering solutions such as SpamTitan perform an in-depth analysis of all email content and can detect malicious links and email attachments. When emails fail the checks, they are sent to the quarantine folder where they can be reviewed. This allows security teams to gain a better understanding of the threats that are targeting their organization and also allows false positives to be identified so filtering rules can be updated.

SpamTitan incorporates dual antivirus engines, sandboxing that allows suspicious attachments to be analyzed to identify new malware variants, and machine learning technology to ensure that spam filtering improves over time.

A huge array of checks and controls ensure malicious messages are blocked, but that all happens behind the scenes. Administrators benefit from a clean, easy-to-use interface that requires no technical skills to navigate and use. All information and controls are intuitive.

If you would like to find out more about improving your defenses against ransomware, malware, phishing, and other email and web-based threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are available on a free trial, allowing you to put them to the test in your own environment before making a decision about a purchase.

Warning of Phishing Attacks on Users of Robinhood Trading Platform

The stock trading platform Robinhood has announced a major breach of the personal data of 7 million of its customers, who now face an elevated risk of phishing attacks.

Phishing attacks on businesses are incredibly common. While phishing can take many forms, the most common method involves sending emails to company employees and using social engineering tactics to get them to take a specific action. That action is often to click on a malicious hyperlink in the email that directs them to a website where they are asked to provide sensitive information such as their login credentials.

Phishing can also occur via SMS messages, instant messaging platforms, or social media networks. While it is less common for phishing to occur over the telephone – termed vishing – this method actually predates email phishing attacks. Vishing attacks are more labor-intensive and are a form of spear phishing, where a small number of individuals are targeted.

Vishing Attack Allowed Attacker to Obtain 5 Million Email Addresses

It was a vishing attack that allowed a threat actor to obtain the personal data of Robinhood customers. The threat actor called a Robinhood customer service employee and used social engineering techniques over the phone to get the employee to disclose sensitive information. The information obtained allowed the threat actor to access its customer service system, through which it was possible to obtain a limited amount of data of a portion of its customer base.

It is unclear what tactics the threat actor used, although, in these types of attacks, tech support scams are common. This is where a threat actor impersonates the IT department and tricks an employee into disclosing credentials under the guise of a software update or a fix for a malware infection.

Regardless of the lure, the threat actor was able to access its system and stole a list of 5 million customer email addresses, a list of the full names of 2 million individuals, and the names, dates of birth, and zip codes of 310 individuals.

No financial information or Social Security numbers are believed to have been obtained in the attack, but the Robinhood data breach is still serious for affected individuals who now face an elevated risk of phishing attacks.

Robinhood said after the customer lists were exfiltrated, a ransom demand was received. Robinhood did not say whether the ransom was paid, only that the cybersecurity firm Mandiant was investigating, and the incident has been reported to law enforcement.

Risk of Phishing Attacks in Wake of Robinhood Data Breach

Attacks such as this where an attempt is made to extort money from a company after sensitive data are stolen are commonplace. If a company refuses to pay, the attack is monetized by selling the stolen data. Even if a ransom is paid, there is no guarantee that data will not be sold. A list of the email addresses of users of a trading platform would be highly sought after by cybercriminals, who could craft convincing phishing emails to obtain sensitive data to allow users’ accounts to be accessed.

There have been many cases where email addresses have been used in phishing campaigns that reference the breach itself, spoofing the company that was attacked although all manner of lures could be used. There is a fair probability that phishing campaigns will be conducted using the stolen data, so users of the Robinhood platform should be on high alert.

Robinhood has advised customers to be wary of any emails that claim to be from the company and said it would never send a hyperlink in an email to access an account, instead users should only trust Robinhood messages that are sent within the app. For further protection, 2-factor authentication should be enabled, and users of the app should be cautious when opening any email messages, and to be particularly wary about any message that requests sensitive information or includes a hyperlink or email attachment, especially if it is an unsolicited email from an unknown sender.

TitanHQ Recognized as Leading Irish Cybersecurity Company

With the number of cyber threats increasing, it has never been more important for business leaders to ensure their networks and systems are well defended. Throughout the pandemic, companies have been reporting data breaches at an alarming rate, with many of those cyberattacks having a devastating impact on victims.

Look no further than the ransomware attacks on the Irish Department of Health and the Health Service Executive in May 2021. Those attacks saw highly sensitive data stolen, files encrypted, and doctors and nurses were prevented from accessing patient records. The attacks resulted in almost all systems being taken offline, all core services were affected, and many outpatient services had to be canceled. The effects of the cyberattacks were still being felt several months later.

In light of the increased threat of attack and the seriousness of the consequences should an attack succeed, Think Business, Ireland has raised awareness to the importance of improving cybersecurity defenses. To help Irish businesses find the cybersecurity solutions they need, Think Business, Ireland has recently compiled a list of the top 26 Irish-owned businesses that are leading the charge in the fight against cybercrime.

Ireland punches well above its weight when it comes to cybersecurity. Ireland is a top investment location for global cybersecurity players, but there are many homegrown Irish companies that provide truly world-class cybersecurity solutions on the global stage, including software-as-a-service offerings and cloud-based security solutions.

One of those companies is Salthill, Galway-based TitanHQ, which has been included in the list of the country’s top cybersecurity firms. TitanHQ has been in business for 25 years and has won multiple awards for its email security, web filtering, and email archiving solutions and the company has been enjoying impressive growth at a time when many businesses were under incredible strain due to the COVID-19 pandemic.

The company has ambitious growth plans and has been heavily investing in product development and people, with that investment expected to significantly improve on the 12,000 businesses and 2,500 managed service providers that rely on its solutions to keep cyber threats at bay.

Helped by significant investment from Livingbridge investor group, the company’s growth has been turbocharged. Over the past 18 months, TitanHQ has more than doubled its workforce, which now consists of a rock-solid team of 90+ people. The company has certainly earned its place in Think Business, Ireland’s list of the top 26 Irish cybersecurity companies to watch out for.

“We are delighted to be listed next to some of the biggest names in the Irish Cybersecurity space. As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers,” said TitanHQ CEO, Ronan Kavanah.

Left to Right: Ronan Kavanagh, CEO, Diane Wright, people operations manager, Sean Morris, chief technical officer, Gina Mc Grath, digital marketing executive, and Dryden Geary, marketing director.

Left to Right: Ronan Kavanagh, CEO, Diane Wright, people operations manager, Sean Morris, chief technical officer, Gina Mc Grath, digital marketing executive, and Dryden Geary, marketing director.

TodayZoo Phishing Kit Being Used in Extensive Phishing Campaigns Targeting Microsoft 365 Credentials

Phishing involves sending emails that try to trick the recipients into taking a specific action, which could be to send sensitive data via email, open an infected email attachment, or click a link to a malicious website.

Phishing campaigns require little effort or skill to conduct. Lists of email addresses can easily be purchased on hacking forums or can be scraped from websites using widely available programs. Malware does not need to be developed, as this can be purchased through many malware-as-a-service operations. Phishing campaigns that direct individuals to a malicious website where credentials are harvested require those websites to be set up to trick users and capture credentials, but even that process is made simple with phishing kits.

Phishing kits can easily be purchased on hacking forums. These kits contain files that can be uploaded to compromised or owned websites that will collect and transmit credentials when they are entered. Phishing kits are usually sold on hacking forums for a one-time payment and typically contain everything required to start conducting phishing campaigns, including scripts, HTML pages, images, and often phishing email templates. Phishing kits allow individuals without much knowledge of how to conduct a phishing campaign to easily start running their own campaigns.

New Phishing Kit Being Used in Extensive Series of Phishing Campaigns

There are many phishing kits currently available on hacking forums, but a new one has recently been discovered that appears to have been developed using at least six other phishing kits. The new phishing kit, which Microsoft calls TodayZoo, combines the best features of other available phishing kits and is believed to have been developed by an individual who has decided to get into the phishing kit market by plagiarizing others.

The TodayZoo kit has been active since at least December 2020 and is known to have been used in an extensive series of phishing campaigns to steal Microsoft 365 credentials. The TodayZoo phishing campaigns detected so far impersonate Microsoft, with the emails using lures such as password resets, and fake notifications about faxes and shared scanned documents.

The messages direct the recipients to a webpage hosting the phishing kit that similarly impersonates Microsoft, with victims told they must log in with their Microsoft 365 credentials to either reset their password or view the fake faxes or documents. If credentials are entered, the phishing kit captures the information and transmits it to the person running the campaign.

A large part of the TodayZoo phishing kit has been taken from the DanceVida kit, with Microsoft’s analysis revealing it also includes code from the Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo phishing kits.

So not only are phishing kits purchased for conducting campaigns, but those also kits themselves can be copied and customized and used by individuals to launch their own phishing-as-a-service operations.

Phishing Prevention Requires a Defense in Depth Approach

Phishing kits lower the bar for conducting phishing campaigns, and along with malware-as-a-service and ransomware-as-a-service offerings, allow low-level threat actors to start conducting their own campaigns with ease. These services are fueling the increase in cyberattacks on businesses. Fortunately, there are low-cost cybersecurity solutions that businesses can use to block these phishing and malware campaigns.

Unfortunately, there is no silver bullet. It is no longer sufficient given the level of the threat to rely on one method of blocking attacks. A defense-in-depth approach is required, which means implementing multiple layers of protection. If one of those layers fails to block a threat, others are there to provide protection.

Phishing protection should start with a spam filter. Spam filters conduct a range of checks on all incoming emails and will block more than 99% of spam and phishing emails. TitanHQ’s email security solution, SpamTitan, has been independently tested and shown to block in excess of 99.9% of spam and phishing emails. SpamTitan also includes dual anti-virus engines to detect malicious attachments, and a sandbox to subject attachments that pass AV controls to an in-depth analysis. SpamTitan uses blacklists of malicious IP addresses, performs a range of checks on the message body and headers, and incorporates machine learning technology to detect messages that deviate from standard messages ensuring the spam filter improves over time.

A web filter is another important security measure that should be included in a defense-in-depth strategy to block phishing and malware attacks. A web filter works in tandem with a spam filter but blocks the web component of the attacks. When a user clicks a link in an email that directs them to a phishing website, that attempt is blocked. A web filter also allows users to block certain file downloads from the Internet, such as those commonly associated with malware.

Antivirus software should be installed on all endpoints as additional protection against malicious file downloads, and security awareness training should be regularly provided to the workforce. In the event of credentials being obtained in a phishing attack, multifactor authentication can prevent those credentials from being used to gain access to accounts. With these measures in place, businesses will be well protected.

For further information on spam filtering, web filtering, and to find out more about SpamTitan and WebTitan, give the TitanHQ team a call today. Both solutions are available on a 100% free trial to allow you to evaluate the products in your own environment to see how effective they are and how easy they are to use before committing to a purchase.

Squirrelwaffle Malware Loader Being Distributed in Spam Emails

A new malware variant dubbed Squirrelwaffle has been identified which is being distributed via spam emails. Squirrelwaffle was first identified in September 2021, with the number of spam emails distributing the malware increasing throughout the month and peaking at the end of September.

The takedown of the Emotet botnet in January 2021 left a gap in the malware-as-a-service market, and several new malware variants have since emerged to fill that gap. Emotet was a banking Trojan that was used to distribute other malware variants to Emotet-infected machines, with Squirrelwaffle having similar capabilities. Squirrelwaffle allows the threat group to gain a foothold in compromised devices and networks, which allows other malware variants to be delivered.

Investigations of the malspam campaign have revealed it is currently being used to distribute Qakbot and Cobalt Strike, although the malware could be used to download any malware variant. The spam emails that deliver Squirrelwaffle include a hyperlink to a malicious website which is used to deliver a .zip file that contains either a .doc or .xls file. The Office files have a malicious script that will deliver the Squirrelwaffle payload.

The Word documents use the DocuSign signing platform to lure users to activate macros, claiming the document was created using a previous version of Microsoft Office Word which requires the user to “enable editing” then click “enable content” to view the contents of the file. Doing so will execute code that will deliver and execute a Visual Basic script, which retrieves the Squirrelwaffle payload from one of 5 hardcoded URLs. Squirrelwaffle is delivered as a DLL which is then executed when downloaded and will silently download Qakbot or Cobalt Strike, which both provide persistent access to compromised devices.

As was the case with the Emotet Trojan, Squirrelwaffle can hijack message threads and send malspam emails from infected devices. Since replies to genuine messages are sent from a legitimate email account, a response to the message is more likely. This tactic proved to be highly effective at distributing the Emotet Trojan. The campaign is mostly conducted in English, although security researchers have identified emails in other languages including French, German, Dutch, and Polish.

The similarities with Emotet could indicate some individuals involved in that operation are attempting a return after the law enforcement takedown, although it could simply be an attempt by unrelated threat actors to fill the gap left by Emotet. Currently, the malware is not being distributed in anywhere near the volume of Emotet but it is still early days. Squirrelwaffle may turn out to be the malware distribution vehicle of choice in the weeks and months to come.

To counter the threat, it is vital for email security measures to be implemented to block the malspam at source and ensure the malicious messages are not delivered to inboxes. Since message threads are hijacked, a spam filtering solution that also scans outbound emails– SpamTitan for example – should be used. Outbound scanning will help to identify compromised devices and prevent attacks on other individuals in the organization and address book contacts. SpamTitan also incorporates sandboxing, which works in conjunction with antivirus engines. Suspicious attachments that bypass the AV engines are sent to the sandbox for in-depth analysis.

As part of a defense-in-depth strategy, other measures should also be deployed. A web filter is a useful tool for blocking C2 communications, endpoint security solutions will help to protect against Squirrelwaffle downloads, and regular security awareness training for the workforce is recommended to teach cybersecurity best practices and train employees how to identify malicious emails.  Employees should be told to never click links or open attachments in unsolicited emails or messages and to be wary of messages from unknown accounts. It is also important to explain that some malware variants can hijack message threads, so malicious emails may come from colleagues and other address book contacts.

TA505 is Conducting Large Scale Phishing Campaigns that Deliver a RAT via Weaponized Excel Files

The threat group known as TA505 (aka Hive0065) is known for conducting large-scale phishing campaigns but has not been active since 2020. Now phishing campaigns have been detected that indicate the threat group is conducting attacks once again, with the first mass-phishing campaigns by the group detected in September 2021.

The initial campaigns were small and consisted of a few thousand phishing emails, but as the month progressed larger and larger campaigns were conducted, with phishing campaigns conducted by the group now consisting of tens of thousands of messages. The geographic range has also been increased beyond North American where the gang was initially concentrating its attacks.

Social engineering techniques are used to convince victims to open email attachments or visit links and view shared files, with a variety of lures used by the gang in its phishing attacks. Emails intercepted from the latest campaigns claim to provide insurance claims paperwork, situation reports, media release requests, health claims, and legal requests. Many of the campaigns so far have targeted employees in financial services.

One of the hallmarks of the group is using Excel file attachments in emails that contain malicious macros which deliver a Remote Access Trojan (RAT), the downloading and execution of which gives the group control over victims’ devices. The group is also known to use HTML files that link to malicious websites where the malicious Excel files are downloaded.

While the attacks often start with a file attachment, later in the attack process a Google feedproxy URL is used with a SharePoint and OneDrive lure that appears to be a file share request, which delivers the weaponized Excel file.

The initial infection stage involves the downloading of a Microsoft installer package, which delivers either a KiXtart or REBOL malware loader, which pulls a different MSI package from the C2 server, which then installs and executes the malware. TA505 is known to use the FlawedGrace RAT, which first appeared in 2017, and the latest campaign delivers a new variant of this malware using a malware loader dubbed MirrorBlast. According to an analysis of MirrorBlast by Morphisec labs, the malware will only run in 32-bit versions of Microsoft Office as there are compatibility issues with ActiveX objects.

Macros are disabled by default in Microsoft Excel as a security measure, so social engineering techniques are used in the attacks to convince victims to enable macros. Macros are more commonly used in Excel files than Word files, and end users may not be as suspicious of Excel macros as Word macros.

Email security solutions are capable of detecting files containing Excel macros, especially email security solutions with sandboxing. In an attempt to bypass those measures and ensure the emails are delivered, TA505 uses lightweight, legacy Excel 4.0 XLM macros rather than the newer VBA macros, which has seen many of the messages bypass email security gateways.

TA505 is a highly creative threat group that regularly changes its attack techniques to achieve its goals, with the gang known to have conducted campaigns to deliver the Dridex banking Trojan, Locky and Jaff ransomware, and the Trick banking Trojan.

The group is known for conducting high-volume phishing campaigns that have targeted a range of different industry sectors and geographical areas.

TA505’s tactics, techniques, and procedures are expected to continue to evolve so it is vital for organizations to ensure email security defenses are implemented to block the emails. Security awareness training should also be provided to the workforce and employees should be made aware of the latest tricks and tactics used by the gang, including raising awareness of the use of Excel files with macros in phishing emails.

TitanHQ Achieves Clean Sweep at Expert Insights Annual Awards

Expert Insights has announced its Fall 2021 Best-of Cybersecurity Awards and each of TitanHQ’s products was ranked No1 in their respective categories. This is the second successive year where TitanHQ has had a clean sweep and topped the list for Best Email Security Gateway, Best Web Security Solution, and Best Email Archiving Solution for Business. In addition, SpamTitan ranked top in the Best Email Security Solution for Office 365 category.

Expert Insights is a recognized online cybersecurity publication and industry analyst, that has technical and editorial teams in both the United States and United Kingdom. The publication covers cybersecurity and cloud-based technologies, and its website is used by more than 80,000 business owners, IT admins, and others each month to research B2B solutions. Expert Insights produces editorial buyers’ guides, blog posts, conducts interviews, and publishes industry analyses and technical product reviews from industry experts.

The annual awards are intended to recognize the leading cybersecurity companies and their products, with the winners selected based on industry recognition, customer feedback, and research conducted by its editorial team and independent technical analysts.

SpamTitan Email Security and WebTitan Web Security were both recognized for their powerful threat protection, and along with ArcTitan Email Archiving, were praised for ease-of-use, cost-effectiveness, and industry-leading technical and customer support.

“TitanHQ are proud to have received continued recognition for all three of our advanced cybersecurity solutions. As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers,” said Ronan Kavanagh, TitanHQ CEO.

The advanced threat protection, ease-of-use, and cost-effectiveness of the solutions are part of the reason why TitanHQ is the leading provider of cloud-based security solutions for managed service providers serving the SMB market. These factors have helped to make the solutions the gold standard for SMBs looking to improve security and ensure compliance.

5 Ways to Protect Against Healthcare Phishing Attacks

The healthcare industry has long been targeted by cybercriminals looking to gain access to sensitive patient data, which is easy to sell on the black market to fraudsters such as identity thieves. In recent years hackers have turned to ransomware. They gain access to healthcare networks and encrypt data to prevent patient information being accessed and issue a ransom demand to the keys to decrypt files. Since the start of 2020, these two goals have been combined. Hackers have been gaining access to healthcare networks, then exfiltrate data prior to deploying ransomware. If the ransom is not paid, the data is leaked online or sold on. Patient data may even be sold even if the ransom is paid.

Both of these attack types can be achieved using phishing. Phishing allows threat actors to steal credentials and raid email accounts and use the credentials for more extensive attacks on the organization. Phishing emails can also trick healthcare employees into downloading malware that gives attackers persistent access to the network.

Protecting against phishing attacks is one of the most important ways to prevent data breaches and stop ransomware attacks, but there is no single measure that can be implemented that will provide total protection. Here we explain 5 steps that healthcare organizations should take to protect against healthcare phishing attacks. These include measures required by the HIPAA Security Rule so can help to ensure you achieve and maintain compliance.

5 Measures to Protect Against Healthcare Phishing Attacks

Each of the measures we have listed below is important and will work with the others to significantly improve your security posture; however, the first measure is the most important of all as it will stop the majority of phishing emails from being delivered to employee inboxes.

Spam Filtering

To achieve Security Rule compliance, HIPAA regulated entities must implement technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. A spam filter is one of the most important technical safeguards to protect against email-based attacks such as phishing. Spam filters will generally block in excess of 99% of spam and phishing emails and 100% of known malware.

Any inbound email must pass through the spam filter where it will be subjected to a variety of checks. These include antivirus scanning to block malware, checks against blacklists of known malicious IP and email addresses, and frameworks such as SPF, DKIM, and DMARC to identify and block email impersonation attacks. Advanced spam filters such as SpamTitan include additional malware protection through the use of a sandbox. Email attachments are executed in this safe environment and are checked for potentially malicious actions. This measure helps to identify previously unknown malware and ransomware variants.

SpamTitan also uses techniques such as Bayesian analysis to determine the probability of an email being spam or malicious. Greylisting is also used, which involves the initial rejection of a message with a request to resend. Spam servers do not tend to respond to these requests, so the lack of response or delay is a good indicator of spam.

SpamTitan also incorporates machine learning techniques, ensuring spam filtering improves over times. Thresholds can also be set for individual users, user groups, departments, and organization-wide, to give the greatest protection to accounts that are most likely to be targeted.

2-Factor or Multi-Factor Authentication

2-factor or multi-factor authentication is another technical safeguard to protect against phishing attacks. 2FA/MFA blocks the next stage of a phishing attack, where credentials for an account have already been obtained by an attacker, either through phishing, brute force attacks or other methods.

In addition to a password, a second factor must be provided before an individual is authenticated. This is often a token on a verified device. When an attempt is made to use a password to access the account from an unfamiliar device, location, or IP address, another factor must be provided before access is granted. This is typically a code sent to a mobile phone. 2-factor authentication will block more than 99.9% of automated attempts to gain access to an account according to Microsoft.

Security Awareness Training

Security awareness training is concerned with educating the workforce about threats such as phishing and teaching them how to recognize and avoid those threats. In security awareness training, employees are taught how to identify phishing emails and social engineering scams and are taught cybersecurity best practices to eradicate risky behaviors. Employees are targeted by phishers and not all phishing emails will be blocked by a spam filter. By training the workforce, and providing regular refresher training sessions, employees will get better at identifying and avoiding threats.

The HHS’ Office for Civil Rights explained in guidance for the healthcare industry that teaching employees how to recognize phishing is part of the requirements for HIPAA compliance. Financial penalties have been imposed for organizations that have not provided security awareness training to the workforce.

Conduct Phishing Email Simulations

Training for the workforce will raise awareness of threats, but it is important to test whether training has been assimilated and if it is being applied in real world situations. By setting up a phishing simulation program, security teams will be able to gauge how effective training has been. A failed phishing simulation can be turned into a training opportunity, and employees who regularly fail phishing email simulations can be provided with further training.

Phishing email simulation programs use real-world phishing examples on employees to see how good they are at identifying phishing emails. They can be used to gain an understanding of the types of phishing emails that are being opened and which links are being clicked. This information can be used to improve security awareness training programs.

Sign Up to Receive Threat Intelligence

Another important step to take to protect against phishing attacks is to stay up to date on the latest threats. The tactics, techniques, and procedures (TTP) of hackers and phishers is constantly evolving, and being aware of the latest TTPs will help healthcare organizations mitigate the threats.

Stay up to date by reading the threat alerts published by agencies such as CISA, the FBI, NSA, and HC3, and consider signing up an information sharing and analysis center to receive timely cyber threat intelligence updates. Knowing about new phishing campaigns targeting the sector will allow steps to be taken to block those threats, whether that is a cybersecurity newsletter for staff, implementing new spam filter rules, or other proactive steps to reduce risk.

Common Phishing Threats You Should be Aware of

Phishing is one of the most common ways that cybercriminals gain access to networks to steal credentials and sensitive data, deploy malware, and conduct ransomware attacks. Phishing is most commonly conducted via email and uses deception and ‘social engineering’ to trick people into disclosing sensitive information or running code that downloads malicious software.

Phishing emails often impersonate trusted individuals or companies. The email addresses used to send these messages can appear legitimate, and the messages often include the logos and layouts of the genuine communications they spoof. The emails often include a hyperlink to a website where credentials are harvested. The online component of the phishing scam similarly spoofs a trusted entity and, in many campaigns, it is difficult to distinguish the phishing website from the genuine site being spoofed.

Phishing attacks are increasing and for one very simple reason. They work. Not only do these messages fool huge numbers of people, they are also easy to conduct and there is little risk of phishers being caught. Even the Italian mafia and other organized crime operations have adopted phishing in addition to the standard protection rackets as a way to rake in money. This week, Europol announced it broke up an organized crime gang with links to the Italian mafia which had raked in €10 million in revenue from phishing and other online fraud scams in the past year.

Phishing Lures are Constantly Changing

The lures used in phishing scams are constantly evolving. While standard phishing campaigns involving fake invoices and resumes, missed deliveries, and fake account charge notifications are regularly used, topical lures related to news stories and COVID-19 are also thrown in into the mix. The lures may change, but there are commonalities with these phishing scams that individuals should be able to recognize.

Phishing scams attempt to get the recipient to take a specific action, such as visit a link in the email or open an email attachment. There is usually a sense of urgency to get recipients to take prompt action, such as a threat of account closure or potential legal action. While suspicions may be raised by these messages, many people still take the requested action, either through fear of missing out or fear of negative repercussions if no action is taken.

It is best to adopt a mindset where every email received is potentially a phishing scam, and any request suggested in an email could well be a scam. Any email received that threatens account closure if no action is taken can easily be checked for legitimacy by logging in to the account via a web browser (never use the links in the email). If there is an unauthorized charge or a problem with the account, this will be clear when you login.

If you receive a message from a company stating there is an unpaid invoice or an order has been made that is not recognized, search for the company online and use trusted contact information to verify the legitimacy of the email.

If you receive an email from your IT team telling you to install a program or take another action that seems suspicious, give the support desk a call to verify the legitimacy of the request.

Links in emails are the most common way to direct people to phishing webpages. You should always hover your mouse arrow over the link to check the true destination, and if the URL is not on an official domain, do not click.

Common Phishing Lures You Should be Aware Of

  • An email about a charge that has been applied to your account that has been flagged as suspicious and requires you to login to block the charge
  • An email threatening imminent account closure or loss of service if you do not take immediate action to correct the issue
  • An email from law enforcement threatening arrest or legal action for a crime you are alleged to have committed
  • An email from the IRS or another tax authority offering a refund as you have overpaid tax, or legal action over nonpayment of tax
  • An email with an invoice for a product or service you have not purchased
  • An email telling you malware has been detected on your computer that requires a software download to remove it
  • An email with a link that requires you to provide credentials to view content or confirm your identify by verifying your credit/debit card number.

If you receive any message, the important thing is to stop and think before taking any action and to carefully assess the legitimacy of the request.

Spam Software will Block the Majority of Phishing Emails

One of the best ways that businesses can improve email security is to implement an advanced spam filtering solution. SpamTitan provides protection against phishing and other malicious emails using a wide range of tools that include machine-learning to identify suspicious messages, sandboxing, dual anti-virus engines, greylisting, and malicious link detection mechanisms. SpamTitan will ensure that malicious messages are not delivered to end users where they can be clicked. When combined with security awareness training to teach cybersecurity best practices, businesses can mount a formidable defense against phishers.

To find out more about how you can protect against phishing and other malicious emails, give the TitanHQ team a call. SpamTitan is available on a free trial, product demonstrations can be arranged on request, and you may be surprised to discover how little it costs to improve protection against all types of email attacks.

SpamTitan 7.11 Release Includes New Geo-blocking Email Security Feature

TitanHQ has released a new version of its award-winning email security solution that includes a new security feature – Geo-blocking email filtering, as well as several other security updates and fixes to improve usability.

Geo-blocking is a feature that has been requested by customers and has now been included in the product at no additional cost to users. Geo-blocking, as the name suggests, allows SpamTitan users to block or allow emails originating from certain geographical locations, based on either IP address or country. This feature allows businesses to add an extra layer of protection to block geographic threat vectors and stop malware, ransomware, and phishing emails from reaching inboxes.

The new feature allows businesses and organizations to block emails coming from any country. This extra control is important, as most malware-containing emails come from a handful of overseas countries – Countries that most small- to medium-sized businesses do not normally work with. Blocking emails from those countries eliminates threats, without negatively impacting the business.

Activating the geo-blocking feature could not be any easier. SpamTitan users can click to restrict emails from any country in the SpamTitan Country IP Database and all emails coming from those countries will be blocked. There will naturally be instances where things are not so cut and dry, but that is not a problem. Geo-blocking can be activated for a specific country, and IP addresses, domains, or email addresses of trusted senders within those countries can simply be whitelisted to ensure their messages are delivered.

“Geoblocking has been a much-requested feature and as always we listen to our customers and provide what they need to implement the very best email security they can,” said TitanHQ CEO Ronan Kavanagh. “After experiencing 30% growth in 2021, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

Several other security enhancements have been made to further improve the already excellent threat detection and blocking mechanisms within SpamTitan. SpamTitan 7.11 includes an upgraded sandboxing feature to provide even greater protection against malware, ransomware, phishing, spear-phishing, Advanced Persistent Threats, and malicious URLs embedded in emails. These enhancements also provide more detailed information into new threats to help SpamTitan users mitigate risk.

As always with a new release, recently reported bugs have been fixed, and SpamTitan has been further improved with enhanced email rendering in Mail Viewer. Users also now have the ability to remove quarantine report token expiry and improve domain verification, to name but a few of the enhancements.

SpamTitan is delivered either as a 100% cloud-based solution or as an anti-spam gateway, which is run as a virtual appliance on existing hardware. Existing SpamTitan Cloud customers need do nothing to upgrade to the new version of the solution, released on September 14, 2021. SpamTitan Cloud is automatically updated to the latest version.

Users of SpamTitan Gateway will need to manually upgrade to the latest version via System Setup > System Updates.

A full description of the latest updates in SpamTitan 7.11 is available here.

New Hampshire Town Loses $2.3 Million to BEC Scammers

Ransomware attacks are being conducted at alarming rates, but even though the cost of these attacks is considerable, they are not the leading cause of losses to cybercrime. According to figures from the Federal Bureau of Investigation (FBI), business email compromise attacks are the costliest type of cyber fraud. In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 complaints about business email compromise scams. $1.8 billion was lost to these sophisticated email scams in 2020 and many of these scams are never reported.

Business email compromise (BEC) scams, also known as email account compromise (EAC) scams, involve business email accounts being compromised by attackers and then used to send messages to individuals in the company responsible for making wire transfers. The goal of the attacks is to compromise the email account of the chief executive officer (CEO) or the chief financial officer (CFO), and to use that account to send messages to others in the company asking them to make a wire transfer to an attacker-controlled account.

Attacks are also conducted on vendors and their accounts are used to send requests to change payment methods or the destination account for an upcoming payments. In addition to requesting wire transfers, the scammers are also known to request sensitive data such as W2 forms, the information on which can be used to submit fraudulent tax returns to claim tax refunds. BEC scammers are also known to request gift cards or request changes to payroll direct deposit information.

BEC scams can result in major losses. Recently, a town in New Hampshire (Peterborough) was targeted by BEC scammers who successfully redirected multiple bank transfers before the scam was uncovered. The attackers sent forged documents to staff members in the Finance Department of the town to make changes to account information for various payments. The scam was sophisticated, and the scammers participated in multiple email exchanges between staff members. The attackers had conducted extensive research to find out about the most valuable transactions to redirect.

The scam was uncovered when the ConVal School District notified the town when they failed to receive a $1.2 million transfer of funds. Peterborough officials confirmed that the transfer had been made, with the investigation revealing the bank account details had been changed. Further investigation revealed two large bank transfers to the contractor used for the Main Street Bridge Project had also been redirected to attacker-controlled accounts. In total, $2.3 million was lost to the scammers and there is little hope of any of the funds being recovered.

BEC attacks are sophisticated, the attackers are skilled at what they do, and it is all too easy for employees in the finance department to be fooled into thinking they are conversing with the CEO, CFO, or a vendor via email, since the genuine email account is being used. The attackers also study the style of emails sent by the owner of the account and copy that style so as not to arouse suspicion.

There are steps that organizations can take to block the initial attack vector and to identify scams in time to stop any fraudulent transfers of funds. The primary defense against BEC attacks is a spam filtering solution, which will block the initial phishing emails used to obtain the credentials for internal email accounts. SpamTitan incorporates a range of features to detect and block these phishing emails, including machine learning technology that can identify email messages that deviate from the normal messages usually received by individuals. Outbound scanning is also incorporated, which can detect phishing attempts as the attackers try to use employee email accounts to compromise the accounts of their final target – the CFO or CEO. Rules can also be set to flag attempts to send sensitive data – such as W-2 forms – via email.

In addition to spam filtering, it is important for organizations to raise awareness of the threat of BEC attacks with the workforce, especially employees in the finance department. Policies and procedures should also be put in place that require any change to payment details to be verified by telephone using previously confirmed contact information. Implementing these simple measures can be the difference between blocking an attack and transferring millions of dollars directly to the attackers’ accounts.

If you want to improve your defenses against BEC and phishing attacks, give the TitanHQ team a call. Demonstrations of SpamTitan can be booked on request, and the full product – including full technical and customer support – is available on a free trial to allow you to see the solution in action and test it within your own environment before making a decision about a purchase.

OnePercent Ransomware Delivered via Phishing Emails

Ransomware attacks have been rife in 2021, with the increase in attacks seen in 2020 continuing throughout 2021. The number of attacks conducted in 2021 has been staggering. There were more attempted ransomware attacks in the first 6 months of 2021 than there were in all of 2020, according to one report.

Ransomware-as-a-service (RaaS) operations that were active throughout 2020 have increased their attacks, and while some RaaS operations have been shut down, attack volume is showing no sign of reducing. There is also a new ransomware threat to defend against.  The Federal Bureau of Investigation (FBI) has issued a warning about a new ransomware threat actor that has been particularly active in the United States. The group, known as OnePercent, has been using its ransomware to attack U.S. businesses since at least November 2020, according to a recent FBI Flash Alert. The group is known to use the legitimate penetration testing tool Cobalt Strike in its attacks, and prior to using their OnePercent ransomware variant to encrypt files, the attackers exfiltrate sensitive data from victims’ systems.  A ransom demand is issued for the keys to decrypt files and to prevent the publication of the stolen data on the group’s data leak sites on the TOR network and the publicly accessible Internet.

Like many ransomware gangs, the initial attack vector is phishing emails. Phishing emails are sent to targeted organizations that have malicious .ZIP email attachments which contain Word documents or Excel spreadsheets with malicious macros that deliver the IcedID banking Trojan. The Trojan downloads and installs Cobalt Strike on endpoints to allow the attacker to move laterally within victims’ networks to compromise as many devices as possible. The group is also known to use PowerShell, Mimikatz, SharpKatz, BetterSafetyKatz, and SharpSploit, and Rclone for data extraction.

The attackers are known to take their time within networks to identify and steal critical data. In attacks reported to the FBI, the group has spent up to a month from the initial compromise to the deployment of OnePercent ransomware. During that time, considerable volumes of data are exfiltrated. The ransomware itself encrypts files and uses a random 8-character extension for encrypted files.

As is now the norm, there is no fixed ransom payment. Victims are required to make contact with the attackers to receive ‘technical support’ recovering their files and to discover how much needs to be paid for the decryptors and to ensure data deletion. If the ransom is paid, the attackers say they will deliver the decryption keys within 48 hours. The threat group is also known to contact the victim by telephone using spoofed telephone numbers to pressure victims into paying by threatening to publish the stolen data. The group has also threatened to sell the stolen data to the Sodinokibi ransomware gang to list for sale at a public auction.

Since the group uses phishing emails as the initial attack vector, preventing those messages from reaching inboxes is the best defense against attacks. That requires an advanced spam filtering solution such as SpamTitan. It is also recommended to configure emails to display a warning when they are received from a sender that is outside the organization.

It is also important to follow cybersecurity best practices such as network segmentation to limit the potential for lateral movement, to audit user accounts with admin privileges and restrict their use as far as possible, and to configure access controls using the principle of least privilege. All critical data should be backed up offline on an external hard drive or storage device that is disconnected once the backup has been performed. Backups should also be tested to make sure file recovery is possible.

While the OnePercent ransomware gang is only known to use phishing emails as the attack vector, other methods of attack may also be adopted. It is therefore recommended to ensure that remote access and RDP ports are disabled if not used, to monitor remote access/RDP logs, to keep computers and applications up to date and to apply patches promptly, and to ensure that strong passwords are set and multi-factor authentication is implemented.

Ransomware and BEC Attacks Often Start with a Phishing Email: Are Your Phishing Defenses Good Enough?

Ransomware attacks can be incredibly expensive and business email compromise (BEC) scams can result in transfers of millions of dollars to attackers, but these breaches often start with an email.

Phishing emails are sent to employees that ask them to click on a link, which directs them to a webpage where they are asked to provide their login credentials, for Microsoft 365 for example. Once credentials are entered, they are captured and used to access that individual’s account. The employee is often unaware that anything untoward has happened.

The stolen credentials give an attacker the foothold in the network that is needed to launch a major cyberattack on the business. The phisher may use the email account to send further phishing emails to other employees in the company, with the aim being to gain access to the credentials of an individual with administrative privileges or the credentials of an executive.

An executive’s account can be used to send emails to an individual in the company responsible for making wire transfers. A request is sent for a wire transfer to be made and the transfer request is often not recognized as fraudulent until the funds have been transferred and withdrawn from the attacker’s account. These BEC scams often result in tens of thousands of dollars – or even millions – being transferred.

An alternative attack involves compromising the email accounts of employees and sending requests to payroll to have direct deposit information changed. Salaries are then transferred into attacker-controlled accounts.

Phishers may act as affiliates for ransomware-as-a-service (RaaS) gangs and use the access they gain through phishing to compromise other parts of the network, steal data, and then deploy ransomware, or they may simply sell the network access to ransomware gangs.

When email accounts are compromised, they can be used to attack vendors, customers, and other contacts. From a single compromised email account, the damage caused is considerable and often far reaching. Data breaches often cost millions of dollars to mitigate. All this from a single response to a phishing email.

Phishing campaigns require very little skill to conduct and require next to no capital investment. The ease at which phishing attacks can be conducted and the potential profits that can be gained from attacks make this attack method very attractive for cybercriminals. Phishing can be used to attack small businesses with poor cybersecurity defenses, but it is often just as effective when attacking large enterprises with sophisticated perimeter defenses. This is why phishing has long been one of the most common ways that cybercriminals attack businesses.

How to Deal with the Phishing Threat

Phishing attacks may lead to the costliest data breaches, but they are one of the easiest types of cyberattacks to prevent; however, some investment in cybersecurity and training is required. The most important first step is to purchase an advanced spam filter. This technical control is essential for preventing phishing emails from reaching end users’ inboxes. If the phishing emails do not arrive in an inbox, they cannot be clicked by an employee.

Not all spam filtering solutions are created equal. Basic spam filters are effective at blocking most threats, but some phishing emails will still be delivered to inboxes. Bear in mind that phishers are constantly changing tactics and are trying to get one step ahead of cybersecurity firms. Most spam filtering solutions will block messages from malicious IP addresses and IP addresses with poor reputations, along with any messages identified in previous phishing campaigns and messages containing known variants of malware.

Advanced spam filtering solutions use AI and machine learning techniques to identify messages that deviate from the normal emails a business typically receives, are able to detect previously unseen phishing emails, and incorporate Sender Policy Framework and DMARC to identify email impersonation attacks. Sandboxing is also included which is used to identify previously unseen malware threats. Greylisting is a feature of advanced spam filters that involves initially rejecting a message and requesting it be resent. The delay in a response, if one is received at all, indicates the mail server is most likely being used for spamming. Spam servers are usually too busy on huge spam runs to resend messages that have initially been rejected.

Advanced spam filters also feature outbound email scanning, which can identify compromised email accounts and can block phishing messages from being sent internally or externally from a hacked mailbox.

SpamTitan incorporates all of these advanced controls, which is why it is capable of blocking more threats than basic spam filters. Independent tests have shown SpamTitan blocks in excess of 99.97% of malicious messages.

Don’t Neglect End User Training

No spam filter will be 100% effective at blocking phishing threats, at least not without also blocking an unacceptable number of genuine emails. It is therefore important to provide regular security awareness training to the workforce, with a strong emphasis on phishing. Employees need to be taught how to identify a phishing email and conditioned how to respond when a threat is received (alert their security team).

Since phishing tactics are constantly changing, regular training is required. When training is reinforced, it is easier to develop a security culture and regular training sessions will raise awareness of the latest phishing threats. It is also recommended to conduct phishing simulation exercises to test the effectiveness of the training program and to identify individuals who require further training.

Web Filtering is an Important Anti-Phishing Control

The key to blocking phishing attacks is to adopt a defense-in-depth approach. That means implementing multiple overlapping layers of security. One important additional layer is a web filtering solution. Spam filters target the phishing emails, whereas web filters work by blocking access to the webpages hosting the phishing kits that harvest credentials. With a spam filter and web filter implemented, you are tackling phishing from different angles and will improve your defenses.

A web filter will block access to known malicious websites, providing time-of-click protection against malicious hyperlinks in phishing emails. A web filter will also prevent employees from being redirected to phishing web pages from malicious website adverts when browsing the Internet. Web filters also analyze the content of web pages and will block access to malicious web content that has not previously been identified as malicious. Web filters will also block malware and ransomware downloads.

WebTitan is a highly effective DNS-based web filtering solution that protects against phishing, malware, and ransomware attacks. The solution can protect office workers but also employees who are working remotely.

Speak to TitanHQ Today About Improving your Phishing Defenses

TitanHQ has been developing anti-phishing and anti-malware solutions for more than two decades. TitanHQ’s email and web security solutions are cost effective, flexible, easy to implement, and easy to maintain. They are consistently given top marks on software review sites and are a big hit with IT security professionals and managed service providers (MSPs). TitanHQ is the leading provider of email and web security solutions to MSPs serving the SMB market.

If you want to improve your phishing defenses and block more threats, contact the TitanHQ team today for further information on SpamTitan and WebTitan. Both solutions are available on a 100% free trial of the full product complete with product support. Product demonstrations can also be booked on request.

Sneaky Tactics Used in Two Ongoing Phishing Campaigns Targeting User Credentials

New phishing campaigns are constantly being launched that impersonate trusted companies, organizations, and individuals, and use social engineering techniques to trick end users into divulging sensitive information such as their email credentials. Two such phishing campaigns have recently been discovered that use sneaky tactics to fool the unwary.

Sneaky Tactics Used to Obtain Office 365 Credentials

Organizations using Office 365 are being targeted in a sneaky phishing campaign that has been ongoing for several months. The phishing campaign incorporates a range of measures to fool end users and email security solutions. The goal of the campaign is to steal Office 365 credentials.

The phishing emails are sent from believable email addresses with spoofed display names to make the sender appear legitimate. The campaign targets specific organizations and uses believable usernames and domains for sender display names related to the target and the messages also include genuine logos for the targeted company and Microsoft branding.

The messages use believable Microsoft SharePoint lures to trick end users into clicking an embedded hyperlink and visiting the phishing URL. Recipients of the messages are informed that a colleague has sent a file-share request that they may have missed, along with a link directing the recipient to a webpage hosting a fake Microsoft Office 365 login box.

To encourage users to click, the emails suggest the shared file contains information about bonuses, staff reports, or price books. The phishing emails include two URLs with malformed HTTP headers. The primary phishing URL is for a Google storage resource which points to an AppSpot domain. If the user signs in, they are served a Google User Content domain with an Office 365 phishing page. The second URL is embedded in the notification settings and links to a compromise SharePoint site, which again requires the user to sign in to get to the final page.

To fool email security solutions, the messages use extensive obfuscation and encryption for file types often associated with malicious messages, including JavaScript, in addition to multi-layer obfuscation in HTML. The threat actors have used old and unusual encryption methods, including the use of morse code to hide segments of the HTML used in the attack. Some of the code segments used in the campaign reside in several open directories and are called by encoded scripts. Microsoft researchers discovered and tracked the campaign and likened it to a jigsaw puzzle, where all the pieces look harmless individually and only reveal their malicious nature when correctly pieced together.

This campaign is particularly sneaky, with the threat actor having gone to great lengths to fool both end users and security solutions.

FINRA Impersonated in Phishing Campaign

A new phishing campaign has recently been detected that impersonates the U.S. Financial Industry Regulatory Authority (FINRA). In this campaign, cyber threat actors have used domains that mimic FINRA, which are close enough to the genuine finra.org domain to fool unsuspecting individuals into disclosing sensitive information.

The phishing emails have been sent from three fraudulent domains: finrar-reporting.org, finpro-finrar.org, and gateway2-finra.org. The use of hyphens in phishing domains is very common, and it is often enough to trick people into thinking the site is a subdomain of the official website that the campaign mimics.

The emails ask the recipients to click a link in the email to “view request.” If the link is clicked, the users are prompted to then provide information to complete the request. As is typical in phishing campaigns, there is a threat should no action be taken, which in this case is “late submission may attract financial penalties.”

The financial services regulator has taken steps to take down these fraudulent domains, but it is likely that the threat actor will continue using other lookalike domains. Similar domains were used in the campaign spoofing FINRA earlier this year, including finra-online.com and gateway-finra.org.

These campaign highlights the need for security awareness training, an advanced email security solution, and other anti-phishing measures such as a web filter.

If you are concerned about your cybersecurity defenses and want to block threats such as these, give the TitanHQ team a call for advice on security solutions that can be easily implemented to block phishing and other email threats to improve your security posture and prevent costly data breaches.

Phishing Attacks Surge and Businesses are Struggling to Deal with the Threat

Ransomware attacks have increased significantly since the start of 2020 and that increase has continued in 2021. While these attacks are occurring more frequently than ever, the threat from phishing has not gone away and attacks are still rife. Phishing attacks may not make headline news like ransomware attacks on hospitals that threaten patient safety, but they can still be incredibly damaging.

The aim of many phishing attacks is to obtain credentials. Email credentials are often targeted as email accounts contain a treasure trove of data. That data can be extremely valuable to cybercriminals. In healthcare for example, email accounts contain valuable healthcare data, health insurance information, and Social Security numbers, which can be used to commit identity theft, obtain medical treatment, and for tax fraud. Entire email accounts are often exfiltrated in the attacks and the accounts used to send tailored phishing emails to other individuals in the company.

Many data breaches start with a phishing email, with phishing often used by an attacker to gain a foothold in a network that can be used in a much more extensive attack on an organization. Phishing emails are often the first step in a malware or ransomware attack.

Multiple surveys have recently been conducted on IT leaders and employees that show phishing is a very real and present danger. Two recent surveys conducted in the United States and United Kingdom indicate almost three quarters of businesses have experienced a data breach as a result of a phishing attack in the past 12 months. One study indicated over 50% of IT leaders had seen an increase in phishing attacks in the past 12 months, while the other put the figure at 80%.

During the pandemic, many businesses were faced with the option of switching to a remote workforce or shutting down. The increase in remote working was a godsend for phishers, who increase their attacks on employees. Many IT departments lacked visibility with a remote workforce and found it harder to block phishing attacks than when employees are in the office. Staff shortages in IT have certainly not helped.

Staff training is important to raise awareness of the threat from phishing, but remote working has made that harder. Training needs to be provided regularly as it can easily be forgotten and bad habits can slip in. Phishing tactics are also constantly changing, so regular training is needed to keep employees aware of the latest threats and phishing techniques, so they know what to look for. It does not help that phishing attacks are increasingly targeted and more sophisticated and can be difficult for employees to spot even if they have received regular training.

So how can businesses combat the threat from phishing and avoid being one of the three quarters of companies that experience a phishing data breach each year? Training is important, but the right technology is required.

Two of the most important technical solutions that should be implemented to block phishing attacks are spam filters and web filters. Both are effective at combatting phishing, albeit from different angles. When both are used together, protection is better than the sum of both parts.

A spam filter must have certain features to block sophisticated phishing threats. Blacklists are great for identifying emails from known malicious IP addresses, but IP addresses frequently change. Machine learning approaches are needed to identify previously unseen phishing tactics and threats from IP addresses not known to be malicious. Multiple AV engines can help to block more malware threats, while sandboxing can be used identify new malware variants. DMARC is also vital to block email impersonation attacks, while outbound scanning is important to rapidly detect compromised mailboxes. All of these features are employed by SpamTitan, which is why the solution has such a high block rate (over 99.97%) and low false positive rate.

Web filters are primarily used to restrict access to malicious and undesirable websites, whether they are sites with pornographic content or malicious sites used for phishing and malware distribution. Web filters, especially DNS-based filters, greatly improve protection against threats and will block access to known malicious websites. They will also block malware downloads and restrict access to questionable websites that serve no work purpose but increase risk. WebTitan will do this and more, and can easily be configured to protect remote workers, no matter where they choose to access the Internet.

With phishing attacks increasing it is important that businesses deploy solutions to counter the threat to stay one step ahead of the phishers. For further information on SpamTitan and WebTitan, and how they can protect your business, give the TitanHQ team a call. Both solutions are available on a free trial to allow you to see for yourself the difference they make. You can sign up for a free trial of SpamTitan here, and WebTitan on this link.

ZLoader Banking Trojan Distributed in Phishing Campaign That Disables Office Macro Warnings

One of the most common ways for malware to be distributed is in phishing emails. These emails usually require some user interaction, such as clicking on a link and opening an attached Microsoft Office file. Word and Excel files are often used in malware distribution, with macros used to deliver the malicious payload.

Macros are potentially dangerous as they can contain malicious code, so they are usually disabled by default and will only be allowed to run if they are manually enabled by the end user.  When an Office file is opened which contains a macro, a warning message will appear instructing the user that there is a macro and that it is potentially malicious. If the macro is not manually enabled by the end user, malware cannot be downloaded.

A phishing campaign has recently been detected that is typical of most phishing campaigns distributing malware. The initial attack vector is a phishing email, and Office files are used which contain macros that download the malware payload – in this case ZLoader. However, a novel method is used to deliver the malicious Office files that disables to usual macro warnings and protection mechanism.

In this campaign, malicious DLLs – Zloader malware – are delivered as the payload, but the initial phishing email does not contain the malicious code. The phishing email has a Microsoft Word attachment which will trigger the download of a password-protected Excel spreadsheet from the attacker’s remote server when the file is opened and macros are enabled.

The attack relies on Microsoft Word Visual Basic for Applications (VBA) and the Dynamic Data Exchange (DDE) fields of Microsoft Excel, and is effective on systems that support the legacy .xls file format.

Once the encrypted Excel file is downloaded, Word VBA-based instructions in the document read the cell contents from the specially crafted XLS file. Word VBS then writes the cell contents into XLS VBA to create a new macro for the XLS file. When the macros are ready, Excel macro defenses are disabled by the Word document by setting the policy in the registry to Disable Excel Macro Warning. The Excel VBA is then run and downloads the malicious DLL files, which are executed using rundll32.exe.

While the malicious files will be silently downloaded and executed, this attack still requires the victim to enable macros in the initial Word document. Victims are tricked into doing this by telling them “This document created in previous version of Microsoft Office Word. To view or edit this document, please click ‘Enable editing’ button on the top bar, and then click ‘Enable content’,” when they open the Word file. That one click will start the entire infection chain.

ZLoader is a variant of the infamous Zeus banking Trojan, which first appeared in 2006. The malware is also known by the name ZBot and Silent Night and is used by multiple threat groups. The malware was used in large scale campaigns in 2020 using COVID-19 themed lures, such as COVID-19 prevention tips, along with more standard lures such as job applications.

Once installed, the malware uses webinjects to steal passwords, login credentials and browser cookies. When an infected computer is used to access online banking and financial accounts, banking information and other sensitive data are stolen and exfiltrated to the attacker’s C2 server.

If you want to improve your defenses against malware and phishing, give the TitanHQ team a call and enquire about SpamTitan Email Security and WebTitan Web Security. These solutions can both be downloaded, configured, and protecting you from the full range of web and email threats in under an hour, and both are available on a no obligation 14-day free trial so you can see for yourself how easy they are to use and how effective they are at blocking threats before making a purchase decision.

Mac Users Targeted in Phishing Campaign Distributing XLoader Malware

Apple Mac users are comparatively safe when it comes to malware as most malware variants target Windows users; however, the number of malware variants targeting Mac users has been increasing. When there is a very low risk of a malware infection, it is easy to become complacent, but threats do come along so it is important to remain on one’s guard.

That is especially true now as a new malware threat has been discovered and Mac users are in the attackers’ crosshairs. Further, this is not some half-baked malware. This is a very serious threat. This new malware variant is very malicious, very dangerous, and it has been getting past Apple Mac security defenses.

The threat is more likely to be familiar to Windows users, as it is them who have previously been targeted; however, the malware has now jumped platforms and is being used to target Mac users. The malware is a new variant of FormBook malware. FormBook malware is a well-known commercially available malware that has been around since 2016. The malware, which was rebranded as XLoader last year, is sold as-a-service on hacking forums and is usually delivered via malicious attachments in emails – often PowerPoint documents. The malware has been developed to log keystrokes and, as the name suggests, grab data from online forms when input by users. It can also steal data from instant messenger apps, email clients, and FTP clients. In the latter half of 2020, attacks involving the malware increased substantially, and during the first 6 months of 2021 it has been prolific.

The Apple version of the malware similarly has a wide range of malicious capabilities. It will harvest credentials from web browsers, steal form data, take screenshots, monitor and log keystrokes, and can also download and execute files from the attackers’ C2 servers. The malware also incorporates several features to resist attempts at reverse engineering.

The Mac version of XLoader is under active development and it is likely that throughout the remainder of 2021 it will grow into an even bigger threat. Already, this version is able to move much deeper into systems and move much faster.

Mac users may be complacent as they are not often targeted, but this is not due to Macs being harder to attack. Malware developers simply choose to target Windows devices as there are many more users that can be targeted. Fewer Mac users mean the potential profits from attacks will be lower, but attacks are growing and the complacency of Mac users works to the advantage of attackers. It makes it easier to get their malware installed as users are not anticipating threats. A much broader range of threat actors will be able to use the latest XLoader version and target Mac users, as they can simply pay a licensing fee and use it under the malware-as-a-serve model. That fee can be as low as $69.

As with the Windows campaigns, XLoader is primarily delivered via phishing emails, mostly using malicious Microsoft Office documents. Check Point says it has tracked infections in 69 countries, although the majority of infected devices are in the United States.

Since the malware can bypass Mac security defenses, it is important to check whether it has already been installed by looking for suspicious filenames in the LaunchAgents directory in the library, which is normally hidden from view. While various different file names have been used, an example of XLoader is com.wznlVRt83Jsd.HPyT0b4Hwxh.plist.

Blocking attacks is actually straightforward. Antivirus software should be installed and kept up to date, and businesses should implement a spam filtering solution such as SpamTitan to block the malicious emails that deliver the malware. End users should also exercise caution opening emails and should never open attachments or click links in emails from unknown sources or click unsolicited links in messaging apps.

LemonDuck Malware Campaign Escalates with Attacks on Windows and Linux Systems Increasing

The threat actors behind LemonDuck malware have escalated their operation and have added new capabilities to the malware making it far more dangerous. LemonDuck malware is best known for its botnet and cryptocurrency mining objectives; however, the malware is being actively developed. While its bot and cryptocurrency mining activities continue, the malware is also capable of removing security controls on infected devices, rapidly moving laterally within networks, dropping a range of tools onto infected devices, and stealing and exfiltrating credentials. The malware is also capable of spreading via email.

The threat group behind the malware is known to take advantage of the latest news and events to create topical and convincing phishing emails to spread the malware, often through malicious Microsoft Office attachments; however, the threat actor also takes advantage of new exploits to infect devices, as well as several older vulnerabilities. Last year, the threat group was distributing the malware using phishing emails with OVID-19 themed lures, and while phishing emails are still being used to distribute the malware, the threat actor has also been exploiting the recently disclosed vulnerabilities in Microsoft Exchange to gain access to systems, according to a recent security alert from Microsoft.

LemonDuck malware is a somewhat atypical bot malware, as it is relatively rare for these types of malware variants to be used to attack both Windows and Linux systems. The malware operators like to have sole control of infected devices and remove competing malware if they are encountered. To make sure no other malware variants are installed, after gaining access to a device, the vulnerability LemonDuck exploited to gain access to a system is patched.

If the malware is installed on a device with Microsoft Outlook installed, a script is run that uses saved credentials to gain access to the mailbox and copies of itself are then sent in phishing emails to all contacts in the mailbox, using a preset message and the a malware downloader as an attachment.

The malware was first detected in May 2019, with the earlier forms of LemonDuck malware used in attacks within China, but the malware is now being distributed much more widely. It has now been detected in United States, United Kingdom, Russia, France, India, Germany, Korea, Canada, and Vietnam.

Microsoft has identified two distinct operating structures that both use LemonDuck malware which could indicate the malware is being used by different groups with different objectives. The ‘LemonCat’ infrastructure was used in a campaign exploiting Microsoft Exchange Server vulnerabilities to install backdoors, steal credentials and data, and deliver other malware variants, including Ramnit.

Blocking attacks involving this malware requires a combination of approaches. An advanced spam filter such as SpamTitan should be used to block the phishing emails used to deliver the malware. SpamTitan also scans outbound messages to prevent malware variants with emailing capabilities from being sent to contacts. Since vulnerabilities are exploited to gain access to networks, it is important to have a rigorous patch management policy and to apply patches quickly after they are released.  Antivirus software should be implemented and set to automatically update, and a web filter is recommended to block malware downloads over the Internet.

For further information on improving your defenses against LemonDucck malware and other malware threats, give the TitanHQ team a call. Both the SpamTitan email security and WebTitan web security solutions are available on a free trial, and can be implemented, configured, and protecting your devices in less than an hour.

Fake Windows 11 Installers Being Used to Deliver Malware

On June 24, 2021, Microsoft announced Windows 11 will soon be released. Windows 11 is a major upgrade of the Windows NT operating system, which will be the successor to Windows 10. Such a major release doesn’t happen that often – Windows 10 was released in 2015 – so there has been a lot of interest in the new operating system. The new Windows version is due for public release at the end of 2021, but there is an opportunity to get an early copy for free.

On June 28, Microsoft revealed the first Insider Preview of Windows 11. Upgrading to the new Windows version is straightforward. For a lucky few (or unlucky few if Windows 11 turns out to be exceptionally buggy), an upgrade just requires a user to enroll in the Dev channel of the Windows Insider Program.  That said, many people have been trying to get an upgrade from unofficial sources.

Unsurprisingly, unofficial ISOs that claim to provide Windows 11 do not. Instead, they deliver malware. Threat actors have been distributing these fake Windows 11 installers and using them to deliver a wide range of malicious payloads. At best, these fake Windows 11 installers will deliver adware or unwanted programs. More likely, malware will be installed with various degrees of maliciousness, such as Remote Access Trojans and backdoors that give the attackers full access to the victims’ devices, information stealers such as keyloggers that steal passwords and other sensitive data, cryptocurrency miners, and ransomware.

Researchers at Kaspersky Lab have identified several fake Windows 11 installers doing the rounds, including one seemingly legitimate installer named 86307_windows 11 build 21996.1 x64 + activator.exe. Despite the name and 1.76GB file size, it was not what it seemed. If the user executed the file and agreed to the terms and conditions, the file would proceed to download a different executable that delivers a range of malicious software onto the user’s device.

As the hype builds ahead of the official release date, we can expect there to be many other fake installers released. Hackers do love a major software release, as its easy to get users to double click on executable files. Malicious adverts, websites, and emails offering free copies of Windows 11 will increase, so beware.

Ensure you have an advanced and effective spam filtering solution such as SpamTitan in place to protect against malicious emails, and a web filter such as WebTitan installed to block malicious file downloads. You should also make sure that you only install software or applications from official sources and take care to ensure that you really are on the official website of the software developer before downloading any files. A double click on a malicious executable file could cause a great deal of pain and expense for you and your employer.

MSPs Targeted in Phishing Campaign Using Fake Kaseya Update to Deliver Cobalt Strike

On July 2, 2021, IT management software provider Kaseya suffered a ransomware attack that impacted its managed service provider (MSP) customers. Ransomware was pushed out to users of the Kaseya Virtual System Administrator (VSA) platform through the software update mechanism and, through them, to MSP clients. Kaspersky Lab said it found evidence of around 5,000 attempts to infect systems with ransomware across 22 countries in the first 3 days since the attack was identified. Kaseya recently said it believes around 1,500 of its direct customers and downstream businesses were affected.

The attackers exploited vulnerabilities in the KSA platform that had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) in April. Kaseya had issued updates to fix four of the seven reported vulnerabilities in April and May and was working on patches to fix the remaining three flaws. One of those flaws, CVE-2021-30116, was a credential leaking flaw which was exploited by the REvil ransomware gang before the patch was released.

Kaseya detected the attack quickly and was able to implement mitigations that limited the extent of the attacks. the steps taken by Kaseya have been effective at blocking any further attacks, customers are now at risk from Kaseya phishing campaigns.

Cybercriminals have started conducting phishing campaigns targeting Kaseya customers pushing Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and threat emulation tool, but it is also extensively used by hackers and ransomware gangs to gain remote access to business networks.

The campaign was first detected by the Threat intelligence team at Malwarebytes. The emails contain an attachment named SecurityUpdates.exe and a hyperlink that claims to provide a Microsoft update to fix the Kaseya vulnerability exploited by the ransomware gang.

Users are told to open the attached file or click the link in the email to update the Kaseya VSA to protect against ransomware attacks but doing so delivers Cobalt Strike beacons and will give attackers persistent access to victims’ networks.

Since Kaseya is working on a patch to fix the flaw exploited in the attack, customers will be expecting a security update and may be fooled into installing the fake update.

Kaseya has issued a warning to all customers telling them not to open any attachments or click links in emails that claim to provide updates for the Kaseya VSA. Kaseya said any future email updates it sends to customers will not include any hyperlinks or attachments.

A similar campaign was conducted following the Colonial Pipeline ransomware attack. The emails claimed to provide system updates to detect and block ransomware attacks.

Any email received that claims to offer a security update should be treated as suspicious. Do not click links in those emails or open attachments, instead visit the software vendor’s official website to check for security updates that have been released.

10 Reasons MSPs Choose SpamTitan to Protect Against Email Threats

Phishing is the most common way that cybercriminals gain access to business networks, and the primary defense against these attacks is a spam filter. Spam filters inspect all inbound emails for the signatures of spam, phishing, and malware and keep inboxes free of these threats.

There are many spam filtering solutions on the market that can protect against advanced email threats, but why have so many managed service providers (MSP) chosen TitanHQ has their email security solution provider? What does SpamTitan provide that is proving to be such a bit hit with MSPs?

Why Managed Service Providers Choose SpamTitan Email Security for Their Clients

SpamTitan in a multi-award-winning anti-spam solution that incorporates powerful features to protect against phishing and other email-based attacks. The solution is currently used by more than 1,500 MSPs worldwide with that number growing steadily each month.

We have listed 10 of the main reasons why SpamTitan is proving to be such a popular choice with MSPs.

Excellent malware protection

SpamTitan includes dual anti-virus engines from two leading AV providers and sandboxing that incorporates machine learning and behavioral analysis to safely detonate suspicious files.

Defense in depth protection for Office 365 environments

SpamTitan includes multiple protection measures that provide defense in depth against email threats, with easy integration into Office 365 environments to significantly improve defenses against phishing and email-based malware attacks.

Advanced email blocking

SpamTitan supports upload block and allow lists per policy, advanced reporting, recipient verification and outbound email scanning, with the ability to whitelist/blacklist at both a global level as well as a domain level.

Protection against zero-day attacks

SpamTitan uses machine learning predictive technology to block zero-day threats, with AI-driven threat intelligence to block zero-minute attacks.

Data leak prevention

Easily set powerful data leak prevention rules and tag data to identify and prevent internal data loss.

Simple integration

SpamTitan is easy to integrate into your existing Service Stack through TitanHQ API’s and MSPs benefit from streamlined management with RMM integrations.

Competitive pricing with monthly billing

MSPs benefit from a fully transparent pricing policy, competitive pricing, generous margins, and monthly billing. There is also a short sales cycle – only 14 days of a free trial is required to fully test the solution.

White label option to reinforce your brand

SpamTitan can be provided to managed service providers as a white label version that can be fully rebranded to reinforce an MSPs brand.

Intuitive multi-tenant dashboard

MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. SpamTitan is also a set and forget solution, requiring minimal IT service intervention.

Industry-leading customer support

TitanHQ provides the best customer service in the industry. MSPs benefit from world class pre-sales and technical support and sales & technical training. MSPs get a dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.

If you have not yet started offering SpamTitan to your clients, give the TitanHQ channel team a call today for more information, to get started on a free trial, or for a product demonstration.

HMRC Phishing Attacks Increased by 87% in the Past 12 Months

Cybercriminals often impersonate trusted entities in phishing campaigns. While Microsoft tops the list of the most impersonated brand, phishing scams impersonating tax authorities are also common. In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) – the UK government department responsible for tax collection – it is often impersonated, and phishing attacks are on the rise. In the past 12 months, the number of phishing attacks impersonating HMRC increased by 87%.

The number of HMRC phishing attacks jumped from 572,029 in 2019/2020 to 1,069,522 in 2020/2021, according to official figures obtained by Lanop Outsourcing under a Freedom of information request.

Phishing can take many forms, but email scams are the most common. The number of HMRC phishing attacks conducted via email increased by 109% to 630,193 scams in 2020/2021. The most common lures used in these phishing campaigns were fake notifications about tax rebates and refunds, which were up 90% year-over-year. There were also major increases in text-based phishing (smishing) scams, which rose 52% year-over-year, and voice phishing (vishing) scams which increased by 66%.

There was an even bigger increase in phishing scams impersonating the Driver and Vehicle Licensing Agency (DVLA). In 2019/2020, HMRC received 5,549 reports of phishing scams impersonating the DVLA, but in 2020/2021 there was a whopping 661% increase with 42,233 reports.

Phishing scams impersonating HMRC and the DVLA target individuals, but they are dangerous for businesses too. The aim of these scams is to obtain sensitive data such as passwords, which could then be used in attacks on businesses. Phishing scams are also conducted to distribute malware. If malware is downloaded onto the business network, the attackers can use the access provided by the malware to move laterally and compromise an entire network.

Protecting against phishing scams requires a defense in depth approach. End user training is important as it is employees who are targeted. Employees need to be taught how to identify phishing scams and told what to do if a suspicious email is received. This is even more important at a time when employees are working from home as IT departments often lack visibility into the devices of remote workers.

Even with training, employees make mistakes. One study conducted on home workers revealed many have taken security shortcuts when working from home which has put their organization at risk. It is therefore important to implement technical defenses to ensure phishing emails do not reach inboxes.

An advanced spam filtering solution is a must. A spam filter is the most important technical measure to implement to block phishing attacks. While spam filters are good at blocking phishing emails from known malicious IP addresses, advanced spam filters such as SpamTitan have superior detection rates and can identify never-before-seen phishing scams. SpamTitan uses predictive technologies and AI to identify zero-day attacks involving IP addresses that have yet to be identified as malicious. Sandboxing provides protection from malware that has yet to have its signature added to antivirus engines, while DMARC is used to block email impersonation attacks such as those impersonating HMRC.

In phishing attacks, a lure is sent via email but the harvesting of credentials takes place on an attacker-controlled website. Links in emails to known malicious sites will be blocked, but protection can be significantly improved by using a web filter. A web filter will also block attempts to visit malicious sites via smishing messages and through web browsing as well and will block downloads of files associated with malware.

If you want to protect your business from phishing attacks, malware and ransomware and avoid costly data breaches, give the TitanHQ a team a call and find out more about improving your security posture by blocking more email- and web-based threats.

How to Improve Your Defenses Against Business Email Compromise Attacks

The recent TitanHQ/Osterman Research survey of IT security professionals showed the most common security incidents experienced by businesses were business email compromise (BEC) attacks. A BEC attack is where a cybercriminal spoofs a trusted contact or company, usually to trick an employee into making a fraudulent wire transfer, send sensitive data via email, or obtain money by other means.

In a BEC attack, the attacker usually spoofs an email account or website or uses a genuine, trusted email account that has previously been compromised in a phishing attack. If a compromised email account is not used, an individual is usually spoofed by changing the display name to make it appear that the email has been sent by a genuine contact, often the CEO, CFO, or a vendor.

It is also common for lookalike domains to be used in BEC attacks. The attacker discovers the spoofed company’s format for email accounts, and copies that format using a domain that very closely resembles the genuine domain used by that company. At first glance, the spoofed domain appears perfectly legitimate.

BEC attacks are usually highly targeted. An email is carefully crafted to target an individual within an organization or a person in a particular role. Since many attacks attempt to get employees to make fraudulent wire transfers, it is most common for individuals in the finance department to be targeted, although BEC attackers also commonly target the HR department, marketing department, IT department, and executives.

Since the requests in the emails are plausible and the message format, signatures, and branding are often copied from genuine emails, the BEC emails can be very convincing. It is also not uncommon for the attacks to involve conversations that span multiple messages before the attacker makes a request.

While phishing attacks are more common, losses to BEC attacks are far greater. According to FBI figures, BEC attacks are the leading cause of losses to cybercrime.

Defending against BEC attacks requires a combination of measures. Naturally, since these attacks target employees, it is important to raise awareness of the threat and teach employees how to identify a BEC attack. Policies and procedures should also be implemented that require any email request to change bank account details, payment methods, or make changes to direct deposit information for payroll to be verified using trusted contact information. A quick telephone call could easily thwart an attack.

While these measures are important, the best defense is to prevent BEC emails from reaching end users’ inboxes as that eliminates the potential for human error. For that you need to have solid email security. A good email security solution will block attempts to steal email credentials – the precursor to many BEC attacks.  An advanced spam filtering solution that incorporates machine learning techniques can detect and block zero-day attacks – the tailored, often unique messages that are used by the attackers to target individuals. Solutions that incorporate DMARC and sender policy framework (SPF) will help to detect emails from individuals not authorized to send messages from a particular domain – A vital protection against BEC attacks.

SpamTitan incorporates all of those measures – and more – to keep businesses protected. When combined with end user training and administrative measures, businesses can greatly improve their defenses against BEC attacks. For more information on how SpamTitan can protect your business from the full range of email attacks, give the TitanHQ team a call today.

You can also find out about other measures you can implement to block phishing and ransomware attacks at the upcoming TitanHQ webinar on June 30, 2021 – How to Reduce the Risk of Phishing and Ransomware. During the webinar – hosted by TitanHQ and Osterman Research – you will discover the results of the latest TitanHQ survey of security professionals and gain valuable insights into how you can improve your cybersecurity posture.

You can REGISTER YOUR PLACE HERE.

Colonial Pipeline Ransomware Attack Started with a Compromised Password

In April 2021, hackers gained access to the network of Colonial Pipeline and deployed ransomware that forced the shutdown of a fuel pipeline system serving the Eastern Seaboard of the United States. With fuel supplies threatened, there was panic buying of fuel by Americans on the East Coast which led to local fuel shortages. Gasoline prices rose to their highest level in more than 6 years, and stockpiles of gasoline on the East Coast fell by 4.6 million barrels.

The attack has been attributed to the DarkSide ransomware-as-a-service operation, which has since shut down. Prior to the shutdown, Colonial Pipeline paid a $4.4 million ransom for the keys to unlock the encrypted files.  The decision to pay the ransom was made because of the threat to fuel supplies. Colonial Pipeline supplied 45% of fuel to the East Coast, and while paying the attackers was a difficult decision, payment was made due to the threat to fuel supplies given how long it was likely to take to recover without the attacker-supplied decryption keys.

Such a major attack on a critical infrastructure firm should have been difficult; however, an investigation into the cyberattack revealed gaining access to the company’s computer system couldn’t have been simpler. The attackers used a compromised password to remotely access Colonial Pipeline’s systems, and that account was not protected with multi-factor authentication.

The password was for a virtual private network account, according to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation. The account was not in use, but it was still possible to use the login credentials to access Colonial Pipeline’s network.

It is not known how the hackers obtained the password. The password has since been found in a database of breached passwords that was leaked on the darkweb. It is possible that an individual had set a password for the account that had been used on another account that had been breached. It is common for passwords from data breaches to be attempted in brute force attacks as password reuse is common. Passwords are also often obtained in phishing attacks.

Mandiant looked for evidence of how the password was obtained by the hackers. The researchers found no signs of attacker activity before the April 29, 2021 nor any evidence of phishing. How the password was obtained and the username determined may never be known.

What is clear is that the attack could have easily been prevented had cybersecurity best practices been followed such as conducting audits of accounts and shutting down accounts that are no longer in use, setting unique, complex passwords for each account, implementing multi-factor authentication to stop compromised passwords from being used, and implementing an effective anti-spam solution to block phishing emails.

Webinar June 30, 2021: How to Reduce the Risk of Phishing and Ransomware Attacks

The two main cybersecurity threats that businesses now have to deal with are phishing and ransomware attacks and those threats have become even more common over the past 12 months. Cybercriminals stepped up their attacks during the pandemic with many phishing campaigns launched using the novel coronavirus as a lure. These campaigns sought to distribute malware and steal credentials.

Ransomware attacks also increased in 2020. Several new ransomware-as-a-service (RaaS) operations were launched in 2020 and the number of attacks on businesses soared. In addition to encrypting files, data theft was also highly prevalent n 2020, with most ransomware operators stealing data prior to encrypting files. This double extortion tactic proved to be very effective. Many businesses were forced to pay the ransom even though they had backups and could have recovered their files. Payments were made to ensure data stolen in the attack was deleted and not misused, published, or sold.

Phishing and ransomware attacks often go hand in hand and are often used together in the same attack. Phishing emails are used to install malware, which in turn is used to provide access for ransomware gangs. The Emotet and TrickBot Trojans are notable examples. Operators of both of those Trojans teamed up with ransomware gangs and sold access once they had achieved their own objectives. The credentials stolen in phishing attacks are also sold onto RaaS affiliates and provide the foothold they need to conduct their devastating attacks.

Phishing campaigns are easy to conduct, low cost, and they can be very effective. Largescale campaigns involve millions of messages, and while most of those emails will be blocked by email security solutions or will be identified by employees as a threat, all it takes is for one employee to respond to a phishing email for an attacker to gain the access they need.

TitanHQ recently partnered with Osterman Research to explore how these and other cyber threats have affected businesses over the past 12 months. This new and original study involved an in-depth survey of security professionals to find out how those threats have affected their organization and how effective their defenses are at repelling attackers.

The survey showed the most common security incidents suffered by businesses were business email compromise (BEC) attacks, where employees are tricked into taking an action suggested in a scam email from the CEO, CFO or another high-level executive. These attacks often involve the genuine email account of an executive being compromised in a phishing scam and the attacker using that account to target employees in the same organization.

The next biggest threat was phishing emails that resulted in a malware infection, followed by phishing messages that stole credentials and resulted in an account compromise. The survey showed that these attacks are extremely common. 85% of interviewed security professionals said they had experienced one or more of 17 different types of security breaches in the past 12 months. While attacks were common, only 37% of respondents said their defenses against phishing and ransomware attacks were highly effective.

There are several steps that can be taken to improve defenses against phishing and ransomware attacks. End user training is important to teach employees what to look for and how to identify these types of threats. However, there is always potential for human error, so training alone is not the answer. Email security is the best defense. By blocking these threats at source, they will not land in inboxes and employees will not be tested. Email security should be combined with a web security solution to block the web-based component of phishing attacks and stop malware and ransomware downloads from the Internet.

The findings of the Osterman and TitanHQ survey will be explained in detail at an upcoming webinar on June 30, 2021. Attendees will also learn how they can significantly reduce the risk of ransomware and phishing attacks.

The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research and Sean Morris, Chief Technology Officer at TitanHQ.  You can Register Your Place Here

Sophisticated COVID-19 Phishing Campaign Targets Employees Returning to Offices

Threat actors seized the opportunities provided by the pandemic and conducted many phishing campaigns using COVID-19 themed lures. These campaigns took advantage of global interest in the novel coronavirus and preyed on fears of contracting COVID-19 to get people to open the emails, click on malicious hyperlinks, or open attachments that downloaded malware and ransomware payloads. Now that a large percentage of the population has been vaccinated, employers are opening up their offices again and employees are returning to the workplace.

The return to offices has presented another opportunity for scammers, who have launched a new phishing campaign targeting workers returning to offices. The emails appear to be a message from the CIO welcoming employees back to the workplace and claims to provide information about post-pandemic protocols and the procedures that have been put in place to accommodate returning workers to reduce the risk of infection.

The emails have been crafted to make them appear as if they have been sent internally, and include the logo of the targeted company and are signed by the CIO. The emails include a hyperlink that directs employees to a fake Microsoft SharePoint page that hosts two documents, both of which have the company’s branding. The documents are a COVID-19 factsheet and an implementation letter that includes steps that the company has taken based on updates provided by the Centers for Disease Control and Prevention (CDC), World Health Organization (WHO), and local health officials.

Most phishing campaigns would simply direct people to a landing page that hosts a phishing form where they are asked to enter their Office 365 credentials. This campaign is more sophisticated and includes an additional step. Nothing happens when an employee lands on the page. They are first required to click to open a document before the phish is activated. When the document is clicked, a fake Microsoft login prompt appears and credentials must then be entered in order to view the documents.

If credentials are entered, a message is then generated advising the employee that their account or password is not correct, and they are made to reenter their credentials several times before they are finally redirected to a genuine Microsoft page and are given access to the documents on OneDrive, most likely unaware that their credentials have been phished.

This COVID-19 phishing scam, like many others conducted throughout the pandemic, has a plausible lure. In this case, the emails have been well written and have been targeted for specific companies, making them very believable and likely to fool a great many employees. It is unclear what aims the attackers have once credentials have been harvested. They could be used to plunder sensitive information in Office 365 email accounts, would give the attackers a foothold in the corporate network for a more extensive compromise, or they could be sold to other threat groups such as ransomware gangs.

The best way to counter the threat is to prevent the malicious emails from arriving in inboxes, which requires an advanced spam filtering solution such as SpamTitan. With SpamTitan in place, phishing threats such as this will be identified and blocked at the gateway to ensure that employees’ phishing email identification skills are not put to the test.

If you want to improve your security posture and block more phishing threats, give the TitanHQ team a call today to discover how SpamTitan Email Security and the WebTitan DNS Filter can improve cybersecurity in your organization.

How Can MSPs Make Office 365 More Profitable?

Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.

Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.

Benefits for MSPs from Offering Office 365 to Clients

SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.

MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.

MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage so they stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.

By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.

How MSPs Can Make Office 365 More Profitable

The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.

The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.

One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.

Phishing is the number one security threat faced by businesses and Office 365 anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, not only can MSPs make a decent margin on the add-on solution, by blocking phishing attacks and malware at source, a considerable amount of time can be saved on support. Offering spam filtering can help to generate additional recurring revenue, with SpamTitan provided as a high margin, subscription based SaaS solution.

There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, and improves efficiency, and gives clients access to emails from any location. Email archiving is available with office 365, but the solution has some severe drawbacks, and may not meet compliance requirements. Offering a feature-rich email archiving solution that is fully compliant, easy to use, with lightning fast search and retrieval should be an easy sell to Office 365 users.

Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself and should not be too difficult to sell to Office 365 users.

Office 365 MSP Add-ons from TitanHQ

For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ Alliance Program.

All TitanHQ solutions have been developed from the ground to meet the needs of the SMB marketplace and MSPs. TitanHQ’s spam filtering solution – SpamTitan, email archiving solution – ArcTitan, and web filtering solution – WebTitan, save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs security stacks to make Office 365 more profitable. All TitanHQ solutions are quick and easy to deploy, and can be implemented into your existing Service Stack through API’s and RMM integrations. The MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. MSPs benefit from competitive pricing strategies, including monthly billing as we understand your clients are billed monthly.

There are multiple hosting options, including hosting the solution within your own data center, and all TitanHQ products can be supplied as a white label, ready to take your own branding. We have made our solutions as easy as possible to use, with intuitive controls and everything placed at your fingertips. However, should you ever have a problem, you will benefit from the best customer service in the industry, as well as scalable pre-sales and technical support and sales & technical training.

Why SpamTitan is Perfect for MSP’s?

  • The best spam and virus protection for MSPs with dual AV engines and Bitdefender-powered sandboxing
  • Low management overhead – A set and forget solution
  • Use our private cloud or your own data center
  • Extensive suite of APIs for integration into your central management system
  • Multi-tenant solution with multiple management roles
  • Scalable to thousands of users
  • In and outbound email scanning with IP domain protection
  • Extensive drill down reporting
  • Flexible pricing models to suit your needs, including monthly billing
  • Generous margins for MSPs
  • Fully customizable branding

TitanSHIELD Program for MSPs

To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:

TitanSHIELD Benefits

Sales Enablement

Marketing

Partner Support Private or Public Cloud deployment Access to the Partner Portal
Dedicated Account Manager White Label or Co-branding Co-Branded Evaluation Site
Assigned Sales Engineer Support API integration Social Network participation
Access to Global Partner Program Hotline Free 30-day evaluations Joint PR
Access to Partner Knowledge Base Product Discounts Joint White Papers
Technical Support Competitive upgrades Partner Events and Conferences
24/7 Priority Technical Support Tiered Deal Registration TitanHQ Newsletter
5 a.m. to 5 p.m. (PST) Technical Support Renewal Protection Better Together Webinars
Online Technical Training and FAQs Advanced Product Information Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base Competitive Information and Research Sales Campaigns in a box
Not-for-Resale (NFR) Key Public Relations Program and Customer Testimonials
Product Brochures and Sales Tools TitanHQ Corporate Style Guide and Logo Usage
Partner Advisory Council Eligibility TitanHQ Partner Welcome Kit
QTRLY Business Planning and Review Access to TitanHQ’s MVP Rewards Program
Access to Partner Support

To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ Alliance Program team today and take the first step toward making Office 365 more profitable.

How to Defend Against Phishing Attacks

Phishing is the leading cause of data breaches and 2020 saw phishing-related data breaches increase again. The recently released Verizon 2021 Data Breach Investigations Report shows there was an 11% increase in phishing attacks in 2020, with work-from-home employees extensively targeted with COVID-19 themed phishing lures.

Phishing attacks are conducted to steal credentials or deliver malware, with the former often leading to the latter. Once credentials have been obtained, they can either be used by threat actors to gain access to business networks to steal data and launch further attacks on an organization. Credentials stolen in phishing attacks are often sold to other threat groups such as ransomware gangs. From a single phishing email, a business could be brought to its knees and even prevented from operating.

The fallout from a phishing attack can be considerable, and it is therefore no surprise that many businesses fail after a successful cyberattack. According to ID Agent, 60% of companies go out of business within 6 months of a cyberattack – The cost of recovery and the damage to the company’s reputation can simply be too great.

Considering the potentially devastating consequences of a phishing attack it is surprising that many businesses fail to implement appropriate protections to block attacks and do not make sure their employees are able to recognize and avoid phishing threats.

A recent study conducted by the phishing simulation vendor KeepNet Labs highlighted just how often employees fall for these scams. In a test involving 410,000 simulated phishing emails, more than half of the emails were opened, 32% of individuals clicked a (fake) malicious link or opened an attachment, and 13% of individuals provided their login credentials in response to the emails.

How to Defend Against Phishing Attacks

It is vital for the workforce to be prepared, as phishing emails can easily end up in inboxes regardless of the security protections in place to block the messages. Fortunately, through regular security awareness training, employees can be trained how to spot a phishing email. Following security awareness training, phishing email simulations are useful for identifying weak links – employees that need further training. Over time, it is possible to significantly improve resilience to these damaging and incredibly costly cyberattacks.

The importance of solid technical email security defenses cannot be overestimated as even with training, phishing emails can be very difficult for employees to identify. Phishing emails often have plausible lures, the email messages can be extremely well written, and often appear to have come from trusted sources. It is common for the emails to impersonate trusted companies and include their color schemes and logos and the websites that users are directed to are often carbon copies of the genuine websites they spoof.

There are three technical solutions that can be implemented in addition to the provision of training that can greatly improve the security posture of an organization against phishing attacks. These three solutions provide three layers of defenses, so should one fail to detect and block a threat, the others will be in place to provide protection.

3 Essential Technical Phishing Controls for Businesses

The most important technical control against phishing is a spam filter. A spam filter will block the majority of phishing and spam emails and will stop them reaching inboxes, but the percentage of emails blocked can vary considerably from solution to solution. Most spam filters will block 99% or more of spam and phishing emails, but what is needed is a solution that will block more than 99.9% of spam and malicious emails. SpamTitan for instance, has an independently verified catch rate of 99.97%, ensuring your inboxes are kept free of threats.

An often-neglected area of phishing protection is a web filter. Web filters are extensively used by businesses and the education sector for blocking access to inappropriate web content such as pornography. Web filters are also an important anti-phishing measure for blocking the web-based component of phishing attacks. When an employee clicks a link in an email that directs them to a phishing page, the web filter will block access. WebTitan Cloud is constantly updated with new malicious URLs as they are created via multiple threat intelligence feeds. WebTitan blocks malware downloads from the Internet and can be configured to block access to risky websites that serve no work purpose.

The last measure that should be implemented is multi-factor authentication for email accounts. In addition to a password, MFA requires another form of authentication to be provided before access is granted.  Without that additional factor, the account cannot be accessed. This is an important security measure that kicks in when credentials have been stolen to block unauthorized account access.

If you want to improve your defenses against phishing, these three technical controls along with end user training will keep your business safe. To find out more, and how little these protections cost, give the TitanHQ team a call today!

TitanHQ Launches WebTitan OTG (on-the-go) for Chromebooks with Latest WebTitan Cloud Release

TitanHQ has announced the release of a new version of WebTitan Cloud that includes new security features, easier administration, and the introduction of WebTitan OTG (on-the-go) for Chromebooks for the education sector.

One of the main changes introduced with WebTitan Cloud version 4.16 is the addition of DNS Proxy 2.06, which supports filtering of users in Azure Active Directory. This is in addition to on-premise AD and directory integration for Active Directory. The support for Azure Active Directory will make it easier for customers to enjoy the benefits of WebTitan Cloud, while making management easier and less time-consuming. Support for further directory services will be added with future releases to meet the needs of customers.

Current WebTitan customers do not need to do anything to upgrade to the latest version of WebTitan, as updates to WebTitan Cloud are handled by TitanHQ and users will be upgraded to the latest version automatically to ensure they benefit from improved security, the latest fixes, and new functionality.

The latest WebTitan Cloud release has allowed TitanHQ to introduce a new solution specifically to meet the needs of clients in the education sector – WebTitan OTG (on-the-go) for Chromebooks.

The use of Chromebooks has grown significantly over the past year, which corresponds with an increase in student online activity. WebTitan OTG for Chromebooks allows IT professionals in the education sector to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA), and ensure students can use their Chromebooks safely and securely.

WebTitan OTG for Chromebooks is a DNS-based web filtering solution that requires no proxies, VPNs or any additional hardware and since the solution is DNS-based, there is no impact on Internet speed. Once implemented, filtering controls can be set for all Chromebook users, no matter where they connect to the Internet. The controls will be in place in the classroom and at home and all locations in between.

Administrators can easily apply filtering controls for all students, different groups of students, and staff members, including enforcing Safe Search. The solution will block access to age-inappropriate content, phishing web pages, malicious websites used for distributing malware, and any category of website administrators wish to block. Chromebooks can also easily be locked down to prevent anyone bypassing the filtering controls set by the administrator.

WebTitan OTG for Chromebooks delivers fast and effective user- and device-level web filtering and empowers students to discover the Internet in a safe and secure fashion. Reports can be generated on demand or scheduled which provide information on Chromebook user locations, the content that has been accessed, and any attempts to bypass filtering, with real-time views of Internet access also possible.

“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” Said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

Further information on the Azure AD app is available here.

Further Information on WebTitan OTG for Chromebooks is available here.

Passwordstate Breach Notification Letters Spoofed to Distribute Malware

Following on from a supply chain attack that saw the software update feature of the Passwordstate password manager hijacked the threat group developed a convincing phishing campaign targeting enterprise users of the password manager solution.

The supply chain attack was used to infect users of the password manager with malware dubbed Moserpass. Between April 20 and April 22, users of the password manager who downloaded an update through the In-Pass Upgrade mechanism may have had a malicious file downloaded – a malformed Passwordstate_upgrade.zip file.

Downloading the file started a chain of events that resulted in Moserpass being installed, which collected and exfiltrated information about the computer, users, domains, running services and processes, along with password data from the Passwordstate app. The malware also had a loader module, so could potentially download other malware variants onto victims’ devices. Since passwords were potentially compromised, affected users have been advised to reset all of their passwords.

The attack only lasted 28 hours before it was identified and blocked, but in order to remove the malware from customers’ devices, Click Studios, the developer of the password app, emailed customers and encouraged them to apply a hotfix to remove the malware.

Some customers who received the email from Click Studios shared a copy of the message on social media networks. The threat group behind the attack were monitoring social media channels, obtained a copy of the genuine Click Studios email about the hotfix, and used the exact same email for a phishing campaign. Instead of directing users to the hotfix to remove Moserpass malware, the phishing email directed users to a website not under the control of Click Studios which installed an updated version of Moserpass malware.

Since the Passswordstate breach notification emails were virtual carbon copies of genuine communications from Click Studios they were very convincing. Users who followed the instructions in the email would likely think they were removing malware, when they were actually installing it. The fake versions of the emails do not have a domain suffix used by Click Studios, request the hotfix is downloaded from a subdomain, and claim an ‘urgent’ update is required to fix a bug, but it is easy to see how these messages could fool end users.

Click Studios supplies its password manager to around 29,000 enterprises and the solution has hundreds of thousands of users, many of whom will have heard of the breach and be concerned about a malware infection. Click Studios said only a very small number of its customers were affected and had the malware installed – those who downloaded the update in the 28-hour period between April 20 and April 22 – but anyone receiving the fake email could well have been convinced that the email was genuine and taken the requested action.

Phishers often use fake security warnings as a lure, and data breach notifications are ideal for use in phishing attacks. This Passswordstate breach notification phishing campaign highlights the importance of carefully checking any message for signs of phishing, even if the email content seems genuine and the message includes the right branding, and the risks of posting copies of genuine breach notification letters on social media networks.

Many phishing attacks are sophisticated, and it can be difficult for employees to differential between genuine and malicious messages, which is why advanced spam and phishing defenses are required. If you want to improve your defenses against phishing, get in touch with TitanHQ and discover how SpamTitan Email Security can improve your security posture and better protect your organization from phishing and other email-based threats.

What is a Common Indicator of a Phishing Attempt?

Virtually everyone uses email which makes it an attractive attack vector for cybercriminals who use phishing emails to steal credentials, deliver malware, and gain a foothold in corporate networks, but what is a common indicator of a phishing attempt? How can these malicious emails be identified and avoided?

In this post we will list some of the main signs of phishing emails that that all email users should be looking out for in their inboxes.

Phishing is the Number 1 Attack Vector!

In 2021, and for several years previously, phishing has been the main way that cybercriminals obtain login credentials to allow them to access sensitive business data and gain the foothold they need in business networks for more extensive compromises. Phishing emails are also used to deliver malware that provides persistent access to computers and the networks to which they connect. Malware downloaders are commonly delivered via email that download other malicious payloads such as ransomware. Most data breaches start with a phishing email!

Phishing emails were once easy to detect, but that is not always the case now. Many phishing attempts are extremely sophisticated. Emails may only be sent to a handful of people, and even individuals are targeted. The emails are convincing and can be almost impossible to distinguish from the genuine email messages that they spoof.

With an advanced email security solution in place, the majority of these messages will be blocked; however, no email security solution will block every malicious message without blocking an unacceptable number of genuine messages. That means all employees must have the necessary skills to identify a phishing email when it arrives in their inbox.

What is a Common Indicator of a Phishing Attempt?

In order to identify a phishing email, you need to know what to look for, so what is a common indicator of a phishing attempt? Listed below are some of the most common signs of phishing emails for you to look out for.

Unfortunately, there is no single common indicator of a phishing attempt. Tactics, techniques, and procedures are constantly changing, but if you identify any of these signs in an email in your inbox or spam folder, there is a reasonable chance that the message is not genuine and should be reported to your security team. Chances are, there will be other copies of the message in the email system that will need to be removed.

The message is in your spam folder

There is a reason why messages are classified as spam by email security solutions. Analysis of the message has highlighted telltale signs of spam or phishing, but not enough for the message to be blocked at the email gateway. If a message is sent to your spam folder you should exercise caution when opening the message.

It is an unsolicited message

Phishing emails are unsolicited – You certainly didn’t ask to be phished! There may be a seemingly valid reason why you have been sent the message, but if you didn’t request the email and are not on a marketing list for the company or individual sending the message it should be treated as suspect.

Important information is in an attachment

One of the ways that phishers attempt to conceal their malicious intent is to use email attachments. This could be a link in an attached file that you need to click (why not just add it to the message body?) or commonly, you must enable content in an Office file to view the content of the attachment. Doing so will allow macros to run that will download a malicious file. Zip files are also commonly used as they are hard for spam filters to access, or files may be password protected. The files must always be scanned with AV software prior to opening and, even then, treat them with extreme caution.

Urgent action is required and there is a threat in the email

Phishing emails often convey a sense of urgency to get people to respond quickly without thinking too much about the request. There may be a threat of bad consequences if no action is taken – your account will be closed – or some other sense of urgency, such as missing out on an amazing opportunity. Always take time to carefully consider what is being asked and check the email for other signs of phishing.

You are asked to click a link in an email

Spam filters scan messages for malware, so it is common for the malware to be hosted on a website. A link is included that users must click to obtain information or to download a file. The link may take you to a website where you are required to enter your login credentials, and that site may have an exact copy of your usual login prompt – for Google or Office 365 for example. You should carefully check the link to find out the true destination (hover your mouse arrow over it) and then double check the full URL on the destination site. You may have been redirected to a different site after clicking. Is the page on the genuine website used by that company?

The sender of the email is not known to you or the email address is suspect

Phishers spoof email addresses and change the display name to make it appear that the email has been sent from a contact or official source. Check that the actual email address is legitimate – it is the correct domain for the company or individual. Check against past messages received from that individual or company to make sure the email address is the same. Remember, the sender’s email account may have been compromised, so even if the email address is correct that doesn’t necessarily mean the account holder sent the message!

The message has grammatical and spelling errors

Grammatical and spelling errors are common in phishing emails. This could be because English is not the first language of the sender or be deliberate to only get people to respond who are likely to fall for the next stage of the scam. Business emails, especially official communications and marketing emails, do not contain spelling errors or have grammatical mistakes.

The request is unusual, or the tone seems odd

Often the language used in phishing emails is a little odd. Emails impersonating known contacts may be overly familiar or may seem rather formal and different to typical emails you receive from the sender. If the tone is off or you are addressed in a strange way, it could well be a phishing attempt. Phishing emails will also try to get you to take unusual actions, such as send data via email that you have not been asked to send before. A quick phone call using trusted contact information is always wise to verify the legitimacy of an unusual request.

How Businesses can Improve their Phishing Defenses

If you want to block more phishing emails and malware you will need an advanced email security solution. The email security gateway is the first line of defense against malicious emails, but it is not necessary to spend a fortune to have good protection. If you have a limited budget or simply want to save money on email security, TitanHQ is here to help.

SpamTitan is an award-winning advanced email security solution that blocks in excess of 99.97% of malicious messages and spam. The solution is easy to implement, configure, maintain and use, the pricing policy is transparent and extremely competitive, and with TitanHQ you will benefit from industry-leading customer support. You can even try SpamTitan for free to see for yourself how effective it is. Get in touch with us today to find out more via email or just pick up the phone and speak to our friendly and knowledgeable sales team.

Try SpamTitan for Free Today

UK Universities Schools Increasingly Targeted by Ransomware Gangs

Ransomware attacks on the education sector in the United Kingdom have increased sharply since February, and the sector was already extensively targeted by threat groups long before then. The education sector is an attractive target for cybercriminals as sizeable amounts of sensitive data are stored within computer systems that can be easily monetized if stolen.

Students’ personally identifiable information is of more value than that of adults, and it can often be used for years before any fraud is detected. Higher education institutions often have intellectual property and research data that is incredibly valuable and can easily be sold on for a huge profit. Ransomware attacks prevent access to essential data, and with the pandemic forcing the education sector to largely switch to online learning, when communication channels and websites are taken out of action learning can grind to a halt.

In the United Kingdom, the reopening of schools and universities has only been possible with COVID-19 testing and contact tracing, which is also disrupted by ransomware attacks. Files are encrypted which prevents access to essential testing and monitoring data, further hampering the ability of schools, colleges, and universities to operate.

As is the case with healthcare, which has also seen a major increase in cyberattacks during the pandemic, services are majorly disrupted without access to computer systems, and there is considerable pressure on both industries to pay the ransom demands to recover from the attacks more quickly. Ransoms are more likely to be paid than in other industry sectors.

What makes the education sector an even more attractive prospect for cybercriminals is poorer security defenses than other industries. The lack of security controls makes attacks much more likely to succeed. On top of that, students often use their own devices to connect to networks so security can be very difficult to police, and many departments make their own IT decisions, which can easily result in vulnerabilities being introduced and remaining unaddressed.

The ease and profitability of attacks has made education a top target for ransomware gangs. Emsisoft reports education was the sector most targeted by ransomware gangs in 2020.

The increase in ransomware attacks on educational institutions in the United Kingdom prompted the UK’s National Cyber Security Center to issue a warning in March to all entities in the education sector about the risk of cyberattacks. NCSC noted in its alert that there was a significant increase in attacks in August and September 2020, and a further rise in attacks since February 2021.

University of Hertfordshire Suffers Major Cyberattack

One of the most damaging university cyberattacks in recent months occurred at the University of Hertfordshire. Late on April 14, cybercriminals struck, with the attack impacting all of the university’s systems. No cloud systems were available, nor MS Teams, Canvas, or Zoom. The attack forced the university to cancel all of its online classes for the following day, although in person teaching was able to continue provided computer access was not necessary.

It has been more than a week since the attack, and while some systems are now back online, disruption is still being experienced with student records, university business services, learning resource centre services, data storage, student services, staff services, and the postgraduate application portal, with the email system also considered to be at risk.

The university has not confirmed the nature of the attack, but it has the hallmarks of a ransomware attack, although the university has issued a statement stating that the attack did not involve data theft.

The University of Hertfordshire is certainly not alone. In March, South and City College of Birmingham was hit with a ransomware attack that took all of its computer systems out of action, with the college forced to switch to online learning for its 13,000 students.

UK Schools also Under Attack

The cyberattacks in the United Kingdom have not been limited to universities. School systems have also suffered more than their fair share of attacks. In March, the Harris Federation, which runs 50 schools in the UK, suffered a ransomware attack that took out communications systems and majorly affecting online learning for 37,000 students.

Also in March, the Nova Education Trust suffered a ransomware attack that took its systems out of action and affected 15 schools, all of which lost access to their communication channels including the phone system, email, and websites. The Castle School Education Trust also suffered a ransomware attack in March that disrupted the online functions of 23 schools.

What Can Be Done to Stop Cyberattacks in Education?

Cybersecurity must become a major focus for schools, colleges, and universities. The attacks are being conducted because they are easy and profitable and, until that changes, the attacks are not likely to slow and, in all likelihood, will continue to increase.

To protect against attacks, the education sector needs to implement multi-layered security defenses and find and address vulnerabilities before they are discovered by ransomware gangs and other cybercriminal operations.

The best place to start is by improving security for the two main attack vectors: email and the Internet. That is an area where TitanHQ can help. To find out more, get in touch with the TitanHQ team today and take the first step towards improving your security posture and better protecting your networks and endpoints from extremely damaging cyberattacks.

Saint Bot Malware: A New Malware Dropper Being Distributed via Phishing Emails

A previously unknown malware variant dubbed Saint Bot malware is being distributed in phishing emails using a Bitcoin-themed lure. With the value of Bitcoin setting new records, many individuals may be tempted into opening the attachment to get access to a bitcoin wallet. Doing so will trigger a sequence of events that will result in the delivery of Saint Bot malware.

Saint Bot malware is a malware dropper that is currently being used to deliver secondary payloads such as information stealers, although it can be used to drop any malware variant. The malware was first detected and analyzed by researchers at Malwarebytes who report that while the malware does not use any novel techniques, there is a degree of sophistication to the malware and it appears that the malware is being actively developed. At present, detections have been at a relatively low level but Saint Bot malware could develop into a significant threat.

The phishing emails used to distribute the malware claim to include a Bitcoin wallet in the attached Zip file. The contents of the Zip file include a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader delivers an obfuscated .Net dropper and downloader, which in turn deliver a BAT script that disables Windows Defender and the Saint Bot malware binary.

The malware is capable of detecting if it is in a controlled environment and terminates and deletes itself should that be the case. Otherwise, the malware will communicate with its hardcoded command and control servers, send information gathered from the infected system, and download secondary payloads to the infected device via Discord.

The malware has not been linked with any specific threat group and could well be distributed to multiple actors via darknet hacking forums, but it could well become a major threat and be used in widespread campaigns to take advantage of the gap in the malware-as-a-service (MaaS) market left by the takedown of the Emotet Trojan.

Protecting against malware downloaders such as Saint Bot malware requires a defense in depth approach. The easiest way of blocking infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that deliver the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked via firewall rules.

In addition to technical defenses, it is important to provide security awareness training to the workforce to help employees identify malicious emails and condition them how to respond when a potential threat is detected.

How SpamTitan Can Protect Against Phishing and Malware Attacks

SpamTitan is an award-winning anti-spam and anti-phishing solution that provides protection against the full range of email threats from productivity-draining spam to dangerous phishing and spear phishing emails, malware and ransomware.

SpamTitan has a catch rate in excess of 99.99% with a low false positive rate and uses a variety of methods to detect malicious emails, including dual antivirus engines, sandboxing for detecting new malware variants, and machine learning techniques to identify zero-day threats.

SpamTitan’s advanced threat protection defenses include inbuilt Bayesian auto learning and heuristics to defend against sophisticated threats and evolving cyberattack techniques, with 6 specialized Real Time Blacklists to block malicious domains and URLs, DMARC to block email impersonation attacks, and outbound email policies for data loss prevention.

SpamTitan is quick and easy to set up and configure and is frequently praised for the level of protection provided and ease of use. SpamTitan is a 5-star rated solution on Spiceworks, Capterra, G2 Crowd and has won no less than 37 consecutive Virus Bulletin Spam awards.

If you want to improve your email defenses at a very reasonable price and benefit from industry-leading customer support, give the TitanHQ team a call today. Product demonstrations can be arranged, and you can trial the solution free of charge, with full support provided during the trial to help you get the most out of SpamTitan.

IcedID Malware Distribution Increases Using Phishing Emails and Hijacked Web Forms

Threat actors are constantly changing their tactics, techniques, and procedures (TTP) to increase the chances of getting their malicious payloads delivered. Spam and phishing emails are still the most common methods used for delivering malware, with the malicious payloads often downloaded via the web via hyperlinks embedded in emails.

A new tactic that has been adopted by the threat group behind the IcedID banking Trojan cum malware downloader involves hijacking contact forms on company websites. Contact forms are used on most websites to allow individuals to register interest. These contact forms typically have CAPTCHA protections which limit their potential for use in malicious campaigns, as they block bots and require each contact request to be performed manually.

However, the threat actors behind the IcedID banking Trojan have found a way of bypassing CATCHA protections and have been using contact forms to deliver malicious emails. The emails generated by contact forms will usually be delivered to inboxes, as the contact forms are trusted and are often whitelisted, which means email security gateways will not block any malicious messages.

In this campaign, the contact forms are used to send messages threatening legal action over a copyright violation. The messages submitted claim the company has used images on its website that have been added without the image owner’s permission. The message threatens legal action if the images are not immediately removed from the website, and a hyperlink is provided in the message to Google Sites that contains details of the copyrighted images and proof they are the intellectual property of the sender of the message.

Clicking the hyperlink to review the supplied evidence will result in the download of zip file containing an obfuscated .js downloader that will deliver the IcedID payload. Once IcedID is installed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.

IcedID distribution has increased in recent weeks, not only via this method but also via phishing emails. A large-scale phishing campaign is underway that uses a variety of business-themed lures in phishing emails with Excel attachments that have Excel 4 macros that deliver the banking Trojan.

The increase in IcedID malware distribution is likely part of a campaign to infect large numbers of devices to create a botnet that can be rented out to other threat groups under the malware-as-a-service model. Now that the Emotet botnet has been taken down, which was used to deliver different malware and ransomware variants, there is a gap in the market and IcedID could be the threat that takes over from Emotet. In many ways the IcedID Trojan is very similar to Emotet and could become the leading malware-as-a-service offering for delivering malware payloads.

To find out how you can protect your business against malware and phishing threats at a reasonable price, give the TitanHQ team a call today and discover for yourself why TitanHQ email and web security solutions consistently get 5-star ratings from users for protection, price, ease of use, and customer service and support.

Strong Growth Sees TitanHQ Almost Double Workforce in 6 Months

It has been an exceptionally busy year for TitanHQ with global demand for TitanHQ solutions has skyrocketing. Enterprises, SMBs and Managed Service Providers (MSPs) have been turning to TitanHQ to provide the security they need to protect their now largely distributed workforces from email and web-based attacks during the pandemic and block malware, ransomware, phishing attacks and other growing threats.

TitanHQ’s email security solution – SpamTitan; web security solution – WebTitan; and email archiving solution – ArcTitan, have now been adopted by more than 12,000 businesses worldwide, including more than 2,500 MSPs, with customers including well-known names such as Pepsi, Virgin, T-Mobile, O2, Nokia, Datto, Viasat, and Purple.

The past year has seen tremendous organic year-on-year growth and during the pandemic the company received significant investment from the Livingbridge investor group, which has really helped turbocharge company growth with significant investment in product development.

While many businesses have been forced to contract during the pandemic, business has gone from strength to strength for TitanHQ, as can clearly be seen from the huge investment in people. TitanHQ has embarked upon a major recruitment drive that has seen the TitanHQ workforce almost double since September 2020, with many of the new members of the workforce widely distributed and working remotely.

“As a result of increased demand globally for our solutions, we have invested heavily and embarked on a recruitment campaign to double our workforce in a programme that will allow that growth to continue,” said TitanHQ CEO, Ronan Kavanagh. “We have also invested because while we believe remote working is a by-product of the current pandemic, it is very much going to be the mode of future work. The quick move to remote working last year has made us all aware of how important it is to be adaptable and have the right security solutions in place to protect users, customers, company data, and systems.”

The ambitious growth plans are sent to continue, with new roles created across many departments including sales, technical support, software development, and marketing, with the expanded workforce helping the company to achieve even greater heights and reach even more clients internationally.

If you want to join the growing team at TitanHQ and become a member of an innovative and growing workforce, positions are still available.

Universities Targeted with IRS Phishing Scam Promising Tax Refunds

During tax season, tax professionals and tax filers are targeted with a variety of IRS phishing scams that attempt to obtain sensitive information that can be used by the scammers to steal identities and file fraudulent tax returns in the names of their victims. The potential rewards for the attackers are significant, with the fake tax returns often resulting in refunds of thousands of dollars being issued by the U.S. Internal Revenue Service (IRS).

This year is certainly no exception. Several tax season phishing scams have been identified in 2021 with one of the latest scams using phishing lures related to tax refund payments. The phishing emails have subject lines such as “Tax Refund Payment” and “Recalculation of your tax refund payment” which are likely to attract the recipient’s attention and get them to open the emails.

The emails use the genuine IRS logo and inform recipients that they are eligible to receive an additional tax refund, but in order to receive the payment they must click a link and complete a form. The form appears to be an official IRS.gov form, with the page an exact match of the IRS website, although the website on which the form is hosted is not an official IRS domain.

The form asks for a range of highly sensitive personal information to be provided in order for the refund to be processed. The form asks for the individual’s name, date of birth, Social Security number, driver’s license number, current address, and electronic filing PIN. For added realism, the phishing page also displays a popup notification stating, “This US Government System is for Authorized Use Only”, which is the same warning message that is displayed on the genuine IRS website.

The attackers appear to be targeting universities and other educational institutions, both public and private, profit and nonprofit with many of the reported phishing emails from staff and students with .edu email addresses.

Educational institutions should take steps to reduce the risk off their staff and students being duped by these scams. Alerting all .edu account holders to warn them about the campaign is important, especially as these messages are bypassing Office 365 anti-phishing measures and are arriving in inboxes.

Any educational institution that is relying on Microsoft Exchange Online Protection (EOP) for blocking spam and phishing emails – EOP is the default protection provided free with Office 365 licenses – should strongly consider improving their anti-phishing defenses with a third-party spam filter.

SpamTitan has been developed to provide superior protection for Office 365 environments. The solution is layered on top of Office 365 and seamlessly integrates with Office 365 email. In addition to significantly improving spam and phishing email protection, dual antivirus engines and sandboxing provide excellent protection from malware.

For further information on SpamTitan anti-phishing protection for higher education, give the SpamTitan team a call today. You can start protecting your institution immediately, with installation and configuration of SpamTitan taking just a few minutes. The solution is also available on a free trial to allow you to assess SpamTitan in your own environment to see the difference it makes before deciding on a purchase.

Attack on California State Controller Serves as Warning for All Businesses on Phishing Threat

A phishing attack on an employee of the California State Controller’s Office Unclaimed Property Division highlights how a single response from an employee to a phishing email could easily result in a massive breach. In this case, the phishing attack was detected promptly, with the attacker only having access to an employee’s email account for less than 24 hours from March 18.

In the 24 hours that the attacker had access to the email account, the contents of the account could have been exfiltrated. Emails in the account included unclaimed property holder reports. Those reports included names, dates of birth, addresses, and Social Security numbers – the type of information that could be used to steal identities.

The email that fooled the employee into clicking a link and disclosing login credentials appeared to have been sent from a trusted outside entity, which is why the email was assumed to be legitimate. After stealing the employee’s credentials undetected, the attacker immediately went to work and tried to compromise the email accounts of other state workers.

In the short time that the individual had access to the account, around 9,000 other state workers were sent phishing emails from the compromised account. Fortunately, the attack was detected promptly and all contacts were alerted about the phishing emails and told to delete the messages.  That single compromised account could easily have led to a massive email account breach.

Phishing is now the biggest data security threat faced by businesses. The attacks are easy to conduct, require little skill, and can be extremely lucrative. Email accounts often contain a treasure trove of data that can be easily monetized, the accounts can be used to send further phishing emails internally and to external contacts and customers, and a breach of Microsoft 365 credentials could allow a much more extensive attack on a company. Many ransomware attacks start with a single response to a phishing email.

To improve protection against phishing attacks it is important to train the workforce how to identify phishing emails, teach cybersecurity best practices, and condition employees to stop and think before taking any action requested in emails. However, phishing attacks are often highly sophisticated and the emails can be difficult to distinguish from genuine email communications. As this phishing attack demonstrates, emails often come from trusted sources whose accounts have been compromised in previous phishing attacks.

What is needed is an advanced anti-phishing solution that can detect these malicious emails and prevent them from being delivered to employee inboxes. The solution should also include outbound email scanning to identify messages sent from compromised email accounts.

SpamTitan offers protection against these phishing attacks. All incoming emails are subjected to deep analysis using a plethora of detection mechanisms. Machine learning technology is used to identify phishing emails that deviate from typical emails received by employees, and outbound scanning can identify compromised email accounts and block outbound phishing attacks on company employees and contacts.

If you want to improve your defenses against phishing, give the SpamTitan team a call today to find out more. The full product is available on a free trial, and during the trial you will have full access to the product support team who, will help you get the most out of your trial.

An Easy Way to Block Email Impersonation Attacks on Businesses

Ransomware attacks are soaring and phishing and email impersonation attacks are being conducted at unprecedented levels. In 2020, ransomware attacks ran amok. Security experts estimate the final cost to global businesses from ransomware in 2020 will be $20 billion. They also predict that the ransomware trend will continue to be the number one threat in the coming years. Why? Because ransomware makes money for cybercriminals.

Ransomware criminals know no boundaries in their rush to make money. Every social engineering trick in the book has played out over the years, from sextortion to phishing. Feeding the loop of social manipulation to generate a ransom demand is the proliferation of stolen data, including login credentials: credential stuffing attacks, for example, are often related to ransomware attacks, login to privileged accounts allowing malware installation. Cybersecurity defenses are being tested like never before.

Personal Data is Targeted

Large enterprises are big targets as they store vast quantities of personal data which can be used for identity theft. Retailers are being attacked to obtain credit/debit card information and attacks on hospitals provide sensitive health data that can be used for medical identity theft.

Small businesses are not such an attractive target, but they do store reasonable amounts of customer data and attacks can still be profitable. A successful attack on Walmart would be preferable, but attacks on SMBs are far easier to pull off. SMBs typically do not have the budgets to invest in cybersecurity and often leave gaps that can be easily exploited by cybercriminals.

One of the most common methods of attacking SMBs is phishing. If a phishing email makes it to an inbox, there is a reasonable chance that the message will be opened, the requested action taken and, as a result, credentials will be compromised or malware will be installed.

The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that on average, the probability of an employee clicking on a malicious hyperlink or taking another fraudulent request is 27%. That means one in four employees will click a link in a phishing email or obey a fraudulent request.

Email impersonation attacks are often successful. They involve sending an email to an individual or small group in an organization with a plausible request. The sender of the message is spoofed so the email appears to have been sent from a known individual or company. The email will use a genuine email address on a known business domain. Without appropriate security controls in place, that message will arrive in inboxes and several employees are likely to click and disclose their credentials or open an infected email attachment and install malware. Most likely, they will not realize they have been scammed.

SpamTitan is an award winning spam filter – Read over 300+ reviews on Capterra.

One method that can be used to prevent these spoofed messages from being delivered is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. In a nutshell, DMARC consists of two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF is a DNS-based filtering control that helps to identify spoofed messages. SPF sets authorized sender IP addresses on DNS servers. Recipient servers perform lookups on the SPF records to make sure that the sender IP matches one of the authorized vendors on the organization’s DNS servers. If there is a match the message is delivered. If the check fails, the message is rejected or quarantined.

DKIM involves the use of an encrypted signature to verify the sender’s identity. That signature is created using the organization’s public key and is decrypted using the private key available to the email server. DMARC rules are then applied to either reject or quarantine messages that fail authentication checks. Quarantining messages is useful as it allows administrators to check to make sure the genuine emails have not been flagged incorrectly.

Reports can be generated to monitor email activity and administrators can see the number of messages that are being rejected or dropped. A sudden increase in the number of rejected messages indicates an attack is in progress.

DMARC seems complex, but with the right setup, it’s an invaluable security tool that defends against phishing and malicious email content. With phishing one of the most common ways attackers steal data, it’s important for organizations to implement the right solutions and rules that stop these messages before they can reach a user’s inbox.

While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan email security incorporates DMARC authentication to provide even greater protection against email spoofing attacks. DMARC is not a silver bullet that will stop all email impersonation and phishing attacks. It is an extra layer of security that can greatly reduce the number of threats that arrive in inboxes.

SpamTitan is an award winning spam filter – Read over 300+ reviews on Capterra.

Organizations  must adapt to Cyber-Threats

Phishing, Impersonation attacks, ransomware – all must be stopped before the point of entry and not left to be dealt with after an attack has taken hold. The use of social engineering to manipulate users, along with stolen data and credentials to propagate attacks, and adaptive tools that evade detection, makes ransomware a formidable security threat.

Endpoint protection is clearly not enough. A powerful anti-spam solution like SpamTitan  can detect threats in real-time before they become an infection. Unlike traditional endpoint anti-malware, smart monitoring platforms perform real-time updates and protect against active and emerging phishing URLs and threats. Cybercriminals are masters of invention and have many tricks up their sleeve, however, businesses can fight back, but to do so, they must take real-time action.

TitanHQ’s anti-phishing and anti-spam solution – SpamTitan – incorporates DMARC to stop email impersonation attacks along with advanced anti-malware features, including a Bitdefender-powered sandbox.

For further information securing  email accounts and blocking email impersonation attacks, contact TitanHQ today.

New PayPal Phishing Scam Seeks Extensive Amount of Personal Information

A new PayPal phishing scam has been identified that attempts to obtain an extensive amount of personal information from victims under the guise of a PayPal security alert.

Fake PayPal Email Notifications

The emails appear to have been sent from PayPal’s Notifications Center and warn users that their account has been temporarily blocked due to an attempt to log into their account from a previously unknown browser or device.

The emails include a hyperlink that users are asked to click to log in to PayPal to verify their identity. A button is included in the email which users are requested to click to “Secure and update my account now !”. The hyperlink is a shortened bit.ly address, that directs the victim to a spoofed PayPal page on an attacker-controlled domain via a redirect mechanism.

If the link is clicked, the user is presented with a spoofed PayPal login. After entering PayPal account credentials, the victim is told to enter a range of sensitive information to verify their identity as part of a PayPal Security check. The information must be entered to unlock the account, with the list of steps detailed on the page along with the progress that has been made toward unlocking the account.

First of all, the attackers request the user’s full name, billing address, and phone number. Then they are required to confirm their credit/debit card details in full. The next page requests the user’s date of birth, social security number, ATM or Debit Card PIN number, and finally the user is required to upload a proof of identity document, which must be either a scan of a credit card, passport, driver’s license, or a government-issued photo ID.

Request for Excessive Information

This PayPal phishing scam seeks an extensive amount of information, which should serve as a warning that all is not what it seems, especially the request to enter highly sensitive information such as a Social Security number and PIN.

There are also warning signs in the email that the request is not what it seems. The email is not sent from a domain associated with PayPal, the message starts with “Good Morning Customer” rather than the account holder’s name, and the notice included at the bottom of the email telling the user to mark whitelist the sender if the email was delivered to the spam folder is poorly written. However, the email has been written to encourage the recipient to act quickly to avoid financial loss. As with other PayPal phishing scams, many users are likely to be fooled into disclosing at least some of their personal information.

Consumers need to always exercise caution and should never respond immediately to any email that warns of a security breach, instead they should stop and think before acting and carefully check the sender of the email and should read the email very carefully. To check whether there is a genuine issue with the account, the PayPal website should be visited by typing in the correct URL into the address bar of the browser. URLs in emails should never be used.

To find out more about current phishing scams and some of the key protections you can put in place to improve your resilience against attacks, contact the SpamTitan team today.

 

Do you use the same password across online accounts?

  • Make your password hard to guess - use a combination of upper and lower case letters, numbers, and special characters.
  • Change your password frequently.
  • Never use the same password with more than one account. If you do and you password is stolen you are exposed and hackers could potentially gain access to every single account that that email address is associated.

If you receive one of these Paypal texts, to delete it immediately. Always read your messages before you click, or even better – don’t click on the link and contact PayPal directly.

Phishing Sources

Phishing messages can come from a range of sources, including:

  • Email
  • Phone calls
  • Fraudulent software
  • Social Media messages
  • Advertisements
  • Text messages

SpamTitan provides phishing protection to prevent whaling and spear phishing by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content. SpamTitan also performs reputation analysis on all links (including shortened URLs) contained in emails and block malicious emails before being delivered to the end user. How SpamTitan protects from phishing attempts:

  • URL reputation analysis during scanning against multiple reputations.
  • Detect and block malicious spear-phishing emails with either existing or new malware.
  • Heuristic rules to detect phishing based on message headers. These are updated frequently to address new threats.
  • Easy synchronization with Active Directory and LDAP.
  • Spam Confidence Levels can be applied by user, user-group and domain.
  • Whitelisting or blacklisting senders/IP addresses.
  • Infinitely scalable and universally compatible.

SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. Protect your users from email links to malicious sites with SpamTitan. SpamTitan's sandboxing feature protects against breaches and sophisticated email attacks by providing a powerful environment to run in-depth, sophisticated analysis of unknown or suspicious programs and files.

Our free trial gives you the opportunity to evaluate our industry-leading email security solution in your own environment, and your clients the opportunity to provide feedback on how effective SpamTitan is at preventing all types of malware, ransomware and phishing attacks from entering your network.

SpamTitan is a multi-award-winning email protection, anti-phishing, and email filtering solution. Start your free trial for SpamTitan today to discover how we can prevent malware attacks.

Phishing attacks are extremely complex and  increasing.  The best way to protect against phishing scams is with a modern, robust email security solution such as SpamTitan.  SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing.  Few vendors offer all of these solutions in one package.

To protect against advanced threats you need advanced protection. Take a closer look at SpamTitan – sign up for a free demo at a time that suits you.

Pysa Ransomware Gang Targeting Education Sector

Throughout 2020 the healthcare sector has been a major target of ransomware gangs, but the education sector is also facing an increase in attacks, with the Pysa (Mespinoza) ransomware gang now targeting the education sector.

Pysa ransomware is a variant of Mespinoza ransomware that was first observed being used in attacks in October 2019. The threat group behind the attacks, like many other ransomware threat groups, uses double extortion tactics on victims. Files are encrypted and a ransom demand is issued for the keys to decrypt files, but to increase the probability of the ransom being paid, data is exfiltrated prior to file encryption. The gang threatens to monetize the stolen data on the darkweb if the ransom is not paid. Many attacked entities have been forced to pay the ransom demand even when they have backups to prevent the sale of their data.

Since October 2019, the Pysa ransomware gang has targeted large companies, the healthcare sector, and local government agencies, but there has been a recent increase in attacks on the education sector. Attacks have been conducted on K12 schools, higher education institutions, and seminaries, with attacks occurring in 12 U.S. states and the United Kingdom. The rise in attacks prompted the FBI to issue a Flash Alert in March 2020 warning the education sector about the increased risk of attack.

Analyses of attacks revealed the gang conducts network reconnaissance using open source tools such as Advanced Port Scanner and Advanced IP Scanner. Tools such as PowerShell Empire, Koadic, and Mimikatz are used to obtain credentials, escalate privileges, and move laterally within networks. The gang identifies and exfiltrates sensitive data before delivering and executing the ransomware payload. The types of data stolen are those that can be used to pressure victims into paying and can easily be monetized on the darkweb.

Identifying a Pysa ransomware attack in progress is challenging, so it is essential for defenses to be hardened to prevent initial access. Several methods have been used to gain access to networks, although in many cases it is unclear how the attack started. In attacks on French companies and government agencies brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have involved exploitation of Remote Desktop Protocol vulnerabilities, with the gang is also known to use spam and phishing emails to obtain credentials to get a foothold in networks.

Since several methods are used for gaining access, there is no single solution that can be implemented to block attacks. Educational institutions need to use a combination of security solutions and cybersecurity best practices to harden their defenses.

Antivirus/antimalware solution is a must, as is ensuring it is kept up to date. Since many attacks start with a phishing email, an advanced email security gateway is also important. Choosing a solution such as SpamTitan that incorporates dual AV engines and sandboxing will maximize the chance of detecting malicious emails. SpamTitan also incorporates machine learning methods to identify new methods of email attacks.

End user training is also important to teach staff how to identify potentially malicious emails and train them on cybersecurity best practices such as setting strong passwords, not reusing passwords, and the dangers of using public Wi-Fi networks. Also consider disabling hyperlinks in emails, flagging emails that arrive from external sources, and implementing multi-factor authentication on accounts.

Patches and security updates should be implemented promptly after they have been released to prevent vulnerabilities from being exploited. You should use the rule of least privilege for accounts, restrict the use of administrative accounts as far as possible, and segment networks to limit the potential for lateral movement. You should also be scanning your network for suspicious activity and configure alerts to allow any potential infiltration to be rapidly identified. All unused RDP ports should be closed, and a VPN used for remote access.

It is essential for backups to be made of all critical data to ensure that file recovery is possible without paying the ransom. Multiple backups of data should be created, those backups should be tested to make sure file recovery is possible, and at least one copy should be stored securely on an air-gapped device.

New PayPal Phishing Scam Uses Unusual Activity Alerts to Obtain Credentials

A PayPal phishing scam was first detected in  2019 – the scam used unusual activity alerts as a lure to get users to login to PayPal to secure their account. This is a common tactic that has been used to steal PayPal credentials before, but this campaign was different as the attackers are after much more than just account credentials. This PayPal phishing campaign stole credentials, credit card details, email addresses and passwords, and security questions and answers.

This PayPal phishing scam  has mutated over the years and has proved to be one of the most dangerous to date in terms of the financial harm caused. PayPal accounts can be drained, credit cards maxed out, sensitive information can be stolen from email accounts, and email accounts can be then used for further phishing scams on the victim’s family members, friends, and contacts.

How these Phishing Attacks Work

The PayPal phishing scams usually start with a warning designed to get the recipient to take immediate action to secure their account. They are informed that their PayPal account has been accessed from a new browser or device. They are told PayPal’s security controls kicked in and as a result, the user is required to login to their account to confirm their identity and remove limitations that have been placed on the account.

The email points out that PayPal could not determine whether this was a legitimate attempt to access their account from a new browser or device, or a fraudulent attempt to gain access to their PayPal Account. Either way, action is required to confirm their identity. A link is included to allow them to do that.

If the link is clicked, the user will be directed to a fake PayPal website where they are required to login to restore their account. In this first stage, PayPal account credentials are obtained.  The user is then directed to a new page where they are asked to update their billing address. In addition to their address, they are also asked for their date of birth and telephone number.

The next page asks for their credit card number, security code, and expiry date, which it is claimed will mean they do not need to re-enter that information again when using PayPal. They are also then asked to confirm the details in a second step, which is an attempt to make sure no errors have been made entering credit card information.

The user is then taken to another page where they are asked for their email address and password to link it to their PayPal account. After all the information has been entered, they are told the process has been completed and their account has been secured and successfully restored.

All of these phishing pages have the feel of genuine PayPal web pages, complete with genuine PayPal logos and footers. The domains used for the scam are naturally fake but have some relevance to PayPal. The domains also have authentic SSL certificates and display the green padlock in the browser.

Security experts are still finding fake paypal websites that impersonate PayPal. Using advanced social engineering techniques they try to trick users into handing over sensitive data including log in credentials.

Read more on current phishing scams and how to prevent attacks.

https://www.spamtitan.com/blog/protect-against-spoofed-email-phishing-scams/

https://www.spamtitan.com/blog/category/email-scams/

Rising Number of COVID-19 Phishing Attacks

IT professionals are seeing an enormous number of Covid-19 themed email phishing attacks. SpamTitan  is blocking increasing levels of  these phishing emails. What started out as  dozens of Covid 19 phishing websites has morphed to tens of thousands – more are being identified and blocked daily.  With a large percentage of the workforce working from home, cybercriminals are trying to capitalize on the heightened anxieties of the public during the current crisis.

COVID-19 phishing scams are the most sophisticated versions of phishing emails the industry has seen. Are your employees and customers aware and are they protected?

COVID-19 vaccine scams

Cybercriminals are now shifting their focus to phishing email around Covid-10 vaccines.  These vaccine themed phishing emails use subject lines referencing vaccine registration, locations to receive the vaccine, how to reserve a vaccine, and vaccine requirements.

For your employees looking for vaccination information on company devices the consequences are obvious. If the user falls for the scam email they may divulge sensitive or financial information,  open malicious links or attachments exposing the organization to attack. These phishing campaigns are sophisticated and may impersonate trusted entities, such as health or government agencies playing a central role in the COVID vaccination rollout.

Preventing Phishing Attacks

Naturally you should take any security warning you receive seriously, but do not take the warnings at face value. Google, PayPal, and other service providers often send security warnings to alert users to suspicious activity. These warnings may not always be genuine and that you should always exercise caution.

The golden rule? Never click links in emails.

Always visit the service provider’s site by entering the correct information into your web browser to login, and always carefully check the domain before providing any credentials.

Phishing Protection

Without the right security tools in place, organizations are vulnerable to phishing attacks.  SpamTitan provides phishing protection by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content and performs reputation analysis on all email links, ultimately blocking malicious emails before they reach the end-user.

SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. SpamTitan's sandboxing feature protects against sophisticated email attacks by providing a powerful environment to run in-depth analysis of unknown or suspicious programs.

Phishing attacks are increasingly complex and growing in number. One of the most effective ways to protect against phishing scams is with a powerful email security solution such as SpamTitan.  SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing.  Few vendors offer all of these solutions in one package.

To protect against advanced phishing threats you need advanced protection.

Take a closer look at SpamTitan today – sign up for a free demo at a time that suits you.

How to Manage Requests to Disclose Employees Passwords

How many times have you had a phone call or an email from a manager in your organization asking for you to give them the password of an employee to enable them to access their email account?

This request is often made when an individual is on leave and a call is received from a client or colleague wanting to know if they have actioned a request sent before they left. All too often a client has sent an email to their account manager before he or she went on vacation, but it was accidentally missed.

Access to the email account is necessary to avoid embarrassment or to ensure that a sales opportunity is not missed. Maybe the employee in question has failed to set up their Out of Office message and clients are not aware that they need to contact a different person to get their questions answered.

In years gone by, managers used to keep a log of all users’ passwords in a file on their computer. In case of emergency, they could check the password and access any user account. However, this is risky. Nowadays this is not acceptable behavior. It also invades the privacy of employees. If a password is known by any other individual, there is nothing to stop that person from using those login credentials any time they like. Since passwords are frequently used for personal accounts as well as work accounts, disclosing that password could compromise the individual’s personal accounts as well.

Maintaining lists of passwords also makes it harder to take action over inappropriate internet and email use. If a password has been shared, there is no way of determining whether an individual has broken the law or breached company policies. It could have been someone else using that person’s login.

IT staff are therefore not permitted to give out passwords. Instead they must reset the user’s password, issue a temporary one, and the user will need to reset it when they return to work. Many managers will be unhappy with these procedures and will still want to maintain their lists. Employees will be unhappy as they often use their work email accounts to send personal emails. Resetting a password and giving a manager access could be seen as a major invasion of privacy.

What is the solution?

There is a simple solution which will ensure that the privacy of individuals is assured, while forgotten Out of Office auto-responders can be set. Important emails will not be missed either. To do this you can set up shared mailboxes, although these are not always popular.

Do this in Outlook and a manager may need to have many set up in their Outlook program. It will also be necessary for them to train staff members how to use the shared mailboxes, and policies might need to be written. They may need to have to permanently keep the mailboxes of multiple teams open in Outlook.

Is there an easier option?

There is another choice, and that is to delegate permissions. It is more complicated to implement this control as it requires an MS Exchange Administrator to provide Delegate Access. Using Delegate Access will make it possible for an individual, with the appropriate permissions, to send an email on behalf of another employee. This means mailboxes do not have to be open all the time. They can just be opened when an email needs to be sent. This may be ideal, but it will not allow a manager to set up a forgotten Out-of-Office auto-responder.

That would require a member of the IT department, a domain manager, to do it. A ticket would need to be submitted requesting the action. This may not be popular with managers, but it is the only way for the task to be performed without revealing the user’s login credentials or setting up a temporary password which would breach their privacy.

You might be unpopular, but security is vital

If you encounter resistance, you must explain the reasons why password sharing is not permitted: The risks it poses and the problems it can cause.

These matters should be included in a company’s computer, Internet and email usage policies. If the sharing of passwords contravenes company policies, any requests to share passwords would result in the IT department breaching those policies. Requests to divulge that information would therefore have to be denied.

Of course, Out-Of-Office auto-responders are not an IT issue. This is an issue that should be dealt in staff training. It is also a check that a manager should make before a member of staff leaves and goes on holiday, while the employee is still at work.

The dangers of password sharing

Organizations are facing an ever-growing threat from cybercriminals. In 2019 and 2020, we have seen many high-profile data breaches, resulting in serious financial repercussions and damaged brand reputation. Password-sharing at work carries a massive  risk for organizations. 81% of breaches originate with stolen or weak passwords. When hackers gain entry to your system, shared passwords make it easier for them to access other parts of your network.

If by chance an intruder finds a document full of shared passwords in a employee’s Google drive that opens up the entire system to attack.  This also exposes your organization to legal issues if customers’ privacy rights are violated.

Why do employees share passwords ?

Sharing passwords is extremely risky for the organization . Oftentimes the reason cited for doing this is easier collaboration with colleagues. Sometimes employees share passwords because it’s the company policy. In these situations it’s vital for I.T. to intervene and provide a better way for employees to collaborate, and potentially serious consequences down the road.

Reasons why passwords should never be shared, even with a manager

  • Passwords are private: This is a fundamental element of IT and network security. This rule cannot be broken or bent
  • There are alternatives to sharing of passwords that will achieve the same aim: ticket requests, shared mailboxes, and delegate permissions these should be used instead
  • The sharing of passwords violates an individual’s privacy
  • If a password is shared, the results of an account audit cannot be trusted.
  • Password reuse– Many people use the same password to access multiple accounts and platforms. By sharing reused passwords, employees increases the risk a single stolen password poses for companies.
  • You’re responsible for any activity conducted under your username. If someone else is logged in under your account, you’re still responsible for whatever happens.Data security is more important than an auto-responder
  • Bring Your Own Device (BYOD) – Employees are increasingly working from home and use their personal smartphones and laptops in addition to company-issued devices. The WFH trend has led  to productivity gains. Unfortunately, the benefits can easily be wiped out if passwords shared with friends or family gives unauthorized access to your network and confidential data.
  • Acceptable Usage Policies would be violated

Multi-Factor authentication to stop password sharing

 When MFA is in place, access is only possible when the user validates using two authentication factors. For example, they initially enter their password but must then complete a second authentication request. This could be a code received via a device. Multi-factor authentication, like any security approach, works best when used in tandem with other security strategies.

If a ban on password sharing does not exist in your organization, it must be implemented as a priority. You will not be able to do this without the support of senior managers. You may not feel that it is your job to try to implement a ban, but you should make a case for it. It will help your department protect the network, it will save you time in the long run, and it will be better for the business.

To find out more about password security and some of the key protections you can put in place to improve your resilience against attacks, contact the SpamTitan team today.

Fake Google ReCAPTCHA and Other Tactics in Ongoing Phishing Campaigns

A round up of some of the phishing campaigns and phishing tactics identified over the past few days in campaigns targeting businesses in the banking and IT sectors, and individuals seeking unemployment benefits.

Fake Google ReCAPTCHA Used in Ongoing Phishing Campaigns

The use of CAPTCHA, an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”, is now common in phishing campaigns. CAPTCHA involves an image test, such as identifying all images in a group that contain cars, a test to identify characters in a slightly obfuscated image, or simply confirming that “I am not a robot.”

The Google reCAPTCHA is used on websites to distinguish human traffic from machines to protect against abusive activities by malicious code and software. ReCAPTCHA is a sign of security and the use of this system on a website helps to inspire trust. That trust is being abused by cybercriminals who have added fake Google ReCAPTCHAs to phishing sites. This tactic is becoming much more common.

One recently identified campaign uses emails with a message about a voicemail message that impersonate company communication tools. The attachment directs the user to a phishing website where they are presented with a CAPTCHA challenge. In this campaign, the user must complete the standard ‘I am not a robot’ challenge and will then be presented with a Microsoft 365 login prompt. In addition to using Microsoft logos, the corporate logo of the company being targeted is also included. When credentials are entered, the user is told they have successfully validated and will proceed to a generic voicemail message. The lures used in these campaigns change frequently, with requests to review documents also common.

This campaigns targets business executives in the banking and IT sectors, although the same tactic has been used throughout 2020 on targets in other industry sectors.

NFA Impersonated in Phishing Campaign Targeting Member Firms

A phishing campaign has been detected targeting the financial industry which impersonates the National Futures Association (NFA). The tactics used in this campaign are common in phishing scams – Impersonating a trusted entity and abusing that trust to get individuals to install malware.

The emails in this campaign have been sent from an email address on a domain that closely resembles the legitimate NFA domain. The official NFA domain is nfa.futures.org, whereas the phishing emails have been sent from the domain nfa-futures[.]org.

The emails appear to have been sent by legitimate NFA staff members, with the signature including their name, job title, and the correct address of the office, with fake phone numbers. The signature of the email lists two websites: The official domain and also the fake domain.

As with many phishing campaigns, the recipient is told urgent action must be taken. The message says the NFA has made many attempts to contact the recipient about a matter that requires an urgent response. These emails are being used to direct individuals to malicious website or convince them to open malicious attachments with the aim of delivering malware.

Phishing Campaign Impersonates State Workforce Agencies Offering Unemployment Benefits

Cybercriminals are creating fake websites that mimic genuine state workforce agencies (SWAs) in the United States in order to steal sensitive personal information that can be used for identity theft and fraud. The tactics are similar to the above campaign, although the aim is to obtain sensitive information rather than install malware on a business network.

The state workforce agency websites that the malicious sites impersonate are used by individuals to apply for unemployment benefits. In order to receive those benefits, individuals must provide personally identifiable information. Campaigns are being conducted to impersonate these sites and trick people into believing they are on the genuine website. After landing on the malicious page, a series of questions must be answered as part of a fake application for unemployment insurance benefits.

Traffic to the fake unemployment benefit websites is generated through phishing emails and text messages that impersonate an SWA, encouraging recipients to apply for benefits. These messages have been created to closely resemble official communications, using the official logos and color schemes of each SWA, with the domain linked in the email closely resembling the official SWA website.

Solutions to Improve Defenses Against Phishing Attacks

Phishing attacks are often sophisticated and highly targeted, and tactics, techniques, and procedures continually change to bypass technical and human defenses. To stay one step ahead of the scammers, businesses need to adopt a defense in depth approach to cybersecurity and implement multiple overlapping layers of security to block threats. If phishers and hackers manage to bypass one layer of security defenses, others will be in place to provide protection.

Human defenses, such as training the workforce how to identify phishing emails is important. When a threat is encountered, employees will know how to react. It is also possible to condition employees not to take risks, such as opening emails attachments in unsolicited messages from unknown senders. The sophistication of campaigns, spoofing of email addresses, lookalike domains, and email impersonation tactics make it difficult for some phishing emails to be distinguished from genuine email communications.

Technical defenses will ensure most threats are blocked and do not reach inboxes. An email security gateway solution is a must and should also be used on Office 365 environments. The standard Office 365 spam filter is simply not good enough at blocking threats. Spam filters with machine learning capabilities and greylisting will help to ensure more threats are blocked, and multiple malware detection methods should be used, including sandboxing to detect new malware threats. A web filter should also be considered for blocking the web-based component of phishing attacks. A web filter will provide time-of click protection and prevent individuals from visiting malicious sites and downloading potentially malicious files.

For more information on improving your phishing defenses and to register for a free trial of two award-winning anti-phishing solutions, contact the TitanHQ team today.

Ryuk Ransomware Can Now Automatically Infect All Devices on the Network

One of the most prolific ransomware gangs has updated its ransomware giving it worm-like capabilities, allowing it to self-propagate and spread to other devices on the local network.

Ryuk ransomware first emerged in the summer of 2018 and has grown to become one of the biggest ransomware threats. The ransomware operation is believed to be run by an Eastern European threat group known as Wizard Spider, aka UNC1878.

In 2020, Ryuk ransomware was extensively used in attacks on large organizations. While some ransomware gangs took the decision not to attack healthcare organizations that were on the front line in the fight against COVID-19, that was not the case with Ryuk. In fact, the threat group embarked upon a major campaign specifically targeting the healthcare industry in the United States. In October 2020, the gang attacked 6 U.S. hospitals in a single day. If security researchers had not uncovered a plan by the gang to attack around 400 hospitals, the campaign would have claimed many more victims.

According to the ransomware remediation firm Coveware, Ryuk ransomware was the third most prolific ransomware variant in 2020 and was used in 9% of all ransomware attacks. An analysis of the Bitcoin wallets associated with the gang suggest more than $150 million in ransoms have been paid to the gang.

Ryuk ransomware is under active development and new capabilities are frequently added. The Ryuk gang was one of the first ransomware operators to adopt the double-extortion tactics first used by the operators of Sodinokibi and Maze ransomware, which involve stealing data prior to the use of encryption and threatening to publish or sell the stolen data if the ransom is not paid.

Ryuk ransomware also had a feature added that allowed it to mount and encrypt the drives of remote computers. The ransomware accesses the ARP table on a compromised device to obtain a list of IP addresses and mac addresses, and a wake-on-LAN packet is sent to the devices to power them up to allow them to be encrypted.

The latest update was discovered by the French national cybersecurity agency ANSSI during an incident response it handled in January. ANSSI discovered the latest variant had worm-like capabilities that allow it to propagate automatically and infect all machines within the Windows domain. Every reachable machine on which Windows RPC accesses are possible can be infected and encrypted.

Ryuk is a human-operated ransomware variant, but the new update will greatly reduce the manual tasks that need to be performed. This will allow the gang to conduct more attacks and will decrease the time from infection to encryption, which gives security teams even less time to identify and remediate an attack in progress.

While different methods are used for initial access, Ryuk ransomware is usually delivered by a malware dropper such as Emotet, TrickBot, Zloader, Qakbot, Buer Loader, or Bazar Loader. These malware droppers are delivered via phishing and spear phishing emails. Around 80% of Ryuk ransomware attacks use phishing emails as the initial attack vector.

Once a device has been compromised it is often too late to identify and block the attack before data theft and file encryption, especially since the attacks typically occur overnight and during the weekend when IT teams are depleted. The best defense is to block the initial attack vector: The phishing emails that deliver the malware droppers.

Having an advanced spam filtering solution in place is essential for blocking Ryuk ransomware attacks. By identifying and quarantining the phishing emails and preventing them from reaching inboxes, the malware droppers that deliver Ryuk will not be downloaded.

To block these attacks, consider augmenting your email security defenses with SpamTitan. SpamTitan is an award-winning email security gateway that is proven to block phishing emails that deliver malware downloaders. To find out more, contact the SpamTitan team or start a free trial of the solution today.

TitanHQ Wins 3 Experts Insights’ 2021 Best-Of Awards

TitanHQ has been recognized for its email security, web security, and email archiving solutions, collecting not one, not two, but three prestigious awards from Expert Insights.

Expert Insights was launched in 2018 to help businesses find cybersecurity solutions to protect their networks and devices from an ever-increasing number of cyber threats. Researching cybersecurity solutions can be a time-consuming process, and the insights and information provided by Expert Insights considerably shortens that process. Unlike many resources highlighting the best software solutions, Expert Insights includes ratings from verified users of the products to give users of the resource valuable insights about how easy products are to use and how effective they are at blocking threats. Expert Insights has helped more than 100,000 businesses choose cybersecurity solutions and the website is visited by more than 40,000 individuals a month.

Each year, Expert Insights recognizes the best and most innovative cybersecurity solutions on the market in its “Best-Of” Awards. The editorial team at Expert Insights assesses vendors and their products on a range of criteria, including technical features, ease-of-use, market presence, and reviews by verified users of the solutions. Each product is assessed by technology experts to determine the winners in a broad range of categories, including cloud, email, endpoint, web, identity, and backup security.

“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Craig MacAlpine, CEO and Founder, Expert Insights. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”

Three TitanHQ cybersecurity solutions were selected and named winners in the Expert Insights’ 2021 “Best-Of” Awards in the Email Security Gateway, Web Security, and Email Archiving categories. SpamTitan was named winner in the Email Security Gateway category, WebTitan won in the Web Security category, and ArcTitan was named a winner in the Email Archiving category. SpamTitan and WebTitan were praised for the level of protection provided, while being among the easiest to use and most cost-effective solutions in their respective categories.

All three products are consistently praised for the level of protection provided and are a bit hit with enterprises, SMBs, and MSPs.  The solutions attract many 5-star reviews from real users on the Expert Insights site and many other review sites, including Capterra, GetApp, Software Advice, Google Reviews, and G2 Crowd.  The cybersecurity solutions are now used by more than 8,500 businesses and over 2,500 MSPs.

“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”

NHS Phishing Emails Detected Offering COVID-19 Vaccine

A new phishing scam has been detected targeting UK residents that spoofs the National Health Service (NHS) and offers recipients the opportunity to register to receive a COVID-19 vaccination. The NHS COVID-19 vaccine scam is one of several to be intercepted in recent weeks that offers the chance to get a vaccine, when in reality it will involve disclosing sensitive information.

Since the SARS-CoV-2 virus started spreading beyond the borders of China, scammers have been conducting a wide range of COVID-19 phishing scams. Now that the vaccine rollout is progressing in the UK and globally, using the promise of an early vaccine as a lure was to be expected.

In the latest campaign, the sender’s address has been spoofed to make it appear than the messages have been sent by the NHS, and NHS branding is used in the message body. Recipients are instructed that they have been selected to receive the vaccine based on their family and medical history.

The lure is plausible, as in the UK the most at-risk groups have mostly been vaccinated, and the NHS is now moving into priority group 6, which is all individuals aged 16 to 65 with an underlying medical condition. The NHS has also asked people to be patient and to wait until they are contacted about the vaccine to arrange an appointment, which may be via email.

The NHS COVID-19 vaccine scam emails require the recipient to click a link that directs them to a website where they are instructed to provide some information to confirm their identity. In this case, the aim of the scam is not to obtain credentials, but personal information including name, address, date of birth, and credit card details.

Phishing has become the attack vector of choice for many cybercriminal operations during the pandemic. One study indicates an increase of 667% in phishing as an attack vector, showing the extent to which cybercriminals have changed their attack tactics during the pandemic. One study by Centrify shows the number of phishing attacks had increased by 73% between March 2020 and September 2020.

Research published by the ransomware response firm Coveware shows that the volume of ransomware attacks using phishing as the infection vector increased sharpy in the final quarter of 2020, overtaking all other methods of attacks to become the main method of gaining access to business networks.

Phishing attacks are expected to continue to increase in 2021 due to the ease at which they can be conducted and the effectiveness of the campaigns. Attacks are also becoming more sophisticated and harder for employees to identify.

Spear phishing attacks that target certain companies and individuals are becoming much more prevalent. These campaigns involve prior research, and the messages are tailored to maximize the chance of a response.

With phishing so prevalent, it is vital for businesses to ensure they are sufficiently protected and have an email security solution installed that is capable to blocking these threats.

Dual AV engines and sandboxing are capable of blocking known and zero-day malware and ransomware threats, while machine learning technology and multiple threat intelligence feeds provides protection against current and emerging phishing threats.

SpamTitan significantly improves protection for Microsoft Office 365 accounts, the credentials to which are highly sought after by phishers and offers businesses excellent protection from all email-based attacks at a very affordable price.

If you want to protect your inboxes and block more malicious emails, contact TitanHQ for more information about SpamTitan. The multi-award-winning antispam solution is also available on a free trial for you to see for yourself how effective it is and how easy it is to use.

Tax Professionals Targeted in Phishing Campaign Seeking Electronic Filing Identification Numbers

Tax season has begun and so have the annual scams targeting tax professionals. Each year in the run up to the tax filing deadline, cybercriminals conduct scams in order to obtain electronic filing identification numbers (EFINs).

In the United States, the Internal Revenue Service (IRS) issues EFINS to tax professionals and individuals to allow them to file tax returns electronically. If cybercriminals obtain these EFINs they can file fraudulent tax returns in victims’ names to obtain tax rebates. Obtaining an e-file number of a tax professional will allow tax returns to be filed for many individuals, so these scams can be very lucrative.

These scams usually start with a phishing email using a lure to get the recipient to visit a malicious website where they are asked to provide information or upload documents that contain sensitive information. Alternatively, recipients are told to download files which silently install a malware downloader which ultimately gives the attackers full control of the victim’s computer.

Commonly, the spam emails spoof the IRS and instruct tax professionals to provide information or documents in order to prevent the suspension of their account. At such as busy time of year, suspension of an account is best avoided. Faced with this threat, tax professionals may provide the requested information.

One of the phishing emails recently intercepted spoofed the IRS by using the sender name “IRS Tax E-Filing,” with the subject line “Verifying your EFIN before e-filing.” The emails looked convincing and required “authorized e-file originators” to reverify prior to filing returns through the IRS system. The emails claimed the IRS had started using this new security measure to prevent unauthorized and fraudulent activities. The scammers requested a PDF file/scan of the EFIN acceptance letter and both sides of the individual’s driver’s license. Similar scams have been conducted that require tax preparers’ ID numbers and e-services usernames and passwords to be provided.

This year, in addition to the usual phishing emails spoofing the IRS, campaigns have been detected where the attackers claim to be potential clients looking for tax preparers ahead of the filing deadline. Attachments are provided that would typically be needed by tax preparers, but they are laced with malicious scripts that install keylogging malware that records and exfiltrates keystrokes, with are likely to include usernames and passwords.

Tax preparers that fall victim to these scams can suffer catastrophic damage to their reputations, so it is important to exercise caution when opening any emails and to stop and think carefully about any request to provide sensitive information or download files.

One of the easiest ways to protect against these scams is to implement an advanced spam filtering solution that can identify and block these malicious messages. SpamTitan is a powerful email security solution that identifies and blocks malware and documents containing malicious scripts with dual antivirus engines, sandboxing, and machine learning techniques. In addition to blocking malware threats, SpamTitan is highly effective at blocking phishing emails containing malicious links.

The award-winning spam filter is quick and easy to implement and maintain, requiring no technical knowledge. You can be up and running in minutes and protecting your inbox from phishing and malware attacks, which will allow you to concentrate on your business at this busy time of year and avoid costly cyberattacks.

For more information about SpamTitan, to book a product demonstration or to register for a free trail, give the SpamTitan team a call today.

Novel Phishing Campaign Identified Using Malformed URL Prefixes

Phishers regularly changes their tactics, techniques and procedures and create more convincing scams to trick employees into disclosing sensitive information or installing malware on their computers. One novel tactic that was first observed in the fall of 2020 involved the use of malformed URL prefixes. Over the following months, the number of emails sent with these atypical URL prefixes grew, and according to GreatHorn researchers, the volume of these messages increased by almost 6,000% in the first month of the year.

URLs start with either HTTP:// or HTTPS://, which are the standard URL protocols. While end users may check to see if the URL starts with HTTP or HTTPS to determine whether the connection to the website is encrypted, they may not notice or be overly concerned about what comes after the colon. That is also true of certain security solutions and browsers, which also do not check that part of the URL.

The new tactic sees one of the forward slashes swapped with a backslash, so HTTPS:// becomes HTTP:/\ and it is enough of a change to see phishing emails delivered to inboxes. This tactic has been combined with another tactic that reduces the chance of the link being identified as malicious. The URL linked in the emails directs the user to a web page that includes a reCAPTCHA security feature. This feature will be known to most internet users, as it is used by a great deal of websites and search engines to distinguish between real users and robots.

The challenge must be passed for a connection to the website to me made. Having this security feature helps to convince the visitor that they are arriving on a legitimate site, but it also stops security solutions from assessing the content of the site. If the user passes the reCAPTCHA challenge, they are then redirected to a different URL that hosts the phishing form.  That webpage very closely resembles the login prompt of Office 365 or Google Workspace, with this campaign mostly targeting Office 365 credentials.

Since this new tactic is now proving popular it is worthwhile incorporating this into your security awareness training sessions to make employees aware of the need to check the URL prefix, and also add a rule in SpamTitan to block these malformed URLs.

Don’t Be Fooled by this Adidas Phishing Scam!

A new Adidas phishing scam has been detected that offers free shoes and money. The messages claim that Adidas is celebrating its 93rd anniversary and is giving 3000 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription.

“Adidas is giving away 3000 Free Pair of Shoes to celebrate its 93rd anniversary. Get your free shoes at <link>”

The very same scam was run in 2019 claiming to celebrate 69th anniversary and on that occasion was giving 2,500 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription. The scammer saw success previously and have clearly decided it’s worth trying again.

The Scam Adidas Email

There is also an email version of the scam. The fake Adidas email claims  the recipient has won a large sum of money and all they need to do to claim the cash is send their personal details via email.

Scam emails are now a very effective form of cyber attack. Most successful hacking attacks today begin with a phishing email. Scam emails containing ransomware or BEC are a challenge for corporate security.

A successful breach can cost an organization millions but defending against this kind of attack requires powerful  anti-spam and malware technology. To defend against this kind of phishing attack  you need a cutting edge email security solution to stop scam emails, a security aware workforce to identify a scam email and spot a spoof email, and powerful web protection that blocks user from accessing dangerous websites

WhatsApp phishing scam

The WhatsApp phishing scam is targeting users on mobile devices in specific locations. If the user clicks the link in the message and is determined not to be using a mobile device, they will be directed to a webpage that displays a 404 error. The scam will also only run if the user is in the United States, Pakistan, India, Norway, Sweden, Nigeria, Kenya, Macau, Belgium or the Netherlands.

Provided the user is on a mobile device and located in one of the targeted countries, a series of four questions will be asked. The responses to the questions are irrelevant as all users will be offered a “free” pair of sneakers after answering the four questions.

In order to be able to claim the prize, users must share the offer with their contacts on WhatsApp. Regardless of whether the user does this, they will be directed to another webpage where they are asked further questions and are finally offered a “free” pair of sneakers worth $199.

There is another catch. In order to claim their free sneakers, the user must pay $1. The user is advised that they will also be charged $49.99 a month for the subscription at the end of the month if they do not cancel. The user is told they can cancel at any point.

On the payment screen the user is told that the payment will be processed by organizejobs.net. Proceeding with the payment will see the user charged $1, followed by the subscription cost of $49.99 in 7 days.

The campaign is being run on WhatsApp, although similar scams have been conducted via email and SMS messages. Several variations along the same theme have also been identified spoofing different shoe manufacturers.

The link supplied in the WhatsApp phishing message appears to be genuine, using the official domain for the country in which the user is located. While the domain looks correct, this is an example of a homoglyph attack. Instead of the domain adidas.de, the i is replaced with a vertical line – a homoglyph attack.

These types of scams are commonplace. Homoglyph scams take advantage of the ability to use non-ASCII characters in domain names. Similar scams use a technique called typosquatting – where domains closely matching real brand names are registered: Incorrect spellings for instance, such as “Addidas” instead of Adidas, or with an i replaced with a 1 or an L.

In this case, the attackers appear to be earning a commission for getting users to sign up, although disclosing debit and credit card details could easily see the information used to run up huge bills or drain bank accounts.

There are various warning signs indicating this is an Adidas phishing scam. Close scrutiny of the domain will reveal it is incorrect. The need to share the message to contacts is atypical, being notified of a charge after being told the shoes are free, the failure to ask the user to choose a pair of shoes or even select their size, and an odd domain name is used to process payment. However, even with these tell-tale signs that the offer is not genuine, this adidas phishing scam is likely to fool many people.

Be warned. If you receive any unsolicited WhatsApp message offering you free goods, best to assume it is a phishing scam.

To find out more about some of the key protections you can put in place to improve your resilience against email scams and phishing attacks, contact the SpamTitan team today.

Most Ransomware Attacks Start with a Phishing Email

Ransomware attacks in 2020 were conducted at twice the rate of the previous year, with many organizations falling victim and having to pay large ransoms to recover their data or risk sensitive information being published or sold to cybercriminal organizations.

At the start of 2020, data exfiltration prior to the deployment of ransomware was still only being conducted by a small number of ransomware gangs, but that soon changed as the year progressed. By the end of the year, at least 17 cybercriminal gangs were using this double extortion tactic and were stealing sensitive data prior to encrypting files. Faced with the threat of publication of sensitive data, many attacked organizations felt they had little alternative other than to pay the ransom demand.

The extent of ransomware attacks in 2020 has been highlighted by various studies by cybersecurity researchers over the past few weeks. Chainalysis recently released a report that suggests more than $350 million has been paid to cybercriminals in 2020 alone, based on an analysis of the transactions to blockchain addresses known to be used by ransomware threat groups. Of course, that figure is likely to be far lower than the true total, as many companies do not disclose that they have suffered ransomware attacks. To put that figure into perspective, a similar analysis in 2019 estimated the losses to be around $90 million. Those figures are for ransom payments alone, not the cost of resolving attacks, which would be several orders of magnitude higher.

The increase in attacks can be partly attributed to the change in working practices due to the pandemic. Many companies switched from office-based working to a distributed remote workforce to prevent the spread of COVID-19 and keep their employees protected. The rapid change involved hastily implementing remote access solutions to support those workers which introduced vulnerabilities that were readily exploited by ransomware gangs.

Most Ransomware Attacks Now Start with Phishing

Throughout 2020, phishing was commonly used as a way to gain access to corporate networks, accounting for between 25% and 30% of all ransomware attacks, but new data released by the ransomware attack remediation firm Coveware shows the attack methods changed in the last quarter of 2020. As companies and organizations addressed vulnerabilities in remote access solutions and VPNs and improved their defenses, phishing became the most common attack method. Coveware’s analysis shows that in the final quarter of 2020, more than 50% of ransomware attacks started with a phishing email.

Ransomware can be delivered directly through phishing emails, although it is more common to use intermediary malware. The most commonly used malware variants for distributing ransomware are Trojans such as Emotet and TrickBot, both of which are extensively delivered via phishing emails. These malware variants are also capable of self-propagating and spreading to other devices on the network.

Access to compromised devices is then sold to ransomware gangs, who access the devices, steal sensitive data, then deploy their ransomware payload. The Emotet botnet played a large role in ransomware attacks in 2020, and while it has now been disrupted following a joint law enforcement operation, other malware variants are certain to take its place.

The same report also highlighted the nature of businesses attacked with ransomware. Far from the gangs targeting large enterprises with deep pockets, most attacks are on small- to medium-sized businesses with under 250 employees. 30.2% of attacks were on businesses with between 11 and 100 employees, with 35.7% on businesses with 101 to 1,000 employees. Healthcare organizations, professional services firms, and financial services companies have all been targeted and commonly fall victim to attacks, although no sector is immune.

70% of ransomware attacks now involve data theft prior to encryption, so even if backups exist and can be used to restore data, it may not be possible to avoid paying the ransom. There is also a growing trend for data to be permanently deleted, which leaves businesses with no way of recovering data after a ransomware attack.

Steps to Take to Block Ransomware Attacks

What all businesses and organizations need to do is to make it as hard as possible for the attacks to succeed. While there is no single solution for blocking ransomware attacks, there are measures that can be taken that make it much harder for the attacks to succeed.

With most ransomware attacks now starting with a phishing email, an advanced email security solution is a must. By deploying best-of-breed solutions such as SpamTitan to proactively protect the Office365 environment it will be much easier to block threats than simply relying on Office 365 anti-spam protections, which are commonly bypassed to deliver Trojans and ransomware.

A web filtering solution can provide protection against ransomware delivered over the internet, including via links sent in phishing emails. Multi-factor authentication should be implemented for email accounts and cloud apps, employees should be trained how to identify threats, and monitoring systems should be implemented to allow attacks in progress to be detected and mitigated before ransomware is deployed.

What is DMARC Email Authentication and Why is it Important?

DMARC email authentication is an important element of phishing defenses, but what is DMARC email authentication, what does it do, and how does it protect against email impersonation attacks?

There is some confusion about what DMARC email authentication is and what it can do. In this post we explain in clear English what DMARC means and why it should be part of your anti-phishing defenses.

What is DMARC

DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. Its purpose is to make it harder for threat actors to conduct phishing attacks that spoof brands and get those messages delivered to inboxes. DMARC is a critical component of email cybersecurity that reduces an attacker’s ability to get email threat to an end user’s inbox.

With DMARC, organizations can create a record of who is authorized to send emails from their domain. This helps to prevent misuse of a company brand in phishing campaigns.

If DMARC is implemented on email, a business can have all incoming emails checked against DMARC records and any email that fails the check can be subjected to certain actions.

The message can be delivered as normal with a warning and the email will be included in a report of emails that failed the check. The message could automatically be sent to quarantine for manual approval before delivery is made. Alternatively, the message could be rejected or subjected to a custom policy. An organization can select the best policy to adopt based on their level of risk tolerance.

DMARC will not stop all phishing emails from being delivered, but it is an important measure to implement to stop email spoofing and reduce the number of phishing emails that reach inboxes. DMARC is just one of several rules that are used to determine whether emails are genuine and should be delivered or if the messages have been sent from an unauthorized user.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DNS records are also used to determine whether the email server being used is authorized to send emails for the organization. 

What is  Sender Policy Framework (SPF)

The Sender Policy Framework (SPF) is an email-authentication technique used to restrict who can send emails from your domain. It allows your mail server determine when a message comes from the domain that it uses. SPF has three major elements: a policy framework, an authentication method and specialized headers to convey the information.

An email message contains two sender addresses:

  1. The From:header, displaying the name and email address of the sender
  2. The Envelope From:or Return-Path email address.

Both types of sender addresses can be easily spoofed.

SPF uses a DNS record to verify the Envelope From: only. This means that if a spammer spoofs the Envelope From: address using a domain where SPF is enabled, the mail will be caught by the receiving server. If the spammer spoofs the From: header, SPF will not catch this. The SPF record indicates which email servers are authorized to send mail on behalf of a domain. This would be the organization itself and any third parties, such as marketing companies.  The SPF record is a DNS TXT record that includes IP addresses and hostnames that are allowed to send emails from a particular domain. The SPF record is the first thing checked by DMARC rules.

Together with the DMARC related information, this gives the receiver (or receiving systems) information on how trustworthy the origin of an email is. SPF is, just like DMARC, an email authentication technique that uses DNS (Domain Name Service). This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.

DKIM

DKIM is more advanced and uses a TXT record and asymmetric public-private key encryption. With DMARC enabled, the signature is encrypted with the public key and the key is published on DNS servers. The domain’s private key is then used at the recipient’s email server for verification.

If DKIM is enabled, the public key-encrypted signature is compared with the message that is decrypted using a newly generated key to confirm that the message has not been altered. DKIM also confirms that the sender is from the listed domain and that the sender has not been spoofed.

DMARC offers a much greater level of protection than SPF and is more dependable, so both should be implemented. Both SPF and DMARC are incorporated into SpamTitan to better protect users from email spoofing attacks. Enabling SPF, DKIM and DMARC will help greatly reduce the amount of spoof emails recieved, and that is only good.

To find out more about improving your email security defenses, contact the TitanHQ team today.

Coordinated Law Enforcement Effort Takes Down Emotet Botnet

The notorious Emotet botnet, which has been used in extensive attacks on companies around the globe for many years, has been taken down as part of a coordinated effort by Europol, the FBI, the UK National Crime Agency, and other law enforcement agencies.

The threat actors behind Emotet used their malware to create a backdoor in the systems of many companies, with access then sold to other threat groups to conduct further malicious activities including stealing sensitive data and extortion through the deployment of ransomware.

The operation has been planned for around two years and was coordinated to ensure that the multi-country infrastructure was simultaneously taken down to disrupt any attempts by the threat group to reconstruct the network. Law enforcement agencies have seized control of hundreds of servers and have taken control of the entire Emotet infrastructure, in what will be seen by many to be the most important malware takedowns to date. The takedown has prevented the Emotet gang from communicating with the malware and has resulted in the loss of control of the army of compromised devices that make up the botnet.

Europol and its partners succeeded in mapping the entire infrastructure, took control of the network, and deactivated the Emotet Trojan. A software update was placed on the main servers used to control the malware, two of which were located in the Netherlands. Infected computer systems will retrieve the update, which will see Emotet Trojan on those systems quarantined.

The Most Dangerous Malware and Most Prolific Botnet

Emotet is arguably the most dangerous malware of recent years and the botnet used to distribute it is one of the most prolific. Around 30% of all malware attacks in 2020 involved the Emotet Trojan.

Phishing emails were used to deliver the Emotet Trojan. Massive phishing campaigns were conducted using a wide range of lures to trick recipients into opening malicious attachments or visiting websites that downloaded the Emotet Trojan. The lures used in the campaigns frequently changed, taking advantage of world events to maximize the probability of the attachments being opened.

Emotet started life as a banking Trojan but was later developed to also serve as a malware dropper. Emotet delivered other banking Trojans such as TrickBot as the secondary malware payload, and ransomware variants such as Ryuk – each of which were dangerous in their own right.

Devices infected with Emotet are added to the botnet and used to distribute copies of the Emotet Trojan to other devices on the network and the user’s contacts by hijacking the user’s email account. A single device on a corporate network that was infected with Emotet could quickly result in widespread infection. The Trojan was also particularly difficult to eradicate, as removal of the infection would only be temporary, with other devices on the network simply re-infecting the cleaned device.

In the leadup to the 2020 Presidential election in the United States, Microsoft and its partners succeeded in seizing control of some of the infrastructure used to control and distribute the TrickBot Trojan. In that case the operation was only temporarily successful, as the TrickBot gang was able to rapidly recover and restore its infrastructure.

Time will tell as to how successful the Emotet takedown has been and whether the operation has only temporarily disrupted the activities of the Emotet gang or whether the takedown has left it completely crippled.

Phishing Campaign Abuses Windows Finger Utility to Download MineBridge Backdoor

A new phishing campaign has been identified that abuses the Windows Finger command to download a malware variant called MineBridge.

The Finger command in Windows can be used by a local user to obtain a list of users on a remote machine or, alternatively, to obtain information about a specific remote user. The Finger utility originated in Linux and Unix operating systems but is also included in Windows. The utility allows commands to be executed to find out whether a particular user is logged on, although this is now rarely used.

There are also security concerns with the finger utility, and it has been abused in the past to find out basic information about users that can be targeted in social engineering attacks. Vulnerabilities in the finger protocol have also been exploited in the past by some malware variants.

Recently, security researchers discovered Finger can be used as a LOLBin to download malware from a remote server or to exfiltrate data without triggering alerts from security solutions. Finger is now being used in at least one phishing campaign to download malware.

MineBridge malware is a Windows backdoor written in C++ that has previously been used in attacks on South Korean companies. The malware was first identified in December 2020 by researchers at FireEye and in January 2020 several campaigns were identified distributing the malware via phishing emails with malicious Word attachments.

The latest campaign sees the attackers impersonate a recruitment company. The email is a recommendation of a candidate for consideration for a position at the targeted firm. The sender recommends even if there are no current openings, the CV should be checked, and the candidate considered. The email is well written and believeable.

As is common in phishing campaigns, if the document is opened a message will be displayed that tells the user the document has been created in an old version of Windows and to view the content the user needs to ‘enable editing’ and then ‘enable content’. Doing so will run the macro, which will fetch and download a Base64 encoded certificate using the Finger command. The certificate is a malware downloader that used DLL hijacking to sideload the MineBridge backdoor. Once installed, MineBridge will give the attacker control over an infected device and allow a range of malicious actions to be performed.

It is easiest to block attacks like this by installing an advanced spam filtering solution to block the malicious emails and prevent them from reaching inboxes. As an additional protection against this and other campaigns that abuse the Finger.exe utility in Windows, admins should consider disabling finger.exe if it is never used.

Microsoft is the Most Impersonated Brand in Phishing Attacks on Businesses

Phishing scams can be difficult for employees to identify. The emails provide a plausible reason for taking a certain action, such as clicking a link in an email. The websites that users are directed to are virtually indistinguishable from the genuine websites that the scammers spoof and credentials are commonly captured.

The pandemic has seen increasing numbers of employees working from home and accessing their company’s cloud applications remotely. Businesses are now much more reliant on email for communication than when employees were all office based. Cybercriminals have been taking advantage and have been targeting remote workers with phishing scams and many of these attacks have been successful.

Employees often receive training on cybersecurity and are told to be wary of emails that have been sent from unknown individuals, but many still open the emails and take the requested action. The emails often spoof an individual that is known to the recipient, which increases the likelihood of that email being opened. It is also common for well known brands to be impersonated in phishing attacks, with the attackers exploiting trust in that brand.

A recent analysis of phishing emails by Check Point revealed the most commonly impersonated brand in phishing attacks over the past 3 months is Microsoft, which is not surprising given the number of businesses using Office 365. The study revealed 43% of phishing attempts that mimic brands impersonate Microsoft.

Microsoft credentials are then captured in these attacks and are used to remotely access accounts. The data stored in a single email account can be substantial. There have been many healthcare phishing attacks that have seen a single account compromised that contained the sensitive data of tens of thousands or even hundreds of thousands of patients. These phishing emails are often only the first step in a multi-stage attack that gives the threat actors the foothold they need for a much more extensive attack on the organization, often resulting in the theft of large amounts of data and ending with the deployment of ransomware.

Microsoft is far from the only brand impersonated. The analysis revealed DHL to be the second most impersonated brand. DHL-based phishing attacks use failed delivery notifications and shipping notices as the lure to get individuals to either disclose sensitive information such as login credentials or open malicious email attachments that download malware. 18% of all brand impersonation phishing attacks involve the impersonation of DHL. This makes sense as the phishers target businesses and especially during a pandemic when there is increased reliance on courier companies.

Other well-known brands that are commonly impersonated include PayPal and Chase to obtain account credentials, LinkedIn to allow professional networking accounts to be compromised, and Google and Yahoo are commonly impersonated to obtain account credentials. Attacks spoofing Amazon, Rakuten, and IKEA also make the top 10 most spoofed brand list.

Phishers mostly target business users as their credentials are far more valuable. Businesses therefore need to ensure that their phishing defenses are up to scratch. Security awareness training for employees is important but given the realistic nature of phishing emails and the plausibility of the lures used, it is essential for more reliable measures to be implemented to block phishing attacks.

Top of the list of anti-phishing measures should be an advanced spam filter. Many businesses rely on the spam filtering capabilities of Office 365, but this only provides a level of protection. The default spam filter in Office 365 is not particularly effective at blocking sophisticated phishing attacks. Businesses that rely on Microsoft’s Exchange Online Protection (EOP) see many phishing emails delivered to inboxes where they can be opened by employees.

To better protect against phishing attacks, a third-party spam filter should be layered on top of Office 365. SpamTitan has been developed to provide enhanced protection for businesses that use Office 365. The solution implements seamlessly with Office 365 and the solution is easy to implement and maintain. The result will be far greater protection from phishing attacks and other malicious emails that employees struggle to identify.

For further information on SpamTitan, to register for a free trial, and for details of pricing, give the TitanHQ team a call today.

Easy to Implement Anti-Phishing Solutions for MSPs

To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.

Phishing is the Number One Cyber Threat Faced by SMBs

Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.

Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised.  Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.

The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.

Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.

Easy to Implement Anti-Phishing Solutions for MSPs

There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.

MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs anti-phishing offerings?

Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or part of an anti-phishing security package.

Advanced Spam Filtering

Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and by itself, is the single most important solution to implement.

SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy to use interface. The solution supports per domain administrators, with each able to implement elements of their own email such as searches and the release of messages from the quarantine folder. Reports can be generated per domain and those reports can be scheduled and automatically sent to clients. The solution can be fully rebranded to take an MSP logo and color scheme, and the solution can be hosted in TitanHQ’s private cloud or within your own data center.

Security Awareness Training and Testing

While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.

DNS-Based Web Filtering

Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.

A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS-level, before any content is downloaded. When an employee clicks on a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, web filters are easy to implement and no appliances are required.

WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSPs branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.

Key Product Features of SpamTitan and WebTitan for MSPs

  • Easy to manage: There is a low management overhead. SpamTitan and WebTitan are set and forget solution. We handle all the updates and are constantly protecting against new threats globally, in real-time.
  • Scalability: Regardless of your size you can deploy the solution within minutes. SpamTitan and WebTitan are scalable to thousands of users.
  • Extensive API: MSPs provided with API integration to provision customers through their own centralized management system; a growth-enabling licensing program, with usage-based pricing and monthly billing.
  • Hosting Options: SpamTitan and WebTitan can be deployed as a cloud based service hosted in the TitanHQ cloud, as a dedicated private cloud, or in the service provider’s own data center.
  • Extensive drill down reporting: Integration with Active Directory allows detailed end user reporting. Comprehensive reports can be created on demand or via the scheduled reporting options.
  • Support: World class support – we are renowned for our focus on supporting customers.
  • Tried & Tested: TitanHQ solutions are used by over 1500 Managed Service Providers worldwide.
  • Rebrandable: Rebrand the platform with your corporate logo and corporate colors to reinforce your brand or to resell it as a hosted service.

TitanSHIELD Program for MSPs

To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:

TitanSHIELD Benefits

Sales Enablement

 

Marketing

Partner Support Private or Public Cloud deployment Access to the Partner Portal
Dedicated Account Manager White Label or Co-branding Co-Branded Evaluation Site
Assigned Sales Engineer Support API integration Social Network participation
Access to Global Partner Program Hotline Free 30-day evaluations Joint PR
Access to Partner Knowledge Base Product Discounts Joint White Papers
Technical Support Competitive upgrades Partner Events and Conferences
24/7 Priority Technical Support Tiered Deal Registration TitanHQ Newsletter
5 a.m. to 5 p.m. (PST) Technical Support Renewal Protection Better Together Webinars
Online Technical Training and FAQs Advanced Product Information Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base Competitive Information and Research Sales Campaigns in a box
  Not-for-Resale (NFR) Key Public Relations Program and Customer Testimonials
  Product Brochures and Sales Tools TitanHQ Corporate Style Guide and Logo Usage
  Partner Advisory Council Eligibility TitanHQ Partner Welcome Kit
  QTRLY Business Planning and Review Access to TitanHQ’s MVP Rewards Program
  Access to Partner Support  

For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanSHIELD program.

 

Trump-Themed Phishing Emails Attempt to Deliver QRAT Malware

A Trump-themed phishing campaign has been detected that attempts to deliver the Qnode Remote Access Trojan (QRAT) under the guise of a video file that appears to be a Donald Trump sex tape.

QRAT is a Java-based RAT that was first detected in 2015 that has been used in several phishing campaigns over the years, with an uptick in distribution observed from August 2020. Interestingly, the malicious file attachment – named “TRUMP_SEX_SCANDAL_VIDEO.jar” – bears no relation to the phishing email body and subject line, which offers a loan as an investment for a dream project or business plan. The subject line is “GOOD LOAN OFFER,” and the sender claims a loan will be provided if there is a good return on the investment and between $500,000 and $100 million can be provided. It is unclear whether an error has been made and the wrong file attachment was added to the email or if this was a deliberate mismatching of a malicious .jar file. While the emails are unlikely to fool many end users, there may be enough interest in the video to pique the interest of some recipients.

The phishing campaign does appear to be poorly constructed, but the same cannot be said of the malware the campaign attempts to deliver. The version of QRAT delivered in this campaign is more sophisticated than previously detected versions, with several improvements made to evade security solutions. For instance, the malicious code used as the QRAT downloader is obfuscated and split across several different buffers within the .jar file.

Phishing campaigns often take advantage of interest in popular new stories and the Presidential election, allegations of election fraud, and recent events at Capitol Hill have seen President Trump trending. It is likely that this will not be the only Trump-themed phishing campaign to be conducted over the next few days and months.

This campaign appears to target businesses, where the potential returns from a malware infection is likely to be far higher than an attack on consumers. Blocking threats such as this is easiest with an advanced email security solution capable of detecting known and new malware variants.

SpamTitan is an advanced, cost-effective spam filtering for businesses and the leading cloud-based spam filter for managed service providers serving the SMB market. SpamTitan incorporates dual anti-virus engines to identify known malware threats, and a Bitdefender-powered sandbox to identify zero-day malware. The solution also supports the blocking of risky file types such as JARs and other executable files.

SpamTitan is also effective at blocking phishing emails without malicious attachments, such as emails with hyperlinks to malicious websites. The solution has multiple threat detection features that can identify and block spam and email impersonation attacks and machine learning technology and multiple threat intelligence feeds that provide protection against zero-minute phishing attacks.

One of the main reasons why the solution is such as popular choice with SMBs and MSPs is the ease of implementation, use, and maintenance. SpamTitan takes the complexity out of email security to allow IT teams to concentrate on other key tasks.

SpamTitan is the most and top-rated email security solution on Capterra, GetApp and Software Advice, is a top three solution in the three email security categories on Expert Insights and has been a leader in the G2 Email Security grids for 10 consecutive quarters.

If you want a spam filtering solution that is effective and easy to use, look no further than SpamTitan. For more information, give the TitanHQ team a call. SpamTitan is also available on a free trial to allow you to evaluate the solution in your own environment before deciding on a purchase.

2020 Phishing Statistics

The threat from phishing is ever present and phishing remains the leading cause of data breaches. All it takes is for one employee to fall for a phishing email for threat actors to gain the foothold they need to conduct more extensive attacks on the organization. But how common is phishing? In this post we provide some key 2020 phishing statistics to raise awareness of the threat and highlight the need for businesses to rethink their current phishing defenses.

2020 Phishing Statistics

Phishing is the easiest way for cybercriminals to gain access to sensitive data and distribute malware. Little skill or effort is required to conduct a successful phishing campaign and steal credentials or infect users with malware. The latest figures show that in 2020, 22% of reported data breaches started with a phishing email and some of the largest data breaches in history have started with a phishing attack, including the 78.8 million record data breach at the health insurer Anthem Inc., and the massive Home Depot data breach in 2014 that saw the email addresses of 53 million individuals stolen.

Phishing can be conducted over the phone, via SMS, social media networks, or instant messaging platforms, but email is most commonly used. Around 96% of all phishing attacks occur via email. Successful phishing attacks result in the loss of data, theft of credentials, or the installation of malware and ransomware. The cost of resolving the incidents and resultant data breaches is substantial. The 2020 Cost of a Data Breach Report by the Ponemon Institute/IBM Security revealed the average cost of a data breach is around $150 per compromised record with a total cost of $3.86 million per breach. A single spear phishing attack costs around $1.6 million to resolve.

Employees may believe they are able to spot phishing emails, but data from security awareness training companies show that in many cases, that confidence is misplaced. One study in 2020 revealed that 30% of end users opened phishing emails, 12% of users clicked a malicious link or opened the attachment in the email, and one in 8 users then shared sensitive data on phishing websites. Bear in mind that 78% of users claimed that they know they shouldn’t open email attachments from unknown senders or click links in unsolicited emails.

The 2020 phishing statistics show phishing and spear phishing are still incredibly common and that phishing attacks often succeed. Another study revealed 85% of companies have fallen victim to a phishing attack at least once. Phishing websites are constantly being created and used in these scams. Once a URL is confirmed as malicious and added to a blacklist, it has often already been abandoned by the threat actors. In 2020, around 1.5 million new phishing URLs were identified every month.

2020 has seem a massive increase in ransomware attacks. While manual ransomware attacks often see networks compromised by exploiting vulnerabilities in firewalls, VPNs, RDP, and networking equipment, ransomware is also delivered via email. Since 2016, the number of phishing emails containing ransomware has increased by more than 97%.

How to Detect and Block Phishing Threats

Tackling phishing and preventing successful attacks requires a defense in depth approach. An advanced spam filtering solution is a must to prevent phishing emails from reaching inboxes. Companies that use Office 365 often rely on the protections provided as standard with their licenses, but studies have shown that the basic level of protection provided by Microsoft’s Exchange Online Protection (EOP) is insufficient and average at best and phishing emails are often not detected. A third-party, solution is recommended to layer on top of Office 365 – One that incorporates machine learning to identify never before seen phishing threats. The solution should use email authentication protocols such as DMARC, DKIM, and SPF to identify and block email impersonation attacks and outbound scanning to identify compromised mailboxes.

End user training is also important. In the event of a phishing email arriving in an inbox, employees should be trained to identify it as such and be conditioned into reporting the threat to their IT team to ensure action can be taken to remove all instances of the threat from the email system. Web filters are also important for blocking the web-based component of phishing attacks and preventing employees from visiting phishing URLs. Multi-factor authentication on email accounts is also essential. In the event of credentials being stolen, MFA will help to ensure that the credentials cannot be used to access email accounts.

Beware of COVID-19 Vaccine Phishing Scams!

Cybercriminals are leveraging interest in COVID-19 vaccination programs and are conducting a range of COVID-19 vaccine phishing scams with the goal of obtaining sensitive data such as login credentials or to distribute malware. Several government agencies in the United States have recently issued warnings to businesses and consumers about the scams including the Department of Health and Human Services’ Office of Inspector General and the Centers for Medicare and Medicaid Services, and law enforcement agencies such as the FBI.

COVID-19 vaccine scams can take many forms. Campaigns have already been detected that offer early access to COVID-19 vaccines. These scams require a payment to be made as a deposit or a fee to get to the top of the waiting list. Other scams offer the recipients a place on the waiting list if they apply and provide personal information.

COVID-19 vaccine phishing scams are being conducted via email; however, it is likely that fraudsters will advertise on websites, social media channels, or conduct scams over the telephone or via SMS messages and instant messaging platforms. While many of these scams target consumers, there is potential for businesses to be affected if employees access their personal emails at work or if the scam emails are sent to work email addresses.

Scam emails often include links to websites where information is harvested. These links may be hidden in email attachments to hide them from email security solutions. Office documents are also commonly used for delivering malware, via malicious macros.

The emails typically impersonate trusted entities or individuals. COVID-19 vaccine scam emails are likely to impersonate healthcare providers, health insurance companies, vaccine centers, and federal, state, or local public health authorities. During the pandemic there have been many cases of fraudsters impersonating the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) in Covid-19 related phishing scams.

The U.S. Department of Justice recently announced that two domains have been seized that impersonated vaccine developers. The domains were virtual carbon copies of the legitimate websites of two biotechnology companies involved in vaccine development. The malicious content has been removed, but there are likely to be many more domains registered and used in COVID-19 vaccine phishing scams over the coming weeks.

Warnings have also been issued about the risk of ransomware attacks that take advantage of interest in COVID-19 vaccines and provide the attackers with the foothold in networks they need to conduct their attacks.

There are four important steps that businesses can take to reduce to risk of falling victim to these scams. Since email is extensively used, it is essential to have an effective spam filtering solution in place. Spam filters use blacklists of malicious email and IP addresses to block malicious emails, but since new IP addresses are constantly being used in these scams, it is important to choose a solution that incorporates machine learning. Machine learning helps to identify phishing threats from IP addresses that have not previously been used for malicious purposes and to identify and block zero-day phishing threats. Sandboxing is also important for identifying and blocking zero-day malware threats that have yet to have their signatures incorporated into the virus definition lists of antivirus engines.

While spam filters can identify and block emails that contain malicious links, a web filtering solution is also recommended. Web filters are used to control the websites that employees can access and prevent visits to malicious websites through general web browsing, redirects, and clicks on malicious links in emails. Web filters are constantly updated via threat intelligence feeds to provide protection against recently discovered malicious URLs.

Businesses should not neglect end user training and should regularly provide refresher training to employees to help them identify phishing threats and malicious emails. Phishing simulation exercises are also beneficial for evaluating the effectiveness of security awareness training.

Multi-factor authentication should also be applied as a last line of defense. In the event of credentials being compromised, multi-factor authentication will help to ensure that stolen credentials cannot be used to remotely access accounts.

With these measures implemented, businesses will be well protected from malware, COVID-19 vaccine phishing scams, and other phishing threats.

For further information on spam filtering, web filtering, and protecting your business from malware and phishing attacks, give the TitanHQ team a call today.

Code Injection Technique Used to Obtain Data from Within PDF Files

Recently, a new technique has been identified that is being used by hackers to conduct cross-site scripting attacks from within PDF files.

PDF files have long been used by hackers for phishing attacks and malware delivery. Oftentimes, emails are sent with PDF file attachments that contain hyperlinks to malicious websites. By adding these links into the files rather than the body of the email message, it is harder for security solutions to identify those malicious links.

The latest attack method also uses PDF files, but instead of tricking employees into revealing their login credentials or visiting a malicious website where malware is downloaded, the attackers attempt to obtain sensitive information contained in PDF files.

The technique is similar to those used to by hackers in web application attacks. Cross-site scripting attacks – or XXS attacks for short – typically involve injecting malicious scripts into trusted websites and applications. When a user visits a website or a hacked application, the script executes. The scripts give the attackers access to user information such as cookies, session tokens, and sensitive data saved in browsers, such as passwords. Since the website or application is trusted, the web browser will not recognize the script as malicious. These attacks are possible in websites and web applications where user input is used to generate output without properly validating or encoding it.

The same technique has been shown to also work within PDF files and is used to inject code and capture data. This is achieved by taking advantage of escape characters such as parentheses, which are commonly used to accept user input. If the input is not validated correctly, hackers can inject malicious URLs or JavaScript code into the PDF files. Even injecting a malicious URL can be enough to capture data in the document and exfiltrate it to the attacker-controlled website, as was demonstrated at the Black Hat online conference this month.

What sort of data could be captured in such an attack? A substantial amount of sensitive data is contained in PDF files. PDF files are used extensively for reports, statements, logs, e-tickets, receipts, boarding passes, and much more. PDF files may contain passport numbers, driver’s license numbers, bank account information, and a range of other sensitive data. The presenters at the conference explained they found some of the largest libraries of PDF files worldwide were sensitive to XXS attacks.

In the most part, the vulnerabilities in PDF files that allow XXS attacks are not due to the PDF files themselves, but improper coding. If PDF libraries fail to properly parse code of escape characters and allow unprotected formats, they will be vulnerable. Fortunately, Adobe released an update on December 9 which prevents this type of security vulnerability from being exploited, although companies that create PDF files must update their software and apply the update to be protected.

This is just one way that malicious attachments can be used to obtain sensitive information. As previously mentioned, malicious macros are commonly added to office documents, executable files are added as attachments to emails and masquerade as legitimate files, and malicious code can be injected into a range of different file types.

One of the best ways to protect against attacks via email using malicious attachments is to use an advanced email security solution that can detect not just known malware but also never-before-seen malicious code. This is an area where SpamTitan Email Security excels.

SpamTitan incorporates dual anti-virus engines (Bitdefender/ClamAV) to catch known malware threats and sandboxing to identify malicious code that has been added to email attachments. Files are subjected to in-depth analysis in the security of the sandbox and are checked for any malicious actions.

To find out more about protecting your organization from malicious emails and malware, give the TitanHQ team a call.

500,000 Record Healthcare Data Breach Highlights Risk of Phishing Attacks

The healthcare industry in the United States has long been targeted by cybercriminals seeking access to sensitive patient data. Patient data is a valuable commodity, as it can be used for a multitude of fraudulent purposes including identity theft, tax fraud, insurance fraud, and blackmail and understandably has a high black market value.

Some of the largest healthcare data breaches ever reported have started with a phishing attack, including the 78.8 million-record data breach at the health insurer Anthem Inc. and the cyberattack on Premera Blue Cross, another U.S. health insurer, which affected around 11 million individuals, both of which were reported in 2015.

While healthcare data breaches on the scale of Anthem’s have been avoided since, large phishing-related breaches are still occurring. The latest phishing-related data breach to be reported by a U.S. health insurer resulted in the exposure of the health records of almost 500,000 Aetna health plan members.

The phishing attack saw the attackers gain access to the email system of a business associate of Aetna. EyeMed manages vision benefits services for the health insurer and has several other healthcare clients. The compromised account contained highly sensitive information such as names, addresses, dates of birth, and full or partial Social Security numbers – information that is extremely valuable to phishers and identity thieves. In total, the records of 484,157 Aetna members were potentially compromised, along with the data of 60,000 members of Tufts Health Plan, and around 1,000 members of Blue Cross Blue Shield of Tennessee. While it was not the largest healthcare data breach of 2020, it does rank in the top 10 healthcare data breaches of the year.

Unfortunately, healthcare industry phishing attacks involving the exposure and/or theft of more than 100,000 patient records are far from unusual. There have been more than a dozen such breaches reported by healthcare organizations and their business associates in 2020, and several dozen smaller phishing attacks.

The healthcare industry is extensively targeted and is vulnerable to phishing attacks. Unfortunately, all it takes is for one employee to respond to a phishing email for their account to be compromised. Emails often contain personal and protected health information and can be downloaded by the attackers, and the compromised account can be used to send further phishing emails to other employees in the organization. In addition to gaining access to multiple email accounts, phishing can give attackers the foothold they need for a more extensive compromise, as was the case with the Anthem and Premera data breaches.

According to a report released by the Healthcare Information and Management Systems Society (HIMSS), its survey of healthcare cybersecurity professionals revealed 57% had experienced a successful phishing attack in the past year.

Securing the email system can be a challenge in healthcare and preventing phishing attacks is a constant struggle. Unfortunately, while there are excellent email security solutions available that will ensure the vast majority of phishing emails are blocked, it is not possible to deploy a single solution and prevent all phishing attacks from succeeding. What is required is a layered approach to phishing defenses. With multiple layers of protection, if one layer fails to block a threat, others will help to ensure the threat is blocked.

At the heart of phishing defenses should be an advanced machine-learning/AI-based anti-phishing solution such as SpamTitan. SpamTitan itself provides multiple layers of protection to block known phishing threats, while the machine-learning components identify new phishing threats that have yet to be seen. SpamTitan also incorporates multiple measures to identify and block email impersonation attacks, has a data loss protection feature, and anti-malware capabilities that block both known and zero-day malware threats.

A web filter is an often-overlooked anti-phishing measure. Web filters target the web-based component of phishing attacks and provide time-of-click protection to stop employees from visiting phishing websites via links in malicious emails.

As Microsoft pointed out in a summer blog post this year, multi-factor authentication is a must.  Multi-factor authentication kicks in when credentials are obtained in phishing attacks and stops those credentials from being used to access email accounts. MFA can block more than 99.9% of attacks using compromised credentials.

End user training should also not be neglected. Conditioning employees how to recognize phishing emails and respond appropriately is essential, not just for cybersecurity but also HIPAA compliance.

These measures can be the difference between a successfully thwarted attack and a costly data breach, and the cost of implementing these solutions is cheaper than many people think. To find out more, give the TitanHQ team a call.

Emotet Botnet Springs Back to Life and Delivers TrickBot Christmas Present

After a 2-month break, the Emotet botnet is back up and running and has been observed conducting a phishing email campaign that is delivering between 100,000 and 50,0000 messages to inboxes a day.

Emotet first appeared in 2014 and started life as a banking Trojan; however, over the years the malware has evolved. While Emotet remains a banking Trojan, it is now best known as a malware downloader that is used to deliver a range of secondary payloads. The malware payloads it delivers also act as malware downloaders, so infection with Emotet often results in multiple malware infections, with ransomware often delivered as the final payload.

Once Emotet is installed on an endpoint it is added to the Emotet botnet and is used for spam and phishing campaigns. Emotet sends copies of itself via email to the user’s contacts along with other self-propagation mechanisms to infect other computers on the network. Emotet can be difficult to eradicate from the network. Once one computer is cleaned, it is often reinfected by other infected computers on the network.

Emotet often goes dormant for several weeks or even months, but even with long gaps in activity, Emotet is still the biggest malware threat. Emotet went dormant around February 2020, with activity resuming five months later in July. Activity continued until late October when activity stopped once again until Tuesday this week when it returned in time for Christmas. In 2020, Emotet has been observed delivering TrickBot and other payloads such as Qakbot and ZLoader.

During the periods of inactivity, the threat actors behind the malware are not necessarily inactive, they just stop their distribution campaigns. During the breaks they update their malware and returned with a new and improved version that is more effective at evading defenses.

The latest campaign uses similar tactics to past campaigns to maximize the probability of end users opening a malicious Office document. The phishing emails are usually personalized to make them appear more authentic, with Emotet using hijacked message threats with malicious content inserted. Since the emails appear to be responses to past conversations between colleagues and contacts, there is a greater chance that the recipient will open the email attachment or click a malicious hyperlink.

This campaign favors password-protected files, with the password to open the file supplied in the message body of the email. Since email security solutions cannot open these files, it is more likely that they will be delivered to inboxes. The malicious documents delivered in this campaign contain malicious macros. If the macros are enabled – which the user is told is necessary to view the content of the document – Emotet will be downloaded, after which the TrickBot Trojan will be delivered, usually followed by a ransomware variant such as Ryuk.

Previous campaigns have not displayed any additional content when the macros are enabled; however, this campaign displays an error message after the macros have been enabled instructing the user that Word experienced an error opening the file. This is likely to make the user believe the Word document has been corrupted. A variety of themes are used for the emails, with the latest campaign using holiday season and COVID-19 related lures.

An analysis by Cofense identified several changes in the latest campaign, including switching the malware binary from an executable (.exe) file to a Dynamic Link Library (.dll) file, which is executed using rundll32.exe. The command-and-control infrastructure has been changed and now uses binary data rather than plain text, both of which make the malware harder to detect.

Businesses need to be particularly vigilant and should act quickly if infections are detected and should take steps to ensure their networks are protected with anti-virus software, security policies, spam filters, and web filters.

Alarming Findings from Phishing Simulations on Remote Workers

The COVID-19 pandemic has forced businesses to reassess working practices and adapt to a new way of working, where employees no longer come to the office and instead work remotely. With COVID-19 vaccines on the way, businesses will soon be able to return to “a normal workplace.” However, many employees have got used to working from home and enjoy not having to commute and businesses have already put the effort into making sure their workforce can work effectively from home. Many businesses also report that there have been benefits, such as increases in productivity.

Once the pandemic is over it is likely that the normal workplace will be different from how it was before the pandemic. Many businesses have already stated they will adopt a hybrid workplace model, where employees can spend at least some of the week working remotely.

One of the problems with remote working is how to ensure that threats are dealt with effectively. Throughout the pandemic, cybercriminals and nation state hackers have targeted remote workers who are seen as an easy way to gain access to sensitive data and business networks. One of the ways that this is achieved is through phishing attacks.

One recent study, conducted by the security awareness training firm Terranova Security, explored how remote workers performed at detecting phishing emails and compared the results to phishing simulations conducted before the pandemic.

The company hosted a global ‘Gone Phishing Tournament’ with participants from 98 countries taking part over 11 days in October. Simulated phishing emails were sent to employees that mirrored real world phishing scenarios and responses were tracked, including clicks on suspicious links and any information entered into the webpages that users were directed to.

An analysis of the results revealed a significant year-over-year increase in click rates, which in a real-world scenario would mean that their credentials would have been stolen or they would have downloaded malware onto their computers.

20% of respondents quickly clicked phishing links in emails, compared to 11% before the pandemic. Worryingly, 67% of those who clicked revealed their login credentials on the fake phishing web pages compared to just 2% before the pandemic.

Naturally, the findings show just how important it is to provide ongoing security awareness training to the workforce to condition employees to check for the signs of phishing emails and teach them how to spot scams. They also highlight just how important it is to have an effective anti-spam solution that prevents the vast majority of phishing and scam emails from reaching inboxes where they can easily be clicked without thinking.

TitanHQ can’t help your business train your workforce how to recognize phishing emails and become more security conscious. That requires a commitment to training and phishing simulation exercises. TitanHQ can however help by ensuring phishing emails are not delivered to inboxes where they can attract a click.

TitanHQ developed SpamTitan to protect businesses from phishing and malware attacks via email, even sophisticated email-based attacks. SpamTitan incorporates many layers of protection such as blacklists of known spammers, message header analysis, content analysis, threat intelligence feeds, DMARC and SPF, and a machine learning system that can detect zero-day phishing attacks. Malware protection is provided by dual antivirus engines and sandboxing to identify never-before seen malware threats.

These and other protection mechanisms ensure that 99.97% of threats are detected and blocked, which helps reduce reliance on security awareness training and employees identifying phishing emails.

SpamTitan is an ideal solution for small- to medium-sized businesses and managed service providers serving the SMB market. Contact TitanHQ today to find out more about the solution, how cost-effective SpamTitan is, and how easy the solution is to implement, use, and maintain. Also be sure to check out the customer reviews on Capterra, GetApp and Software Advice, Google Reviews, Expert Insights, and G2 Crowd, where the solution consistently achieves high scores and, in many cases, is the top-rated email security solution.

Fake COVID-19 Financial Aid and Remote Working HR Memos Used in New Phishing Campaigns

Phishers are constantly changing their tactics to fool employees into clicking on links and disclosing their credentials. During the pandemic, many scammers switched from their tried and tested campaigns using standard business-themed lures such as fake invoices, purchase orders, and shipping notices to COVID-19 themed lures. These lures were topical and took advantage of people craving information about the coronavirus and COVID-19.

Phishers Use Fake Internal Memos About Changes to HR Work from Home Policies

Now a new phishing campaign has emerged that takes advantage of the changed business practices due to COVID-19. Many employees are still working remotely, even though their employers have started reopening their offices. During the pandemic, employees have got used to receiving regular internal company memos and updates.

The new phishing campaign spoofs the company’s HR department and appears to be an automated internal company email, similar to the messages employees are used to receiving. The emails claim to have voicemail attachments, which will also be familiar to many remote workers. The HTML attachments are personalized with the recipient’s name to add credibility to the message.

If the file attachment is opened, the user will be presented with a link they are required to click to receive the company information. In one campaign, this was a SharePoint link, although other cloud services could similarly be used. The link directs the user to SharePoint and provides an update on the company’s remote working policy. After reading the message, the worker is required to click a link that directs them to the actual phishing page where sensitive information is collected.

This campaign is very realistic. The fake remote working policy is well written and plausible and states that if employees wish to continue working from home after the pandemic, they are required to complete an HR form to provide notice in writing. The SharePoint-hosted Excel form where the user is directed is also plausible, but in addition to the request to continue to work from home, the user is required to supply their email credentials.

Phishing Campaign Offers Government Financial Aid to COVID-Affected Workers

A separate phishing campaign has been identified that is also linked to the pandemic, spoofing government agencies and offering pandemic-related financial assistance for individuals prevented from working due to COVID-19 restrictions or have otherwise been adversely affected. This campaign has targeted U.S. citizens, although similar campaigns could be conducted targeting individuals in other countries.

In this campaign, which has the subject message “US government to give citizens emergency financial aid,” the message states that the government begun issuing payments of cash compensation in October 2020. The message states that payment is only provided to USA residents and the maximum payout is $5,800.

A link is supplied in the email that the user is required to click to make a claim, which the email states will be reviewed by a support representative who will send a personal response within 24 hours. The link directs the user to a domain that spoofs the U.S. government. The user is required to enter their name and date of birth, followed by their address, contact information, Social Security number, and driver’s license number on a second form.

Phishing is the Most Common Type of Cybercrime

A recent Clario/Demos survey confirmed that phishing and email attacks are the most common types of cybercrime reported in both the United States and the United Kingdom.

The pandemic has made it easier for phishing attacks to succeed. Phishers are taking advantage of the uncertainty about changes to new ways of working caused by the pandemic, people working home alone without such a high level of support, and vulnerabilities that have been introduced as a result of the change to a fully remote workforce.

Businesses can better protect their employees by using cloud-based email and web filtering solutions. These solutions work in tandem to block the email and web-based component of phishing attacks and malware distribution campaigns. A cloud-based email filtering solution will filter out the majority of malicious messages and will keep inboxes free of threats. A web filter will prevent end users from visiting malicious links, downloading malicious attachments, or visiting malicious websites either through work-related or non-work-related Internet activity when working from the office or remotely.

TitanHQ has developed two easy to use, easy to implement, and highly effective email and web security solutions for protecting office-based and remote workers from the full range of web and email threats, including previously seen phishing emails and zero-minute attacks and new malware threats.

To better protect your business, your employees, and your networks from threats, give the TitanHQ team a call today to find out more. You will also have the opportunity to trial the SpamTitan Email Security and WebTitan Web Security solutions to see for yourself how easy they are to use and the protection they offer. You are also likely to be pleasantly surprised by how little this level of protection will cost.

Emotet Trojan Dominates Malware Threat Landscape

Banking Trojans have long posed a threat to businesses, but one in particular has stood head and shoulders above the rest in 2020: The Emotet Trojan.

Emotet: The Biggest Malware Threat in 2020

The Emotet Trojan first appeared in 2014 and was initially a banking Trojan, which was used to steal sensitive data such as bank account information from browsers when the user logs into their bank account. The Emotet Trojan has since been developed and it has now evolved into a much bigger threat.

Emotet is now far more effective at spreading to other devices, using a worm like element to infect other devices on the network as well as hijacking the user’s email account and using it to send copies of itself to victims’ contacts. Infected devices are added to the Emotet botnet, and have been used in attacks on other organizations. The operators of Emotet have now joined forces with other cybercriminal operations and are using their malware to deliver other Trojans such as TrickBot and QakBot, which in turn are used to deliver ransomware.

Data from HP Inc. revealed Emotet infections increased by 1,200% from Q2 to Q3, showing the extent to which activity has increased recently. Data from Check point show Emotet is the biggest malware threat, accounting for 12% of all infections in October 2020. TrickBot, which is delivered by Emotet, is the second biggest threat, accounting for 4% of infections.

Emotet and TrickBot are Driving the Increase in Ransomware Infections

The Emotet and TrickBot Trojans are driving the increase in ransomware infections globally, especially attacks on healthcare organizations. The healthcare industry in the United States is being targeted by ransomware gangs due to the increased chance of the ransom being paid. In many cases, the recent ransomware attacks have been made possible due to previous Emotet an TrickBot infections.

Unfortunately, due to the efficient way that Emotet spreads, removing the malware can be problematic. It is probable that more than one device has been infected, and when the Trojan is removed from one device, it is often reinfected by other infected devices on the network.

Emotet is primarily spread via phishing emails, most commonly using malicious macros in Word documents and Excel spreadsheets, although JavaScript attachments are also known to be used. The lures used in the phishing emails are highly varied, often using topical lures linked to recent news events, COVID-19, and holiday season lures in the run up to Halloween, Black Friday, and Cyber Monday.

The best way of preventing attacks is stopping the Emotet emails from reaching inboxes and making sure that employees are trained how to recognize phishing emails.

How SpamTitan Can Protect Your Organization

SpamTitan use a wide range of different techniques to identify phishing emails that are used to deliver malware such as Emotet. These measures provide layered protection, so should one check fail to identify the threat, several others are in place to provide protection.

SpamTitan uses dual antivirus engines to identify previously seen malware variants and sandboxing to identify new (zero day) malware threats. Suspicious email attachments are sent to the sandbox where they are subjected to in depth analysis to identify malicious actions such as command and control center callbacks.

Users can set controls to quarantine or reject messages with certain types of email attachments, and while blocking Word and Excel documents and spreadsheets is not practical for most businesses, setting rules to quarantine these files for manual review if they have macros is certainly wise, as is blocking JavaScript files and other file types commonly used to install malware.

SpamTitan uses Sender Policy Framework (SPF) and DMARC to block spoofing and email impersonation attacks, which are used to convince employees to open attachments and click malicious links. SpamTitan also includes outbound scanning, which detects devices that have potentially been infected and prevents messages from spreading Emotet internally and to business contacts.

There are many cybersecurity solutions that can provide protection against malware, but finding one that is easy to use, effective, and reasonably priced can be a challenge.

SpamTitan ticks all of those boxes. It is the most and best ranked email security solution on Capterra, GetApp and Software Advice, has achieved a rating of 4.9 out of 5 on Google reviews, and is listed in the top three in the email security gateway, MSP email security, and email security for Office 365 categories.

If you want to protect your organization from Emotet and other malware and phishing attacks, give the TitanHQ team a call to find out more about SpamTitan Email Security.

Many Healthcare Organizations Lack the Right Solutions to Block Phishing Attacks

The threat of phishing is ever present, especially for the healthcare industry which is often targeted by phishers due to the high value of healthcare data and compromised email accounts. Phishing attacks are having a major impact on healthcare providers in the United States, which are reporting record numbers of successful phishing attacks. The industry is also plagued by ransomware attacks, with many of the attacks having their roots in a successful phishing attack. One that delivers a ransomware downloader such as the Emotet and TrickBot Trojans, for example.

A recent survey conducted by HIMSS on U.S. healthcare cybersecurity professionals has confirmed the extent to which phishing attacks are succeeding. The survey, which was conducted between March and September 2020, revealed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of incidents.

One interesting fact to emerge from the survey is the lack of appropriate protections against phishing and other email attacks. While it is reassuring that 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely concerning that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity incidents.

Then there is multi-factor authentication. Multifactor authentication will do nothing to stop phishing emails from being delivered, but it is highly effective at preventing stolen credentials from being used to remotely access email accounts.  Microsoft suggested in a Summer 2020 blog post that multifactor authentication will stop 99.9% of attempts to use stolen credential to access accounts, yet multifactor authentication had only been implemented by 64% of healthcare organizations.

That does represent a considerable improvement from 2015 when the survey was last conducted, when just 37% had implemented MFA, but it shows there is still considerable for improvement, especially in an industry that suffers more than its fair share of phishing attacks.

In the data breach reports that are required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare organizations in the U.S are required to comply with, it is common for breached organizations to state they are implementing MFA after experiencing a breach, when MFA could have prevented that costly breach from occurring in the first place. The HIMSS survey revealed 75% of organizations augment security after suffering a cyberattack.

These cyberattacks not only take up valuable resources and disrupt busines operations, but they can also have a negative impact on patient care. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business operations, and 20% said they resulted in monetary losses. 61% of respondents said the attacks had an impact on non-emergency clinical care and 28% said the attacks had disrupted emergency care, with 17% saying they had resulted in patient harm. The latter figure could be underestimated, as many organizations do not have the mechanisms in place to determine whether patient safety has been affected.

The volume of phishing attacks that are succeeding cannot be attributed to a single factor, but what is clear is there needs to be greater investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be top of the list – One that can block phishing emails and malware attacks. Training on cybersecurity must be provided to employees for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also an essential anti-phishing measure.

One area of phishing protection that is often overlooked is a web filter. A web filter blocks the web-based component of phishing attacks, preventing employees from accessing webpages hosting phishing forms. With the sophisticated nature of today’s phishing attacks, and the realistic fake login pages used to capture credentials, this anti-phishing measure is also important.

Many hospitals and physician practices have limited budgets for cybersecurity, so it is important to not only implement effective anti-phishing and anti-malware solutions, but to get effective solutions at a reasonable price. That is an area where TitanHQ excels.

TitanHQ can provide cost-effective cloud-based anti-phishing and anti-malware solutions to protect against the email- and web-based components of cyberattacks and both of these solutions are provided at a very reasonable cost, with flexible payment options.

Further, these solutions have been designed to be easy to use and require no technical skill to set up and maintain. The ease of use, effectiveness, and low price are part of the reason why the solutions are ranked so highly by users, achieving the best rankings on Capterra, GetApp and Software Advice.

If you want to improve your defenses against phishing, prevent costly cyberattacks and data breaches, and the potential regulatory fines that can follow, give the TitanHQ team today and inquire about SpamTitan Email Security and WebTitan Web Security.

COVID-19 Has Created the Perfect Environment for Black Friday Scams

Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.

Surge in Phishing Attacks in the Run Up to Black Friday

The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.

Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.

Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more busines to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.

Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns involved the use of CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.

With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.

How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats

This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.

The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.

SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to trick cybercriminals into thinking they have reached their target, and SPF, DKIM, and DMARC to detect and block email impersonation attacks.

WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.

If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.

Phishing Scam Spoofs IRS to Obtain Fraudulent Outstanding Tax Payment

A phishing campaign has been identified that spoofs the U.S. Internal Revenue Service (IRS) and advises recipients that they are facing imminent legal action to recover outstanding tax.

The emails are convincing and well written and are final demands for payment to prevent legal action to recover the outstanding funds. The emails warn the recipient that the IRS has made several attempts to make contact by telephone after no response was received to a written demand for payment that the emails claim was mailed 18 months previously in May 2019. The failure to respond has led to the IRS taking legal action, with charges due to be filed imminently to recover the outstanding tax.

In contrast to many scams that seek login credentials or attempt to get the user to open file attachments to trigger a malware download, this scam uses social engineering techniques to scare the recipient into making contact via email to resolve the fictitious issue. The purpose of the scam is to get the recipient to make a fraudulent payment or disclose their financial account information.

The lack of any hyperlinks or email attachments makes it more likely that the email will be delivered to inboxes and will not be identified as malicious by security solutions. Fortunately, SpamTitan users will be protected from this scam as multiple checks are performed which identify the scam for what it is.

The message body contains all the classic hallmarks of a phishing scam:

  • There is urgency to get prompt action taken – Immediate resolution of the issue is necessary
  • There is a threat of negative consequences if no action is taken – Legal action to recover funds
  • The request is plausible, but an atypical request is made – to only make contact via email

The emails include a case file number, detail the outstanding amount – $1450.61 in this case – and include a docket number and warrant ID for the impending legal action. The recipient is told that legal action will proceed in 4 days if payment is not made, and that the opportunity for voluntary action to rectify the issue is coming to an end.

In addition to the threat of legal action and a court case, the recipient is informed that credit reference bureaus may also be notified about the late/missed payment, which would negatively impact their credit score.

The emails have the subject line “Re: Re: Case ID#ON/7722 / WARRANT FOR YOUR ARREST,” indicating this is not the first time that the message has been sent, helping to emphasize that this is a final warning.

Steps have been taken to make the email appear official, with the display text of the sender address indicating the message has been sent from support @ irs.gov – the legitimate domain used by the IRS. However, the reply to email address supplied is legal.cc @ outlook.com – Which is clearly not an official IRS domain and the message headers show that the email was not sent from the domain stated.

The email does include a postal address; however, no telephone number is supplied. Full contact information would be provided in official IRS communications, although the IRS would not initiate contact with individuals via email.

The phishing emails highlight the importance of stopping to think about what is being requested and to take time to check emails carefully before responding, no matter how pressing the threat may be. Any request for payment should be verified by phone, with contact information obtained from a trusted source, never the contact details supplied in the email. A call to the IRS would quickly reveal this to be a scam.

The reason these scams succeed is because they rely on individuals responding quickly without thinking. Fortunately, an effective spam filter will detect these scam emails and will quarantine or reject the messages.

Election Interference-Themed Phishing Emails Identified Distributing the QBot Trojan

Cybercriminals have taken advantage of the uncertainty over the U.S. presidential election result over the past few days and are using exploiting fear about voting fraud to infect users with malware. With so many postal votes being sent this year, which take much longer to count than in-person votes, there was always going to be a delay in determining the outcome of the presidential election. In such a close election a winner may not be declared for some time, certainly several days after election day, and possibly weeks given the likelihood of several legal challenges and recounts.

Spam campaigns exploiting the situation started to be sent soon after the polls had closed distributing the QBot banking Trojan. When a device is infected with the QBot Trojan, the user’s email account is hijacked and used to send copies of the malware to the user’s contacts. To increase the probability of emails being opened by the recipients, previous email threads are hijacked, and a response is sent with a malicious attachment containing a macro that downloads the malware.

In this campaign, a search is performed for emails containing the word “election” and replies are sent to the senders of those messages. A zip file is attached to the emails named “ElectionInterference,” with the zip file containing a malicious spreadsheet.

The messages encourage the recipient to open the attached spreadsheet to discover important information about interference in the election. With President Trump suggesting in press conferences that there is substantial evidence of election fraud, these messages may seem very credible and enticing to recipients.

The spreadsheet mimics a secure DocuSign file and the user is instructed to enable content to decrypt the file and view the contents; however, doing so will allow macros to run which will silently download the Qbot Trojan.

The QBot Trojan was first identified in 2008; however, it has received many updates over the years to add new functions and mechanisms to evade security solutions. The ability to hijack Outlook email threads is a fairly new feature. The same tactic is also used by the Emotet Trojan to increase the probability of messages and their malicious attachments being opened. The tactic has proven very effective for the operators of Emotet.

In addition to targeting customers of major financial institutions, the QBot Trojan steals sensitive information such as credit card information and passwords. Like Emotet and the TrickBot Trojan, QBot is also a malware dropper. The operators of QBot team up with other threat groups and deliver their malicious payloads, with ransomware often delivered to QBot victims.

Threat actors are quick to seize any opportunity to infect devices with malware, as was seen in the early days of the COVID-19 pandemic when threat groups switched their spamming infrastructure to send COVID-19 themed lures. Election-themed emails are likely to continue for some time with legal challenges to the result expected. Holiday season is also fast approaching, and like previous years, threat actors will send Black Friday, Cyber Monday, and other holiday period themed phishing lures to steal credentials and distribute malware.

Businesses can protect against these phishing and malspam campaigns using a combination of a spam filter, web filter, antivirus software, and end user training.

Combating Healthcare Phishing Attacks: Tips for Healthcare Organizations

The healthcare industry is one of the main targets for hackers, and while ransomware attacks have increased considerably in recent months and vulnerabilities in VPNs, RDP, and software solutions are frequently exploited, healthcare phishing attacks are far more common.

Phishing attacks on healthcare organizations allow threat actors to steal credentials to gain access to email accounts and other systems and steal highly sensitive data. Phishing emails are also used to deliver malware loaders such as the Emotet Trojan, which delivers other malware payloads such as the TrickBot banking Trojan, which in turn delivers ransomware.

Most cyberattacks start with a phishing email, so it is essential for healthcare organizations to ensure they implement safeguards to block these attacks and by doing so, prevent costly data breaches and regulatory fines.

The HHS’ Office for Civil Rights has imposed substantial fines on HIPAA-covered entities for data breaches that have started with a phishing email, including the two largest ever HIPAA fines issued to date – the $16 million financial penalty for Anthem Inc. for its 78.8 million-record data breach and the $6,850,000 penalty for Premera Blue Cross for its breach of the protected health information 10,466,692 individuals.

Tips to Prevent Healthcare Phishing Attacks…

Unfortunately, as far as phishing goes, there is no silver bullet. No single solution will provide total protection against healthcare phishing attacks. What is required is layered defenses – technical solutions providing overlapping layers of security – and adherence to tried and tested cybersecurity best practices. Some of the most important anti-phishing measures you can implemented to stop healthcare phishing attacks are detailed below:

Implement an Advanced Spam Filter

A spam filter is one of the most important technical controls to block phishing attacks and prevent malicious emails from reaching the inboxes of your employees. Advanced spam filters use a combination of blacklists of known malicious IPs, email header and content scanning, link analysis, anti-virus scans, sandboxing, SPF, DKIM, and DMARC to detect and block email impersonation attacks, and AI and machine learning to identify zero-day phishing attacks.

You should implement an advanced spam filter and set rules to filter out all suspicious emails and reject malicious messages. Outbound scanning is also important to detect compromised email accounts that are being used to conduct further phishing attacks on your organization and vendors.

Use a Web Filter to Block the Web-Based Component of Phishing Attacks

Email filters are effective, but not infallible. New tactics, techniques, and procedures are commonly developed by threat actors to fool email security solutions. You may be able to block all malware and 99.9% or more of all malicious messages, but some messages are likely to sneak past your defenses.

A web filter provided additional protection by preventing your employees from visiting known malicious URLs that have been masked in phishing emails. Web filters block the web-based component of phishing attacks and malware downloads from the internet and work in tandem with spam filters to improve your security posture and block healthcare phishing attacks.

Implement Multi-Factor Authentication

A SANS Institute report suggests multi-factor authentication will block 99% of attempts by threat actors to use stolen credentials to remotely access email accounts, while Microsoft says MFA will stop more than 99.9% of email account attacks, yet many admins have not implemented multi-factor authentication. A recent survey by CoreView researchers suggests 78% of Microsoft 365 admins have not enabled MFA on their M365 accounts.

In the event of credentials being stolen – in a phishing attack or using brute force tactics – MFA should prevent those credentials from being used to remotely access your accounts.

Provide Regular Security Awareness Training

Technical measures are important for preventing healthcare phishing attacks but don’t forget the human element. Employees need to be trained how to recognize phishing emails and taught the correct response when a suspicious email is received. Security awareness training should also cover cybersecurity best practices.

To create a “security aware” culture in your organization, you need to provide regular security awareness training sessions, including an annual training session for all staff and more frequent shorter sessions or online CBT sessions throughout the year, making sure you keep the workforce aware of the latest threats. Not only will training help to prevent healthcare phishing attacks from succeeding, it is also a requirement for HIPAA compliance.

Conduct Phishing Simulation Exercises

Training is important, but so is testing. If you do not test your employees’ security knowledge, you will not know whether your training has been successful. There will always be employees that require more training than others, and through testing you will be able to identify the individuals that need more help.

Phishing simulation exercises are the best way to achieve this. You can find weak links in your workforce as well as your training program and ensure they are addressed.

Take Care with the Information You Make Available Online

In order to conduct a targeted phishing attacks on your organization, an attacker needs to know your email addresses. This information can often easily be found online in organizational charts and staff directories. Limiting the information you publish online will make it harder for email addresses to be harvested and used in attacks on your organization.

How to Reduce the Severity of Successful Healthcare Phishing Attacks

Healthcare phishing attacks are extremely common and often result in the exposure or theft of large amounts of protected health information. The Office for Civil Rights breach portal lists many email security breaches that have exposed the personal and health information of tens of thousands and even hundreds of thousands of patients and health plan members.

When conducting a risk analysis, consider what would happen in the event of a breach and take steps to reduce the severity of a breach should your defenses be penetrated. It is a good best practice to implement an email archiving solution to send all emails to a secure, cloud archive to ensure that no email data is lost and to implement policies requiring emails containing PHI to be deleted from your mail system. In the event of a breach, the PHI exposed will be greatly reduced and so too will the breach costs.

By using an email archive, you will still be able to remain compliant and retain al email data, but you will be able to significantly reduce risk while improving the performance of your mail server.

Ryuk Ransomware Attacks on Hospitals Spike with Many Fearing the Worst is Yet to Come

The cybercriminal organization behind Ryuk ransomware – believed to be an eastern European hacking group known as Wizard Spider – has stepped up attacks on hospitals and health systems in the United States. This week has seen a wave of attacks on hospitals from the Californian coast to the eastern seaboard, with 6 Ryuk ransomware attacks on hospitals reported in a single day.

Ryuk ransomware causes widespread file encryption across entire networks, crippling systems and preventing clinicians from accessing patient data. Even when the attacks are detected quickly, systems must be shut down to prevent the spread of the ransomware. While hospitals have disaster protocols for exactly this kind of scenario and patient data can be recorded using pen and paper, the disruption caused is considerable. Non-essential surgeries and appointments often need to be cancelled and, in some cases, hospitals have been forced to divert patients to alternative medical facilities.

It is unclear if any ransomware attacks on U.S. hospitals have resulted in fatalities, but there was recently a fatality in an attack in Germany, where a patient was rerouted to a different hospital and died before lifesaving treatment could be provided. Had the ransomware attack not occurred, treatment could have been provided in time to save the patient’s life. The attacks in the United States also have the potential to result in loss of life, especially in such as large-scale, coordinated campaign.

Earlier in the week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) issued an advisory after credible evidence emerged indicating Ryuk ransomware attacks on U.S. hospitals and healthcare providers were about to increase.

It is unclear why the attacks have increased now and the exact motives behind the current campaign, but recently Microsoft and U.S. Cyber Command, in conjunction with several cybersecurity firms, disrupted the TrickBot botnet – A network of devices infected with the TrickBot Trojan. The TrickBot Trojan is operated by a different cybercriminal group to Ryuk, but it was extensively used to deliver Ryuk ransomware. The botnet is back up and running, with the threat actors switching to alternative infrastructure, but there have been suggestions that this could be a response to the takedown.

The Ryuk ransomware attacks on hospitals come at a time when healthcare providers are battling the coronavirus pandemic. In the United States the number of new cases is higher than at any time since the start of the pandemic. Hospitals cannot afford to have systems taken out of action and patient care disrupted. The timing of the attacks is such that hospitals may feel there is little alternative other than paying the ransom to ensure that disruption is kept to a minimum. Ransomware gangs are known to time their attacks to cause maximum disruption.

Ryuk ransomware attacks on hospitals have been steadily increasing in the United States prior to the latest spike. Figures released by Check Point Research in the past few days show ransomware attacks on hospitals increased 71% from September, with healthcare the most targeted industry sector, not only in October, but also Q3, 2020. Ryuk ransomware attacks account for 75% of all ransomware attacks on hospitals in the United States.

There is concern that the latest attacks will be just the tip of the iceberg. Some security experts suggest the gang is looking to target hundreds of hospitals and health systems in the United States in this campaign. Each attack on a health system could see several hospitals affected. The attack this week on the University of Vermont Health Network impacted 7 hospitals.

Defending against ransomware attacks can be a challenge, as multiple methods are used to gain access to healthcare networks. Ryuk ransomware is commonly delivered by the TrickBot Trojan, which is delivered as a secondary payload by the Emotet Trojan. The Buer loader and BazarLoader are also being used to deliver Ryuk ransomware. These malware downloaders are delivered via phishing emails so a good spam filter is therefore important.

Employees should be made aware of the increased threat of attack and advised to exercise extra caution with emails. Software updates need to be applied promptly and all systems kept fully patched and up to date. Default passwords should be changed, and complex passwords used, with multi-factor authentication implemented where possible. If it is not necessary for systems to be connected to the Internet, they should be disconnected, and RDP should be disabled where possible.

It is also essential for regular backups of critical data to be made and for those backups to be stored securely on non-networked devices to ensure that in the event of an attack hospitals have the option to recover their data without having to pay the ransom.

Further information on indicators of compromise and other mitigations are available in the CISA Ryuk ransomware advisory.

New Windows Update Lure Used in Phishing Campaign Distributing the Emotet Trojan

The Emotet Trojan is one of the main malware threats currently used to attack businesses. The Trojan is primarily distributed using spam emails, using a variety of lures to convince users to install the Trojan.

The spam emails are generated by the Emotet botnet – an army of zombie devices infected with the Emotet Trojan. The Trojan hijacks the victim’s email account and uses it to send copies of itself to the victim’s business contacts using the email addresses in victims’ address books.

Emotet emails tend to have a business theme, since it is business users that are targeted by the Emotet actors. Campaigns often use tried and tested phishing lures such as fake invoices, purchase orders, shipping notices, and resumes, with the messages often containing limited text and an email attachments that the recipient is required to open to view further information.

Word documents are often used – although not exclusively – with malicious macros which install the Emotet Trojan on the victim’s device. In order for the macros to run, the user is required to ‘Enable Content’ when they open the email attachment.

Users are instructed in the documents to enable content using a variety of tricks, oftentimes the documents state that the Word document has been created on an IoS or mobile device, and content needs to be enabled to allow the content to  be viewed or that the contents of the document have been protected and will not be displayed unless content is enabled.

Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining a Windows update needed to be installed to upgrade apps on the device, which were preventing Microsoft Word from displaying the document contents. Users were instructed to Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.

The Emotet Trojan does not simply add devices to a botnet and use them to conduct further phishing attacks. One of the main uses of Emotet is to download other malware variants onto infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.

The TrickBot Trojan was initially a banking Trojan that first appeared in 2016, but the modular malware has been regularly updated over the past few year to add a host of new functions. TrickBot still acts as a banking Trojan, but is also a stealthy information stealer and malware downloader, as is QBot malware.

As with Emotet, once the operators of these Trojans have achieved their aims, they deliver a secondary malware payload. TrickBot has been used extensively to deliver Ryuk ransomware, one of the biggest ransomware threats currently in use. QBot has teamed up with another threat group and delivers Conti ransomware. From a single phishing email, a victim could therefore receive Emotet, TrickBot/QBot, and then suffer a ransomware attack.

It is therefore essential for businesses to implement an effective spam filtering solution to block the initial malicious emails at source and prevent them from being delivered to their employee’s inboxes. It is also important to provide security awareness training to employees to help them identify malicious messages such as phishing emails in case a threat is not blocked and reaches employees’ inboxes.

Organizations that rely on the default anti-spam defenses that are provided with Office 365 licenses should consider implementing an additional spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.

To find out more about the full features of SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, give the SpamTitan team a call today.

A product demonstration can be arranged, your questions will be answered, and assistance will be provided to help set you up for a free trial to evaluate the solution in your own environment.

Phishing Campaigns Targeting Users of Teleconferencing Platforms

Teleconferencing applications have been invaluable during the coronavirus pandemic. They have helped businesses continue to operate during extremely challenging times and have helped support a largely remote workforce.

Platforms such as Zoom, Skype, and Microsoft Teams saw user numbers skyrocket as national lockdowns were imposed and the high usage has continued as lockdowns have eased. The popularity of these platforms has not been missed by cybercriminals, who have devised many phishing campaigns targeting users of these platforms.

The platforms are used as instant messaging services by many workers who are keen to show that they are working hard while at home, so when a message arrives in an inbox informing them they have people trying to connect, they have missed a meeting, or there is a problem with their account, they are likely to reply quickly, often without thinking about the legitimacy of the request.

At first glance these emails appear to be genuine. The request is credible, the images and logos are legitimate, but closer inspection should reveal the messages are not what they seems.

Microsoft Teams Phishing Scams

One of the latest phishing campaigns to spoof a teleconferencing platform targets Office 365 users by spoofing Microsoft Teams. The messages advise the recipient that “There’s new activity in Teams,” and “Your teammates are trying to reach you in Microsoft Teams.” The email claims messages are waiting, and it is necessary to “Reply in Teams” to connect.

Clicking the link will direct the user to a web page that requires them to login to their Microsoft account. Everything on the page is how it should be, as the spoofed login page has been copied from Microsoft. However, close inspection of the URL will reveal a typo. The URL starts with microsftteams to make the web page appear genuine at first glance, but the full URL shows this is not a Microsoft domain. If the user enters their credentials they will be captured and used by the scammers to access the user’s account.

This is far from the only phishing scam to target Microsoft Teams users to obtain Microsoft Office credentials. Several Microsoft Teams phishing scams have attempted to obtain credentials using missed messages from teammates and other plausible lures.

Microsoft Office credentials are extremely valuable to scammers. Accounts can be used to gain access to email data, send further phishing emails, access intellectual property, and can be used as a launchpad for further attacks on the organization. The credentials can also be sold to other cybercriminals.

Similar scams have targeted users of other platforms such as Skype and Zoom. Users of the latter were targeted in one campaign that claimed a meeting was cancelled due to the pandemic, using subject lines such as “Meeting Canceled – Could we do a Zoom call.” A link is included in the email to initiate a call, with the destination site similarly harvesting credentials.

How to Avoid Teleconferencing Platform Phishing Scams

As with other forms of phishing scams, employees need to be vigilant. The emails create a sense of urgency and there is often a “threat” of bad consequences if no action is taken, but it is important to stop and think before responding to a message and to take time to check the email carefully.

You should not open any email attachments or click links in unsolicited emails, especially messages sent from unknown email addresses. Even if the email address appears genuine, take care. Access the teleconferencing platform using your normal login method, never using the links in the emails.

Businesses can protect their remote workers by implementing an advanced spam filtering solution such as SpamTitan to block these emails at source and ensure they are not delivered to their remote workers’ inboxes. A web filtering solution such as WebTitan is also advisable, as it will block attempts to visit malicious websites used to phish for credentials.

For further information on spam filtering and web filtering to protect your business, give the TitanHQ team a call today. Both solutions are available on a free trial – with full product support – to allow you to evaluate their effectiveness before making a decision.

TrickBot Phishing Campaigns Disrupted by Infrastructure Takedown

The TrickBot Trojan, one of the biggest malware threats to appear in recent years, has had its backend infrastructure taken down by a coalition of tech firms.

TrickBot started life in 2016 as a banking Trojan used to target Windows devices but the malware has received many updates over the years and has had many new modules added to give it a much wider range of capabilities. TrickBot targets hundreds of different banks and also steals credentials and Bitcoin wallets. In recent years, the operators have teamed up with several different criminal organizations and have used the Trojan to deliver keyloggers, cryptominers, information stealers and ransomware variants such as Ryuk and Conti. TrickBot can now perform a huge range of malicious actions via many different plugins and in January and February 2020 was targeting more than 600 websites via a webinject module, most of which being financial institutions.

The Trojan achieves persistence on infected devices and adds them to a botnet, which has grown into one of the largest in operation. The operators of the Trojan are also known to use the EternalBlue exploit to move around infected networks and spread the Trojan to other devices on the network. This can make removal of the Trojan difficult, as once it is removed from a device, other infected devices on the network simply reinfect it when it is reconnected.

TrickBot is primarily spread via phishing emails via malicious macros, but other malware-as-a-service operations also deliver TrickBot, such as Emotet. TrickBot typically used lures aimed at business users, such as shipment receipts, receipt reminders, required declarations, delivery notifications, and other logistics themes using Word and Excel attachments and Java Network Launch Protocol (.jnlp) attachments, as well as malicious hyperlinks embedded in emails. In 2020, a large-scale campaign was conducted using coronavirus and COVID-19 themed lures, one of which spoofed humanitarian groups and claimed to offer free COVID-19 tests.

Those emails were sent by a diverse range of compromised email accounts and marketing platforms, with the threat group also using domains with their own mail servers to distribute the malware. There has been growing concern that the botnet could also be used in campaigns to disrupt the upcoming November 3, 2020 U.S. presidential election.

TrickBot is stealthy and uses a variety of mechanisms to evade detection by security solutions, including password protected zip files, delayed downloads of the Trojan when macros are run, heavily obfuscated loaders, encryption of configuration files, and a complex command and control infrastructure. The latter has now been untangled and its backend infrastructure has been taken down.

Several tech firms including Microsoft, ESET, Black Lotus Labs, and NTT have been working together for months to try to disrupt the TrickBot operation. More than 125,000 samples of the TrickBot Trojan were analyzed along with over 40,000 configuration files used by various TrickBot modules. After several months of painstaking work, the command and control servers used by the botnet were identified and its network infrastructure was mapped. Armed with the IP addresses, Microsoft obtained a court order and seized control of the infrastructure of servers used to distribute and communicate with the malware and its various modules. The IP addresses associated with the malware have now been disabled.

When the takedown occurred, more than 1 million devices had been infected with the malware and were part of its botnet.  The takedown is great news, as one more malware threat – and a major one at that – has been taken out of action, at least temporarily. Efforts are now underway by ISPs to contact victims to ensure the Trojan is removed from their systems.

UK Businesses Targeted in HMRC Phishing Scam

Businesses in the United Kingdom are being targeted by scammers impersonating Her Majesty’s Revenue and Customs. There have been several campaigns identified over the past weeks that are taking advantage of the measures put in place by the UK government to help businesses through the COVID-19 pandemic and the forced lockdowns that have prevented businesses from operating or have forced them to massively scale back operations.

The HMRC scams have been numerous and diverse, targeting businesses, the self-employed, furloughed workers and others via email, telephone, and SMS messages. Some of the scams involve threats of arrest and jail time due to the underpayment of tax, demanding payment over the phone to avoid court action or arrest.

One scam targeted clients of Nucleus Financial Services and used a genuine communication from the firm as a template. The genuine email appears to have been obtained from a third-party hacked email account. The email advised recipients that they were due a tax refund from HMRC. A link is supplied in the email that the recipient is required to click to receive their refund. In order to apply to receive the refund the user must enter sensitive information into the website, which is captured by the scammers.

Another campaign has been identified that spoofs HMRC and similarly seeks sensitive information such as bank account and email credentials. In response to the COVID-19 pandemic, the UK government launched a scheme to help businesses by allowing them to defer their VAT payments between March and June 2020, until June 2021 to help ease the financial burden of the nationwide lockdown. Many businesses took advantage of the scheme and applied to have their Value Added Tax (VAT) payments deferred.

The campaign uses emails that spoof HMRC and inform businesses that their application to have their VAT payments deferred has been rejected as the company is in arrears. The emails include an attachment with further information and a report on their application. The document is password protected and the password is supplied in the email to allow the file to be opened.

A hyperlink is supplied which must be clicked which directs the user to a website where they are asked to enter sensitive information such as their bank account details and email address and password, which are captured by the scammers.

COVID-19 has presented scammers with a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls, and text messages are credible, the messages are well written, and the scammers have gone to lengths to make their phishing websites look like the entities they spoof.

Businesses should be on high alert and be particularly vigilant for phishing scams. They should advise their employees to take extra care with any request that requires the disclosure of sensitive information.

Technical controls should also be considered to block phishing emails at source and prevent visits to malicious websites. That is an area where TitanHQ can help. TitanHQ offers two anti-phishing solutions for businesses and MSPs to help them block phishing attacks: SpamTitan and WebTitan.

SpamTitan is a powerful email security solution that blocks phishing emails at source, preventing malicious messages from reaching inboxes. WebTitan is a DNS filtering solution that is used to control the websites that can be accessed over wired and wireless networks, blocking access to web pages that are used for phishing and malware delivery.

Both solutions are available on a free trial to allow you to evaluate their effectiveness before deciding on a purchase. Further information on the solutions, their benefits, and pricing can be obtained by calling the TitanHQ team.

Security Awareness Training Company Spoofed in Novel Phishing Campaign

Phishers are constantly devising new ways to trick employees into divulging their credentials. Realistic emails are sent using a variety of ruses to get employees to click on a malicious link, which often aims to obtain Microsoft Office 365 credentials. Office 365 accounts often contain a range of sensitive data, which can be stolen and used for many nefarious purposes.

Recently, a new campaign has been identified targeting businesses that attempts to obtain Microsoft Outlook credentials. The campaign spoofs KnowBe4, a company specializing in security awareness training for employees – Training that helps businesses teach their employees how to recognize a phishing email.

The emails alert the recipient about the impending expiration of a security awareness training module. The recipient is told they only have 24 hours remaining to complete the training. Three links are supplied in the email that appear, at face value, to link to the genuine KnowBe4 website; however, they direct the user to a phishing page on a compromised website where Outlook credentials and personal information are harvested, via a realistic login page for the Outlook Web App.

Instructions are provided for accessing the training outside of the network, with the user instructed to enter their username and password before clicking the sign in button. Doing so, it is claimed, will direct the user to the training module. While the site to which the phishing email links is convincing, the tell-tale sign that this is a scam is the domain. Several different URLs on multiple sites have been used in this campaign, all of which are unrelated to the security awareness training provider. However, busy employees may fail to check the URL before disclosing their credentials.

It is an interesting tactic to spoof a cybersecurity company dedicated to phishing prevention; one that may fool employees into believing the email is genuine.  Any company can be spoofed in a phishing campaign. Just because the company offers services to combat phishing does not mean that the email should not be subjected to the usual checks to verify its validity, which is something that should be emphasized in employee security awareness training sessions.

According to Cofense, which analyzed the websites, the compromised sites have recently hosted a web shell that allowed the attackers to upload and edit files. The websites had been compromised since at least April 2020, unbeknown to the site owners. The phishing kit used in this campaign has been loaded onto at least 30 different websites since the campaign commenced in mid-April.

Employees receive hundreds of emails each week and identifying every phishing email can be a difficult task, especially when many phishing emails are realistic and are very similar to genuine emails that employees receive every day. Security awareness training is important, but it is also essential to implement an advanced spam filtering solution that is capable of blocking virtually all (in excess of 99.9%) malicious emails.

With an advanced spam filtering solution in place – such as SpamTitan – these emails can be blocked at source and will not be delivered to end users’ inboxes, negating the threat.

Webinar Sept 22, 2020 – How to Ensure Business Continuity with Email Archiving for your Remote Workforce

Businesses had to suddenly adapt to a new way of working in 2020 due to COVID-19 and the countrywide lockdowns. In order to keep businesses running, many switched to remote working and allowed their employees to work from home. Even though employees are being encouraged to work from the office once again, many businesses have accepted that remote working, at least to some extent, is now here to stay.

When employees work remotely they are able to stay connected via email, instant messaging tools, and videoconferencing solutions. Many employers have even found that their employees have been more productive working from home. However, while employees are collaborating and connecting in new ways, remote working is not without its risks and many businesses are concerned about how they can protect their data and ensuring compliance in the new, remote working environment.

On Tuesday, September 22, 2020, TitanHQ is hosting a webinar to discuss the threat landscape with respect to remote working and will explain how you can ensure your email archiving and security are fit for purpose to maintain access to data for business and email continuity.

During the webinar TitanHQ experts James Clayton and Derek Higgins will cover the following topics:

  • The Current 2020 Technology Landscape
  • Security & Compliance in a time of Global Remote Working
  • Increase in Companies Relying Solely on Office 365
  • Protecting Business Critical Data
  • The Importance of Continuity in the Era of Remote Working

Attendees will also be introduced to the TitanHQ cloud email archiving solution, ArcTitan, including a live demo of the solution.

Webinar Information

Title:       How to Ensure Business Continuity with Email Archiving for your Remote Workforce

Date:     Tuesday, September 22, 2020

Time: 

  • London/Dublin: 5:00 pm (GMT +1)
  • USA:      12:00 pm ET; 9:00 am PT

Hosts:    

  • James Clayton, ArcTitan Product Specialist
  • Derek Higgins, Engineering Manager, TitanHQ

Click Here to Register for the Webinar

Departmental Benefits of Email Archiving

An email archive is important for compliance, but there are also several departmental benefits of email archiving. The improvements in efficiency as a result of implementing an email archiving solution can deliver cost savings and ease the burden on your workforce, with the benefits felt by al employees in your organization.

Most businesses choose to implement an email archiving solution to ensure emails can be found and quickly produced in the event of HR issues, customer disputes, legal actions, and to comply with federal, state, and industry regulations.

An email archive acts as a black box flight recorder for email. All emails that need to be retained are sent to the archive for long term storage. In the event of a compliance audit or eDiscovery request, the archive can be quickly searched, and important emails can be found and exported in minutes. An email archive is also important for disaster recovery, allowing business-critical emails to be recovered in the event of corruption, deletion or a cyberattack.

Businesses that implement an email archiving solution often discover there are many other benefits that come from the secure archiving of emails in a dedicated repository, separate from the mail server.

Email Archiving Benefits for the IT Department

Some of the biggest benefits are enjoyed by the IT department. Storing the millions of emails that are sent and received by the organization, along with their attachments, can consume a lot of expensive storage space. Email archiving solutions deduplicate emails before they are sent to the archive and will only store one copy of a message. The removal of duplicates and compression of data greatly reduces storage space resulting in significant cost savings.

The IT support team will undoubtedly receive many requests from employees to recover important emails that have been misfiled or accidentally deleted.  Many email archiving solutions can be configured to allow employees to access their own archives. When an email is lost, or is accidentally deleted, the employee can search their own archive for the missing email without bothering the IT department. The same is true for HR investigations, which will no longer need to involve the IT department to such a large degree.

By sending emails to the archive, they do not need to be stored locally in PST files or on the mail server. PST files are a security risk and are a management headache that can be avoided. An email archive saves considerable maintenance time and freeing up space on the mail server improves performance. In the event of disaster, such as hardware failure or a cyberattack, emails can be quickly and easily restored from the archive, saving the IT department considerable time which can be put to much better use.

Benefits of Email Archiving for the HR and Legal Departments

When there are employee disputes, email investigations need to be conducted. That involves the HR department contacting the IT department to get them to find the emails that have been sent or received by a particular employee. HR departments will not have to wait for a busy IT department to respond and can simply search for the emails they need in the archive.

An archive will help to ensure compliance and if an eDiscovery request is received, rather than taking hours or days to compile all the necessary email data, the eDiscovery process is a quick and easy. An email archive ensures there is an immutable record of emails, which is essential in any legal actions. The legal department can be 100% sure that emails will not have been accidentally deleted, and since a full audit trail is maintained, access attempts can easily be identified along with any attempted changes to email content. Email archiving can save hours of time, which can be put to more productive uses.

Benefits for All Employees

A study conducted by Adobe found that employees spend a huge amount of their time on email. In 2019, a typical employee spent around 5 hours a day checking their email accounts. Emails are often misplaced or are accidentally deleted, resulting in productivity losses. Being able to access their own archives means employees will never lose an email, as a quick search can easily be performed on the archive.

Employees can prove that they sent or did not receive an email, access to emails is much faster, inboxes are easier to clear, and searches are more efficient.

ArcTitan Cloud – Secure Email Archiving with Lightning Fast Searches

ArcTitan Cloud is a 100% cloud-based, secure email archiving service from TitanHQ. ArcTitan is fully compliant with HIPAA, SOX, GDPR, Federal Rules of Civil Procedure and other key regulations that have data retention requirements.

ArcTitan stores a copy of every message that is sent and received by your organization (subject to user-defined policies). The archive is self-maintaining and self-healing, which ensures a reliable service with minimal or no disruption during an outage. The archive is stored securely on Replicated Persistent Storage on AWS S3, and the archive is automatically backed up to prevent data loss. All data are encrypted at rest and in transit, with strong authentication controls to prevent unauthorized access.

A set and forget solution, ArcTitan ensures that emails will never be lost again. When you need to perform a search and find emails, searching is lightning fast. A search of 30 million messages takes less than a second.

If you are not currently archiving your emails, take advantage of the 30-day free trial of ArcTitan to find out more about how the solution can help your business. If you are already archiving and are unhappy with your current provider, give the TitanHQ team a call to find how much you can save by switching provider and the additional benefits that ArcTitan offers.

5 Ways to Quickly Identify a Phishing Email

Even though there are easy ways to identify a phishing email, many employees are fooled by these scams. Phishing attacks involve the use of social engineering to convince the target to take a certain action, such as opening an email attachment that has a malicious script that downloads malware or visiting a website that requires sensitive information to be entered. These scams can be convincing, the reason supplied for taking a particular action is often credible, and any linked website can be difficult to distinguish from the site it impersonates.

Phishing campaigns can be conducted cheaply, little skill is required, phishing can be very profitable, and the attacks often succeed. It is no surprise that more than two thirds of data breaches start with a phishing email, according to the Verizon Data Breach Investigations Report.

How to Identify a Phishing Email

Phishing emails can take many forms and there is a myriad of lures that are used to fool the unwary, but there are tell-tale signs that an email may not be what it seems. By checking certain elements of an email, you will be able to identify all but the most sophisticated phishing attempts. It only takes a few seconds to perform these checks and that time will be well spent as they will help you identify a phishing email and prevent costly data breaches and malware infections.

Check the true sender of the email

This seems an obvious check but spoofing the sender of an email is one of the most common ways that phishers fool people into responding. The display name is spoofed to make it appear that the email has been sent from a trusted contact. The display name may be PayPal, Netflix, the name of your bank, or your boss or a colleague. However, the actual email address is likely to be from a free email service provider such as @gmail.com or @yahoo.co.uk.

Hover your mouse arrow over the display name or click reply and check the actual sender of the email. The domain name (the bit after @) should match the display name and that domain should be one that is used by the company that appears to have sent you the email. Beware of hyphenated domains such as support-netflix.com. These are unlikely to be genuine.

Check for grammatical errors and spelling mistakes

Read the email carefully. Are there spelling mistakes or grammatical errors? Does the wording seem odd, as if it has not been written by a native English speaker? Scammers are often from non-English speaking countries and may use Google translate to create their emails, which is why the wording may seem a little odd.

Before Google, Netflix, or your bank sends an email, it will be subject to proof checking. Mistakes will be made on occasion by they are exceedingly rare. Some phishing scams deliberately include spelling mistakes and poorly written emails to weed out people who are unlikely to fall for the next stage of the scam. If you fall for the email, it is likely that you can be fooled by the next stage of the attack.

Phishing emails are often addressed in a way that makes it clear that the sender does not know your name.  “Dear customer” for example. Most companies will use your name in genuine email communications.

Phishers use urgency and a “threat” if no action is taken

Phishers want you to take action quickly rather than stop and think about the legitimacy of any request. It is common for a request to be made that needs immediate action to prevent something undesirable from happening.

For example, someone has tried to login to your account and you need to take immediate action to secure your account. Something has happened that will result in your account being closed. A payment has been made from your account for something that you have not purchased, and you need to take action to stop that payment from going through. Phishers use fear, urgency, and threats to get prompt action taken and count on people acting quickly without thinking or carefully checking the email. Spending an extra 30 seconds checking an email will not make any difference to the outcome, but it can prevent you from being fooled by a scam.

Check the true destination of any link in the email

Most phishing attacks seek sensitive information such as login credentials. For these to be obtained, you will most likely be directed to a website where you must enter login credentials, financial information, and personal details to verify your identity. Emails are often written in HTML and include a button to click that directs you to a website.

You should check the true URL before clicking. Hover your mouse arrow over any button to find out where you are being directed and make sure the URL matches the context of the message and uses an official domain name of the company referenced in the email. The same applies to the anchor text of a link – the text that is displayed in a clickable link. Make sure you perform the same check on any link before clicking.

On a mobile device this is even more important, as the small screen size means it is not always possible to display the full URL. The visible part of the URL may look like it is genuine, but when viewing the full URL you will see that it is not. Just press on the URL and keep pressing until the link is displayed.

Beware of email attachments

Email attachments are used in phishing scams for distributing malware and for hiding content from spam filters. Hyperlinks are put in an attachment rather than the message body to fool security solutions, and scripts are used in email attachments that may run automatically when the attachment is opened.

If you are sent an unsolicited email that includes an attachment, treat it as suspicious and try to verify the email is legitimate. If the email has been sent by a colleague, give them a quick call to make sure they actually sent the email, even if the sender check was passed. Someone may have compromised their account. Do not use any contact information supplied in the email, as it is likely to be incorrect.

Only open email attachments that you are confident are genuine, and then never “enable content” as this will grant a macro or other malicious script permission to run.

Anti-Phishing Solutions for Businesses

TitanHQ has developed two powerful anti-phishing solutions to help businesses block phishing and other email and web-based cyberattacks. SpamTitan is an advanced email security solution that has been independently verified as blocking 99.97% of spam and phishing emails and is used by thousands of businesses to keep their inboxes free of threats.

SpamTitan performs a myriad of checks to determine the likelihood of an email being malicious, including RBL checks, Bayesian analysis, heuristics, machine learning techniques to identify zero-day threats, and sender policy frameworks to block email impersonation attacks. Dual antivirus engines are used to detect known malware and sandboxing is used to analyze suspicious email attachments safely to check for malicious actions.

WebTitan is a DNS filtering solution that blocks the web-based component of phishing attacks by preventing employees visiting known malicious websites, suspicious sites. WebTitan also blocks malware downloads.

Both solutions are competitively priced, easy to implement and use, and provide protection against the full range of email and web-based threats. For further information on improving protection from phishing attacks and other cyber threats, give the TitanHQ team a call. Alternatively, you can register for a no obligation free trial of both solutions to evaluate them in your own environment.

Phishing Protection Measures Every Business Should Have in Place

Phishing is a cybersecurity threat that businesses of all sizes are likely to face and one that requires multiple phishing protection measures to prevent. Phishing is the term given to fraudulent attempts to obtain sensitive information such as login credentials to email accounts or employee/customer information. Phishing can take place over the telephone (vishing), via text message (SMiShing), or through social media networks and websites, but the most common phishing attacks take place over email.

When phishing occurs over email, an attack usually consists of two elements. A lure – a reason given in the email that encourages the user to take a particular action – and a web-based component, where sensitive information is collected.

For instance, an email is sent telling the recipient that there has been a security breach that requires immediate action. A link is supplied in the email that directs the recipient to a website where they are required to login and verify their identity.  The website is spoofed to make it look like the site it is impersonating and when information is entered it is captured by the attacker.

Phishing protection measures should be deployed to block both of these components. First, you need a solution that stops the phishing attack at source and prevents phishing emails from being delivered to inboxes. You should also have security measures in place to prevent information from being handed over to the attackers at the web stage of the attack. As an additional protection, in case both of those measures fail, you need to prevent stolen credentials from being used to gain access to the account.

Four Essential Phishing Protection Measures

Phishing protection measures should consist of four elements: a spam filter, a web filter, end user training, and multi-factor authentication – often referred to as layered phishing defenses. If one layer should fail, others are in place to make sure the attack does not succeed.

Spam filtering

A spam filter is your first line of defense and one that will block the vast majority of email threats. An advanced spam filter will block in excess of 99.9% of spam, phishing, and malware-laced emails. Spam filters incorporate several layers of protection. They use blacklists of known spammers – domains, email accounts, and IP addresses that have previously been used for spamming, phishing, and other nefarious activities. Checks are performed on the message headers and the message body is subjected to multiple checks to identify malicious URLs and keywords commonly used in spam and phishing emails. Each message is given a score, and if that score is higher than a pre-defined threshold, the message will be either deleted or quarantined. Spam filters also incorporate antivirus engines that check messages for malicious attachments.

Web filtering

Cybercriminals are constantly changing tactics and developing new methods to obfuscate their phishing attempts to bypass spam filters. Spam filters are updated to block these new attacks, but there will be a lag and some messages will slip through the net on occasion. This is where a web filter kicks into action. A web filter will check a website against several blacklists and will assess the content of the website in real-time. If the website is deemed to be malicious, the user will not be permitted to connect, instead they will be directed to a local block page.  Web filters also have AV software to prevent malware being downloaded and can be used to control the types of content users can access – blocking pornography for instance, or social media networks, gaming sites and other productivity drains.

End user training

Technical anti-phishing measures are important, but they will not block all attacks. It is therefore essential to provide end user training to help employees identify phishing and other malicious emails. A once-a-year formal training session should be conducted, with ongoing, regular shorter training sessions throughout the year to raise awareness of new threats and to reinforce the annual training. Phishing simulations should also be conducted to test whether training has been effective and to ensure that any knowledge gaps are identified and addressed.

Multi-factor authentication

If credentials are stolen in a phishing attack, or are otherwise obtained by a cybercriminal, multi-factor authentication can prevent those credentials from being used. In addition to a password, a second factor must be provided before account access is granted. This could be a token, code, or one-time password, with the latter usually sent to a mobile phone. While multi-factor authentication will block the majority of attempts by unauthorized individuals to access accounts, it is not infallible and should not be considered as a replacement for the other protections. Multi-factor authentication will also not stop malware infections.

Phishing Protection Solutions from TitanHQ

TitanHQ has developed two powerful cybersecurity solutions to help you protect against phishing and malware attacks: SpamTitan email security and the WebTitan web filter. Both of these solutions have multiple deployment options and are easy to implement, configure, and use. The solutions are consistently rated highly by end users for the level of protection provided, ease of deployment, ease of use, and for the excellent customer support if you ever have any problems or questions.

On top of that, pricing is totally transparent with no hidden extras, and the solutions are very competitively priced. Both are available on a free trial to allow you to test them in your own environment before committing to a purchase.

A Lesson Learned from a Recent Phishing Attack on a Security Awareness Training Organization

Businesses are constantly targeted by cybercriminals and phishing one of the easiest ways that they can gain a foothold in corporate networks. An email is sent to an employee with a lure to entice them to click an embedded hyperlink and visit a website. When they arrive on the site, they are presented with a login prompt and must enter their credentials. The login prompt is indistinguishable from the real thing, but the domain on which the login prompt appears is controlled by the attacker. Any information entered on the website is captured.

End user training will go a long way to keeping your business protected against phishing attacks. Phishers target people using a variety of “social engineering” tactics to get them to take a specific action, which could be visiting a website and downloading malware, giving up their login credentials, or sending a wire transfer to the criminal’s bank account. By conditioning employees to perform checks and to stop and think before taking any action suggested in an email, you will greatly improve resilience to phishing attacks.

Many employees will say that they can identify a phishing email and will never be fooled, but the number of successful phishing attacks that are occurring every day suggests there are gaps in knowledge and even the most tech-savvy individuals can be fooled.

To illustrate this point, consider the SANS Institute. If you have never heard of the SANS Institute, it is one of the world’s leading computer and information security training and certification organizations, including anti-phishing training.

In August 2020, the SANS Institute announced that one of its employees had fallen for a phishing scam and disclosed their login credentials. The attacker used those credentials to access the account and set up a mail forwarder that sent a copy of every email to the attacker’s email account. 513 emails, some of which contained sensitive information on SANS members, were forwarded to the account before the attack was detected. The emails contained the personally identifiable information of 28,000 SANS members. The SANS Institute decided to use this attack as a training tool and will be providing details of how it succeeded to help others prevent similar attacks.

This incident shows that even the most highly trained individuals can fall for a phishing email. Had training not been provided, instead of one compromised email account there could have been many.

Phishers are constantly changing tactics and developing new scams to fool people and technological anti-phishing solutions. The key to phishing attack prevention is to implement a range of defenses to block attacks. Any one of those measures may fail to detect a phishing email on occasion, but others will be in place to provide protection. This defense-in depth approach is essential given the sophistication of phishing attacks and the volume of messages now being sent.

In addition to regular end user training and phishing simulation emails to harden the human element of your defenses, you need an advanced spam filter. If you use Office 365 you will already have a basic level of protection provided through Microsoft’s basic spam filter, Exchange Online Protection (EOP), but this should be augmented with a third-party solution such as SpamTitan to block more threats. EOP blocks spam, known malware, and many phishing emails, but SpamTitan will greatly improve protection against more sophisticated phishing attacks and zero-day malware.

You should also consider implementing a web filter to block the web-based component of phishing attacks. When an employee attempts to visit a malicious website that is used to steal credentials and other sensitive information, a web filter can prevent that website from being accessed.

With a spam filter, web filter, and end user training, you will be well protected, but you should also implement 2-factor authentication. If credentials are stolen, 2-factor authentication can prevent those credentials from being used by the attacker to gain access to the account.

For more information on spam filtering, web filtering, and phishing protection, give the TitanHQ team a call. Our team of experienced engineers will be happy to help you set up SpamTitan email security and the WebTitan web filter on a free trial so you can see for yourself how effective both are at blocking phishing attacks and other cybersecurity threats.

Warning for Small Businesses About SBA Loan Phishing Scams

Several SBA loan phishing scams identified in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login credentials for fraudulent purposes.

Due to the hardships suffered by businesses due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is offering loans and grants to small businesses to help them weather the storm.

Hundreds of millions of dollars has been made available by the U.S government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and companies during the pandemic. Cybercriminals have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and distribute malware and ransomware.

Several phishing campaigns have been launched since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.

Phishing emails have been sent encouraging small businesses to apply for a loan. One such campaign confirms that the business is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the scammers to apply for a loan on behalf of the business and pocket the funds.

Another scam impersonates the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been received. The emails include an attached form that must be completed and uploaded to the SBA website. The email attachment appears to be a .img file but has a hidden double extension and is actually a .exe executable. Double clicking and running the file will see GuLoader malware installed, which is a downloader that can deliver a range of different malicious payloads.

The same email address used for that campaign was used in a different attack that included a PDF form that requested bank account information and other sensitive data, which needed to be completed and uploaded to a spoofed SBA website.

In the past few days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch, and state, local, tribal, and territorial government agencies. The phishing scam relates to an SBA application for a loan with the subject line “SBA Application – Review and Proceed.” The emails links to a cleverly spoofed SBA web page that indistinguishable from the genuine login page apart from the URL that attempts to steal credentials. The scam prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency alert warning of the scam.

These SBA loan phishing scams use a variety of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.

First and foremost, you should have an advanced spam filtering solution in place such as SpamTitan. SpamTitan checks email headers and message content for the signs of spam, phishing and scams and uses DMARC and sender policy framework (SPF) to identify and block email impersonation attacks.

Dual antivirus engines detect 100% of known malware and sandboxing is used to subject attachments to deep analysis to identify malicious code and malware that has not been seen before. Machine learning technology is also used to identify new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.

Prior to opening any downloaded document or file it should be scanned using antivirus software that has up to date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.

Care should be taken opening any email or email attachment, even emails that are expected. Steps should be taken to verify the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests bank account and other highly sensitive information.

Emails and websites may look legitimate and have SBA logos, but that does not guarantee they are genuine. Always carefully check the sender of the email – Genuine SBA accounts end with sba.gov. The display name can easily be spoofed so click reply and carefully check the email address is correct. Care should be taken when visiting any website linked in an email. Check the full URL of any website to make sure it is the legitimate domain.

CISA also recommends monitoring users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such as WebTitan. WebTitan allows businesses to monitor Internet activity in real-time, send automatic alerts, block downloads of certain file types, and carefully control the types of website that can be accessed by employees.

For more information on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call today.

Increase in Netwalker Ransomware Attacks Prompts FBI Warning

Over the past few months, cyberattacks involving Netwalker ransomware have been steadily increasing and Netwalker has now become one of the biggest ransomware threats of 2020.

Netwalker ransomware is the new name for a ransomware variant called Mailto, which first appeared a year ago in August 2019. The threat actors behind the ransomware rebranded their malware as Netwalker in late 2019 and in 2020 started advertising for affiliates to distribute the ransomware under the ransomware-as-a-service model. In contrast to many RaaS offerings, the threat group is being particularly choosy about who they recruit to distribute the ransomware and has been attempting to build a select group of affiliates with the ability to conduct network attacks on enterprises that have the means to pay large ransoms and the data to warrant such large payments if attacked.

Netwalker ransomware was used in an attack in February on Toll Group, an Australian logistics and transportation company, which caused widespread disruption although the firm claims not to have paid the ransom. Like several other ransomware gangs, the Netwalker gang took advantage of the COVID-19 pandemic and was using COVID-19 lures in phishing emails to spread the ransomware payload via a malicious email attachment, opting for a Visual Basic Scripting (.vbs) loader attachments.

Then followed attacks on Michigan State University and Columbia College of Chicago, with the frequency of attacks increasing in June. The University of California San Francisco, which was conducting research into COVID-19, was attacked and had little choice other than to pay the $1.14 million ransom demand to regain access to essential research data that was encrypted in the attack. More recently Lorien Health Services, a Maryland operator of assisted living facilities, also had files encrypted by the Netwalker gang.

The recent attacks have seen the attack vector change, suggesting the attacks have been the work of affiliates and the recruitment campaign has worked. Recent attacks have seen a range of techniques used in attacks, including brute force attacks on RDP servers, exploitation of vulnerabilities in unpatched VPN systems such as Pulse Secure VPNs that have not had the patch applied to correct the CVE-2019-11510 vulnerability. Attacks have also been performed exploiting user interface components of web apps, such as the Telerik UI vulnerability CVE-2019-18935, in addition to vulnerabilities in Oracle WebLogic and Apache Tomcat servers.

With the ransoms paid so far, the group is now far better funded and appears to have skilled affiliates working at distributing the ransomware. Netwalker has now become one of the biggest ransomware threats and has joined the ranks of Ryuk and Sodinokibi. Like those threat groups, data is stolen prior to file encryption and threats are issued to publish or sell the data if the ransom is not paid.

The increase in activity and skill of the group at gaining access to enterprise networks prompted the FBI to issue a flash alert warning of the risk of attack in late July. The group appears to be targeting government organizations, educational institutions, healthcare providers and entities involved in COVID-19 research, and the attacks are showing no sign of slowing, in fact they are more than likely to increase.

Defending against the attacks requires a defense in depth approach and adoption of good cyber hygiene. An advanced spam filtering solution should be used to block email attacks, end users should be taught how to recognize malicious emails and shown what to do if a suspicious email is received. Vulnerabilities in software are being exploited so prompt patching is essential. All devices should be running the latest software versions.

Antivirus and anti-malware software should be used on all devices and kept up to date, and policies requiring strong passwords to be implemented should be enforced to prevent brute force tactics from succeeding. Patched VPNs should be used for remote access, two-factor authentication should be implemented, web filters used for secure browsing of the internet, and backups should be performed regularly. Backups should be stored on a non-networked device that is not accessible over the internet to ensure they too are not encrypted in an attack.

Watch Out for This New Netflix Phishing Scam!

Any popular platform is an attractive target for phishers, and with more than 167 million subscribers worldwide, the Netflix streaming service certainly falls into that category. While Netflix may not seem a key target for phishers, a successful attack could give scammers access to credit card and banking information.

Netflix phishing scams are common, so it is not unusual to see yet another scam launched, but one of the latest uses a novel tactic to evade security solutions. By incorporating a CAPTCHA challenge, it is harder for security solutions to access the phishing websites and identify their malicious nature.

This Netflix phishing scam starts with an email like many other Netflix scams that precede it. The emails appear to have been sent from the Netflix customer support team and advise the recipient there has been a problem with billing for the latest monthly payment. As a result, the subscription will be suspended in the next 24 hours.

The Netflix user is provided with a link to click and they are told they need to update their information on file. The emails also include a link to unsubscribe and manage communication preferences, although they do not work.

As with most phishing scams there is urgency and a threat. Update your information within 24 hours or you will lose access to the service. Clicking the link will direct the user to a fully functioning CAPTCHA page, where they are required to go through the standard CAPTCHA checks to verify they are not a bot. If the CAPTCHA challenge is passed, the user will be directed to a hijacked domain where they are presented with the standard Netflix sign-in page.

They must sign-in, then they are asked to enter their billing address, along with their full name and date of birth, followed by a second page where they are asked for their card number, expiry date, CVV code, and optional fields for their bank sort code, account number, and bank name. If the information is entered, they are told that they have correctly verified their information and they will be redirected to the real Netflix page, most likely unaware that they have given highly sensitive information to the scammers.

There have been many Netflix phishing emails intercepted over the past few months claiming accounts have been put on hold due to problems with payments. The emails are convincing and very closely resemble the emails sent out regularly by Netflix to service subscribers. The emails feature the Netflix logo, correct color schemes, and direct the recipients to very realistic looking login pages.

What all of these emails have in common is they link to a domain other than Netflix.com. If you receive an email from Netflix, especially one that contains some sort of warning or threat, login to the site by typing the correct domain into the address bar and always make sure you are on the correct website before entering any sensitive information.

Phishing Warning Issued to Sports Industry Following Spate of Attacks

Football is big business and large quantities of money are often transferred electronically between clubs to bring in new players. If scammers were to insert themselves into the communications between clubs, huge payments could easily be diverted. In 2018, the Italian football club Lazio was targeted with a phishing scam that resulted in a payment of €2 million being sent to an account under the control of scammers. The money was never recovered.

Now it appears that the sports industry is being targeted again. Recently, a similar scam was conducted on a Premier League football club in England. The hackers gained access to the email account of the managing director of the club through a phishing campaign after directing the MD to a domain where Office credentials were harvested. Those credentials were then used to access the MD’s email account, and the scammers inserted themselves into and email conversation with another club looking to purchase a player. Fortunately, the scam was detected by the bank and a £1 million fraudulent payment was blocked.

This type of scam starts with a phishing email but is referred to as a Business Email Compromise (BEC) scam. BEC scams are commonplace and often successful. They range from simple scams to complicated multi-email communications between two parties, whether one party believes they are communicating with the genuine email account holder when they are actually communicating with the scammer. When the time comes to make payment, the scammer supplies their own account credentials. All too often, these scams are not detected until after payment is made.

That is far from the only cyberattack on the sports industry in recent weeks and months. There have been several attempted cyberattacks which prompted to the UK’s National Cyber Security Center (NCSC) to issue a warning advising the UK sports sector to be on high alert.

Prior to lockdown, a football club in the UK was hit with a ransomware attack that encrypted essential systems, including the computer systems that controlled the turnstiles, preventing them from working. A game nearly had to be abandoned due to the attack. The ransomware attack is suspected to have also started with a phishing email.

The recent attacks are not limited to football clubs. NCSC data show that 70% of sports institutions in the United Kingdom have suffered a cyberattack in the past 12 months.

NCSC figures show approximately 30% of incidents resulted in financial losses, with the average loss being £10,000, although one organization lost £4 million in a scam. 40% of the attacks involved the use of malware, which is often delivered via spam email. A quarter of attacks involved ransomware.

While malware and ransomware attacks are costly and disruptive, the biggest cause of losses is BEC attacks. Figures from the FBI show these scams accounted for around half of all losses to cybercrime in 2019. $1.77 billion was lost to BEC attacks in 2019, with an average loss of $75,000 (£63,333). The true figure is likely to be even higher, as not all BEC attacks are reported. The FBI anticipates even greater losses this year.

While there are many different attack methods, email remains the most common vector used in cyberattacks on businesses. It is therefore essential to implement a robust email security solution that can block malicious emails and prevent them from being delivered to inboxes.

TitanHQ has developed a powerful, advanced email security solution that can help businesses improve their email security defenses and block phishing, spear phishing, BEC, malware, and ransomware attacks. SpamTitan incorporates multiple threat intelligence feeds, machine learning systems to identify phishing attempts, dual anti-virus engines, and a sandbox to subject suspicious email attachments to in-depth analysis. SpamTitan also incorporates SPF and DMARC to identify and block email impersonation attacks.

If you are concerned about email security and want to improve your defenses against email threats, give the TitanHQ team a call to find out more about SpamTitan and other security solutions that can help you defend your organization from cyberattacks.

Our customer service team will be happy to discuss your options and help set you up for a free trial so you can see for yourself the difference SpamTitan makes to email security.

Phishers Use Google Cloud Services to Steal Office 365 Credentials

A new phishing campaign has been detected that uses Google Cloud Services to fool victims into giving up their Office 365 credentials. The new campaign is part of a growing trend of disguising phishing attacks using legitimate cloud services.

The phishing attack starts like any other with an email containing a hyperlink that the recipient is requested to click. If the user clicks the link in the email, they are directed to Google Drive where a PDF file has been uploaded. When the file is opened, users are asked to click a hyperlink in the document, which appears to be an invitation to access a file hosted on SharePoint Online.

The PDF file asks the victim to click the link to sign in with their Office 365 ID. Clicking the link will direct the user to a landing page hosted using Google’s storage.googleapis.com. When the user arrives on the landing page, they are presented with an Office 365 login prompt that looks exactly like the real thing. After entering their credentials, they will be directed to a legitimate PDF whitepaper that has been obtained from a well-respected global consulting firm.

The campaign has been designed to make it appear that the victim is simply being directed to a PDF file that has been shared via Sharepoint, and the actual PDF file is displayed after the victim has divulged their credentials. It is therefore likely that the victim will not realize that their Office 365 credentials have been phished. The only sign that this is a scam is the source code on the phishing page, which even tech-savvy individuals would be unlikely to check.

This campaign was identified by researchers at Check Point, but it is just one of many similar campaigns to have been identified over the past few months. Since these domains are legitimate and have valid SSL certificates, they are difficult to detect as malicious. This campaign abused Google Cloud Services, but several other campaigns have been detected using the likes of IBM Cloud, Microsoft Azure and others to add legitimacy to the campaigns.

This campaign highlights the importance of providing security awareness training to the workforce and warning employees about the risks of clicking links in unsolicited emails, even those that link to genuine domains. An advanced email security solution should also be implemented to block malicious emails and ensure the majority of malicious messages are not delivered to inboxes. That is an area where TitanHQ can help.

Emotet Botnet Activity Resumes with Trickbot/Qakbot Malware Campaign

Emotet was the most prolific malware botnet of 2018 and 2019, but the botnet fell silent on February 7, 2020 but it has now sprung back to life and is being used to distribute Trojan malware.  The botnet returned with a malicious spam campaign on July 17 of at least 30,000 emails, mostly targeting organizations in the United States and United Kingdom. The scale of the campaign has now grown to around 250,000 emails a day with the campaign now global.

The Emotet botnet is a network of computers infected with Emotet malware and there are estimated to be around half a million infected Windows computers under the control of the botnet operators. Those infected devices are contacted through the attackers’ command and control (C2) servers and are sent instructions to send out spam emails spreading Emotet malware.

Once the malware is downloaded, the infected computer is added to the botnet and is used to send spam emails. Emotet infections can also spread laterally within an organization. When investigations are launched following the detection of Emotet, it is common for other computers to be discovered to be infected with the malware.

What makes Emotet particularly dangerous is the operators of the botnet pair up with other threat groups and deliver other malware variants. Emotet has been used to distribute a range of malware variants since its creation in 2014, but recently the malware payload of choice was the TrickBot Trojan. TrickBot is a banking trojan cum information stealer that also serves as a malware downloader. In addition to stealing sensitive data, the operators of TrickBot pair up with other malware developers, notably the developers of Ryuk ransomware.  Once TrickBot has stolen information, the baton is passed over to Ryuk, which will also steal data before encrypting files on network. The new Emotet campaign started by distributing the TrickBot Trojan, although the payload has since switched to the QakBot banking Trojan.  QakBot also delivers ransomware as a secondary payload, with Prolock often used in the past.

Emotet emails use a variety of lures to get recipients to click links to malicious websites or open infected email attachments. Emotet targets businesses, so the lures used are business related, such as fake shipping notices, invoices, purchase orders, receipts, and job applications. The emails are often personalized, and the threat actors known to hijack email threads and send responses with malicious documents added.

An Emotet infection is serious and should be treated with the same urgency as a ransomware attack. Prompt action may allow Emotet to be removed before a secondary payload is delivered.

Fortunately, Emotet malware is delivered via email so that gives businesses an opportunity to prevent infections. By deploying an advanced spam filter such as SpamTitan that has sandboxing to subject email attachments to deep analysis, these malicious emails can be identified and quarantined. Coupled with other email security measures such as end user training, businesses can mount a robust defense and block infections.

The return of Emotet was inevitable, and while the resumption of activity is bad news, there is some good news. A vigilante hacker has started sabotaging Emotet operations by targeting a weak link in their infrastructure. Emotet malware is downloaded from the internet from a range of hacked WordPress sites. The vigilante has found that the temporary stores of Emotet can be easily hacked as they tend to all use the same password. After guessing that password, the Emotet payload has been replaced with a variety of animated GIFs and has disrupted operations, reducing infections to around a quarter of their normal levels. That said, the Emotet gang is attempting to regain control of its web shells and infections with Emotet are still growing.

TitanHQ Implements New ArcTitan Email Archiving Systems

TitanHQ is performing a major update of the ArcTitan email archiving solution. That process is now well underway and existing ArcTitan users are being migrated to the new systems and will greatly benefit from the new and improved service.

The new and improved ArcTitan service is being delivered as a high availability, self-healing, horizontally scaled Kubernetes cluster. The new ArcTitan service uses a high availability Percona XtraDB MySQL database cluster within Kubernetes that handles all database operations. It is self-maintaining and can be scaled up with minimal user effort and no downtime.

The Kubernetes cluster has many components that work in harmony, with each of the components configured to be independently accessible to ensure availability and improve the reliability of the service. Since each component is independently available, in the event of one component going down, the remaining components will still be available. That means there will be minimal or no service outage, instead the single component will be taken offline and repaired without any effect on the others.

As is the case with the old ArcTitan service, all emails are given unique identifiers that are kept for the life of the archive. Emails are fully indexed, and the header, sender/receiver, body, and email attachments are all indexed separately. If historic emails need to be recovered, the indexing ensures millions of archived email messages can be searched and found in seconds.

The new ArcTitan systems encrypt and store raw email data in Replicated Persistent Storage. Ceph storage clusters are deployed which provide high performance block storage and file systems, with automated data replication and fail over.  For long term storage of email data, ArcTitan uses Amazon S3 to ensure reliability, redundancy, and scalability. ArcTitan indices are distributed across several Apache SoIr instances simultaneously.

ArcTitan customers will also benefit from a new graphical user interface (GUR) as shown in the image below:

TitanHQ is contacting all current ArcTitan users and is providing new account details that will need to be used to benefit from the new ArcTitan infrastructure. Applying the changes will require reconfiguration of the connector/mail server. Once that change has been applied, all mail will be directed to the new server for archiving.

Once TitanHQ has verified that the change has been made correctly, and all mail is being successfully sent to the archive on the new infrastructure, the original account will be closed off and will no longer accept emails. All emails from the old account will be migrated to the new infrastructure by TitanHQ and customers will be notified when that process has been completed. They will then have the chance to verify the migration has been completed. Once verified, the old account will then be deleted.

In the meantime, any emails stored using the previous account can still be searched and the archive will remain accessible if historical email needs to be accessed.

We are sure you will be happy with the changes and improved performance and reliability. If you have any questions about the new ArcTitan systems or your migration, our customer service team will be happy to help.

Phorpiex Botnet Activity Surges with Large-Scale Avaddon Ransomware Campaign

Over the past month there has been a surge in Phorpiex botnet activity. A botnet is a network of computers that have been infected with malware, placing them under the control of the botnet operator. Those computers are then used to send spam and phishing emails, often with the aim of distributing malware and ransomware. There are known to be around 500,000 computers in the Phorpiex botnet globally and the botnet has been in operation for almost 10 years.

The Phorpiex botnet has previously been used for sending sextortion emails, distributing cryptocurrency miners, and malware such as the Pony information stealer, GandCrab ransomware, and the XMRig cryptocurrency miner. In June, the Phorpiex botnet was used to conduct a massive Avaddon ransomware campaign that saw around 2% of companies targeted around the world.

Ransomware attacks have increased over the past few months, with many ransomware gangs delivering ransomware manually after gaining access to corporate networks by exploiting vulnerabilities in VPNs and other software or taking advantage of insecure default software configurations. There has also been an increase in ransomware attacks using email as the attack vector. Several ransomware variants are now being primarily delivered by email, and Avaddon ransomware was one of the biggest email threats in June. One week in June saw more than 1 million spam emails sent via the Phorpiex botnet, with most of those emails targeting U.S. companies.

Avaddon ransomware is a new ransomware variant that was first detected in June. The operators of Avaddon ransomware are advertising their malware as ransomware-as-a-service (RaaS) and have been recruiting affiliates to distribute the ransomware for a cut of the profits.

In early June, an Avaddon ransomware campaign was detected that used JavaScript attachments in spam emails. The files had a double extension which made them appear to be JPG files on Windows computers. Windows computers hide file extensions by default, so the file attachment would appear to be named IMG123101.jpg on a Windows computer in the default configuration. If Windows had been changed to display known file extensions, the user would see the file was actually IMG123101.jpg.js. Opening the file would launch a PowerShell and Bitsadmin command that would trigger the download and execution of Avaddon ransomware.

More recently, a campaign was detected that distributed Avaddon ransomware using spam emails with Excel spreadsheet attachments with malicious Excel 4.0 macros. In contrast to JavaScript files, which will run when opened by users, Excel macros require user action to run, so they are less effective. That said, users are instructed to enable the macros using a variety of social engineering techniques and they are still effective.

Avaddon ransomware searches for a range of file types, encrypts those files and adds the .avdn extension. A ransom note is dropped, and a link is supplied to a Tor site along with a unique user ID to allow the victim to login to pay the ransom for the keys to unlock encrypted files. There is no free decryptor available for Avaddon ransomware. File recovery will only be possible if the ransom is paid or if viable backups exist that have not also been encrypted by the ransomware.

Several subject lines have been used in the emails, such as “Your new photo?” and “Do you like my photo?”, with only a ? emoji in the body of the email. This tactic is simple, yet effective.

There are several steps that can be taken by businesses to prevent Avaddon and other email-based ransomware attacks. End user security awareness training should raise awareness of the threat and teach employees how to recognize phishing and malspam threats and condition them to report emails to their security team. If possible, macros should be disabled on all end user devices, although the email attachments used often change and disabling macros will not therefore always prevent infection.

One of the best defenses against email threats such as phishing, malware and ransomware is to install a powerful anti-spam solution such as SpamTitan. SpamTitan can work as a standalone anti-spam solution, but also as an additional level of protection for Office 365 email, complementing Microsoft Exchange Online Protection (EOP) and providing an additional layer of security to block zero-day phishing and malware threats.

For more information on protecting your organization from ransomware and other email threats, give the TitanHQ team a call today.

Phishing Scam Targets Remote Workers Returning to the Office

A new phishing campaign has been identified that targets remote workers that will soon be returning to the workplace and claims to include information on coronavirus training. The campaign is one of the most realistic phishing scams in recent weeks, as it is plausible that prior to returning to the office after lockdown would involve some changes to workplace procedures to ensure employee safety.

This campaign targets Microsoft Office 365 users and attempts to obtain users’ Office 365 credentials under the guise of a request to register for COVID-19 training.  The emails include the Office 365 logo and are short and to the point.

They just include the text, “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”

The message includes a button to click to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”

Clicking the link will direct the user to a malicious website where they are required to enter their Office 365 credentials.

This campaign, like many others to have emerged over the past few weeks, closely follow world events. At the start of the pandemic, when there was little information available about COVID-19, phishers were offering new information about COVID-19 and the Novel Coronavirus. As more countries were affected and cases were increasing, incorporation was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have changed once again.

Campaigns have been detected in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections warning users that they need to purchase a COVID-19 test. Another campaign targeted parents who are experiencing financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been detected about Free school dinners over the summer, now that the UK government has said that it will be providing support to parents.

There have been several campaigns that have taken advantage of the popularity of the Black Lives Matter movement following the death of George Floyd. This campaign asked recipients of the email to register their opinions about Black Lives Matter and leave a review, with the campaign used to deliver the TrickBot Trojan.

What these phishing campaigns clearly demonstrate is the fluid nature of phishing campaigns, that are regularly changed to reflect global events to maximize the chance of the emails being opened. They show that users need to remain on their guard and be alert to the threat from phishing and always take time to consider the legitimacy of any request and to perform a series of checks to determine whether an email is what it claims to be. This can be tackled through security awareness training, which should be provided to employees regularly.

Naturally, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is important to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to identify new phishing scams along with measures to detect previously unseen malware variants. As an additional layer of protection, you should consider implementing a web filtering solution such as WebTitan that provides time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware downloads. Alongside security awareness training, these solutions will help you to mount a formidable defense against phishing attacks.

iCalandar Phishing Scam Attempts to Obtain Banking Credentials

A new phishing campaign has been detected that uses calendar invitations to steal banking and email credentials. The messages in the campaign include an iCalendar email attachment which may fool employees as this is a rare file type for phishing. These attachments are therefore unlikely to have been specifically covered in security awareness training.

iCalendar files are the file types used to store scheduling and calendaring information such as tasks and events. In this case, the messages in the campaign have the subject line “Fault Detection from Message Center,” and have been sent from a legitimate email account that has been compromised by the attackers in a previous campaign.

Because the email comes from a legitimate account rather than a spoofed account, the messages will pass checks such as those conducted through DMARC, DKIM, and SPF, which identify email impersonation attacks where the true sender spoofs an account. DMARC, DKIM, and SPF check to see if the true sender of an email is authorized to send messages from a domain.

As with most phishing campaigns, the attackers use fear and urgency to get users to click without considering the legitimacy of the request. In this case, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been flagged as suspicious. This campaign is targeting mobile users, with the messages asking for the file to be opened on a mobile device.

If the email attachment is opened, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is clicked, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have valid SSL certificates, so they may not be flagged as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the genuine bank website.

The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. If the information is entered it is captured by the attacker and the information will be used to gain access to the accounts. To make it appear that the request is genuine, the user will then be directed to the legitimate Wells Fargo website once the information is submitted.

There are warning signs that the request is not genuine, which should be identified by security conscious individuals. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website are suspect, the request to only open the file on a mobile device is not explained. The phishing website also asks for a lot of information, including email address and password, which are not relevant.

These flags should be enough to convince most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and is delivered to inboxes poses a risk.

Leading UK Private Equity Firm Invests in TitanHQ

One of the leading mid-market private equity investment firms in the United Kingdom has invested in TitanHQ. TitanHQ is headquartered in Galway, Ireland and is a fast-growing, global vendor of cloud-based cybersecurity solutions for SMBs, ISPs, and Managed Service Providers (MSPs) that serve the SMB market.

TitanHQ’s portfolio of solutions consists of SpamTitan Email Security, WebTitan Web Security, and ArcTitan Email Archiving. These solutions have been adopted by more than 8,500 businesses worldwide and are offered by approximately 2,500 MSPs in 150 countries.

TitanHQ, originally Copperfasten Technologies, was formed in 1999 and started life providing email security solutions to businesses in Ireland, but has since grown into a global company that provides SaaS solutions to companies including Pepsi, ViaSat, Virgin, O2, and Datto. The company has been recorded impressive growth and has become the leading provider of cloud-based security solutions to MSPs serving the SMB market, with an ARR of more than $15 million.

Livingbridge invests in companies with a value of up to £200 million and has an Enterprise 3 fund for investment in fast-growing companies up to the value of £50 million, with the latter fund used to invest in TitanHQ.

Livingbridge identified TitanHQ as a target for investment based on a proven track record at delivering powerful cloud-based SaaS solutions and being well positioned to benefit from strong, growing market momentum. The investment in TitanHQ will help accelerate the company’s ambitious growth plans through investment in people and product development.

TitanHQ received investment from Bill Mc Cabe’s Oyster Technology Investments at inception, and Oyster Technology Investments will continue to maintain a significant stake in the business.

“We are excited to be taking this next step in our growth journey with Livingbridge, a partner that understands the unique strengths of our business, shares our vision for success and has the experience and resources to help us to achieve it,” said Ronan Kavanagh, Chief Executive Officer of TitanHQ. “The recent pandemic and the growth of WFH initiatives has further highlighted the need for multiple layers of cyber security and our solutions form key pillars in this security strategy.”

“We are delighted to be partnering with TitanHQ, a uniquely positioned business with a well-differentiated product portfolio operating in a fast-growing, attractive market that is benefiting from strong macro tailwinds,” said Nick Holder, Director at Livingbridge. “There is a tremendous opportunity for Titan HQ to accelerate its growth trajectory over the coming years and we look forward to working closely with the management team to fulfil the company’s potential.”

TrickBot Malware Operators Adopt Black Lives Matter Malspam Campaign

As the COVID-19 pandemic has clearly shown, cybercriminals are quick to adapt their phishing and malware campaigns in response to global and local events. New lures are constantly developed to maximize the probability of success.

In the early stages of the pandemic, when very little was known about SARS-CoV-2 and COVID-19, there was huge public concern and cybercriminals took advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly change their lures in response to newsworthy events to increase the probability of emails and attachments being opened. The TrickBot gang adopted COVID-19 and coronavirus themed lures when the virus started to spread globally and there was a huge craving for knowledge about the virus and local cases.

It is therefore no surprise to see the TrickBot operators adopt a new lure related to Black Lives Matter. There were huge protests in the United States following the death of George Floyd at the hands of a police officer, and those protests have spread globally. In several countries the headlines have been dominated by stories about Black Lives Matter protests and counter protests, and the public mood has presented another opportunity for the gang.

The latest TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been crafted to appeal to individuals both for and against the protests. The emails contain a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are likely.

The emails request the user open and complete the form in the document to submit their anonymous feedback. The Word document includes a macro which users are requested to enable to allow their feedback to be provided. Doing so will trigger the macro which will download a malicious DLL, which installs the TrickBot Trojan.

TrickBot is first and foremost a banking Trojan but is modular and frequently updated with new functions. The malware collects a range of sensitive information, can exfiltrate files, can move laterally, and also download other malware variants. TrickBot has been extensively used to download Ryuk ransomware as a secondary payload when the TrickBot gang has achieved their initial objective.

The lures used in phishing and malspam emails frequently change, but malspam emails distribute the same threats. Security awareness training can help to improve resilience to phishing threats by conditioning employees how to respond to unsolicited emails. Making employees aware of the latest tactics, techniques, procedures, and social engineering tactics being used to spread malware will help them to identify threats that land in their inboxes.

Regardless of the ruse used to get users to click, the best defense against these attacks is to ensure that your technical defenses are up to scratch and malware and malicious scripts are identified as such and are blocked and never reach end users’ inboxes. That is an area where TitanHQ can help.

SpamTitan Cloud is a powerful email security solution that provides protection against all email threats. Dual antivirus engines block all known malware threats, while predictive technologies and sandboxing provides protection against zero-day malware and phishing threats. No matter what email system you use, SpamTitan adds an important extra layer of security to block threats before they reach inboxes.

For further information on how you can improve protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call today.

Join TitanHQ and Magic Johnson at MVP GrowthFest on June 23, 2020

The COVID19 pandemic has created challenges for all businesses which are trying their best to adapt to a new normal. Businesses are slowing opening up their offices once again but it will be a long time before a return to “business as usual.” In fact, massive changes have had to take place and life after lockdown is likely to be considerably different to life before it.

Managed Service Providers have also had to adapt, and many Channel companies have realized the massive changes due to the pandemic have brought a wealth of opportunities. They are not suffering as a result of the challenges but have adapted their operations and have gained considerable growth momentum. How have these forward-thinking MSPs turned the pandemic into profit? What have they done to grow their businesses in such difficult times?

On June 23, 2020, MSPs will have an opportunity to get answers to these questions and discover how they can grow their business and thrive during the pandemic and in a post-COVID-19 world.

In line with social distancing requirements, MVP GrowthFest is a virtual event where MSPs will have the opportunity to learn how obstacles that appear to be blocking progress are challenges that can easily be overcome.

MVP GrowthFest is a 3-hour event headlined by the 3-time NBA Most Valuable Player (MVP) Award winning superstar, Earvin “Magic” Johnson Jr. Magic Johnson will be providing insights into the obstacles he has faced during his life and how he succeeded through a combination of talent, tenacity, and a strong commitment to the community.

The event will celebrate the energy that powers growth and the drive to thrive in uncertain times and MSPs will be treated to four powerhouse panels where a combined 15 Channel All-Stars will be providing valuable insights and practical steps to not only survive the pandemic but use it as an opportunity to grow and thrive.

TitanHQ’s Sales Director, Conor Madden, will be leading a security powerhouse panel and will explain how selling security is best achieved through education, and how this approach is essential for the modern-day MSP tech stack.

Currently, cyberattacks are occurring at unprecedented levels. Cyber actors having seized the opportunities COVID-19 has given them. MSPs can position their security stacks front and central and help businesses protect against these threats.

MSPs will naturally need the right solutions, and that is an area where TitanHQ can help, being the leading provider of cloud-based email and web security solutions to MSPs serving the SMB marketplace. TitanHQ solutions have been developed specifically to meet the needs of MSPs and are available at a price point that allows them to be packaged easily to significantly boost profits.

At the security powerhouse, attendees will also hear from:

  • Jon Murchison – CEO, BlackPoint Cyber
  • Kevin Lancaster – CEO, ID Agent & GM Security, Kaseya
  • Jessvin Thomas – President & CTO, SKOUT

Three further powerhouse sessions will be taking place at MVP GrowthFest giving MSPs further insights and assistance to grow their businesses and boost profits. There will also be $2,000 in prizes given out at the event.

Managing Through Change

Featuring:

  • Dan Wensley – CEO, Warranty Master
  • Joe Alapat – CEO & Founder, Liongard
  • Ryan Walsh – Chief Channel Officer, Pax8

Establishing Trust in the New Normal

Featuring:

  • Dave Goldie – Vice President of Channel, Cytracom
  • Ted Roller – Channel Chief, ConnectBooster
  • Andra Hedden – CMO, Marketopia
  • Frank DeBenedetto – Founder, AudIT

Leading & Accelerating through the Recovery

Featuring:

  • Tim Conkle – Founder, The 20
  • Dennis O’Connell – Vice President, Taylor Business Group
  • Ted Roller – Channel Chief, Zomentum

Advance registration is required

 Click Here to Book Your Place at MVP GrowthFest

Phishing Campaign Uses Fake Supreme Court Summons to Obtain Office 365 Credentials

A U.S. Supreme Court phishing campaign has been detected that uses a fake subpoena to appear in court as a lure to obtain Office 365 credentials. The emails are personalized and are addressed to the victim and claim to be a writ issued by the Supreme Court demanding the recipient attend a hearing. This is a targeted campaign rather than a spray and pray attack that attempts to obtain the credentials of high value targets such as C-Suite members.

The emails include a link that the recipient is required to click to view the subpoena. Clicking the link in the email directs the user to a malicious website where they are required to enter their Office 365 credentials to view the subpoena.

The domain used is brand new and, as such, it is not recognized as malicious by many security solutions, including the default anti-phishing measures of Office 365. The scammers have also used multiple redirects to hide the destination URL in another attempt to thwart anti-phishing defenses.

Prior to the user being directed to the phishing page, they are presented with a CAPTCHA page. CAPTCHA is used to prevent web visits by bots, but in this case, it may be used to add legitimacy to the phish to make the request appear genuine. The CAPTCHA page is real, and the user must correctly select the images in order to proceed. The page also includes the name of the user, further adding legitimacy to the scam. The CAPTCHA may also be a further attempt to make it difficult for the destination URL to be analyzed by security solutions.

This phishing campaign is realistic and uses urgency to get the user to take action quickly, rather than stopping to think about the request. There are signs that this is a scam, such as the domain name which clearly has nothing to do with the U.S. Supreme Court, and a few grammatical and spelling mistakes which would not be expected of any Supreme Court request.

However, the sender name in the email was spoofed to make it appear to have been sent by the “Supreme Court”, the request is certain to scare some recipients into clicking the link, and the landing page is sufficiently realistic to fool busy employees into disclosing their login credentials.

Exchange Online protection (EOP), which is provided by Microsoft free of charge with all Office 365 accounts, often fails to spot these zero-day attacks.

To improve protection against new phishing campaigns, an anti-spam solution is required that incorporates predictive techniques, threat intelligence feeds, and machine learning algorithms. SpamTitan incorporates these and several other layers of protection to identify zero-day phishing, malware, and ransomware campaigns and email impersonation attacks.

SpamTitan can be layered on top of Microsoft’s Exchange Online Protection to serve as an additional layer to your email security defenses to ensure that more malicious emails are blocked and never reach end users inboxes.

Office 365 Phishing Scam Bypasses Multi-Factor Authentication

A novel phishing scam has been identified that gains access to information on Office 365 accounts without obtaining usernames and passwords. The campaign also manages to bypass multi-factor authentication controls that has been set up to prevent stolen credentials from being used to remotely access email accounts from unfamiliar locations or devices.

The campaign takes advantage of the OAuth2 framework and the OpenID Connect protocol that are used to authenticate Office 365 users. The phishing emails include a malicious SharePoint link that is used to fool email recipients into granting an application permissions that allow it to access user data without a username and password.

The phishing emails are typical of several other campaigns that abuse SharePoint. They advise the recipient that a file has been shared with them and they are required to click a link to view the file. In this case, the file being shared appears to be a pdf document. The document includes the text “q1.bonus” which suggests that the user is being offered additional money. This scam would be particularly effective if the sender name has been spoofed to appear as if the email has been sent internally by the HR department or a manager.

Clicking the link in the email directs the user to a genuine Microsoft Online URL where they will be presented with the familiar Microsoft login prompt. Since the domain starts with login.microsoftonline.com the user may believe that they are on a genuine Microsoft site (they are) and that it is safe to enter their login credentials (it is not). The reason why it is not safe can be seen in the rest of the URL, but for many users it will not be clear that this is a scam.

Entering in the username and password does not provide the credentials to the attacker. It will authenticate the user and also a rogue application.

By entering in a username and password, the user will be authenticating with Microsoft and will obtain an access token from the Microsoft Identity Platform. OAuth2 authenticates the user and OIDC delegates the authorization to the rogue application, which means that the application will be granted access to user data without ever being provided with credentials. In this case, the authentication data is sent to a domain hosted in Bulgaria.

The user is required to enter their login credentials again and the rogue app is given the same permissions as a legitimate app. The app could then be used to access files stored in the Office 365 account and would also be able to access the user’s contact list, which would allow the attacker to conduct further attacks on the organization and the user’s business contacts.

The phishing campaign was identified by researchers at Cofense who warn access only needs to be granted once. Access tokens have an expiration date, but this method of attack allows the attackers to refresh tokens, so that potentially gives the attackers access to documents and files in the Office 365 account indefinitely.

With multi-factor authentication enabled, businesses may feel that they are immune to phishing attacks. Multi-factor authentication is important and can prevent stolen credentials from being used to access Office 365 and other accounts, but MFA is not infallible as this campaign shows.

This campaign highlights how important it is to have an email security solution that uses predictive technology to identify new phishing scams that have not been seen before and do not include malicious attachments. Phishing attacks such as this are likely to bypass Office 365 antispam protections and be delivered to inboxes, and the unusual nature of this campaign may fool users into unwittingly allowing hackers to access their Office 365 accounts.

For further information on how you can secure your Office 365 accounts and block sophisticated phishing attacks, give us a call today to find out how SpamTitan can improve your email defenses.

30% of British SMEs Have Suffered a COVID-19 Lockdown Phishing Attack

A recent survey by Capterra on British SMEs has revealed 30% have fallen victim to a phishing attack during the COVID-19 lockdown. Just under half of the phishing emails received (45%) were related to coronavirus or COVID-19.

COVID-19 phishing emails increased significantly during the first quarter of 2020 as the coronavirus spread around the world. Since the virus was unknown to science, scientists have been working tirelessly to learn about the virus, the disease it causes, how the virus is spread, and what can be done to prevent infection. The public has been craving information as soon as it is available, which creates the perfect environment for phishing attacks. People want information and threat actors are more than happy to offer to provide it.

The Capterra survey highlights the extent to which these campaigns are succeeding. Employees are receiving phishing emails and being fooled by the social engineering tactics the scammers have adopted. The high success rate has seen many threat actors temporarily abandon their tried and tested phishing campaigns that they were running before the SARS-CoV-2 outbreak, and have repurposed their campaigns to take advantage of the public’s thirst for knowledge about the virus. In the first quarter of 2020, KnowBe4 reported a 600% increase in COVID-19 and coronavirus themed phishing emails.

The high percentage of businesses that have experienced phishing attacks during the COVID-19 lockdown indicates many SMEs need to augment their anti-phishing defenses. There is also a need for further training to be provided to employees, as the emails are being opened and links are being clicked.

On the training front, formal training sessions may be harder to administer with so many employees working remotely. Consider conducting short training sessions via teleconferencing platforms and sending regular email alerts warning about the latest techniques, tactics and procedures being used in targeted attacks on remote workers. Phishing simulation exercises can be hugely beneficial and will help to condition workers to check emails thoroughly and report any threats received. These simulations also help identify which employees need further training to help them recognize potential phishing attacks.

Of course, the best way to ensure that employees do not open phishing emails and malicious attachments is to ensure they are not delivered to employees’ inboxes. That requires an advanced spam filtering solution.

Many SMEs and SMBs have now moved to an Office 365 hosted email solution, in which case email filtering will be taking place using Microsoft’s Exchange Online Protection – The default spam filtering service that protects all office 365 users. If you are reliant on this solution for filtering out phishing emails and other types of malicious messages, you should consider adding a third-party solution on top of EOP.

Exchange Online Protection provides a reasonable level of security and can block phishing emails and known malware threats, but it lacks the features of more advanced spam filtering solutions and cloud-based email security gateways, such as machine learning and predictive technology to identify attacks that have not been seen before.

As an additional protection against phishing attacks, a web filtering solution should be considered. In the event of a phishing email arriving in an inbox, a web filter serves as an additional layer of protection to prevent attempts by employees to visit websites linked in the emails. When an attempt is made to visit a known phishing website or web content that violates your acceptable internet usage policies, access will be blocked and the user will be directed to a local web page telling them why access has been denied.

Multi-factor authentication should also be implemented for email to ensure that in the event that credentials are compromised, a second factor must be provided before access to the email account is granted.

For more information on spam filtering and web filtering, and further information on TitanHQ’s advanced cloud-based email security solution – SpamTitan – and DNS-based web filtering solution – WebTitan – give the TitanHQ team a call today.

Two New Phishing Campaigns Targeting Remote Workers

Two new phishing campaigns have been identified targeting remote workers. One campaign impersonates LogMeIn and the other exploits the COVID-19 pandemic to deliver a legitimate remote administration tool that allows attackers to take full control of a user’s device.

LogMeIn Spoofed to Steal Credentials

Remote workers are being targeted in a phishing campaign that spoofs LogMeIn, a popular cloud-based connectivity service used for remote IT management and collaboration. The emails claim a new update has been released for LogMeIn, with the messages appearing to have been sent by the legitimate LogMeIn Auto-Mailer. The emails include the LogMeIn logo and claim a new security update has been released to fix a new zero-day vulnerability that affects LogMeIn Central and LogMeIn Pro.

A link is supplied in the email that appears to direct the recipient to the accounts.logme.in website and a warning is provided to add urgency to get the user to take immediate action. The email threatens subscription of the service will be suspended if the update is not applied.

The anchor text used in the email masks the true site where the user will be directed. If clicked, the user will be directed to a convincing spoofed LogMeIn URL where credentials are harvested.

There has been an increase in phishing attacks spoofing remote working tools in recent weeks such as LogMeIn, Microsoft Teams, Zoom, GoToMeeting, and Google Meet. Any request sent by email to update security software or take other urgent actions should be treated as suspicious. Always visit the official website by entering the URL into the address bar or use your standard bookmarks. Never use information provided in the email. If the security update is genuine, you will be advised about it when you login.

NetSupport Remote Administration Tool Used to Take Control of Remote Workers’ Laptops

A large-scale phishing campaign has been detected that uses malicious Excel attachments to deliver a legitimate remote access tool that is used by the attackers to take control of a victim’s computer.

The emails used in this campaign appear to have been sent from the Johns Hopkins Center and claim to provide a daily update on COVID-19 deaths in the United States. The Excel file attached to the email – covid_usa_nyt_8072.xls – displays graph taken from the New York Times detailing COVID-19 cases and when opened the user is encouraged to enable content. The Excel file contains a malicious Excel 4.0 macro that downloads a NetSupport Manager client from a remote website if content is enabled, and the client will be automatically executed.

The NetSupport RAT delivered in this campaign drops additional components, including executable files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Once installed it will connect with its C2 server, allowing the attacker to send further commands.

Block Phishing Attacks and Malware with SpamTitan and WebTitan Cloud

The key to blocking phishing attacks is to implement layered anti-phishing defenses. SpamTitan serves as an additional layer of protection for email that works in tandem with the security anti-spam measures implemented by Google with G-Suite and Microsoft with Office 365 to provide a greater level of protection, especially against sophisticated attacks and zero-day threats. SpamTitan itself includes multiple layers of security to block threats, including dual anti-virus engines, sandboxing, DMARC, and predictive technologies to identify never-before-seen phishing and malware threats.

WebTitan Cloud serves as an additional layer of protection to protect against the web-based component of phishing attacks, with time-of-click protection to block attempts by employees to visit phishing websites linked in emails and redirects to malicious websites during general web browsing. WebTitan works in tandem with email security solutions to increase protection for employees regardless where they access the internet and allows different policies to be set when they are on and off the network.

For further information on these powerful cybersecurity solutions give the TitanHQ a team a call today to book a product demonstration and to receive assistance getting set up for a free trial of the full products.